Contents:
Dangerous Accounts
Monitoring File Format
Restricting Logins
Managing Dormant Accounts
Protecting the root Account
The UNIX Encrypted Password System
One-Time Passwords
Administrative Techniques for Conventional Passwords
An ounce of prevention . . .
The worst time to think about how to protect your computer and its data from intruders is after a break-in. At that point, the damage has already been done, and determining where and to what extent your system has been hurt can be difficult.
Did the intruder modify any system programs? Did the intruder create any new accounts, or change the passwords of any of your users? If you haven't prepared in advance, you could have no way of knowing the answers.
This chapter describes the ways in which an attacker can gain entry to your system through accounts that are already in place, and the ways in which you can make these accounts more difficult to attack.
Every account on your computer is a door to the outside, a portal through which both authorized and unauthorized users can enter. Some of the portals are well defended, while others may not be. The system administrator should search for weak points and seal them up.
Like the lock or guard on the front door of a building, the password on each one of your computer's accounts is your system's first line of defense. An account without a password is a door without a lock. Anybody who finds that door - anybody who knows the name of the account - can enter.
Many so-called "computer crackers" succeed only because they are good at finding accounts without passwords or accounts that have passwords that are easy to guess.
On SVR4 versions of UNIX , you can scan for accounts without passwords by using the logins command:
# logins -p
You can also scan for accounts without passwords by using the command:
% cat-passwd | awk -F: 'length($2)<1 {print $1}' george dan %
In this example, george and dan don't have passwords. Take a look at their entries in the /etc/passwd file:
% egrep 'dan|george' /etc/passwd george::132:10:George Bush:/usr/wash/george:/bin/csh dan::132:10:Dan Quayle:/u/backyard/dan:/bin/csh %
These two users have probably long forgotten about their accounts on this system. Their accounts should be disabled.
NOTE: The /etc/passwd file may not be the correct file to check for missing passwords on systems that have shadow password files (described later in this chapter) installed. Different shadow password schemes store the actual encrypted passwords in different locations. On some systems, the file to check may be /etc/shadow or /etc/secure/passwd . On some AT&T System V systems, passwords are stored on a user-by-user basis in individual files located underneath the /tcb directory. Check your own system's documentation for details. Also, systems using NIS, NIS+ or DCE may get the passwords from a server; see Chapter 19, RPC, NIS, NIS+, and Kerberos , for details.
Many computer systems are delivered to end users with one or more default accounts. These accounts usually have standard passwords.
For example, many UNIX computers come with a root account that has no password. Vendors tell users to assign passwords to these accounts, but, too often, users do not. ( UNIX is not alone with this problem; other operating systems come delivered with standard accounts like SYSTEM with the password set to MANAGER .)
One way around this problem that has been taken by several UNIX vendors is to have the operating system demand passwords for special accounts such as root when it is first installed. We hope that all vendors will adopt this approach in the future.
Make a list of all of the accounts that came with your computer system. (These accounts are normally at the beginning of the /etc/passwd file and have names like bin , lib , uucp , and news .) Either disable these accounts (as described later in this chapter) or change their passwords.
Some application programs automatically install accounts in the /etc/passwd file with names like demo (used to demonstrate the software). Be sure to delete or disable these accounts after the software is installed. Likewise, computers that are taken to trade shows sometimes have demo accounts created to make demonstrations easier to run. Remember to remove these accounts when the computer is returned. (Even better: erase the hard disk and reinstall the operating system. You never know what a computer might bring back from a trade show.)
Table 8.1 is a list of accounts that are commonly attacked. If you have any of these accounts, make sure that they are protected with strong passwords or that they are set up so they can do no damage if penetrated (see the sections below entitled "Accounts That Run a Single Command" and "Open Accounts").
open |
help |
games |
guest |
demo |
maint |
|
finger |
uucp |
bin |
toor |
system |
who |
ingres |
lp |
nuucp |
visitor |
|
manager |
telnet |
UNIX allows the system administrator to create accounts that simply run a single command or application program (rather than a shell) when a user logs into them. Often these accounts do not have passwords. Examples of such accounts include date , uptime , sync , and finger as shown below:
date::60000:100:Run the date program:/tmp:/sbin/date uptime::60001:100:Run the uptime program:/tmp:/usr/ucb/uptime finger::60002:100:Run the finger program:/tmp:/usr/ucb/finger sync::60003:100:Run the sync program:/tmp:/sbin/sync
If you have these accounts installed on your computer, someone can use them to find out the time or to determine who's logged into your computer simply by typing the name of the command at the login: prompt. For example:
login: uptime Last login: Tue Jul 31 07:43:10 on ttya Whammix V 17.1 ready to go! 9:44am up 7 days, 13:09, 4 users, load average: 0.92, 1.34, 1.51 login:
If you decide to set up an account of this type, you should be sure that the command it runs takes no keyboard input and can in no way be coerced into giving the user an interactive process. Specifically, these programs should not have shell escapes . Letting a user run the Berkeley mail program without logging in is dangerous, because the mail program allows the user to run any command by preceding a line of the mail message with a tilde and an exclamation mark.
