![[Previous Section]](b_prev.gif){kind=small}
![[Back to Table of Contents]](b_toc.gif){kind=small}
![[Next Section]](b_next.gif){kind=small}
IRIX Advanced Site and Server Administration Guide |
This chapter deals with maintaining the security of your computer system. It includes:
General security guidelines. See "Security
Guidelines".
How to set a PROM password to restrict access to the Command Monitor.
See "PROM Passwords".
How to set up a dialup password to protect the system from unauthorized
intrusion through your modem. See "Second
(Dialup) Passwords".
How to use passwords to protect user and administrative accounts from
unauthorized use. See "Protecting
the System with Accounts and Passwords".
How to manage passwords to keep them safe. See "Logins
and Passwords".
Steps to lock an account and completely deny access. See "Locking
Unused Logins".
Security issues regarding transparent network access. See "Transparent
Network Access".
Guidelines to prevent the unauthorized use of programs that allow one
user to have the effective permissions as another user (illegitimate use
of set-user-ID and set-group-ID programs). See "Set-UID
and Set-GID Permissions".
A list of files and directories that are universally available for read
and write access as shipped with the default system. You may wish to restrict
permissions on these files. See "Universally
Accessible Files and Directories".
A list of accounts shipped with IRIX that have no password set. See "Accounts Shipped Without Passwords".
A great strength of the IRIX system is the ease with which users can share files and data. However, some of the security guidelines presented in this chapter are at odds with easy system access. It is up to the site administrator to balance the needs and concerns of the user community.
IRIX was never designed to be a truly secure system, but it has several features that allow you to achieve a generally acceptable level of security without adding any new software. Standard security features of IRIX are:
classes of users - called groups - who can access information
that belongs to other members of the same group; access to information
can be granted or denied to members of the group by the user who owns the
information
permissions split into three categories: read, write, and execute
the ability to encrypt data, using the crypt(1) command
individual user accounts, protected by individual, encrypted passwords
tools for monitoring login attempts
tools for monitoring system activity, including:
finding out which processes are running, using the ps(1) command
determining who is logged on the system, using the who(1) command
maintaining logs of system activity, using process accounting commands
Computer security is the responsibility of not only the site administrator, but of everyone who has access to a computer at the site.
System users should safeguard their data by using appropriate file and directory permissions and guarding their account passwords.
Site administrators, and to some extent system users, should be aware of the following:
Anyone with physical access to a computer can simply take it or take
its disk drives(s).
The same caveat applies to backups of the system: keep backups in a
secure place. Anyone with physical access to backup tapes can gain access
to any information stored on them.
Permissions for directories and files should be set to allow only the
necessary access for owner, group, and others. This minimizes the damage
that one compromised account can cause.
All active accounts need passwords, which should be changed regularly. Do not use obvious passwords, and do not store them online in ``plain-text'' format. If you must write them down on paper, store them in a safe place.
Some sites with many workstations keep a log of each workstation's root password in a locked cabinet and limit access to the cabinet.
For information about choosing passwords, see "Choosing
Passwords".
Common-use accounts are a potential security hole. An example of a common-use account is one that is shared by all members of a department or work group. Another example is a standard ``guest'' account on all the workstations at a site. This allows all users at the site access to different workstations without requiring specific accounts on each workstation.
A pitfall of common use accounts is that you cannot tell exactly who is responsible for the actions of the account on any given workstation. Another risk is that anyone trying to break into workstations at your site will try obvious account names such as guest.
Common-use accounts can be helpful, but be aware that they can pose
serious security problems. Needless to say, common-use accounts that do
not have passwords are especially risky.
Accounts that are no longer used should be either locked or backed up and removed, since unused accounts can be compromised as easily as current accounts.
Also, you should change critical passwords, including dial-up passwords,
whenever anyone leaves the organization. Former employees should not have
access to workstations at the site.
Systems with dial-up ports should have special dial-up accounts and passwords. This is very important for sites that have common-use accounts, as discussed above.
However, even with this added precaution, you should not store sensitive
data on workstations that have dial-up access.
If your site allows access to the Internet network (for example, using ftp(1C)), you should take precautions to isolate access to a specific gateway workstation.
Access from this gateway should be controlled, for example by disallowing
ftp connections between the gateway and other workstations within
the company.
Discourage use of the su(1) command unless absolutely necessary. The su command allows a user to change his or her user ID to that of another user. It is sometimes legitimately necessary to use su to access information owned by another user, but this presents an obvious temptation: the person using su to switch user IDs now knows another person's password and has full access to his or her account.
The file /var/adm/sulog contains a log of all successful and
unsuccessful attempts to use the su command.
