Linux and UNIX Overview

Upload: candid

Post on 25-Feb-2016

TRANSCRIPT

Linux and UNIX Overview 1

Linux and UNIX Overview

Linux and UNIX Overview 2

Linux and UNIX
Linux and UNIX OSs are…
o Often targets for attacks
o Often used for launching attacks
So we need to understand basics

Linux and UNIX Overview 3

UNIX
A “beautiful but strange beast”
o Developed as research project by AT&T
o More than 35 years old
o Internet was built on UNIX
o Recently, popular for desktops, etc.

Linux and UNIX Overview 4

UNIX
It’s beautiful because…
o It’s powerful
  Millions of people have worked on it
o Huge numbers of useful tools
o “Been around the block” more than once
o Closely associated with open source
o Admins can find lots of useful tools

Linux and UNIX Overview 5

UNIX
Strange because so many UNIX OSs
Popular variants include
o Solaris by Sun
o MacOS by Apple
o HP-UX by HP
o IRIX by sgi
o AIX by IBM
o FreeBSD, free open source
o OpenBSD, “the #1 most secure” OS

Linux and UNIX Overview 6

UNIX
Differences between UNIX variants
o File systems organization
o System calls, commands, command options, etc.
Two main “lines” of UNIX
o AT&T and BSD
But some UNIXs are combinations

Linux and UNIX Overview 7

Linux
Developed by Linus Torvalds
o Technically, not a variant of UNIX
o Created without using any of the underlying UNIX code
o A “UNIX-like environment”
o Strictly speaking, “Linux” is just the kernel
o Many Linux “distros”: Debian, Gentoo, Mandrake, Red Hat, Slackware, SuSE, etc.

Linux and UNIX Overview 8

UNIX
Here, generic UNIX/Linux concepts
o Things that apply to most UNIX/Linux
UNIX also strange because
o Not designed for ease of use
o Think command line, not GUI
o Ironically, much simpler than Windows…
If you think Windows is easier, you don’t know Linux…
…and you don’t know Windows

Linux and UNIX Overview 9

UNIX
Here, we focus on generic “UNIX”
o Things that apply to most variants
Book uses “UNIX”, “Linux” interchangeably
Here, we only scratch the surface
For more info
o Linux Administration Handbook, by Nemeth
o Man pages

Linux and UNIX Overview 10

Architecture
File system
o Like traveling thru a city…
o Directories are like signs leading you to “buildings” (files)
Many things treated as files
o Devices, elements of processes, files

Linux and UNIX Overview 11

File System
Top is root directory: / == “slash”
o “cd /” takes you to root
o For example: /home/fred/hack.txt
  File hack.txt in directory /home/fred

Linux and UNIX Overview 12

Important Directories
/ == root (top level), called “slash”
/bin, /sbin == critical system exe’s
/dev == devices, terminal, CD, etc.
/etc == system config files
o Accounts, pwds, network addresses, etc.
/home == user directories

Linux and UNIX Overview 13

Important Directories
/lib == shared libraries for programs
/mnt == exported file systems temporarily mounted, removable devices (e.g., USB)
/proc == images/data of current processes
o Not on hard drive---can see what kernel is doing
/tmp == temporary files
/usr == critical system files (utilities, man pages, …)
/var == stores various types of files, often for administration (log files)

Linux and UNIX Overview 14

Important Directories
“.” is current directory
“..” is parent directory
o One level up
“ls” lists all files in directory
“ls -a” lists “.” and “..” too

Linux and UNIX Overview 15

Kernel
UNIX and Linux are modular
The core is the kernel
o Heart and brains of OS
o Deals with critical system functions
o E.g., hardware interactions, resource allocation, …
o Programs call on kernel for these things

Linux and UNIX Overview 16

Processes
For program, kernel starts a process
o Process is like a “bubble that contains the guts of a running program”
o Kernel creates bubble, inflates it and tries to keep bubbles from popping each other
User programs, admin tools, services (e.g., Web, email) are processes
o May be 100s to 1000s of active processes
o Kernel juggles these into CPU, manages memory

Linux and UNIX Overview 17

Processes
High level view of architecture
(diagram not included in transcript)

Linux and UNIX Overview 18

Processes
Many processes run in background
Perform system-critical functions
o Printing, network activity, etc.
Known as “daemons”
o Pronounced “day-muns” or “dee-muns”
o Named based on their function
o E.g., SSH daemon is sshd

Linux and UNIX Overview 19

Automatic Processes
Booting: kernel starts init daemon
o Finishes boot process
Init starts many network processes
o Httpd --- Web server, for http/https
o Sshd --- SSH service
o Sendmail --- common UNIX email server
o NFS --- Network File System for sharing files between UNIX systems

Linux and UNIX Overview 20

Network Services
Network service listens to network
o Web server listens on TCP port 80
o Email server listens on TCP port 25
Wait for incoming traffic
Lots of email/Web traffic, so they listen constantly
What about, say, FTP?

Linux and UNIX Overview 21

Network Services
To improve efficiency…
“Internet daemon” listens for uncommon services
o inetd (“I-Net-D”) or xinetd
When traffic arrives, inetd activates appropriate service
Uncommon services: echo, chargen, ftpd, telnetd, rsh, rlogin, TFTP, …

Linux and UNIX Overview 22

inetd
File /etc/inetd.conf tells inetd what services to listen for: must specify
o Service name --- e.g., telnet (defined in /etc/services)
o Socket type --- type of connection?
o Protocol --- usually tcp or udp
o Wait status --- process handles multiple connections or not
o User Name --- name service should run as
o Server program and arguments
inetd.conf is target of attacks
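Added example, not part of the slides: a small shell audit of the inetd.conf format described above. It reads inetd.conf-style lines from standard input, skips comments, and reports the active entries, the entries that run as root and belong to the cleartext services named on the previous slide (telnet, rsh/rlogin, TFTP), and the labelled fields of one entry. The sample configuration, the function names and the list of "legacy" services are this example's own, not from the slides.

```shell
# Constructed inetd.conf sample (not from any real host). Field order is the
# one the slide gives: service, socket type, protocol, wait status, user,
# server program, then the server's arguments.
SAMPLE_INETD_CONF='# constructed inetd.conf sample
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd    in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/in.rshd    in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind in.rlogind
tftp    dgram   udp     wait    nobody  /usr/sbin/in.tftpd   in.tftpd -s /tftpboot
echo    stream  tcp     nowait  root    internal
daytime stream  tcp     nowait  root    internal'

# Print the first six fields of every active (non-comment, non-blank) entry.
enabled_services() {
    awk '/^[[:space:]]*#/ || NF == 0 { next }
         NF >= 6 { print $1, $2, $3, $4, $5, $6 }'
}

# Print services that run as root AND are in the cleartext/legacy set the
# slides call out (telnet, rsh = "shell", rlogin = "login", tftp).
# The user field may be written user.group or user:group, so split it first.
legacy_root_services() {
    awk '/^[[:space:]]*#/ || NF == 0 { next }
         NF >= 6 {
             split($5, u, /[.:]/)
             if (u[1] == "root" && $1 ~ /^(telnet|shell|login|tftp)$/) print $1
         }'
}

# Print one entry with the slide's field labels; $1 is the service name.
explain_entry() {
    awk -v svc="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == svc {
            args = ""
            for (i = 7; i <= NF; i++) args = args (i > 7 ? " " : "") $i
            printf "service=%s socket=%s protocol=%s wait=%s user=%s server=%s args=[%s]\n",
                   $1, $2, $3, $4, $5, $6, args
        }'
}

# Demo on the constructed sample:
echo "active entries:"
printf '%s\n' "$SAMPLE_INETD_CONF" | enabled_services
echo "legacy services running as root:"
printf '%s\n' "$SAMPLE_INETD_CONF" | legacy_root_services
printf '%s\n' "$SAMPLE_INETD_CONF" | explain_entry tftp
```

On a real host you would feed the functions with `< /etc/inetd.conf` instead of the sample; a commented-out line (like the "shell" entry above) is correctly treated as disabled, which is why an audit should look at the parsed result rather than grep for service names.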

Linux and UNIX Overview 23

inetd
Relationship between inetd and other daemons
(diagram not included in transcript)

Linux and UNIX Overview 24

cron
Cron daemon
o Schedule programs to run at predetermined times
o For example, backup files at 3am
Attackers also like cron
o E.g., shut down critical service at a particular time as part of back door

Linux and UNIX Overview 25

Processes
Can also start processes manually
“path” is searched for command
To see path: echo $PATH
o Dangerous to have “.” in path
o Why?
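Added example, not part of the slides: a shell function that answers the slide's "why?" from the defender's side. When "." (or an empty component, which the shell also treats as the current directory) is in PATH, a command name typed in a directory someone else can write to may resolve to a file planted there instead of the system binary. check_path splits a PATH value the way the shell does and flags ".", empty entries and any relative entry. The function name and the sample PATH values are this example's own.

```shell
# Report unsafe entries in a PATH-style value given as $1.
# Prints one "unsafe: ..." line per problem and returns 1 if any were found.
check_path() {
    path_value=$1
    bad=0
    # Walk the colon-separated list with parameter expansion. A trailing ":"
    # is appended so the last entry is handled like the others; this also
    # makes a trailing colon in the input show up as an empty entry.
    rest="$path_value:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text before the first colon
        rest=${rest#*:}        # everything after it
        case $entry in
            "")  echo "unsafe: empty entry (the shell searches the current directory)"; bad=1 ;;
            .)   echo "unsafe: \".\" (current directory)"; bad=1 ;;
            /*)  ;;            # absolute path: acceptable as far as this check goes
            *)   echo "unsafe: relative entry \"$entry\""; bad=1 ;;
        esac
    done
    return $bad
}

# Demo on constructed values (the real environment is not read here):
if check_path "/usr/local/bin:/usr/bin:/bin"; then echo "PATH ok"; fi
if check_path "/usr/bin:.:/bin"; then echo "PATH ok"; else echo "PATH needs fixing"; fi
```

To check the running shell, call `check_path "$PATH"`; a fix is to set PATH to absolute system directories only and to invoke local programs explicitly as ./program.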

Linux and UNIX Overview 26

Interacting with Processes
Each process has process ID (PID)
To get info on current processes
o “ps -aux” (all running processes)
o “lsof” (list of open files)
Can send a signal to a process
o TERM to terminate, HUP to “hang up” (often rereads config), kill, killall, etc.
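Added example, not part of the slides: the PID and signal workflow from this slide, exercised on a throwaway background "sleep" rather than a real daemon. start_worker records the PID in WORKER_PID, show_worker looks it up with ps, and stop_worker sends TERM, reaps the process and returns 0 only when the PID is really gone, which is the check a restart or cleanup script needs before it escalates. All function names are this example's own.

```shell
# Start a background process and remember its PID. $! is the PID of the most
# recent background job. Output is redirected so the child holds no terminal.
start_worker() {
    sleep 300 >/dev/null 2>&1 &
    WORKER_PID=$!
}

# Signal 0 delivers nothing: it only asks the kernel whether the PID exists
# and whether we are permitted to signal it.
is_alive() {
    kill -0 "$1" 2>/dev/null
}

# The "ps -p PID -o ..." form is POSIX; "ps -aux" on the slide is the BSD form.
show_worker() {
    ps -p "$1" -o pid= -o comm= 2>/dev/null || echo "(no ps output for $1)"
}

# Send TERM, wait for the process to exit, report whether it is gone.
stop_worker() {
    pid=$1
    is_alive "$pid" || return 1              # nothing to stop
    kill -TERM "$pid"                        # polite request; default action is to exit
    wait "$pid" 2>/dev/null || true          # reap our own child; 143 = 128 + SIGTERM is expected
    tries=0
    while is_alive "$pid" && [ "$tries" -lt 5 ]; do
        sleep 1                              # a process that is not our child needs a moment
        tries=$((tries + 1))
    done
    if is_alive "$pid"; then
        return 1                             # still running: the caller may escalate to KILL
    fi
    return 0
}

# Demo run:
start_worker
show_worker "$WORKER_PID"
if stop_worker "$WORKER_PID"; then echo "worker $WORKER_PID terminated"; fi
```

The same pattern applies to HUP: send the signal, then confirm from the daemon's log or its listening port that it reread its configuration rather than assuming it did.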

Linux and UNIX Overview 27

Accounts
Need an account to log in
A process runs with permissions of a given account
/etc/passwd file
o One line for every account, e.g.,
o sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false

Linux and UNIX Overview 28

Passwd File
Each line contains
o Login name
o Hashed/encrypted password
o UID number --- number assigned to account, used to determine permissions of processes
o Default GID --- default group number
o GECOS info --- not used by system, names, etc.
o Home directory --- directory after login
o Login shell --- sh, bash, csh, ksh, or another program

Linux and UNIX Overview 29

Passwd File
Passwd file is world readable
o Attackers like to know hashed passwords
o Used for password guessing
Most modern UNIX systems do not include hashed passwords in passwd file
o Instead, in “shadow” passwd file, /etc/shadow
o Requires super-user privilege to access
So passwd file contains no passwords…

Linux and UNIX Overview 30

Password File
After much searching…
Found my OS X hashed password is
o 0x3BBC2A94D59EB1D5D3452EA6FA47399B2A25664C
Where SHA1 hash is used, with salt
o 0x8429A223
Extra credit: Find my password!

Linux and UNIX Overview 31

Groups
Group users together
Assign permission to the group
Stored in file /etc/group, format is
o Group name
o Hashed group password --- never used
o GID number --- used by the system instead of group name
o Group members --- by login names

Linux and UNIX Overview 32

Root
Root account is all-powerful user
Maximum privilege --- can read, write any file
Root == superuser or “God”
UID == 0
o “root” could be called anything, provided UID is 0
o Can be multiple root accounts
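Added example, not part of the slides: shell functions that parse the seven-field passwd format from the Passwd File slides and apply the checks those slides and this one imply for a defender: a second UID-0 account is a superuser whatever it is called, a password field that still holds a hash means the hash is world readable rather than in /etc/shadow, and an empty password field means no password at all. The sample file is constructed (the sshd line is the one quoted on the Accounts slide; the "legacy" hash is a fake string); the function names and the set of shadow markers recognised are this example's own.

```shell
# Constructed /etc/passwd sample; not taken from any real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
fred:x:1000:1000:Fred:/home/fred:/bin/bash
toor:x:0:0:backup admin:/root:/bin/sh
legacy:$1$saltsalt$FAKEHASHFAKEHASHFAKEHA:1001:1001:Legacy account (constructed hash):/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh'

# All functions read passwd-format lines from standard input.

# Print the seven fields of one account with labels; $1 is the login name.
describe_account() {
    awk -F: -v login="$1" 'NF >= 7 && $1 == login {
        printf "login=%s password=%s uid=%s gid=%s gecos=%s home=%s shell=%s\n",
               $1, ($2 == "" ? "(empty)" : $2), $3, $4, $5, $6, $7
    }'
}

# Accounts with UID 0 other than "root": each one is a full superuser.
extra_uid0_accounts() {
    awk -F: 'NF >= 7 && $3 == 0 && $1 != "root" { print $1 ":" $3 }'
}

# Accounts whose password field is neither empty nor a shadow marker
# ("x", "*", "!", "!!", "*LK*" are the common markers; others exist),
# i.e. a hash that every local user can read.
unshadowed_accounts() {
    awk -F: 'NF >= 7 && $2 != "" && $2 !~ /^([x*!]+|\*LK\*)$/ { print $1 }'
}

# Accounts with an empty password field: login without any password.
empty_password_accounts() {
    awk -F: 'NF >= 7 && $2 == "" { print $1 }'
}

# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_PASSWD" | describe_account sshd
echo "extra UID-0 accounts:";    printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts
echo "hash kept in passwd:";     printf '%s\n' "$SAMPLE_PASSWD" | unshadowed_accounts
echo "empty password field:";    printf '%s\n' "$SAMPLE_PASSWD" | empty_password_accounts
```

Run the same functions with `< /etc/passwd` on a real host; anything reported by extra_uid0_accounts that you did not create yourself deserves the same attention as an unknown setuid binary.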

Linux and UNIX Overview 33

Permissions
Every file has an owner and group
Owner (or root) sets permissions
o Permissions: owner, group, everybody
o For each of the 3, read, write, execute
o Use “ls -l” to see permissions
-rw-r--r--  1 markstam markstam  767 Feb  6 19:31 cs286.txt
drwxr-xr-x 40 markstam markstam 1360 Jan 25 17:33 docs

Linux and UNIX Overview 34

Permissions
(diagram not included in transcript)

Linux and UNIX Overview 35

Permissions
Change permissions using chmod
o “change modes”
Give new permissions in octal
o For example: chmod 745 foo
o This corresponds to: rwxr--r-x

Linux and UNIX Overview 36

SetUID
Sometimes user needs to access file and they do not have permissions
o Example: to change password (assuming hashes stored in shadow file)
SetUID == Set User ID
Use this so program will execute with permission of its owner
o As opposed to permission of user executing it
o Password changing program: SetUID root

Linux and UNIX Overview 37

SetUID
Gives “common” users lots of power
o OK if used in controlled way for specific tasks
SetUID permissions appear before 9 standard permission bits
o In fact, 3 additional bits
o SetUID, SetGID, “sticky bit”
o For example: chmod 4745 foo
o Shows up in “ls -l” as an s:
-r-sr-xr-x 1 root wheel 75636 Jan 11 2007 /usr/bin/passwd

Linux and UNIX Overview 38

SetUID
Attackers like SetUID programs
o May be possible to exploit flaws in code (buffer overflow) to elevate privilege
New/modified SetUID programs may be evidence of attack
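Added example, not part of the slides: the defender's routine for the last bullet. list_setuid prints every setuid file below a directory, snapshot_setuid saves that list as a baseline, new_setuid and removed_setuid compare a later listing against it, and modified_setuid reports setuid files changed since the baseline was taken. The function names and the one-path-per-line baseline format are this example's own; the listings in the demo are constructed so it runs without scanning a real system.

```shell
# Print setuid files under $1, sorted (comm below requires sorted input).
# -perm -4000 matches files whose setuid bit is set whatever the other bits
# are; -xdev keeps the scan on one file system.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# $1 = directory to scan, $2 = baseline file to write.
snapshot_setuid() {
    list_setuid "$1" > "$2"
}

# $1 = baseline file, $2 = current listing. Lines only in the current listing
# are setuid files that did not exist (or were not setuid) at baseline time.
new_setuid() {
    comm -13 "$1" "$2"
}

# The other direction: files that were setuid at baseline time and are not now.
removed_setuid() {
    comm -23 "$1" "$2"
}

# $1 = directory, $2 = baseline file. Setuid files whose modification time is
# newer than the baseline file itself. Caveat: mtime can be reset by whoever
# modified the file, so a baseline of content hashes is the stronger check.
modified_setuid() {
    find "$1" -xdev -type f -perm -4000 -newer "$2" 2>/dev/null | sort
}

# Demo on constructed listings:
tmp=$(mktemp -d)
printf '%s\n' /usr/bin/passwd /usr/bin/su > "$tmp/baseline"
printf '%s\n' /usr/bin/passwd /usr/bin/su /usr/local/bin/helper > "$tmp/current"
echo "setuid files not in baseline:"
new_setuid "$tmp/baseline" "$tmp/current"
rm -rf "$tmp"
```

In practice you take the baseline right after installation (`snapshot_setuid / /var/lib/setuid.baseline`), store a copy off the host, and have cron run `list_setuid /` into a temporary file and diff it with new_setuid; an unexplained entry is the "evidence of attack" the slide refers to.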

Linux and UNIX Overview 39

Trust Relationships
That is, trust between machines
o Can specify which machines to trust
Bob trusts Alice
(diagram not included in transcript)

Linux and UNIX Overview 40

Trust Relationships
Unauthenticated access by users from trusted machine
o Since trusted machine (presumably) already authenticated the user
If trusted, the r-commands (rlogin, rsh, rcp) require no password
o Also, r-commands do not encrypt
How does Bob know trusted Alice is Alice?

Linux and UNIX Overview 41

Logs and Audit
Created by syslog daemon (syslogd)
Typical log files
o Secure --- logins, successful and failed
o Message --- catch-all system log
o Individual app logs --- for specific apps

Linux and UNIX Overview 42

Logs and Audit
Forensic info also logged
Attackers like to cover their tracks
To do so, may need to manipulate…
o utmp --- who is logged in
o wtmp --- record of all logins and logouts
o lastlog --- time and location of each user’s most recent login

Linux and UNIX Overview 43

Common Network Services
Telnet --- command line remote access
o No encryption, session can be hijacked, …
FTP --- file transfer
o Insecure, like telnet
SSH --- encrypted “tunnel”
o Then safe to use unsafe services
o SSH version 1 insecure, version 2 is good

Linux and UNIX Overview 44

Common Network Services
HTTP --- Web
o Source of many attacks
Email --- sendmail, several security issues
r-commands --- rlogin, rsh, rcp
o Considered very insecure
DNS --- domain names to IP addresses
o Critical service, good one for attackers…

Linux and UNIX Overview 45

Common Network Services
NFS --- transparently access files across network
o NFS server “exports” directory info
o Local machine can “mount” these, so files appear to be locally accessible
o Like FTP without all of the trouble of FTP-ing
o Of course, exporting too much may be bad
X-Window System --- X11 (or just “X”)
o The underlying GUI service in UNIX
o X server controls screen, provides service
o Must limit who can display/access your screen

Linux and UNIX Overview 46

Conclusion
UNIX/Linux
Popular OSs
More than 30 years old
Fundamental part of Internet
Widely used OSs
Platform of choice for many attackers

Linux and UNIX Overview 47

Summary