% mail Sarah Subject: test message ~!date Wed Aug 1 09:56:42 EDT 1990
Allowing programs like who and finger to be run by someone who hasn't logged in is also a security risk, because these commands let people learn the names of accounts on your computer. Such information can be used as the basis for further attacks against your computer system.
NOTE: If you must have accounts that run a single command, do not have those accounts run with the UID of 0 ( root ) or of any other privileged user (such as bin , system , daemon , etc.)
Many computer centers provide accounts on which visitors can play games while they are waiting for an appointment, or allow visitors to use a modem or network connection to contact their own computer systems. Typically these accounts have names like open , guest , or play . They usually do not require passwords.
Because the names and passwords of open accounts are often widely known and easily guessed, they are security breaches waiting to happen. An intruder can use an open account to gain initial access to your machine, and then use that access to probe for greater security lapses on the inside. At the very least, an intruder who is breaking into other sites might direct calls through the guest account on your machine, making their calls difficult or even impossible to trace.
Providing open accounts in your system is a very bad idea. If you must have them, for whatever reason, generate a new, random password daily for your visitors to use. Don't allow the password to be sent via electronic mail or given to anyone who doesn't need it for that day.
The System V UNIX shell can be invoked to operate in a restricted mode that can be used to minimize the dangers of an open account. This mode occurs when the shell is invoked with a -r command-line option, or with the command named rsh (restricted shell)[1] - usually as a link to the standard shell. When rsh starts up, it executes the commands in the file $HOME/.profile . Once the .profile is processed, the following restrictions go into effect:
[1] Not to be confused with rsh , the network remote-shell command. This conflict is unfortunate.
The user can't change the current directory.
The user can't change the value of the PATH environment variable.
The user can't use command names containing slashes.
The user can't redirect output with > or >>.
As an added security measure, if the user tries to interrupt rsh while it is processing the $HOME/.profile file, rsh immediately exits.
The net effect of these restrictions is to prevent the user from running any command that is not in a directory contained in the PATH environment variable, to prevent the user from changing his or her PATH , and to prevent the user from changing the .profile of the restricted account that sets the PATH variable in the first place.
You can further modify the .profile file to prevent the restricted account from being used over the network. You do this by having the shell script use the tty command to make sure that the user is attached to a physical terminal and not a network port.
Be aware that rsh is not a panacea. If the user is able to run another shell, such as sh or csh , the user will have the same access to your computer that he or she would have if the account was not restricted at all. Likewise, if the user can run a program that supports shell escapes, such as mail , the account is unrestricted (see below).
Under Berkeley-derived UNIX , you can create a restricted shell by creating a hard link to the sh program and giving it the name rsh . When sh starts up, it looks at the program name under which it was invoked to determine what behavior it should have:
% ln /bin/sh /usr/etc/rsh
This restricted shell functions in the same manner as the System V rsh described above.
Note that a hard link will fail if the destination is on a different partition. If you need to put rsh and sh on different partition, try a symbolic link, which works on most systems. If it does not, or if your system does not support symbolic links, then consider copying the shell to the destination partition, rather than linking it.
You should be careful not to place this restricted shell in any of the standard system program directories, so that people don't accidentally execute it when they are trying to run the rsh remote shell program.
The Korn shell ( ksh ) can be configured to operate in a restricted mode as well, and be named rksh or krsh so as not to conflict with the network remote shell rsh . If ksh is invoked with the -r command-line option, or is started as rsh , it also executes in restricted mode. When in restricted mode, the Korn shell behaves as the System V restricted shell, except that additionally the user cannot modify the ENV or SHELL variables, nor can the user change the primary group using the newgrp command.
The ( bsh) shell from the Free Software Foundation does not have a restricted mode.
To set up a restricted account that uses rsh , you must:
Create a special directory containing only the programs that the restricted shell can run.
Create a special user account that has the restricted shell as its login shell.
NOTE: The setup we show in the following example is not entirely safe, as we explain later in this chapter.
For example, to set up a restricted shell that lets guests play rogue and hack , and use the talk program, first create a user called player that has /bin/rsh as its shell and /usr/rsh/home as its home directory:
player::100:100:The Games Guest user:/usr/rshhome:/bin/rsh
Next, create a directory for only the programs you want the guest to use, and fill the directory with the appropriate links:
# mkdir /usr/rshhome /usr/rshhome/bin # ln /usr/games/hack /usr/rshhome/bin/hack # ln /usr/games/rogue /usr/rshhome/bin/rogue # ln /usr/bin/talk /usr/rshhome/bin/talk # chmod 555 /usr/rshhome/bin # chmod 555 /usr/rshhome
Finally, create a .profile for the player user that sets the PATH environment variable and prints some instructions:
# cat > /usr/rshhome/.profile /bin/echo This guest account is only for the use of authorized guests. /bin/echo You can run the following programs: /bin/echo rogue A role playing game /bin/echo hack A better role playing game /bin/echo talk A program to talk with other people. /bin/echo /bin/echo Type "logout" to log out. PATH=/usr/rshhome/bin SHELL=/bin/rsh export PATH SHELL ^D # chmod 444 /usr/rshhome/.profile # chown player /usr/rshhome/.profile # chmod 500 /usr/rshhome
Be especially careful when you use rsh , because many UNIX commands allow shell escapes, or means of executing arbitrary commands or subshells from within themselves. Many programs that have shell escapes do not document this feature; several popular games fall into this category. If a program that can be run by a "restricted" account has the ability to run subprograms, then the account may not be restricted at all. For example, if the restricted account can use man to read reference pages, then a person using the restricted account can use man to start up an editor, then spawn a shell, and then run programs on the system.
