TechProGuild held an online chat on October 10, 2000 in which Jim McIntyre discussed Linux file system security. Here's the edited transcript from that chat.
Note: TechProGuild edits Guild Meeting transcripts for clarity.
MODERATOR: Welcome ladies and gents to tonight’s guild meeting!
MODERATOR: Tonight we have the pleasure of joining Mr. Jim McIntyre, who will speak to us about one of my favorite topics—Linux!
JCMCINTYRE: Hi folks. Linux security. I can't think of a broader topic. I'm really looking forward to tonight's meeting.
MODERATOR: Don't forget, this month we are giving away a TR GPS system! Each guild meeting, a winner will be chosen and, at the end of the month, a winner will be pulled from all the winners of the month!
MODERATOR: Confused yet? ;-)
The process begins
JCMCINTYRE: I guess I should start by stating how I view system security. I think the only way to look at system security is to treat it as an ongoing process.
JCMCINTYRE: Security means a lot more than simply installing tripwire tcp-wrappers, etc. and letting them do all the work. Opinions? Questions?
FRANK: Good evening, Jim. Where would one start to build security?
JCMCINTYRE: The first place to start is with user permissions. Simply stated, make sure your users have the least amount of system-access that will allow them to get their work done.
FRANK: Mind you, I'm currently perusing the user administration article you authored.
FRANK: Okay so we create a user using useradd <user> then what?
JCMCINTYRE: I always look at security from the inside out. Most security problems are a result of administrative error, or a user being able to do something he/she should not be capable of doing.
FRANK: Granted that I am a system admin for NT and Novell, how does the security model work?
FRANK: In Linux?
JCMCINTYRE: Linux permissions are not as wide-ranging as you get with NDS. The three basic permissions revolve around read, write, and execute permissions.
FRANK: In octal fashion, am I correct to assume this?
JCMCINTYRE: From there, you look at group access. Then consider adding attributes like the immutable attribute. This prevents the file from being deleted.
JCMCINTYRE: I prefer Octal, but you may also use the rwx format. To give a file owner read, write and execute perms, and give the group and everyone else read permission, use the command: chmod 755 <filename>
FRANK: JCM - just a moment. How does one make a new group and then assign a user to that group, then onto permissions?
JCMCINTYRE: Sorry, I also added execute permission there.
JCMCINTYRE: The first step is to create the group > To create a group called finance, use the command groupadd finance. Then to add the user Frank to the group, use the finance the command useradd Frank -G finance
FRANK: Can Frank be a member of several groups, and what is the relation of UID and GID?
JCMCINTYRE: Another way is to directly edit the /etc/passwd file, and add the names of any additional groups the user needs to be a member of.
FRANK: To the system / user/ group?
HREGAN011: I recently started Solaris/UNIX training about 8 months ago and am about to set up Linux on a server, how different are the 2??
JCMCINTYRE: When a user is created, a default group with the user's name is also created. Yes, a user can be a member of several groups. Edit the /etc/passwd file.
JCMCINTYRE: Linux and Solaris are both UNIX-like. Actually Solaris is Sun's version of UNIX. I would say the biggest difference is that Solaris has better scalability.
Part of the collective
JCMCINTYRE: Let's not start a flame war. That's just one opinion.
JCMCINTYRE: That was a good question about groups. It would be great if we could create group objects in Linux as easily as with NDS.
FRANK: True. How true.
JCMCINTYRE: I'm trying to study Linux workgroups now. It's amazing how little info is out there on the subject.
HREGAN011: But user management and security are pretty much the same? Same file names, etc.? I have been a *gulp* MCSE for years and am finding that I love Solaris. I also have netmax running but am afraid to go live with it. Just don’t know much about it yet.
FRANK: How do you recommend building system security at the file and directory level, and are rights assigned at apparent true and inheritable to a child?
JCMCINTYRE: The whole point of networking is collaboration.
FRANK: System integration is business today. All systems must work together.
JCMCINTYRE: I don't think of it as strict inheritance, but usually subdirectories will have the same rights as the parent.
HREGAN011: Speaking of which, is samba a supported integration technique?
FRANK: Now can those inherited rights be removed by assigning different permissions at a child level?
JCMCINTYRE: Samba is supported pretty much the same way as Linux is. Web sites like techrepublic, mailing-lists, newsgroups, etc.
FRANK: To the same user/group?
HREGAN011: Sorry, I mean is it a widely used solution for companies? Or just something you would have running for small companies/workgroups?
JCMCINTYRE: Yes, if you remove rights at the subdirectory, the parent is unaffected. The subdirs below the point where rights are changed are also unaffected.
FRANK: Big and small companies can take advantage of samba for example and mpe system might need information from an hp-ux box or a Linux server—this is one way for them all to talk the same talk so to speak.
HREGAN011: Thanks Frank.
JCMCINTYRE: With Samba, you're usually dealing with Linux—> NT connectivity, or NT—> Linux.
The path best traveled
FRANK: Do you have a specific filesystem path that you recommend to start building users and groups in to help preserve system security and integrity?
HREGAN011: Does it add security into the file system at all or is that still handled by the OS itself?
JCMCINTYRE: To get multiple *nix boxes to communicate, you would probably want to use NFS, or another shared filesystem.
FRANK: Sorry I forgot that most people use samba to connect to NT networks.
JCMCINTYRE: I normally remove /sbin, and /usr/sbin from the path. This takes away the ability to use system commands. I also make sure su is removed, and use sudo (sue-dew) to provide limited root access to these commands when required. Sudo is beautiful. I think it is a must for any *nix system.
HREGAN011: Yeah I understand, each OS connected to like systems but integration of Linux/Solaris/and NT drives me nuts.
JCMCINTYRE: I haven't had to connect the three yet.
FRANK: And that there are other ways to connect non-like systems.
HREGAN011: Any suggestions Frank?
JCMCINTYRE: Back to filesystems. The goal here is to prevent regular users from getting access to areas where the system may be compromised or damaged, and to prevent outside from getting root access. Root access is what cracking is all about.
FRANK: Send e-mail to email@example.com and we will go on about samba.
JCMCINTYRE: Have you folks disabled telnet on your systems, in favor of ssh?
FRANK: Why disable telnet and what is ssh?
HREGAN011: If you add the console=/dev/console line to the /etc/default/login doesn't that block all root attempts?
JCMCINTYRE: It's a good idea. Telnet, and the 'r' command, rlogin, rsh, etc, send passwords in plain text. It is very easy for a packet sniffer to steal passwords when these programs are used.
HREGAN011: I noticed before that snoop shows you letter for letter what’s being entered. Pretty scary.
HREGAN011: Thanks frank.
FRANK: So what is ssh?
FRANK: Thanks hregan.
HREGAN011: Secure shell for logging in and copying.
RZAM: Did we lose our main speaker?
FRANK: I think we might have?
MODERATOR: Then I'll jump in here.
HREGAN011: Appears that way.
MODERATOR: We all know how ISPs can be. I happen to use secure shell all the time.
FRANK: He’s back...!!!!
MODERATOR: Yay Jim!
HREGAN011: WB Jim.
MODERATOR: And just in time for the 10 minute warning! ;-)
JCMCINTYRE: Sorry about that. My system froze up when I ran a cat command. First time I needed to reboot for something like that.
MODERATOR: I believe we were speaking about ssh.
JCMCINTYRE: Very Windows-like behavior :)
FRANK: Secure shell Jim?
HREGAN011: http://www.ssh.org/ a site on ssh, if you missed it.
MODERATOR: Cat crashed your system? I've heard cat got your tongue but????
JCMCINTYRE: Yes. ssh allows remote connections, but the password is encrypted.
FRANK: Encrypted at what level? 128 bit, less or more?
JCMCINTYRE: I will assume 128-bit. Probably MD5. Don't quote me. It may also be the UNIX standard crypt(3).
RZAM: I am not a pro sysadmin, so I am curious how one goes about staying on top of security issues?
JCMCINTYRE: Study, read, and make sure you know where the good security sites are.
HREGAN011: ssh1 is not but ssh2 is.
JCMCINTYRE: www.bugtrq.com. www.cert.org . www.sans.org, and of course, www.techrepublic.com
FRANK: Details details details ... user lists, group memberships, documentation, resource guides and publications.
JCMCINTYRE: Those are just a few. There are thousands, but these sites act as clearinghouses for security issues. Cert has a very good newsletter.
JCMCINTYRE: In addition, you need to learn as much as you can about TCP/IP.
MODERATOR :4 minutes everyone! Let's hit Jim with those last questions before I announce tonight's winner!
RZAM: But how do you schedule that in? I mean, do you check security on a daily or perhaps weekly basis?
FRANK: Secure shell—is that a security fix-all or just a good start?
JCMCINTYRE: Subscribe to the mailing lists, and make sure you set time aside to surf the bulletins.
JCMCINTYRE: One hour per week can make a big difference.
HREGAN011: Sorry I thought you meant on the system in general.
JCMCINTYRE: Also, there is no way to study security without learning the filesystem along the way.
FRANK: You mean tcp/ip and open ports and sockets and their weaknesses?
MODERATOR: Tonight's WINNER is (#include <drum_roll.h>)..........
JCMCINTYRE: For logging syslogs, and swatch are the main tools, those and logrotate. This is another area where too many admins just don't put in enough time.
HREGAN011: /etc/services contains all well known port #'s
MODERATOR: Frank! Congrats Frank. Please send your contact info to firstname.lastname@example.org. Please make sure to include your real name, username, e-mail, and mailing address.
JCMCINTYRE: If your logging is configured correctly, almost any break-in attempt will be recorded.
A final prognostication
MODERATOR: Well ladies and gents we are down to our last few seconds. Does anyone have a question that is burning a hole in their temporal lobe?
FRANK: Thanks – moderator.
MODERATOR: You're welcome, Frank.
JCMCINTYRE: Well done, Frank.
HREGAN011: Good job!
JCMCINTYRE: Sounds like we've only begun to talk about this issue. Let's do it again in the future.
FRANK: Thanks Jim, love your articles keep up the great work.
MODERATOR: If there are no other questions I'll say, as I always do, if you have any questions about Linux send 'em my way (email@example.com) and I'll make sure they get answered.
FRANK: Let’s do.
HREGAN011: What’s the next meeting?
JCMCINTYRE: Thank you.
MODERATOR: I'm speaking tomorrow at 2pm (EST) on connecting your pilot to Linux. Please attend if you can. ;-)
HREGAN011: Great, I just got one!
FRANK: I wish I had one .. lol.
MODERATOR: Take care all! I hope you've enjoyed. We'll be seein' ya soon. Goodnight and grease for peace!
RZAM: Thanks Jim, thanks everyone. Later.
JCMCINTYRE: Handhelds will replace the PC. And much sooner than later.