NOTE TO THE READER

When I wrote this book 22 years ago, troff and TeX were the two languages of choice for marking up manuscripts. TeX was never my cup of tea, and so I chose to use troff with the –ms macro package, along with eqn, tbl, and pic to produce the manuscript for this book. The production folks at Addison-Wesley chose to convert my –ms macros to an in-house macro package based on the –mm macros; unfortunately, although I do have a copy of the converted files, present-day versions of troff don’t seem to care much for them. Nothing’s ever easy.

This document is the result of importing my original troff manuscript files into Microsoft® Word, and then applying appropriate paragraph styles and fonts to make the text look reasonably similar to the original book (and also make it look similar to the electronic versions of my other two books, Using C on the UNIX System and UNIX Systems Programming for SVR4). The pic figures were redrawn in Microsoft® PowerPoint and then imported as images into the text. With regard to content, the manuscript is unchanged from what appeared in print (although the page numbers are different). The index has been omitted; use the search function.

Please note that I have not made any attempt to update the text to match current UNIX (or Linux) systems. While most of the material is still accurate, you should expect to encounter some (usually minor) differences in file locations, command options, and so forth. Some of the commands described in the book are no longer in widespread use, but their modern-day replacements are not described because they hadn’t been invented yet. Most, if not all, of the programs in Chapter 11, Security Software, are probably obsolete, and the distribution sites listed in the chapter no longer exist. Likewise, many of the mailing lists described in Chapter 12, Obtaining Security Information, are now defunct. But, Google may help you find them, or check the CERIAS archives at http://ftp.cerias.purdue.edu.
This document is for your personal, non-commercial use only. You may also use it as a bibliographic reference in any works that you are writing. Any commercial use of this document, including printing and distribution to groups of people (such as a classroom) is prohibited without my prior written permission.

When this book was written, the Internet still comprised less than a million hosts. The 1988 Morris worm was the biggest security issue we’d seen to date, and it was pretty mild by today’s standards. Internet firewalls had only just been invented, and the only ones that existed were built by hand; there were no commercial ones yet. Nonetheless, there were a few folks working on practical approaches to UNIX security, and the information in this book reflects the state of the art at that time. I hope you find it useful.

David A. Curry
August 2014

FOR PERSONAL, NON-COMMERCIAL USE ONLY

Addison-Wesley Professional Computing Series
Brian W. Kernighan, Consulting Editor

Ken Arnold/John Peyton, A C User’s Guide to ANSI C
Tom Cargill, C++ Programming Style
David Curry, UNIX System Security: A Guide for Users and System Administrators
Scott Meyers, Effective C++: 50 Specific Ways to Improve Your Programs and Designs
Radia Perlman, Interconnections: Bridges and Routers
W. Richard Stevens, Advanced Programming in the UNIX Environment

UNIX® System Security
A Guide for Users and System Administrators

David A. Curry

ADDISON-WESLEY PUBLISHING COMPANY, INC.
Reading, Massachusetts; Menlo Park, California; New York; Don Mills, Ontario; Wokingham, England; Amsterdam; Bonn; Paris; Milan; Madrid; Sydney; Singapore; Tokyo; Seoul; Taipei; Mexico City; San Juan

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book and Addison-Wesley was aware of a trademark claim, the designations have been printed in initial capital letters.

The programs and applications presented in this book have been included for their instructional value. They have been tested with care, but are not guaranteed for any particular purpose. The publisher does not offer any warranties or representations, nor does it accept any liabilities with respect to the program or applications.

UNIX is a registered trademark of UNIX System Labs, Inc. VAX, VMS, VT, and ULTRIX are trademarks of Digital Equipment Corporation. HP-UX is a trademark of the Hewlett-Packard Company. Sun Microsystems and NFS are registered trademarks of Sun Microsystems, Inc. SunOS, NIS, Sun-3, Sun-4, SPARC, and SPARCstation are trademarks of Sun Microsystems, Inc. Ethernet is a trademark of the Xerox Corporation. TranScript is a registered trademark of Adobe Systems, Inc. Yellow Pages is a registered trademark in the United Kingdom of British Telecommunications, plc. X Window System is a trademark of the Massachusetts Institute of Technology.

The publisher offers discounts on this book when ordered in quantity for special sales. For more information please contact:

Corporate & Professional Publishing Group
Addison-Wesley Publishing Company
One Jacob Way
Reading, Massachusetts 01867

Library of Congress Cataloging-in-Publication Data

Curry, David A. (David Allan), 1962–
Unix system security : a guide for users and system administrators / David A. Curry
p. cm. -- (Addison-Wesley professional computing series)
Includes bibliographical references (p.) and index.
ISBN 0-201-56327-4 (hardcover)
1. Computer security. 2. UNIX (Computer file) I. Title. II. Series
QA76.9.A25C87 1992
005.4’3--dc20
91-43652 CIP

Copyright © 1992 by Addison-Wesley Publishing Company, Inc. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America. Published simultaneously in Canada.

Internet Download Edition Copyright © 2014 David A. Curry
First Internet Download Edition: August 2014

Cover design by Joyce Weston
Text design by Webster Design
Text set in 11 point Times

ISBN 0-201-56327-4
1 2 3 4 5 6 7 8 9-MU-95949392
First printing, May 1992

TABLE OF CONTENTS

Preface
    History
    Purpose of the Book
    Organization of the Book
    Conventions
    Background
    Acknowledgements

Chapter 1 UNIX Security Stories
    1.1 The Internet Worm
    1.2 The Wily Hacker
    1.3 A True UNIX Trojan Horse
    1.4 Attacking UNIX With Viruses
    1.5 Summary

Chapter 2 Account Security
    2.1 Passwords
    2.2 Expiration Dates
    2.3 Guest Accounts
    2.4 Well-Known Accounts
    2.5 Group Accounts vs. Groups
    2.6 Protecting an Account
    2.7 Super-User
    2.8 Monitoring Account Security
    2.9 Summary

Chapter 3 File System Security
    3.1 File Permissions
    3.2 The umask Value
    3.3 The write System Call
    3.4 The Sticky Bit on Directories
    3.5 The Set-Group-Id Bit on Directories
    3.6 Set-User-Id and Set-Group-Id Shell Scripts
    3.7 Devices
    3.8 Backups
    3.9 Monitoring File System Security
    3.10 Summary

Chapter 4 Network Security
    4.1 Trusted Hosts
    4.2 The inetd Program
    4.3 The File Transfer Protocol (FTP)
    4.4 Electronic Mail
    4.5 Finger
    4.6 Forgery and Spoofing
    4.7 Network Configuration
    4.8 Sophisticated Network Attacks
    4.9 Monitoring Network Security
    4.10 Summary

Chapter 5 NIS, NFS, and RFS
    5.1 The Network Information Service (NIS)
    5.2 The Network File System (NFS)
    5.3 The Remote File Sharing Service (RFS)
    5.4 Summary

Chapter 6 Workstations
    6.1 Single-User Mode
    6.2 Super-User Access
    6.3 Network Access
    6.4 The PROM Monitor
    6.5 Screen Access
    6.6 Summary

Chapter 7 Terminals, Modems, and UUCP
    7.1 Terminals
    7.2 Dial-Up Modems
    7.3 Terminal Servers
    7.4 The UNIX-to-UNIX Copy Program (UUCP)
    7.5 Summary

Chapter 8 Responding to Attacks
    8.1 Detection
    8.2 Response
    8.3 Notification
    8.4 Summary

Chapter 9 Encryption and Authentication
    9.1 Encryption
    9.2 Authentication
    9.3 Encrypting and Authenticating Electronic Mail
    9.4 Summary

Chapter 10 Security Policies
    10.1 Establishing Policies and Why
    10.2 Access to the System
    10.3 Password Policies
    10.4 Proper Use
    10.5 System Staff Rights and Responsibilities
    10.6 Copyrights and Licenses
    10.7 Ethics
    10.8 Guidelines for the Secure Operation of the Internet
    10.9 Summary

Chapter 11 Security Software
    11.1 Obtaining Fixes and New Versions
    11.2 Publicly Available Software
    11.3 RSA Privacy-Enhanced Mail
    11.4 The National Computer Security Center
    11.5 Summary

Chapter 12 Obtaining Security Information
    12.1 Computer Security Incident Response Capabilities
    12.2 Forming a CSIRC
    12.3 Vendor Security Notification
    12.4 Mailing Lists
    12.5 USENET Newsgroups
    12.6 Suggested Reading
    12.7 Summary

Glossary
References
Appendix A A Password Cracker
Appendix B A File System Checker
Appendix C Kerberos Dialogue
Appendix D A Complete Security Policy
Appendix E UNIX Security Checklist