Make sure that each user's home account, and especially the shell-startup
files (.profile, or .login and .cshrc) are writable
only by that user. This ensures that ``trojan horse'' programs are not
inserted in a user's login files. (A trojan horse program is a file that
appears to be a normal file, but in fact causes damage when invoked by
a legitimate user.)
Be sure that system directories such as /bin, /usr/bin,
and /etc and the files in them are not writable except by the owner.
This also prevents trojan horse attacks.
Sensitive data files should be encrypted. The crypt(1) command,
together with the encryption capabilities of the editors (ed and
vi), provides protection for sensitive information.
If you must leave your console, workstation, or terminal unattended,
log off the system. This is especially important if you are logged in as
root.
Use only that software that is provided by reputable manufacturers. Be wary of programs that are distributed ``publicly,'' especially already-compiled binaries. Programs that are available on public bulletin board systems (as opposed to BBSs run and sponsored by vendors) and on public computer networks could contain malicious ``virus'' and ``worm'' routines that can violate system security and cause data loss.
Public-domain source code is safer than already-compiled programs, but
only if you examine the code thoroughly before compiling it. Be suspicious
of programs that must be installed set-UID root in order to run.
Safeguard and regularly check your network hardware. One possible way to break into computer systems is to eavesdrop on network traffic using physical taps on the network cable. Taps can be physical connections (such as a vampire tap) or inductive taps.
Run networking cable through secure areas and make sure it is easy to examine regularly. Create and maintain a hardcopy map of the network to make it easier to spot unauthorized taps. Another way to make this sort of attack more difficult is to use fiber-optic (FDDI) network hardware, which will not operate correctly if there is any break in the cable.
System security under IRIX is primarily dependent on system login accounts and passwords. Proper administration, user education, and use of the facilities provided will yield adequate security for most sites. Most security breaches are the result of human error and improper use of the provided security features. No extra measures will yield more security if the basic features are not being used. This discussion of logins and passwords covers the following:
System login options, such as the maximum allowable number of unsuccessful
login attempts, whether to record successful logins, and whether to force
users who do not have passwords to choose them immediately. See "System
Login Options".
Setting the PROM password on your machine. See "PROM
Passwords".
How to assign a system password (called a dialup password). See "Second
(Dialup) Passwords" and "Accounts
and Passwords".
How to move your password file to a ``shadow'' password file to increase
security. See "Creating
a Shadow Password File".
How to set up password aging. See "Password
Aging".
How to lock unused login accounts. See "Locking
Unused Logins".
Information about administrative and special accounts. See "Special
Accounts".
How to protect the system with accounts and passwords. See "Protecting
the System with Accounts and Passwords".
How to choose good passwords. See "Choosing
Passwords".
How to run pwck(1M) to find discrepancies in the password file. See "Using pwck(1M) to Check the Password File".
Managing passwords is also described in Chapter 3, "User Services."
For security, you can set the following login options:
the number of times an attempt to log in can fail before a delay is
introduced in the login process
if the login sequence is delayed, how long before the login process
is resumed
whether to maintain a log of logins and what information to store: all
logins or only those that were unsuccessful
whether to force a user who does not have a password to choose one immediately
upon logging in
whether or not to display, when a user logs in, the date and time that user last logged in
Login options are set in the file /etc/config/login.options, which is a normal text file. The file contains one option specification per line. The options are described in the rest of this section.
These options are important because the login procedure is your system's main defense against unauthorized access. For example, you can determine whether someone is trying to break into your system from a pattern of failed login attempts recorded in /var/adm/SYSLOG (when logging is enabled).
Note that the best way to keep a system secure is to slow down attempts to guess passwords and account names. The login options described in this section add delays to unsuccessful login attempts, which drastically slows down the process of randomly guessing passwords.
See also the login(1) and login(4) reference pages.
Setting this parameter slows attempts by unauthorized persons to break into a system. A common method of breaking into a system is to try to guess the password of a known account. This method is most successful if the person trying to break in knows the names of as many accounts as possible, and can make guesses very quickly. If you introduce a delay in the login process after a certain number of failed login attempts on the same tty line, you can make it much more time-consuming to guess a correct password.
To set the maximum number of login attempts, edit the file /etc/config/login.options. Place a line similar to this in the file:
maxtries=3
This sets the maximum number of login attempts to three. The system default, without this option set, is five.
When the maximum number of login attempts is exceeded, the login program sleeps for a certain number of seconds, thus preventing further login attempts on that line for a while. The system default is twenty seconds.
Use this option along with the maxtries option. To set the number of seconds after a certain number of unsuccessful login attempts that a line is disabled, edit the file /etc/config/login.options and add a line similar to this:
disabletime=30
This disables a line for thirty seconds. You can choose any value you consider appropriate for your system. The system default is twenty seconds.
