Security Protocols and Standards 07a: Linux Security (Kernel)

Slide 1: 2008, 10

Slide 2: Users and files: from POST to sh

Slide 3: Authentication and Authorization; PAM (Pluggable Authentication Modules); SUID permission (setuid etc.)

Slide 4: Authentication: who is who. Authorization: what one is allowed to do. Means of authentication: information such as passwords, tokens, cards, fingerprints or voice. Means of authorization: the access control matrix (ACL/ACM).

Slide 5: Traditional AA: every application manages it by itself. PAM: a standard library. PAM in Linux.

Slide 6: PAM was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) 86.0 dated October 1995. It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone infrastructure, PAM first appeared from an open-source, Linux-PAM, development in Red Hat Linux 3.0.4 in August 1996. PAM is currently supported in the AIX operating system, DragonFly BSD, FreeBSD, HP-UX, Linux, Mac OS X, NetBSD and Solaris. PAM was later standardized as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard.

Slide 7: Every application required its own security and authentication mechanism.

Slide 8: "is this user authorized to use me?"

Slide 9: (no text)

Slide 10: PAM is used, for example, to dynamically link system binaries. (Dynamic linking does necessitate a recovery mechanism to address potential problems in the linker or in shared libraries. One way of implementing a recovery mechanism is to supply a /rescue directory that contains statically linked versions of important system binaries. This method is used in both NetBSD and FreeBSD.)

Slide 11: The first part is libpam, the library that implements the PAM API. The second part is the PAM configuration file, /etc/pam.conf. The third part is a set of dynamically loadable binary objects, usually used to invoke the service modules that do the actual authentication work. The last part consists of the system commands that use the PAM API, such as login, su, etc.

Slide 12: The PAM application API:

    #include <security/pam_appl.h>
    #include <security/pam_misc.h>
    int pam_start(...);
    int pam_end(...);
    const char *pam_strerror(...);
    pam_set_item(); pam_get_item();
    pam_authenticate(); pam_chauthtok();

Slide 13: (no text)

Slide 14: pam_login is written specifically for PAM authentication. It is based on the version from the util-Linux package, from which all code for non-PAM support was removed. Instead, support for the most important features of the login program from the shadow suite was added. (pam_login-3.14.tar.bz2)

Slide 15: X/Open Single Sign-on Service (XSSO) - Pluggable Authentication Modules

Slide 16: Authorization in Linux is based on an exception: root is allowed to do everything. Once logged in, users cannot change their identity, except through a SUID program, which allows them to run a command as someone else (most often root).

Slide 17: user id and group id:

    # cat /etc/passwd    (and /etc/shadow)
    # cat /etc/group

Slide 18:

    linden@localhost $ ll
    total 0
    -rw-rw-r-- 1 linden linden 0 2007-12-10 20:28 my.doc

File type column: d | l | b | c; permission bits: r w x | s

Slide 19:

    Perm        File                                   Directory
    r           read                                   list
    w           change content                         change (add/remove entries)
    x           execute                                can cd into it
    SUID        program runs with the effective        N/A
                user ID of the owner
    SGID        program runs with the effective        files created in the dir inherit
                GID of the owner                       the same GID as the dir
    Sticky bit  N/A                                    only the owner of the file or the
                                                       owner of the dir may delete files
                                                       in this dir

Slide 20:

    # ls -l
    # chmod     # set permissions
    # chown     # change owner and group
    # chgrp     # change group ownership
    umask

Slide 21: Sometimes an unprivileged user needs to accomplish a task. One example is the passwd program, which lets users change their password; that requires changing the password field of /etc/passwd. A system administrator would never give ordinary users the right to modify that file directly, because that is simply not a good idea. SUID/SGID was born to solve this problem. UNIX allows a program to be granted authority: while it runs it has superuser privileges, and when it finishes the user is back to ordinary privileges. The idea was so good that AT&T patented it. The real UID of a running SUID/SGID program can be changed with the setuid() function.

Slide 22: (no text)

Slide 23: Examples of SUID programs: passwd: allows users to update the /etc/shadow file; mount: allows users to mount a floppy or CD; su: runs a shell as another user, after supplying the password; sudo: runs a particular command as another user; various games (to track high scores). All SUID programs should be known to the administrator and checked/updated for security problems.

Slide 24: Find files with the SUID bit:

    # find /usr/bin -type f -perm -4000 -print

and with the SGID bit:

    # find /usr/bin -type f -perm -2000 -print

Slide 25: Files writable by anyone (or by the whole group) may be leftovers of an intrusion:

    # find . -perm -2 -print
    # find . -perm -20 -print

Files with no owner or no group:

    # find /dev -nouser -print
    # find /dev -nogroup -print

Slide 26: CMOS password; LILO/GRUB password; disk/partition encryption; virtual disks; file permissions; access control; privileged operations; event auditing.

Slide 27: Searching Debian package sources; Fedora 8; Red Hat Enterprise Linux 5.

Slide 28: For reading source code, LXR is the first choice; Source Insight or Source-Navigator can also be used. LXR can be installed locally, or one of the public LXR instances on the web can be used. The local temporary LXR (2.6.21.5) is outdated.

Slide 29: (no text)

Slide 30: Power button, power on, BIOS self test, passwd. Power-on password vs. CMOS password. Entering CMOS setup, typical keys: Del, F1, F2, Tab, Esc. BIOS / passwd / CMOS battery.

