翻译文献-10.5　鉴别用户

外文原文NOTETHATTHEEFFECTIVEUSERIDISSETTO0WHENTHEPROGRAMISRUNYOUCANUSETHECHMODCOMMANDWITHTHEUSARGUMENTSTOSETTHESETUIDANDSETGIDBITSONANEXECUTABLEFILE,RESPECTIVELYFOREXAMPLEYOUCANALSOUSETHECHMODCALLWITHTHES_ISUIDORS_ISGIDMODEFLAGSSUISCAPABLEOFCHANGINGTHEEFFECTIVEUSERIDTHROUGHTHISMECHANISMITRUNSINITIALLYWITHANEFFECTIVEUSERIDOF0THENITPROMPTSYOUFORAPASSWORDIFTHEPASSWORDMATCHESTHEROOTPASSWORD,ITSETSITSREALUSERIDTOBEROOTASWELLANDTHENSTARTSANEWSHELLOTHERWISE,ITEXITS,UNCEREMONIOUSLYLEAVINGYOUASANONPRIVILEGEDUSERTAKEALOOKATTHEPERMISSIONSONTHESUPROGRAMNOTICETHATITSOWNEDBYROOTANDTHATTHESETUIDBITISSETNOTETHATSUDOESNTACTUALLYCHANGETHEUSERIDOFTHESHELLFROMWHICHITWASRUNINSTEAD,ITSTARTSANEWSHELLPROCESSWITHTHENEWUSERIDTHEORIGINALSHELLISBLOCKEDUNTILTHENEWSHELLCOMPLETESANDSUEXITS105AUTHENTICATINGUSERSOFTEN,IFYOUHAVEAESTUIDPROGRAM,YOUDONTWANTTOOFFERITSSERVICESTOEVERYONEFOREXAMPLE,THESUPROGRAMLETSYOUBECOMEROOTONLYIFYOUKNOWTHEROOTPASSWORDTHEPROGRAMMAKESYOUPROVETHATYOUAREENTITLEDTOBECOMEROOTBEFOREGOINGAHEADWITHITSACTIONSTHISPROCESSISCALLEDAUTHENTICATIONTHESUPROGRAMISCHECKINGTOSEETHATYOUAREAUTHENTICIFYOUREADMINISTERINGAVERYSECURESYSTEM,YOUPROBABLYDONTWANTTOLETPEOPLELOGINJUSTBYTYPINGANORDINARYPASSWORDUSERSTENDTOWRITEDOWNPASSWORDS,ANDBLACKHATSTENDTOFINDTHEMUSERSTENDTOPICKPASSWORDSTHATINVOLVETHEIRBIRTHDAYS,THENAMESOFTHEIRPETS,ANDSOFORTHPASSWORDSJUSTARENTALLTHATSECUREFOREXAMPLE,MANYORGANIZATIONSNOWREQUIRETHEUSEOFSPECIAL“ONETIME“PASSWORDSTHATAREGENERATEDBYSPECIALELECTRONICIDCARDSTHATUSERSKEEPWITHTHEMTHESAMEPASSWORDCANTBEUSEDTWICE,ANDYOUCANTGETAVALIDPASSWORDOUTOFTHEIDCARDWITHOUTENTERINGAPINSO,ANATTACKERMUSTOBTAINBOTHTHEPHYSICALCARDANDTHEPINTOBREAKININAREALLYSECUREFACILITY,RETINALSCANSOROTHERKINDSOFBIOMETRICTESTINGAREUSEDIFYOUREWRITINGAPROGRAMTHATMUSTPERFORMAUTHENTICATION,YOUSHOULDALLOWTHESYSTEMADMINISTRATORTOUSEWHATEVERMEANSOFAUTHENTICATIONISAPPROPRIATEFORTHATINSTALLATIONGNU/LINUXCOMESWITHAVERYUSEFULLIBRARYTHATMAKESTHISVERYEASYTHISFACILITY,CALLEDPLUGGABLEAUTHENTICATIONMODULES,ORPAM,MAKESITEASYTOWRITEAPPLICATIONSTHATAUTHENTICATETHEIRUSERSASTHESYSTEMADMINISTRATORSEESFITITSEASIESTTOSEEHOWPAMWORKSBYLOOKINGATASIMPLEPAMAPPLICATIONLISTING104ILLUSTRATERTHEUSEOFPAMTOCOMPLIETHISPROGRAM,YOUHAVETOLINKITWITHTWOLIBRARIESTHELIBPAMLIBRARYANDHELPERLIBRARYCALLEDLIBPAM_MISCGCCOPAMPAMCLPAMLPAM_MISCTHISPROGRAMSTARTSOFFBYBULIDINGUPAPAMCONVERSATIONOBJECTTHISOBJECTISUSEDBYTHEPAMLIBRARYWHENEVERITNEEDSTOPROMPTTHEUSERFORINFORMATIONTHEMISC_CONVFUNCTIONUSEDINTHISEXAMPLEISASTANDARDCONVERSATIONFUNCTIONTHATUSESTHETERMINALFORINPUTANDOUTPUTYOUSHOULDWRITEYOUROWNFUNCTIONTHATPOPSUPADIALOGBOX,ORTHATUSESSPEECHFORINPUTANDOUTPUT,ORTHATPROVIDESEVENMOREEXOTICINPUTANDOUTPUTMETHODSTHEPROGRAMTHENCALLSPAM_STARTTHISFUNCTIONINITIALIZESTHEPAMLIBRARYTHEFIRSTARGUMENTISASERVICENAMEYOUSHOULDUSEANAMETHATUNIQUELYIDENTIFIESYOURAPPLICATIONFOREXAMPLE,IFYOURAPPLICATIONISNAMEDWHIZBANG,YOUSHOULDPROBABLYUSETHATFORTHESERVICENAME,TOOHOWEVER,THEPROGRAMPROBABLYWONTWORKUNTILTHESYSTEMADMINISTRATOREXPLICITLYCONFIGURESTHESYSTEMTOWORKWITHYOURSERVICESO,INTHISEXAMPLE,WEUSETHESUSERVICE,WHICHSAYSTHATOURPROGRAMSHOULDAUTHENTICATEUSERSINTHESAMEWAYTHATTHESUCOMMANDDOESYOUSHOULDNOTUSETHISTECHNIQUEINAREALPROGRAMPICKAREALSERVICENAME,ANDHAVEYOURINSTALLATIONSCRIPTSHELPTHESYSTEMADMINISTRATORTOSETUPACORRECTPAMCONFIGURATIONFORYOURAPPLICATIONTHESECONDARGUMENTISTHENAMEOFTHEUSERWHOMYOUWANTTOAUTHENTICATEINTHISEXAMPLE,WEUSETHEVALUEOFTHEUSERENVIRONMENTVARIABLENORMALLY,THISISTHEUSERNAMETHATCORRESPONDSTOTHEEFFECTIVEUSERIDOFTHECURRENTPROCESS,BUTTHATSNOTALWAYSTHECASEINMOSTREALPROGRAMS,YOUWOULDPROMPTFORAUSERNAMEATTHISPOINTTHETHIRDARGUMENTINDICATESTHEPAMCONVERSATION,DISCUSSEDPREVIOUSLYTHECALLTOPAM_STARTFILLSINTHEHANDLEPROVIDEDASTHEFOURTHARGUMENTPASSTHISHANDLETOSUBSEQUENTCALLSTOPAMLIBRARYROUTINESNEXT,THEPROGRAMCALLSPAM_AUTHENTICATETHESECONDARGUMENTENABLESYOUTOPASSVARIOUSFLAGSTHEVALUE0MEANSTOUSETHEDEFAULTOPTIONSTHERETURNVALUEFROMTHISFUNCTIONINDICATESWHETHERAUTHENTICATIONSUCCEEDEDFINALLY,THEPROGRAMSCALLSPAM_ENDTOCLEANUPANYALLOCATEDDATASTRUCTURESLETSASSUMETHATTHEVALIDPASSWORDFORTHECURRENTUSERIS“PASSWORD“ANEXCEPTIONALLYPOORPASSWORDTHENRUNNINGTHISPROGRAMWITHTHECORRECTPASSWORDPRODUCESTHEEXPECTEDIFYOURUNTHISPROGRAMINATERMINAL,THEPASSWORDPROBABLYWONTACTUALLYAPPEARWHENYOUTYPEITINITSHIDDENTOPREVENTOTHERSFROMPEEKINGATYOURPASSWORDOVERYOURSHOULDERASYOUTYPEHOWEVER,IFAHACKERTRIESTOUSETHEWRONGPASSWORD,THEPAMLIBRARYWILLCORRECTLYINDICATEFAILURETHEBASICSCOVEREDHEREAREENOUGHFORMOSTSIMPLEPROGRAMSFULLDOCUMENTATIONABOUTHOWPAMWORKSISAVAILABLEIN/USR/DOC/PAMONMOSTGNU/LINUXSYSTEMS106MORESECURITYHOLESALTHOUGHTHISCHAPTERWILLPOINTOUTAFEWCOMMONSECURITYHOLES,YOUSHOULDBYNOMEANSRELYONTHISBOOKTOCOVERALLPOSSIBLESECURITYHOLESAGREATMANYHAVEALREADYBEENDISCOVERED,ANDMANYMOREAREOUTTHEREWAITINGTOBEFOUNDIFYOUARETRYINGWOWRITESECURECODE,THEREISREALLYNOSUBSTITUTEFORHAVINGASECURITYEXPERTAUDITYOURCODE1061BUFFEROVERRUNSALMOSTEVERYMAJORINTERNETAPPLICATIONDAEMON,INCLUDINGTHESENDMAILDAEMON,THEFINGERDAEMON,THETALKDAEMON,ANDOTHERS,HASATONEPOINTBEENCOMPROMISEDTHROUGHABUFFEROVERRUNIFYOUAREWRITINGANYCODETHATWILLEVERBERUNASROOT,YOUABSOLUTELYMUSTBEAWAREOFTHISPARTICULARKINDOFSECURITYHOLEIFYOUAREWRITINGAPROGRAMTHATPERFORMSANYKINDOFINTERPROCESSCOMMUNICATION,YOUSHOULDDEFINITELYBEAWAREOFTHISKINDOFSECURITYHOLEIFYOUAREWRITINGAPROGRAMTHATREADSFILESORMIGHTREADFILESTHATARENOTOWNEDBYTHEUSEREXECUTINGTHEPROGRAM,YOUSHOULDBEAWAREOFTHISKINDOFSECURITYHOLETHATLASTCRITERIONAPPLIESTOALMOSTEVERYPROGRAMFUNDAMENTALLY,IFYOUREGOINGWOWRITEGNU/LINUXSOFTWARE,YOUOUGHTTOKNOWABOUTBUFFEROVERRUNSTHEIDEABEHINDABUFFEROVERRUNATTACKISTOTRICKAPROGRANINTOEXECUTINGCODETHATITDIDNOTINTENDTOEXECUTETHEUSUALMECHANISMFORACHIEVINGTHISFEATISTOOVERWRITESOMEPORTIONOFTHEPROGRAMSPROCESSSTACKTHEPROGRAMSSTACKCONTAINS,AMONGOTHERTHINGS,THEMEMORYLOCATIONTOWHICHTHEPROGRAMWILLTRANSFERCONTROLWHENTHECURRENTFUNCTIONRETURNSTHEREFORE,IFYOUCANPUTTHECODETHATYOUWANTTOHAVEEXECUTEDINTOMEMORYSOMEWHEREANDTHENCHANGETHERETURNADDRESSTOPOINTTOTHATPIECEOFMEMORY,YOUCANCAUSETHEPROGRAMTOEXECUTEANYTHINGWHENTHEPROGRAMRETURNSFROMTHEFUNCTIONITISEXECUTING,ITWILLJUMPTOTHENEWCODEANDEXECUTEWHATEVERISTHERE,RUNNINGWITHTHEPRIVILEGESOFTHECURRENTPROCESSCLEARLY,IFTHECURRENTPROCESSISRUNNINGASROOT,THISWOULDBEADISASTERIFTHEPROCESSISRUNNINGASANOTHERUSER,ITSADISASTER“ONLY“FORTHATUSERANDANYBODYELSEWHODEPENDSONTHECONTENTSOFFILESOWNEDBYTHATUSER,ANDSOFORTHIFTHEPROGRAMISRUNNINGASADAEMONANDLISTENINGFORINCOMINGNETWORKCONNECTIONS,THESITUATIONISEVENWORSEADAEMONTYPICALLYRUNSASROOTIFITCONTAINSBUFFEROVERRUNBUGS,ANYONEWHOCANCONNECTVIATHENETWORKTOACOMPUTERRUNNINGTHEDAEMONCANSEIZECONTROLOFTHECOMPUTERBYSENDINGAMALIGNANTSEQUENCEOFDATATOTHEDAEMONOVERTHENETWORKAPROGRAMTHATDOESNOTENGAGEINNETWORKCOMMUNICATIONSISMUCHSAFERBECAUSEONLYUSERSWHOAREALREADYABLETOLOGINTOTHECOMPUTERRUNNINGTHEPROGRAMAREABLETOATTACKITTHEBUGGYVERSIONSOFFINGER,TALK,ANDSENDMAILALLSHAREDACOMMONFLAWEACHUSEDAFIXEDLENGTHSTRINGBUFFER,WHICHIMPLIEDACONSTANTUPPERLIMITONTHESIZEOFTHESTRINGBUTTHENALLOWEDNETWORKCLIENTSTOPROVIDESTRINGTHATOVERFLOWEDTHEBUFFERFOREXAMPLE,THEYCONTAINEDCODESIMILARTOTHISTHECOMBINATIONOFTHE32CHARACTERBUFFERWITHTHEGETSFUNCTIONPERMITSABUFFEROVERRUNTHEGETSFUNCTIONREADSUSERINPUTUPUNTILTHENEXTNEWLINECHARACTERANDSTORESTHEENTIRERESULTINTHEUSERNAMEBUFFERTHECOMMENTSINTHECODEARECORRECTINTHATPEOPLEGENERALLYHAVESHORTUSERNAMES,SONOWELLMEANINGUSERISLIKELYTOTYPEINMORETHAN32CHARACTERSBUTWHENYOUREWRITINGSECURESOFTWARE,YOUMUSTCONSIDERWHATAMALICIOUSATTACKERMIGHTDOINTHISCASETHEATTACKERMIGHTDELIBERATELYTYPEINAVERYLONGUSERNAMELOCALVARIABLESSUCHASUSERNAMEARESTOREDONTHESTACK,SOBYEXCEEDINGTHEARRAYBOUNDS,ITSPOSSIBLETOPUTARBITRARYBYTESONTOTHESTACKBEYONDTHEAREARESERVEDFORTHEUSERNAMEVARIABLETHEUSERNAMEWILLOVERRUNTHEBUFFERANDOVERWRITEPARTSOFTHESURROUNDINGSTACK,ALLOWINGTHEKINDOFATTACKDESCRIBEDPREVIOUSLYFORTUNATELY,ITSRELATIVELYEASYTOPREVENTBUFFEROVERRUNSWHENREADINGSTRINGS,YOUSHOULDALWAYSUSEAFUNCTION,SUCHASGETLINE,THATEITHERDYNAMICALLYALLOCATESASUFFICIENTLYLARGEBUFFERORSTOPREADINGINPUTIFTHEBUFFERISFULLFOREXAMPLE,YOUCOULDUSETHISTHISCALLAUTOMATICALLYUSESMALLOCTOALLOCATEABUFFERBIGENOUGHTOHOLDTHELINEANDRETURNSITTOYOUYOUHAVETOREMEMBERTOCALLFREETODEALLOCATETHEBUFFER,OFCOURSE,TOAVOIDLEAKINGMEMORYYOURLIFEWILLBEEVENEASIERIFYOUUSECORANOTHERLANGUAGETHATPROVIDESSIMPLEPRIMITIVESFORREADINGINPUTINC,FOREXAMPLE,YOUCANSIMPLYUSETHISTHEUSERNAMESTRINGWILLAUTOMATICALLYBEDEALLOCATEDASWELLYOUDONTHAVETOREMEMBERTOFREEITOFCOURSE,BUFFEROVERRUNSCANOCCURWITHANYSTATICALLYSIZEDARRAY,NOTJUSTWITHSTRINGSIFYOUWANTTOWRITESECURECODE,YOUSHOULDNEVERWRITEINTOADATASTRUCTURE,ONTHESTACKORELSEWHERE,WITHOUTVERIFYINGTHATYOURENOTGOINGTOWRITEBEYONDITSREGIONOFMEMORY1062RACECONDITIONSIN/TMPANOTHERVERYCOMMONPROBLEMINVOLVESTHECREATIONOFFILESWITHPREDICTABLENAMES,TYPICALLYINTHE/TMPDIRECTORYSUPPOSETHATYOURPROGRAMPROG,RUNNINGASROOT,ALWAYSCREATESATEMPORARYFILECALLED/TMP/PROGANDWRITESSOMEVITALINFORMATIONTHEREAMALICIOUSUSERCANCREATEASYMBOLICLINKFORM/TMP/PROGTOANYOTHERFILEONTHESYSTEMWHENYOURPROGRAMGOESTOCREATETHEFILE,THEOPENSYSTEMCALLWILLSUCCEEDHOWEVER,THEDATATHATYOUWRITEWILLNOTGOTO/TMP/PROGINSTEAD,ITWILLBEWRITTENTOSOMEARBITRARYFILEOFTHEATTACKERSCHOOSINGTHISKINDOFATTACKISSAIDTOEXPLOITARACECONDITIONTHEREISIMPLICITLYARACEBETWEENYOUANDTHEATTACKERWHOEVERMANAGESTOCREATETHEFILEFIRSTWINSTHISATTACKISOFTENUSEDTODESTROYIMPORTANTPARTSOFTHEFILESYSTEMBYCREATINGTHEAPPROPRIATELINKS,THEATTACKERCANTRICKAPROGRAMRUNNINGASROOTTHATISSUPPOSEDTOWRITEATEMPORARYFILEINTOOVERWRITINGANIMPORTANTSYSTEMFILEINSTEADFOREXAMPLE,BYMAKINGASYMBOLICLINKTO/ETC/PASSWD,THEATTACKERCANWIPEOUTTHESYSTEMSPASSWORDDATABASETHEREAREALSOWAYSINWHICHAMALICIOUSUSERCANOBTAINROOTACCESSUSINGTHISTECHNIQUEONEATTEMPTATAVOIDINGTHISATTACKISTOUSEARANDOMIZEDNAMEFORTHEFILEFOREXAMPLE,YOUCOULDREADFROM/DEV/RANDOMTOGETSOMEBITSTOUSEINTHENAMEOFTHEFILETHISCERTAINLYMAKESITHARDERFORAMALICIOUSUSERTOGUESSTHEFILENAME,BUTITDOESNTMAKEITIMPOSSIBLETHEATTACKERMIGHTJUSTCREATEALARGENUMBEROFSYMBOLICLINK,USINGMANYPOTENTIALNAMESEVENIFSHEHASTOTRY10,000TIMESBEFOREWININGTHERACECONDITION,THATONETIMECOULDBEDISASTROUSANOTHERAPPROACHISTOUSETHE0_EXCLFLAGWHENCALLINGOPENTHISFLAGCAUSESOPENTOFAILIFTHEFILEALREADYEXISTSUNFORTUNATELY,IFYOUREUSINGTHENETWORKFILESYSTEMNFS,ORIFANYONEWHOSUSINGYOURPROGRAMMIGHTEVERBEUSINGNFS,THATSNOTASUFFICIENTLYROBUSTAPPROACHBECAUSE0_EXCLISNOTRELIABLEWHENNFSISINUSEYOUCANTEVERREALLYKNOWFORSUREWHETHERYOURCODEWILLBEUSEDONASYSTEMTHATUSESNFS,SOIFYOUREHIGHLYPARANOID,DONTRELYONUSING0_EXCLINCHAPTER2,“WRITINGGOODGNU/LINUXSOFTWARE“,SECTION217“USINGTEMPORARYFILES“,WESHOWEDHOWTOHOWTOUSEMKSTEMPTOCREATETEMPORARYFILESUNFORTUNATELY,WHATMKSTEMPDOESONLINUXISOPENTHEFILEWITH0_EXCLAFTERTRYINGTOPICKANAMETHATISHARDTOGUESSINOTHERWORDS,USINGMKSTEMPISSTILLINSECRUEIF/TMPISMOUNTEDOVERNFSSO,USINGMKSTEMPISBETTERTHANNOTHING,BUTITSNOTFULLYSECUREONEAPPROACHTHATWORKSISTOCALLLSTATONTHENEWLYCREATEDFILETHELSTATFUNCTIONISLIKESTAT,EXCEPTTHATIFTHEFILEREFERREDTOISASYMBOLICLINK,LSTATTELLSYOUABOUTTHELINK,NOTTHEFILETOWHICHITREFERSIFLSTATTELLSYOUWHATYOURNEWFILEISANORDINARYFILE,NOTASYMBOLICLINK,ANDTHATITISOWNEDBYYOU,THENYOUSHOULDBEOKAYLISTING105PRESENTSAFUNCTIONTHATTRIESTOSECURELYOPENAFILEIN/EMPTHEAUTHORSOFTHISBOOKHAVENOTHADITAUDITEDPROFESSIONALLY,NORAREWEPROFESSIONALSECURITYEXPERTS,SOTHERESAGOODCHANCETHATITHASAWEAKNESS,TOOWEDONOTRECOMMENDTHATYOUUSETHISCODEWITHOUTGETTINGANAUDIT,BUTITSHOULDATLEASTCONVINCEYOUTHATWRITINGSECURECODEISTRICKYTOHELPDISSUADEYOU,WEVEDELIBERATELYMAKETHEINTERFACEDIFFICULTTOUSEINREALPROGRAMSERRORCHECKINGISANIMPORTANTPARTOFWRITINGSECURESOFTWARE,SOWEVEINCLUDEERRORCHECKINGLOGICINTHISEXAMPLETHISFUNCTIONCALLSOPENTOCREATETHEFILEANDTHENCALLSLSTATAFEWLINESLATERTOMAKESURETHATTHEFILEISNOTASYMBOLICLINKIFYOURETHINKINGCAREFULLY,YOULLREALIZETHATTHERESEEMSTOBEARACECONDITIONATTHISPOINTINPARTICULAR,ANATTACKERCOULDREMOVETHEFILEANDREPLACEITWITHASYMBOLICLINKBETWEENTHETIMEWECALLOPENANDTHETIMEWECALLLSTATTHATWONTHARMUSDIRECTLYBECAUSEWEALREADYHAVEANOPENFILEDESCRIPTORTOTHENEWLYCREATEDFILE,BUTITWILLCAUSEUSTOINDICATEANERRORTOOURCALLERTHISATTACKDOESNTCREATEANYDIRECTHARM,BUTITDOWSMAKEITIMPOSSIBLEFOROURPROGRAMTOGETITSWORKDONESUCHANATTACKISCALLEDADENIALOFSERVICEATTACKFORTUNATELY,THESTICKYBITCOMESTOTHERESCUEBECAUSETHESTICKYBITISSETON/EMP,NOBODYELSECANREMOVEFILESFROMTHATDIRECTORYOFCOURSE,ROOTCANSTILLREMOVEFILESFROM/TMP,BUTIFTHEATTACKERHASROOTPRIVILEGE,THERESNOTHINGYOUCANDOTOPROTECTYOURPROGRAMIFYOUCHOOSETOASSUMECOMPETENTSYSTEMADMINISTRATION,THEN/TMPWILLNOTBEMOUNTEDVIANFSANDIFTHESYSTEMADMINISTRATORWASFOOLISHENOUGHTOMOUNT/TMPOVERNFS,THENTHERESAGOODCHANCETHATTHESTICKYBITISNTSET,EITHERSO,FORMOSTPRACTICALPURPOSES,WETHINKITSSAFETOUSEMKSTEMPBUTYOUSHOULDBEAWAREOFTHESEISSUES,ANDYOUSHOULDDEFINITELYNOTRELYON0_EXCLTOWORKCORRECTLYIFTHEDIRECTORYIINUSEISNOT/TMPNORYOUSHOULDRELYONTHESTICKYBITBEINGSETANYWHEREELSE中文翻译请注意，当程序运行时，有效的用户ID会被设置成0。你可以使用CHMOD命令加上US来给一个可执行文件分别的设置SETUID和SETGID，举例来说代码段你同样可以使用CHMOD来访问S_ISUID或者S_ISGID模式的标志位。SU能够通过这种机制来改变有效用户ID。当它开始运行时，会使用0作为有效用户ID。然后它会提示你输入密码。如果你所输入的密码与ROOT密码相吻合，它会将它现在的用户ID设置成ROOT并且创建一个新的SHELL。否则的话，它会将你作为一个没有权限的用户并退出。请看SU程序上的权限请注意，它被ROOT用户所拥有，并且它的SETUID位已经被设置为1。请注意，在正在运行的SHELL上，SU并没有真正改变用户ID。系统使用这个新的用户ID创建了一个新的SHELL进程作为代替。最初的SHELL会一直处于锁定状态，知道这个新的SHELL被完成或者退出。105鉴别用户通常的，如果你拥有一个ESTUID程序，你并不希望向每个人都提供它的服务。举例来说，只有你知道ROOT密码的时候，SU的程序才会将你改为ROOT。系统在你有其他动作前会要求你证明你有资格成为ROOT。这种方法被称为鉴别SU的程序在检查你是否是可信的。如果你在管理一个非常安全的系统，你可能不会希望人们仅仅通过敲入几个平常的密码就能登入你的系统。用户设置密码，黑客尝试去破解它们。由于用户通常会选用由他们的生日或者他们宠物的名字所组成的密码，所以密码密码并不是那么的安全。举例来说，当前许多组织要求用户使用特殊的“一次性”密码，这些密码由用户保管的特殊电子ID卡所生成。同样的密码无法被使用两次，并且用户在被要求输入电子卡生成的密码的同时还会被要求输入PIN码。所以，一个攻击者必须同时持有密码和PIN码才能进入系统。在一个真正安全的设备上，视网膜扫描或者其他种类的生物检测是会被运用的。如果你正在编写一个需要鉴定用户的程序，你应该允许管理者在他的设备上使用任何能帮助他完成鉴别的方法。GNU/LINUX自带了一个非常有用的库，使得这个过程变的非常简单。这个工具叫做PLUGGABLEAUTHENTICATIONMODULES，简称PAM，它使得系统管理员完成合适的用户鉴别变的非常简单。很容易看出PAM是如何在一个简单的PAM应用程序上工作的。例104说明了对PAM的使用方法。代码段要完成这个程序，你需要对两个库进行链接LIBPAM库和帮助库LIBPAM_MISCGCCOPAMPAMCLPAMLPAM_MISC这个程序由创建一个PAM对话对象开始。这个对象被PAM库所使用，用来随时的提示用户输入信息。在这个例子中MISC_CONV函数是一个标准的使用了输入输出终端的对话函数。