安全协议与标准07a-Linux安全(内核)

linfb@sdu.edu.cn2008,10ΓВ用户与文件↓从POST到sh↓ΓВ认证、授权Authentication、AuthorizationPAMPluggableAuthenticationModulesSUIDPermissionsetuidetcΓВ认证/鉴别Authentication•谁是谁授权Authorization•能干什么鉴别手段•基于口令/令牌/卡/指纹/声音等信息授权方法•访问控制矩阵ACL/ACMΓВ传统的AA•应用程序自己管理PAM•标准库PAMinLinuxΓВPAMwasfirstproposedbySunMicrosystemsinanOpenSoftwareFoundationRequestforComments(RFC)86.0datedOctober1995.ItwasadoptedastheauthenticationframeworkoftheCommonDesktopEnvironment.Asastand-aloneinfrastructure,PAMfirstappearedfromanopen-source,Linux-PAM,developmentinRedHatLinux3.0.4inAugust1996.PAMiscurrentlysupportedintheAIXoperatingsystem,DragonFlyBSD,FreeBSD,HP-UX,Linux,MacOSX,NetBSDandSolaris.PAMwaslaterstandardizedaspartoftheX/OpenUNIXstandardizationprocess,resultingintheX/OpenSingleSign-on(XSSO)standard.ΓВEveryapplicationrequireditsownsecurityandauthenticationmechanism.ΓВ“isthisuserauthorizedtouseme?”ΓВΓВPAMisused,forexample,todynamicallylinksystembinaries.•(Dynamiclinkingdoesnecessitatearecoverymechanismtoaddresspotentialproblemsinthelinkerorinsharedlibraries.Onewayofimplementingarecoverymechanismistosupplya/rescuedirectorythatcontainsstaticallylinkedversionsofimportantsystembinaries.ThismethodisusedinbothNetBSDandFreeBSD.)ΓВ第一部分是libpam,是实现PAMAPI的库，第二部分是PAM配置文件，/etc/pam.conf,第三部分有一套动态可装载两进位对象组成，常常用来调用一些处理实际鉴别(authentication)工作的服务模块。最后模块是使用PAMAPI的系统命令组成，如login,us,ftp,telnetetcΓВ#includesecurity/pam_appl.h#includesecurity/pam_misc.hintpam_start(..);intpam_end(..);constchar*pam_strerror(..);pam_set_item();pam_get_item();pam_authenticate();pam_chauthtok();…ΓВΓВpam_loginiswrittenspecificlyforPAMauthentication.Itisbasedontheversionfromtheutil-Linuxpackage,fromwhichallcodefornon-PAMsupportwasremoved.Instead,supportforthemostimportantfeaturesoftheloginprogramfromtheshadowsuitewasadded.pam_login-3.14.tar.bz2ΓВX/OpenSingleSign-onService(XSSO)-PluggableAuthenticationModules•ΓВAuthorizationinLinuxbasedonfilepermissions•Exception:rootisallowedtodoeverythingOnceloggedin,userscannotchangetheiridentity•exceptthroughaSUIDprogram,whichallowsthemtorunacommandassomeoneelse(mostoftenroot)ΓВuseruseridgroupgroupid#cat/etc/passwd|shadow#cat/etc/groupsΓВ[linden@localhost~]$lltotal0-rw-rw-r--1lindenlinden02007-12-1020:28my.docd|l|b|crwx|sΓВPermFileDirectoryRreadlistWchangechangecontentXexecutecan‘cd’SUIDProgramrunswitheffectiveN/AuserIDofownerSGIDProgramrunswitheffectiveFilescreatedindirinheritGIDofownerthesameGIDasthedirStickybitN/AOnlytheownerofthefileandtheownerofthedirmaydeletefilesinthisdirΓВ#ls-l#chmod##Settingfilepermissions#chown##changefileownerandgroup#chgrp##changegroupownershipumaskΓВ有时，没有被授权的用户需要完成某项任务。一个例子是passwd程序，它允许用户改变口令，这就要求改变/etc/passwd文件的口令域。然而系统管理员决不允许普通用户拥有直接改变这个文件的权利，因为这绝对不是一个好主意。为了解决这个问题，SUID/SGID便应运而生。UNIX允许程序被授权，当程序被执行的时候，拥有超级用户的权限，完成时又回到普通用户的权限。这个主意很好，所以AT&T对它申请了专利。SUID/SGID程序在执行时的RealUid可以通过函数setuid()改变。ΓВΓВExamplesofSUIDprograms:•passwd:Allowsuserstoupdatethe/etc/shadowfile•mount:AllowsuserstomountafloppyorCD•su:Runsashellasanotheruser,aftersupplyingthepassword•sudo:Runsaparticularcommandasanotheruser•Variousgames(totrackhighscores)AllSUIDprogramsshouldbeknowntotheadministratorandchecked/updatedforsecurityproblemsΓВ查找SUID属性文件#find/usr/bin-typef-perm-2000-printSGID#find/usr/bin-typef-perm-4000-printΓВ任何人(同组)都可写的文件，可能是入侵的遗留#find.-perm-2-print#find.-perm-20无主文件#find/dev-nouser-print#find/dev-nogroup-printΓВCMOS口令LILO/GRUB口令磁盘/分区加密•虚拟磁盘文件权限访问控制特权操作事件审计ΓВ搜索Debian的软件包源码••Fedora8•RedHatEnterpriseLinux5••ΓВ看源码的工具，首推LXR，其次也可以使用sourceinsight或则source-navigator。LXR可以自己安装也可以使用网上公用的LXR，如。本地临时的LXR(2.6.21.5)••outdateΓВΓВPowerButtonPowerOnBIOSSelfTestPasswd•开机口令vs.CMOS口令进入CMOS•典型按键：del,f1,f2,tab,esc,BIOS/passwd/CMOS电池ΓВsinglemode在/?/lilo.conf中设定口令…restrictedpassword=a3xsf8d…lilo口令的作用过程•查lilo的源程序bootsect.S，bsect.c，lilo.clilo_22.6.1.orig.tar.gzΓВGrub的口令机制/boot/grub/grub.confpassword--md5PASSWD•则必须先输入口令才能进一步操作grub•或者单独针对某项启用口令passwordPASSWD/boot/grub/menu-admin.lst•还有lock选项可用为了产生md5后的PASSWDgrubmd5cryptgrub_0.97.orig.tar.gzΓВKernelimage被lilo/grub（曾经linux有自己的bootsect）读入到内存，解压缩，重定位，跳转到Kernel从start_kernel()被执行••做了重要的初始化，然后Kernel创建1号内核线程init，其装载/sbin/init（配置文件是/etc/inittab）。ΓВKernel然后启动用户进程initstart_kernel();└─rest_init();└─kernel_thread(init,NULL,CLONE_KERNEL);=init()└─run_init_process(/sbin/init);└─execve(init_filename,argv_init,envp_init);init读取配置文件inittab/etc/inittab中的几行：…#Rungettysinstandardrunlevels1:2345:respawn:/sbin/mi