CIT 470: Advanced Network and System Administration: Access Control

Upload: zada

Post on 25-Jan-2016

Page 1: CIT 470: Advanced Network and System Administration

CIT 470: Advanced Network and System Administration Slide #1

CIT 470: Advanced Network and System Administration

Access Control

Slide #2: Access Control

Limiting access to:
• Files
• Networks
• Hosts
• Services

Center of gravity of computer security:
• Why do we authenticate users?
• What security features do OSes provide?
• What’s the purpose of cryptography?

Slide #3: Access Control is Pervasive

1. Application: complex, custom security policy. Ex: Amazon account: wish list, reviews, CC
2. Middleware: database, system libraries, 3rd party software. Ex: Credit card authorization center
3. Operating System: file ACLs, IPC
4. Hardware: memory management, hardware device access.

Slide #4: Access Control Matrix

[Figure: matrix with one row per subject s1 … sn and one column per object o1 … om s1 … sn; subjects appear among the objects as well]

Objects O = { o1, …, om }: all protected entities. Files, hosts, ports, etc.
Subjects S = { s1, …, sn }: active entities. Users, processes, hosts.
Rights R = { r1, …, rk }
Entries A[si, oj]: a subset of R.
A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj.
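As an added example (not part of the slides), the matrix abstraction in code: a sparse A[s, o] with grant/revoke, the reference-monitor check "is r in A[s, o]?", and the two views real systems store, the column (an object's ACL) and the row (a subject's capability list). Subjects, objects and rights are constructed sample data; the ACL and capability views go slightly beyond the slide, which only defines the matrix itself.

```python
# Added example (not from the slides): an access control matrix as a
# protection-state abstraction, with its column (ACL) and row (capability)
# views. Subject, object and right names are constructed sample data.

from collections import defaultdict


class AccessControlMatrix:
    """A[s, o] is the set of rights subject s holds over object o."""

    def __init__(self, subjects, objects, rights):
        self.subjects = set(subjects)
        self.objects = set(objects) | set(subjects)  # subjects are objects too
        self.rights = set(rights)
        self._a = defaultdict(set)  # sparse storage: (s, o) -> set of rights

    def grant(self, s, o, *rs):
        self._check(s, o, rs)
        self._a[(s, o)].update(rs)

    def revoke(self, s, o, *rs):
        self._check(s, o, rs)
        self._a[(s, o)].difference_update(rs)

    def allowed(self, s, o, r):
        """The reference-monitor question: is r in A[s, o]?"""
        return r in self._a.get((s, o), set())

    def acl(self, o):
        """Column view: the object's access control list."""
        return {s: set(rs) for (s, oo), rs in self._a.items() if oo == o and rs}

    def capabilities(self, s):
        """Row view: the subject's capability list."""
        return {o: set(rs) for (ss, o), rs in self._a.items() if ss == s and rs}

    def _check(self, s, o, rs):
        if s not in self.subjects or o not in self.objects:
            raise KeyError((s, o))
        unknown = set(rs) - self.rights
        if unknown:
            raise ValueError(f"unknown rights: {unknown}")


def demo():
    # constructed protection state: two users, a daemon, a file and a port
    m = AccessControlMatrix(subjects=["alice", "bob", "sshd"],
                            objects=["/etc/shadow", "tcp/22"],
                            rights=["read", "write", "exec", "own"])
    m.grant("alice", "/etc/shadow", "read", "write", "own")
    m.grant("sshd", "/etc/shadow", "read")
    m.grant("bob", "tcp/22", "read")
    m.grant("alice", "bob", "own")          # a subject used as an object
    m.revoke("sshd", "/etc/shadow", "read")  # state change: entry becomes empty
    return m


if __name__ == "__main__":
    m = demo()
    print(m.acl("/etc/shadow"))
    print(m.capabilities("alice"))
```

Every access decision reduces to `allowed()`, which is why the matrix is called the simplest representation of protection state; ACLs and capability lists are just the two ways of slicing it.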

Slide #5: UNIX Access Control Model

OS checks EUID + EGID on object access.
Usually EUID = UID and EGID = GID.
setuid/setgid programs run with a different EUID/EGID, giving you privileged access.
Setuid programs run with the EUID of the file owner.
ex: crontab, login, lp, passwd, su
Target for attackers wanting elevated privilege.

Slide #6: UNIX File Permissions

Three sets of permissions:
• User owner
• Group owner
• Other (everyone else)

Three permissions per set:
• read
• write
• execute

UID 0 can access regardless of permissions.
Files: directories, devices (disks, printers), IPC

Slide #7: UNIX File Permissions

Best-match policy: the OS applies the permission set that most closely matches (user owner, then group owner, then other).
You can be denied access by the best match even if you match another set.

Directories:
• read = listing of directory
• execute = traversal of directory
• write = add or remove files from directory

Slide #8: Special File Permissions

Each object has a set of special permission bits:
• sticky: on a directory, means users can only delete files that they own (ls shows the sticky bit with a t instead of x).
• setuid: execute program with EUID = owner’s UID
• setgid: execute program with EGID = owner’s GID. On directories, causes the default group owner of new files to be the directory’s group.

Slide #9: Changing Permissions: chmod

Permission set specifiers:
• u = user
• g = group
• o = other

Permissions:
• r = read
• w = write
• x = execute

# remove other access
chmod o-rwx *.c
# add group r/w access
chmod g+rw *.c
# allow only you access
chmod u=rwx,go= *

Slide #10: Octal Permission Notation

Each permission set (u, g, o) is an octal digit.
Each permission (r, w, x) is one bit of that digit.
ex: chmod 0644 file: u: rw, g: r, o: r
ex: chmod 0711 bin: u: rwx, g: x, o: x

Bit values (in a permission digit / in the leading special-bits digit):
4 = read / setuid
2 = write / setgid
1 = execute / sticky

Slide #11: Changing Ownership

newgrp: the group owner of new files is your default group; newgrp changes the default group to another group to which you belong.
chgrp: changes the group owner of an existing file.
chown: changes the owner of an existing file. Only root can use this command.

Slide #12: Default Permissions: umask

Determines the access permissions given to newly created files.
Three-digit octal number. Programs default to 0666 for new files.
umask modifies this to: 0666 & ~umask
ex: umask=022 => file has mode 0644
ex: umask=066 => file has mode 0600
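The following added example (not from the slides) models the permission machinery of slides 6 through 12 in one place: octal modes including the special-bits digit, chmod symbolic specs, the umask calculation, and above all the best-match policy, which is what makes a file with mode 0007 unreadable by its own owner. Users, groups and modes are constructed sample data; the root rule that executing a regular file still needs some execute bit is the Linux behaviour, slightly more precise than the slide's "regardless of permissions".

```python
# Added example (not from the slides): a model of UNIX permission bits,
# chmod symbolic specs, umask and the best-match access check. All uids,
# gids and modes below are constructed sample data.

import stat

BITS = {"r": 4, "w": 2, "x": 1}
SHIFT = {"u": 6, "g": 3, "o": 0}


def parse_octal(text):
    """'0644', '644' or '4755' -> integer mode; a leading fourth digit carries
    setuid (4), setgid (2) and sticky (1)."""
    return int(text, 8) & 0o7777


def format_octal(mode):
    return f"{mode & 0o7777:04o}"


def special_bits(mode):
    """Names of the special bits set in mode."""
    names = (("setuid", stat.S_ISUID), ("setgid", stat.S_ISGID), ("sticky", stat.S_ISVTX))
    return [name for name, bit in names if mode & bit]


def apply_umask(umask, requested=0o666):
    """Mode of a new file: the mode the program asked for & ~umask."""
    return requested & ~umask & 0o7777


def chmod_symbolic(mode, spec):
    """Apply a chmod symbolic spec ('o-rwx', 'g+rw', 'u=rwx,go=') to mode."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = clause[:i] or "a"
        if "a" in who:
            who = "ugo"
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad clause: {clause!r}")
        op, val = clause[i], sum(BITS[c] for c in clause[i + 1:])
        for w in who:
            cur = (mode >> SHIFT[w]) & 7
            new = {"+": cur | val, "-": cur & ~val, "=": val}[op]
            mode = (mode & ~(7 << SHIFT[w])) | (new << SHIFT[w])
    return mode


def select_set(mode, uid, groups, owner_uid, owner_gid):
    """Best match: the user set if the process owns the file, else the group
    set if the file's group is one of the process's groups, else other.
    Only the selected set is consulted, so a matching but empty owner set
    denies access even when 'other' would have allowed it."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in groups:
        return (mode >> 3) & 7
    return mode & 7


def check_access(mode, want, uid, groups, owner_uid, owner_gid, is_dir=False):
    """True if a process (uid, groups) may perform the r/w/x operations in
    `want` on an object with the given mode and ownership."""
    need = sum(BITS[c] for c in set(want))
    if uid == 0:
        # root bypasses the permission bits, except that executing a regular
        # file still requires at least one execute bit to be set on it
        return is_dir or "x" not in want or bool(mode & 0o111)
    return select_set(mode, uid, groups, owner_uid, owner_gid) & need == need


def demo_best_match():
    # constructed: file owned by alice (uid 1000), group staff (gid 100);
    # bob (uid 1001) is a member of staff, carol (uid 1002) is not
    alice, bob, carol, root = (1000, {1000}), (1001, {1001, 100}), (1002, {1002}), (0, {0})
    f = parse_octal("0640")
    return {
        "alice_write": check_access(f, "w", *alice, 1000, 100),
        "bob_read": check_access(f, "r", *bob, 1000, 100),
        "bob_write": check_access(f, "w", *bob, 1000, 100),
        "carol_read": check_access(f, "r", *carol, 1000, 100),
        "root_write": check_access(f, "w", *root, 1000, 100),
        # mode 0007: the owner matches first and gets nothing, even though
        # the 'other' set would have granted rwx
        "owner_denied_0007": check_access(parse_octal("0007"), "r", *alice, 1000, 100),
    }


if __name__ == "__main__":
    print(format_octal(apply_umask(0o022)), format_octal(chmod_symbolic(parse_octal("0644"), "g+rw")))
    print(demo_best_match())
```

The `owner_denied_0007` case is the slide's warning in concrete form: best match selects the owner set and never falls through to the more permissive "other" set.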

Slide #13: Limitations of Classic ACLs

Access control list only contains 3 entries:
• Limited to one user.
• Limited to one group.
Root (UID 0) can do anything.

Slide #14: POSIX Extended ACLs

Supported by most UNIX/Linux systems. Slight syntax differences may exist.
Tools: getfacl, setfacl

chmod 600 file
setfacl -m user:jsmit:r-- file

File unreadable by other, but ACL allows jsmit.
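As an added example (not part of the slides), the POSIX.1e evaluation that makes the `chmod 600` / `setfacl -m user:jsmit:r--` combination work: the ACL text is in the form `getfacl` prints, the owner and named-user entries are tried before any group entry, and named-user and group entries are ANDed with the mask entry, which is why a later `chmod` that zeroes the mask silently cuts jsmit off again. The user and group names are constructed sample data.

```python
# Added example (not from the slides): POSIX.1e ACL evaluation order
# (owner, named user, owning/named groups, other) with the mask applied.
# The ACL text, user names and group names are constructed sample data.

BITS = {"r": 4, "w": 2, "x": 1}

# what getfacl would print after: chmod 600 file; setfacl -m user:jsmit:r-- file
SAMPLE_ACL = """
# file: file
# owner: alice
# group: staff
user::rw-
user:jsmit:r--
group::---
mask::r--
other::---
"""


def perm_bits(text):
    """'r--' -> 4, 'rw-' -> 6, 'r' -> 4."""
    return sum(BITS[c] for c in text if c in BITS)


def parse_acl(lines):
    """Parse getfacl-style entries tag:qualifier:perms; comments are skipped."""
    acl = {"named_user": {}, "named_group": {}, "mask": None}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, qual, perms = line.split(":")
        bits = perm_bits(perms)
        if tag == "user":
            (acl["named_user"].__setitem__(qual, bits) if qual else acl.__setitem__("owner", bits))
        elif tag == "group":
            (acl["named_group"].__setitem__(qual, bits) if qual else acl.__setitem__("owning_group", bits))
        elif tag == "mask":
            acl["mask"] = bits
        elif tag == "other":
            acl["other"] = bits
        else:
            raise ValueError(f"unknown entry: {line!r}")
    return acl


def acl_check(acl, want, user, groups, owner, owning_group):
    """POSIX.1e order: owner entry; else a matching named user; else the
    owning group and any matching named groups (the first that grants wins,
    and if none grants access is denied rather than falling to other);
    else the other entry. Named-user and group entries are masked."""
    need = perm_bits(want)
    mask = 7 if acl["mask"] is None else acl["mask"]
    if user == owner:
        return acl["owner"] & need == need
    if user in acl["named_user"]:
        return acl["named_user"][user] & mask & need == need
    candidates = [acl["owning_group"]] if owning_group in groups else []
    candidates += [b for g, b in acl["named_group"].items() if g in groups]
    if candidates:
        return any(b & mask & need == need for b in candidates)
    return acl["other"] & need == need


def demo():
    acl = parse_acl(SAMPLE_ACL.splitlines())
    # same ACL after a chmod that clears the group bits, which resets the mask
    masked = dict(acl, mask=0)
    return {
        "alice_write": acl_check(acl, "w", "alice", {"staff"}, "alice", "staff"),
        "jsmit_read": acl_check(acl, "r", "jsmit", {"users"}, "alice", "staff"),
        "jsmit_write": acl_check(acl, "w", "jsmit", {"users"}, "alice", "staff"),
        "staff_member_read": acl_check(acl, "r", "bob", {"staff"}, "alice", "staff"),
        "other_read": acl_check(acl, "r", "eve", {"users"}, "alice", "staff"),
        "jsmit_read_mask_cleared": acl_check(masked, "r", "jsmit", {"users"}, "alice", "staff"),
    }


if __name__ == "__main__":
    print(demo())
```

When checking an ACL on a real system, read the `mask::` line of `getfacl` output as carefully as the named entries: the effective rights of every non-owner entry are bounded by it.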

Slide #15: Host-based Access Control

/etc/hosts.allow and /etc/hosts.deny
Used by tcpd, sshd, xinetd, other servers.
Identify subjects by:
• hostname
• IP address
• network address/mask
Allow before Deny: use a last rule in /etc/hosts.deny to deny all.
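The added example below (not from the slides) models the TCP Wrappers decision described above: /etc/hosts.allow is consulted first, then /etc/hosts.deny, and a client that matches neither file is allowed, which is exactly why the slide recommends a catch-all `ALL: ALL` as the last rule in hosts.deny. Client patterns are hostnames, IP addresses and network/mask pairs as on the slide; the two file contents, the daemon names and the sample clients are constructed, and option fields after a second colon are not modelled.

```python
# Added example (not from the slides): a model of the TCP Wrappers
# allow-before-deny decision over hosts.allow / hosts.deny. Both tables and
# every client below are constructed sample data.

import ipaddress

HOSTS_ALLOW = """
# daemon_list : client_list
sshd: 192.168.1.0/255.255.255.0, admin.example.com
ALL: 127.0.0.1
"""

HOSTS_DENY = """
ALL: ALL        # fail-safe default: everything not explicitly allowed
"""


def parse_table(text):
    """Return [(daemons, client_patterns), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = [field.strip() for field in line.split(":", 1)]
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, ip, hostname):
    if pattern == "ALL":
        return True
    if "/" in pattern:  # network/mask form, e.g. 192.168.1.0/255.255.255.0
        return ip in ipaddress.ip_network(pattern, strict=False)
    try:
        return ipaddress.ip_address(pattern) == ip
    except ValueError:
        pass  # not an address, so treat it as a hostname pattern
    if pattern.startswith("."):  # leading dot matches a domain suffix
        return hostname.endswith(pattern)
    return hostname == pattern


def table_matches(rules, daemon, ip, hostname):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(c, ip, hostname) for c in clients)
               for daemons, clients in rules)


def decide(daemon, ip_text, hostname, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """'allow' or 'deny' for one connection, in TCP Wrappers order."""
    ip = ipaddress.ip_address(ip_text)
    if table_matches(parse_table(allow), daemon, ip, hostname):
        return "allow"
    if table_matches(parse_table(deny), daemon, ip, hostname):
        return "deny"
    return "allow"  # matched by neither file


if __name__ == "__main__":
    for args in (("sshd", "192.168.1.40", "ws40.example.com"),
                 ("sshd", "203.0.113.9", "host.example.net"),
                 ("ftpd", "192.168.1.40", "ws40.example.com")):
        print(args, decide(*args))
```

The last assertion in the test shows the failure mode the slide warns about: with an empty hosts.deny, an unlisted client is let through by default.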

Slide #16: Configure Firewall

Defence in Depth: use host firewall + network firewall.
Failsafe Defaults: disable all access by default on each host. Enable necessary services.
Protects against:
• Insider attacks.
• Running vulnerable services by mistake.

Slide #17: iptables

iptables [-t table] cmd [matches] [target]

Commands:
-A chain rule-spec: Append rule to chain.
-D chain rule-spec: Delete a rule from chain.
-L chain: List all rules in chain.
-F chain: Flush all rules from chain.
-P chain target: Set default policy for chain.
-N chain: Create a new chain.
-X chain: Remove a user-defined chain.

Slide #18: iptables Matches

-p protocol: Specify protocol to match (tcp, udp, icmp, etc.).
-s address/mask: Source IP address to match.
-d address/mask: Dest IP address to match.
--sport: Source port (TCP/UDP) to match.
--dport: Dest port (TCP/UDP) to match.

Slide #19: iptables Extended Matches

-m match: Specify match module to use.

Example: limit. Only accept 3 ICMP packets per hour.
-m limit --limit 3/hour -p icmp -j REJECT

Example: state. Useful for stateful packet filtering.
-m state --state NEW: match only new connections.
-m state --state ESTABLISHED: match only established connections.

Slide #20: iptables Targets

-j ACCEPT: Accept packet.
-j DROP: Drop packet w/o reply.
-j REJECT: Drop packet with reply.
-j RETURN: Return from this chain to calling chain.
-j LOG: Log packet; chain processing continues.

Slide #21: Chain Targets

[Figure: rules in the built-in INPUT chain: -p ICMP -j DROP; -p TCP -j test; -p UDP -j DROP. Rules in the user-defined chain test: -s 192.168.1.1; -d 192.168.1.1]
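As an added example (not part of the slides), a small model of how iptables walks the chains in the figure above: rules are tried in order, `-j test` jumps into the user-defined chain, a packet that matches nothing terminal there returns to INPUT at the rule after the jump, LOG records the packet and lets processing continue, and the chain policy decides when nothing matched. The figure only shows the matches of the two rules in `test`, so their targets (DROP for the source match, ACCEPT for the destination match), the extra LOG rule and the INPUT policy are constructed assumptions.

```python
# Added example (not from the slides): a model of iptables chain traversal
# with user-defined chains, RETURN, LOG and the chain policy. The targets
# inside 'test', the LOG rule and the policy are constructed assumptions.

from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str
    src: str
    dst: str


@dataclass
class Rule:
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, p):
        # an unset match field matches anything, as with iptables
        return all(want is None or want == got for want, got in
                   ((self.proto, p.proto), (self.src, p.src), (self.dst, p.dst)))


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def walk(chains, policies, name, p, log=None, depth=0):
    """Verdict for packet p entering chain `name`. Inside a user-defined
    chain, "RETURN" means no terminal target fired and the caller resumes."""
    if depth > 16:
        raise RuntimeError("chain loop")
    for rule in chains[name]:
        if not rule.matches(p):
            continue
        t = rule.target
        if t == "LOG":
            if log is not None:
                log.append(f"{name}: {p.proto} {p.src}->{p.dst}")
            continue  # LOG is non-terminal: keep walking the chain
        if t in TERMINAL:
            return t
        if t == "RETURN":
            break
        # any other target names a user-defined chain: jump, then resume here
        verdict = walk(chains, policies, t, p, log, depth + 1)
        if verdict != "RETURN":
            return verdict
    # fell off the end (or hit RETURN): policy for built-in chains, RETURN otherwise
    return policies.get(name, "RETURN")


CHAINS = {
    "INPUT": [
        Rule("LOG"),                    # constructed: log every packet entering INPUT
        Rule("DROP", proto="icmp"),     # -p ICMP -j DROP
        Rule("test", proto="tcp"),      # -p TCP -j test
        Rule("DROP", proto="udp"),      # -p UDP -j DROP
    ],
    "test": [
        Rule("DROP", src="192.168.1.1"),    # -s 192.168.1.1 (target assumed)
        Rule("ACCEPT", dst="192.168.1.1"),  # -d 192.168.1.1 (target assumed)
    ],
}
POLICIES = {"INPUT": "DROP"}  # user-defined chains have no policy


def verdict(proto, src, dst, log=None):
    return walk(CHAINS, POLICIES, "INPUT", Packet(proto, src, dst), log)


if __name__ == "__main__":
    entries = []
    for pkt in (("icmp", "10.0.0.1", "192.168.1.1"), ("tcp", "10.0.0.9", "192.168.1.1"),
                ("tcp", "10.0.0.9", "10.0.0.8"), ("udp", "10.0.0.9", "10.0.0.8")):
        print(pkt, verdict(*pkt, log=entries))
    print(entries)
```

The TCP packet to 10.0.0.8 is the instructive case: neither rule in `test` matches, so the walk returns to INPUT, skips the UDP rule, and ends at the policy; with a policy of ACCEPT the same packet would be let in, which is the fail-safe-defaults argument for a DROP policy on built-in chains.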

Slide #22: Creating a Packet Filter

1. Create a security policy for a service. ex: allow only outgoing telnet service
2. Specify the security policy in terms of which types of packets are allowed/forbidden.
3. Write the packet filter in terms of the vendor’s filtering language.

Slide #23: Example: outgoing telnet

TCP-based service.
Outbound packets:
– Destination port is 23
– Source port is a random port >1023
– Outgoing connection established by first packet with no ACK flag set
– Following packets will have ACK flag set
Incoming packets:
– Source port is 23, as server runs on port 23
– Destination port is the high port used for the outbound packets
– All incoming packets will have ACK flag set

Slide #24: Example: outgoing telnet

Dir     Src   Dest  Proto  S.Port  D.Port  ACK?    Action
Out     Int   Any   TCP    >1023   23      Either  Accept
In      Any   Int   TCP    23      >1023   Yes     Accept
Either  Any   Any   Any    Any     Any     Either  Deny

1. First rule allows outgoing telnet packets.
2. Second rule allows response packets back in.
3. Third rule denies all else, following the Principle of Fail-Safe Defaults.
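The added example below (not from the slides) turns the three-row table above into a first-match filter and runs it over constructed packets from the telnet exchange on slide 23: the opening segment without ACK, the data segments, the server's replies, and the cases the table is meant to stop. "Int" is modelled as the constructed internal prefix 10.0.0.0/8; the external addresses are documentation ranges.

```python
# Added example (not from the slides): the outgoing-telnet rule table as a
# first-match packet filter. INTERNAL and every packet are constructed.

import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed "Int" network


@dataclass
class Packet:
    direction: str  # "Out" or "In"
    src: str
    dst: str
    proto: str      # "TCP", "UDP", "ICMP"
    sport: int
    dport: int
    ack: bool


# (Dir, Src, Dest, Proto, S.Port, D.Port, ACK?, Action) straight from the table
RULES = [
    ("Out", "Int", "Any", "TCP", ">1023", 23, "Either", "Accept"),
    ("In", "Any", "Int", "TCP", 23, ">1023", True, "Accept"),
    ("Either", "Any", "Any", "Any", "Any", "Any", "Either", "Deny"),
]


def _addr(spec, addr):
    if spec == "Any":
        return True
    if spec == "Int":
        return ipaddress.ip_address(addr) in INTERNAL
    return ipaddress.ip_address(addr) == ipaddress.ip_address(spec)


def _port(spec, port):
    if spec == "Any":
        return True
    if isinstance(spec, str) and spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def rule_matches(rule, p):
    d, s, t, proto, sp, dp, ack, _ = rule
    return (d in ("Either", p.direction)
            and _addr(s, p.src) and _addr(t, p.dst)
            and proto in ("Any", p.proto)
            and _port(sp, p.sport) and _port(dp, p.dport)
            and ack in ("Either", p.ack))


def filter_packet(p):
    """First matching rule wins; the final row guarantees a decision."""
    for rule in RULES:
        if rule_matches(rule, p):
            return rule[-1]
    raise AssertionError("unreachable: the last rule matches everything")


def demo():
    inside, outside = "10.1.2.3", "203.0.113.7"
    return {
        "open_out":      filter_packet(Packet("Out", inside, outside, "TCP", 40000, 23, False)),
        "data_out":      filter_packet(Packet("Out", inside, outside, "TCP", 40000, 23, True)),
        "reply_in":      filter_packet(Packet("In", outside, inside, "TCP", 23, 40000, True)),
        # inbound connection attempt to our port 23: no rule accepts it
        "inbound_to_23": filter_packet(Packet("In", outside, inside, "TCP", 40000, 23, False)),
        # inbound segment from port 23 without ACK: not a reply to anything we sent
        "no_ack_from_23": filter_packet(Packet("In", outside, inside, "TCP", 23, 40000, False)),
        "udp_out":       filter_packet(Packet("Out", inside, outside, "UDP", 40000, 23, False)),
        "out_not_int":   filter_packet(Packet("Out", "192.0.2.5", outside, "TCP", 40000, 23, False)),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:15s} {action}")
```

The "Yes" in the second row's ACK column is what distinguishes genuine replies from an inbound segment that merely uses 23 as its source port; a filter that omitted it would accept any such segment to any high port.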

Slide #25: Implementing the Filter with iptables

# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --sport 23 -j ACCEPT
# iptables -A INPUT -j REJECT

Slide #26: Why is Access Control hard?

• Objects are complex
– Identifying objects of interest (subnet, host, port)
– Hierarchical structure like filesystem.
• Subjects are complex
– Identifying subjects of interest.
– What are the relationships between subjects?
• Access Control states change.
• Security objectives often unclear.

Slide #27: Key Points

• Center of gravity of security; pervasive.
• Access Control Matrix: simplest abstraction mechanism for representing protection state.
• UNIX Access Control
– UIDs vs EUIDs, setuid
– POSIX ACLs
• Network Access Control
– TCP Wrappers
– iptables