For instance, in our above example, all of the commands linked into the restricted bin will spawn a subshell when presented with the appropriate input. Thus, although the account appears to be restricted, it will actually only slow down users who don't know about shell escapes.
Another way to restrict some users on your system is to put them into a restricted filesystem. You can construct an environment where they have limited access to commands and files, but can still have access to a regular shell (or a restricted shell if you prefer). The way to do this is with the chroot () system call. chroot () changes a process's view of the filesystem such that the apparent root directory is not the real filesystem root directory, but one of its descendents.
SVR4 has a feature to do this change automatically. If the shell field (field 7) for a user in the /etc/passwd file is a "*" symbol, then the login program will make a chroot () call on the home directory field (field 6) listed in the entry. It will then reexecute the login program - only this time, it will be the login program in the reduced filesystem, and will be using the new passwd file found there (one that has a real shell listed, we would expect). If you do not have this feature in your version of UNIX , you can easily write a small program to do so (it will need to be SUID root for the chroot () call to function), and place the program's pathname in the shell field instead of one of the shells.
The restricted filesystem so named must have all the necessary files and commands for the login program to run and to execute programs (including shared libraries). Thus, the reduced filesystem needs to have an /etc directory, a /lib and /usr/lib directory, and a /bin directory. However, these directories do not need to contain all of the files and programs in the standard directories. Instead, you can copy or link only those files necessary for the user.[2] Remember to avoid symbolic links reaching out of the restricted area, because the associated directories will not be visible. Using loopback mounts of the filesystem in read-only mode is one good way to populate these limited filesystems as it also protects the files from modification. Figure 1.1 shows how the restricted filesystem is part of the regular filesystem.
[2] This may take some experimentation on your part to get the correct setup of files.
There are at least two good uses for such an environment.
You may have occasion to give access to some users for a set of limited tasks. For instance, you may have an online company directory and an order-tracking front end to a customer database, and you might like to make these available to your customer service personnel. There is no need to make all of your files and commands accessible to these users. Instead, you can set up a minimal account structure so that they can log in, use standard programs that you provide, and have the necessary access. At the same time, you have put another layer of protection between your general system and the outside: if intruders manage to break the password of one of these users and enter the accounts, they will not have access to the real /etc/passwd (to download and crack), nor will they have access to network commands to copy files in or out, nor will they be able to compile new programs to do the same.
Another use of a restricted environment is to test new software of perhaps questionable origin. In this case, you configure an environment for testing, and enter it with either the chroot () system command or with a program that executes chroot () on your behalf. Then, when you test the software you have obtained, or unpack an archive, or perform any other possibly risky operation, the only files you will affect are the ones you put in the restricted environment - not everything in the whole filesystem!
NOTE: Be very, very careful about creating any SUID programs that make a chroot () call. If any user can write to the directory to which the program chroot's , or if the user can specify the directory to which the chroot () occurs, the user could become a superuser on your system. To do this, he need only change the password file in the restricted environment to give himself the ability to su to root , change to the restricted environment, create a SUID root shell, and then log back in as the regular user to execute the SUID shell.
A group account is an account that is used by more than one person. Group accounts are often created to allow a group of people to work on the same project without requiring that an account be built for each person. Other times, group accounts are created when several different people have to use the same computer for a short period of time. In many introductory computer courses, for example, there is a group account created for the course; different students store their files in different subdirectories or on floppy disks.
Group accounts are always a bad idea, because they eliminate accountability. If you discover that an account shared by 50 people has been used to break into computers across the United States, tracking down the individual responsible will be nearly impossible. Furthermore, a person is far more likely to disclose the password for a group account than he is to release the password for an account to which he alone has access. An account that is officially used by 50 people may in fact be used by 150; you have no way of knowing.
Instead of creating group accounts, create an account for each person in the group. If the individuals are all working on the same project, create a new UNIX group in the file /etc/group , and make every user who is affiliated with the project part of the group. This method has the added advantage of allowing each user to have his own start-up and dot files.
For example, to create a group called spistol with the users sid , john , and nancy in it, you might create the following entry in /etc/group :
spistol:*:201:sid,john,nancy
Then be sure that Sid, John, and Nancy understand how to set permissions and use necessary commands to work with the group account. In particular, they should set their umask to 002 or 007 while working on the group project.
NOTE: Some versions of UNIX limit the number of characters that can be specified in a single line. If you discover that you cannot place more than a certain number of users in a particular group, the above restriction might be the cause of your problem. In such a case, you may wish to place each user in the group by specifying the group in the user's /etc/passwd entry. Or, you may wish to move to a network configuration-management system, such as NIS + or DCE , which is less likely to have such limitations.