Chapter 4 Problem
1, when there chroot principles, such as:
1) Close file descriptor before chroot; 2) in the chroot run in non-root user; 3) the right to "give up" permission; 4) the use of significant chdir type into the jail; 5) make as root jailed file management
issues: understanding the application of the principles chroot, and explain what security issues do not occur if you are the attacker will be how to attack for different situations. Explain how each attacking or what actions can be taken to avoid these problems.
Close file descriptor before (1) chroot.
Each process has a record entry in the process table, each record contains an open file descriptor entry, include: file descriptor flag, a pointer to a file entries.
dup function to copy an existing file descriptor.
By guessing the file descriptor, you can use open files, open files for read, write, execute.
So close the file descriptor, can prevent files from being illegal operation.
(2) non-root user to run chroot environment
because a user may only run chroot root. It should prevent users from a setuid program (such as a false / etc / passwd file) into a special preparation of the chroot environment in order to avoid being cheated to obtain elevated privileges
chroot are not completely safe on all systems. Because chroot environment under root privileges, once the break will affect the root chroot security
(3) the right to "give up" privileges.
Program uses "saved" uid switch non-root user and root user
using an unambiguous function setresuid () seteuid (), setreuid ().
(4) the use of explicit chdir into the jail
does not enter the jail folder, it did not enter the virtual environment. Into the external environment through the virtual root directory.
(5) as far as possible root file management jailed
root file management, system updates, upgrades, the virtual environment can automatically upgrade, or to manually upgrade alone.
a lot of the root user application management, system management methods should be used.
2, compared to chroot ability and root division two management methods, to analyze the scenarios and security. Which way more secure?
Chroot main application startup requires root privileges, do not use or rarely use root after starting the root of the scene. After the service is started, and a main service requires root code permission codes can be peeled apart for use chroot.
root-bit capability, the ability to apply to a bit role clarity, and the ability to place other services very clear distinction scenes. Such as the ability to kill is to kill the process, root can be used to kill other users' ability to kill processes. root process management, still need to pay attention to safety when using document management capability bit.
Chroot the process limit in a limited space, it does not affect other processes. Chroot create a virtual operating system environment. Running multiple virtual servers on a single core, single operating system. After chroot, under the new root to access the root directory structure and file is less than the old system, thus enhancing the security of the system.
Linux kernel root privileges will be divided into multiple capabilities. When the high root privileges granted to a process, you can use the high privilege ordinary user at runtime. Also a great impact on the system.
For example, to / bin / chown procedures for the award cap_chown ability, so the average user can use the / bin / chown program change any file owner.
Therefore, when using the ability to place the root, we must carefully consider what can be granted the ability to place and under what circumstances, minimize the time the average user the ability to use root bit. If the ability to improper root-bit applications, the system will cause more damage.
3, root executable permissions are given the ability of a setuid, and support capability of the system to an executable program, what is the difference between these two methods? You tend to choose which way to set permissions, and explain why.
4, the support capability of the linux system, CAP_SYS_MODULE, function and use CAP_LINUX_IMMUTABLE capacity.
Delete some ability to protect the system when the system boots. For example, to protect the integrity of the system tools and logs.
CAP_LINUX_IMMUTABLE capabilities, and allows you to modify IMMUTABLE APPEND file attribute flags. No system startup CAP_LINUX_IMMUTABLE ability, an attacker can not remove their attack trajectory, can not install a backdoor tool, system log file to "append-only", system tools are not deleted and modified.
CAP_SYS_MODULE capability, allows modification of system kernel. No CAP_SYS_MODULE capacity at system startup, the attacker can not modify the kernel of the system. System kernel has been altered, need to restart the system to use the new kernel. So, for 24-hour online servers running, it is CAP_SYS_MODULE ability to modify the kernel does not require system upgrades and other operations, to remove the system.
5, the ability to set the root support system, a combination of ability, provided several systems to high-level from low-level operation
example:
(1) setting network service capability, the CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST ability to open, network service capability can be obtained.
(2) has a root file management capabilities. Granted CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH ability to
CAP_DAC_OVERRIDE ignored DAC restrict access to files for all 1
CAP_DAC_READ_SEARCH 2 ignore all restrictions to read, search operation
user management capabilities (3) has the root. Granted CAP_SETGID, CAP_FSETID ability.
CAP_FSETID 4 allows setuid bit
CAP_SETGID 6 allows to change the group ID
5, SELinux Authorization System
1) based on the understanding of the system body SELinux authorization process fine-grained manner, and comparative fine-grained authorization based differences and differences Authorization Security object of the coarse-grained;
2) System httpd running a program that allows the user to kill www httpd process, how to fine-grained authorization? And interpreted.
Answer:
1) subject to the authorization process of fine-grained way, is authorized to process the user's permissions process is limited, each process can only perform limited operations, not ultra vires execute permissions.
License coarse-grained object is to grant user permissions, the user with a lot of privileges to the implementation process. If the user is running a setuid root program, you can use root privileges corrupt system files or processes. The fine-grained access control because there is no extra user privileges, the possibility of damage to the system is greatly reduced.
2) allows the user to kill www httpd process
allows the root user (root_t) started calling kill the executable file (kill_t)
the allow root_t kill_t: httpd getattr the Execute {};
It allows the user www (www_t) starts the execve () call to kill the executable file (kill_exec_t)
the allow www_t kill_exec_t: Execute File} {getattr;
Entrance access to kill_t domains:
the allow kill_t kill_exec_t: File EntryPoint;
The original license type (www_t) to a new type (kill_t) for access to the domain transition TRansition
allow www_t kill_t: process transition;