你需要编写你自己的对话框函数，或语音输入输出函数，或者使用其他其他方法来完成输入输出的函数。这个叫做PAM_START的程序。这个函数初始化了PAM库。第一步提示输入的服务器名称。你应该使用一个独特的名字来鉴别你的应用程序。举例来说，如果你的应用程序叫做WHIZBANG，你应该使用同样的名字作为服务器名。但是，除非是系统管理员明确的设定为系统使用你的服务来工作，否则系统将不会工作。所以，在这个例子中，我们使用的SU的服务，它指出我们的程序将使用和SU命令同样的方式来鉴别用户。你不应该在一个真正的程序当中运用此技术。选用一个真正的服务名称，并保存你的原始安装文件来帮助系统管理员为你的程序配置正确的PAM。第二步是输入你想鉴别的用户名。在这个例子中，我们使用于户环境变量的值（通常来说，这是与当前进程的有效用户ID想符的用户名，但事实并不总是如此）在大多数的程序中，你会在这里提示输入一个用户名。第三步简单的描述了先前讨论过的PAM。通过对PAM_START的调用将句柄传递给了第四步，并将这个句柄传递给了PAM的库。接着，程序调用PAM_AUTHENTICATE。第二步使你能够传递各种标志位；0值以为着使用默认的选项。这个函数的返回值意味这用户鉴别是否成功。最后，程序调用PAM_END来清除本地数据结构。让我们假设当前用户的有效密码是“PASSWORD“。那么使用正确的密码运行程序后会出现如下的提示代码段如果你在一台终端设备上运行这个程序的话，输入的密码应该是不会被显示出来的；以防有人在你输入密码时从你的身后偷看。无论如何，如果一个黑客试图使用错误的密码，PAM库会明确的指出失败代码段这里所隐藏的基础对大多数简单的程序来说是足够的。在大多数GNU/LINUX系统中，关于PAM如何运做的全部文档被保存在/USR/DOC/PAM中。106更多安全漏洞尽管这一章中会指出少数平常的安全漏洞，请绝对不要以为这就足以应对所有的安全漏洞。很大一部分的安全漏洞已经被发现，但是还有更多有待于发现的。如果你在尝试编写安全性的代码，没有什么办法会比找一个这方面的专家来审查你的代码更好。1061缓冲超载几乎所有的INTERNET应用程序，包括邮件发送程序，守护进程，对话程序，以及其他，至少会有一处考虑到了缓冲超载的问题。如果你在编写任何将作为ROOT运行的代码，你都必将考虑到这种特殊的安全漏洞。如果你在编写一个带有执行进程间通信的程序，你应该明确的了解这种安全漏洞。如果你在编写一个带有读不属于执行用户的文件的操作（或者是有可能带有此操作）的程序，你也该知道这种安全漏洞。这些规范几乎应用于所有的应用程序。从根本来说，只要你想编写一个GNU/LINUX软件，你就应该知道缓冲超载。造成缓冲超载的方法是试图让程序去执行一段它本不该执行的代码。想要达到这个目的的通常方法，是给程序进程使用的栈加载一部分。程序使用的栈包括，当程序转让控制权的当前函数返回时的内存地址，如果你能将你想执行的代码添加到内存中，然后改变地址，让指针指向你所添加的代码，你可以让程序执行任何你想要的代码。当程序返回的函数正在执行时，它将回跳转到新添加的代码并执行，不论那是什么代码，带着当前进程的特权运行。很显然，如果当前的进程是作为ROOT运行的，这将会是场灾难。如果进程是由其他用户运行的，对这个用户来说这会非常糟糕，同时还有那些需要此用户所拥有的文件的人，等等。如果这个程序是作为一个DAEMON来运行的并监听着网络连接，情况会更糟糕。DAEMON是典型的由ROOT运行的程序。如果它存在缓存超载的BUG，那么任何人都可以通过向DAEMON发送一个恶性的数据顺序，由此通过网络连接到这台计算机上并控制它。一个不需要连接到网络的程序会更安全些，因为只有那些可以在这台计算机上登陆并运行这个程序的人才有机会攻击它。邮件发送程序，守护进程，对话程序都有一个共同的缺陷。它们各使用一个固定长度的字符缓存，这就导致了输入的字符是有长度限制的，但它们又允许网络客户端传给它们大于缓存能容纳最大长度的字符。举例来说，他们包含了类似如下的代码代码段32位缓存与GETS函数的组合造成了缓存溢出。GETS函数读取用户输入时，直到下一个换行符才将整个结果储存到用户名的缓存中。一般来说，在用户名很短的情况下，上面的代码注解是正确的，一般正常的用户不会用一个超过32字节的用户名。但是在你编写一个安全的软件时，你必须考虑到一个恶意的攻击这会做什么。在这种情况下，攻击者很可能会输入一个很长的用户名。本地的诸如用户名一类的变量被储存在栈中，所以通过插入一个过长的数组，是可以在栈里为用户名变量保留的区域之上添加任意字符的。这个用户名会使缓存超载和一部分周围的栈溢出，先前已经描述过