Slide 31: Single-user mode. Setting a password in lilo.conf (the slide gives the path as /?/lilo.conf):

    restricted
    password=a3xsf8d

How the LILO password takes effect: read the LILO sources bootsect.S, bsect.c and lilo.c (lilo_22.6.1.orig.tar.gz).

Slide 32: GRUB's password mechanism, /boot/grub/grub.conf:

    password --md5 <md5-hash>

After this line a password must be entered before any further operation in GRUB. A password can also be enabled for one entry on its own (as given on the slide):

    password /boot/grub/menu-admin.lst

The lock option is also available. To produce the MD5 hash: grub-md5-crypt (grub_0.97.orig.tar.gz).

Slide 33: The kernel image is read into memory by LILO/GRUB (Linux once had its own bootsect), decompressed, relocated, and control jumps to the kernel, which executes from start_kernel(). The kernel does its important initialization, then creates kernel thread number 1, init, which loads /sbin/init (configuration file /etc/inittab).

Slide 34: The kernel then starts the user process init:

    start_kernel();
      rest_init();
        kernel_thread(init, NULL, CLONE_KERNEL);   /* = init() */
          run_init_process("/sbin/init");
            execve(init_filename, argv_init, envp_init);

init reads its configuration file inittab. A few lines from /etc/inittab:

    # Run gettys in standard runlevels
    1:2345:respawn:/sbin/mingetty tty1
    2:2345:respawn:/sbin/mingetty tty2
    3:2345:respawn:/sbin/mingetty tty3

Slide 35: sysvinit_2.86.ds1.orig.tar.gz

Slide 36: Looking up where mingetty comes from:

    # rpm -qf /sbin/mingetty
    mingetty-1.06-2

Google("mingetty"), Debian software package directories; download mingetty_0.9.4.orig.tar.gz and get the single source file mingetty.c (also mingetty_1.07.orig.tar.gz).

Slide 37: in mingetty.c:

    do_prompt();   /* show login prompt, optionally preceded by /etc/issue contents */
    open_tty();    /* set up tty as standard input, output, error */
    while ((logname = get_logname()) == 0)
        ;
    execl(_PATH_LOGIN, _PATH_LOGIN, "--", logname, NULL);

Note: it reads the user name from the given tty, then starts the login program.

Slide 38: /dev/tty0, /dev/pts/0; tty_init, vty_init, kbd_init. From the kernel's tty code:

    static struct cdev tty_cdev, console_cdev;
    #ifdef CONFIG_UNIX98_PTYS
    static struct cdev ptmx_cdev;
    #endif
    #ifdef CONFIG_VT
    static struct cdev vc0_cdev;
    #endif

Slide 39: in login.c:

    retcode = pam_get_item(pamh, PAM_USER, (const void **) &username);
    pp = getpass(_("Password: "));
    p = crypt(pp, salt);                       /* hash the typed password */
    memset(pp, 0, strlen(pp));                 /* wipe the cleartext */
    if (pwd && !strcmp(p, pwd->pw_passwd))     /* hash matches */
        break;

The user gets several attempts at the password, but with a deliberate delay; after several failures login exits and init starts mingetty again.

Slide 40:

    childPid = fork();
    if (childPid) {
        wait(NULL);        /* the login process waits */
        exit(0);
    }
    /* below: the child process, which becomes the user's shell */
    setsid();
    opentty(ttyn);
    setuid(pwd->pw_uid);
    chdir(pwd->pw_dir);
    execvp("/bin/sh", ...);   /* as on the slide: /bin/sh -sh -c "exec <pwd->pw_shell>" */

Slide 41: login.c in PAM: shadow_4.0.18.1.orig.tar.gz

Slide 42: setuid()/setgid() enter sys_setuid(); setreuid()/setregid() enter sys_setreuid(). In the PCB (struct task_struct):

    /* process credentials */
    uid_t uid, euid, suid, fsuid;
    gid_t gid, egid, sgid, fsgid;
    int ngroups;
    gid_t groups[NGROUPS];
    kernel_cap_t cap_effective, cap_inheritable, cap_permitted;
    int keep_capabilities:1;
    struct user_struct *user;

Slide 43: Bash

Slide 44: When a user uses a file, how does the Linux kernel use the permission information for access control? The user's identity vs. the file's permission information. A typical data file: -rw-r--r--, readable and writable by the owner, read-only for everyone else.

    int fd = open("my_or_your_", r|w|x, m);   /* slide shorthand for the flags */

Opens the file for reading/writing/executing; if a new file is created, mode gives its permission attributes.

    long sys_open(..., flags, mode)

Slide 45: sys_open() -> filp_open() -> open_namei() -> may_open() -> permission()

Slide 46:

    int permission(struct inode *inode, int mask, struct nameidata *nd)
    {
        int retval;
        int submask;

        /* Ordinary permission routines do not understand MAY_APPEND. */
        submask = mask & ~MAY_APPEND;

        if (inode->i_op && inode->i_op->permission)
            retval = inode->i_op->permission(inode, submask, nd);
        else
            retval = vfs_permission(inode, submask);
        if (retval)
            return retval;

        return security_inode_permission(inode, mask, nd);
    }

Slide 47: In which function could the code be modified so that a particular user gets arbitrary permissions? sys_open()? permission()? vfs_permission()? security_inode_permission()?

Slide 48: /etc/passwd contains two ordinary users, linden and susan:

    linden:x:500:500:/home/