You can log both successful and unsuccessful login attempts in the file /var/adm/SYSLOG. To log all attempts to log in, place this line in the file /etc/config/login.options:
syslog=all
To log only unsuccessful attempts, place this line in the login.options file:
syslog=fail
A large number of failed logins, especially with the same account name, may indicate that someone is trying to break into the system.
Note that the visual login process pandora(1) does not provide these security options. To use the login security functions, you must turn off pandora and use the standard login processes, getty(1) and login(1). Use chkconfig to turn off the visuallogin and xdm configuration variables. See "Altering the System Configuration" and the visuallogin(4) reference page for information about turning the visual login process on and off. You may also use chkconfig to set the noiconlogin variable to disallow logging in using the user icons in pandora.
To force users who do not have passwords for their accounts to choose their passwords immediately, add this line to the file /etc/config/login.options:
passwdreq
Users can help maintain system security by noticing unauthorized use of their accounts. To help them, you can configure login to display the date and time when they last logged in successfully.
To do this, edit the file /etc/config/login.options, and add this line:
lastlog
This displays the most recent login date, time, and the name of the terminal line (tty name) or remote host from which the user logged in. This login attempt information is recorded in files, one per user account and with the same name as the account, in the directory /var/adm/lastlog.
Your system may have a facility that allows you to require a password from users who attempt to gain access to the Command (PROM) Monitor. This allows you to exercise greater control over who may perform system administration tasks and affords you some protection against severe ``denial of service'' attacks from malicious intruders. These attacks are designed not to steal your information, but to make your system useless to you.
Traditionally, if an intruder gains access to your system hardware, there is little you can do to maintain system security. In the simplest case, the intruder switches off the system, then turns it on again, and instructs the system from the console to boot a program other than your usual operating system. Alternately, the intruder could simply remove the hard disk from your machine and install it on another machine and read your files. While there is nothing you can do with system software to prevent physical theft of the hardware, you can limit the ability of intruders to boot their programs or to otherwise damage your system at its lowest levels with a PROM password.
To determine if your system supports PROM passwords, use the nvram(1M) command. Issue the command with no arguments and observe the output. The output shows the current settings of all non-volatile memory variables. If the variable passwd_key is present, your system supports PROM passwording. Alternately, you can select option 5 from the System Maintenance Menu to enter the Command Monitor. You see the Command Monitor prompt:
Command Monitor. Type "exit" to return to the menu. >>
Enter the command:
help
The system prints a list of available commands for the Command Monitor. If the passwd command is among those listed, your system supports the PROM password. If it is not listed, your system hardware does not support passwording. If you would like to upgrade your system to support passwording, please contact your sales representative.
To set the PROM password using the nvram(1M) command, perform the following steps:
Log in as root.
Give the following command:
nvram passwd_key "new_password"
In this example, only the term new_password should be replaced; the quotation marks must be used to contain the password text. Your PROM password is now set.
Note that if you forget your PROM password, but you still know your root password, you can reset the PROM password on some machines through the nvram command. If you cannot successfully reset the PROM password, you must remove the PROM or a jumper from your CPU board. See your Owner's Guide for information on this procedure.
If you wish to set your PROM password from within the Command Monitor, perform the following steps:
Log in as root and shut the system down.
When you see the message:
Starting up the system... To perform system maintenance instead, press <Esc>
press the <Esc> key to see the System Maintenance
Menu.
Select option 5 from the System Maintenance Menu to enter the Command Monitor. You see the Command Monitor prompt:
>>
Issue the passwd command and press <Return>:
passwd
You see the prompt:
Enter new password:
Enter the password you want for your machine and press <Return>. You see the following prompt:
Confirm new password:
Enter the password again, exactly as you typed it before. If you typed the password the same as the first time, you will see the Command Monitor prompt again.Your password is now set. Whenever you access the Command Monitor, you will be required to enter this password.
If your system requires additional protection, you can establish a system password. If you do this, users who log in on specific ports (ttys) are prompted for a system password in addition to their account passwords. This feature cannot be imposed on the system console, or any terminal where pandora or xdm is used.
System passwords are normally used only on dialup lines and are often referred to as dialup passwords. You can use them on standard lines, but this is usually not necessary.
To establish a system password, follow these steps:
Log in as root.
Edit the file /etc/dialups.
Place in the file a list of ports (ttys) that require the second password.
For example:
/dev/ttyd1 /dev/ttyd2 /dev/ttyd3
Write the file and exit the editor.
Decide on the desired password or passwords. System passwords are assigned
on a shell-by-shell basis. You can assign the same password for all the
possible shells on the system, assign different passwords for each shell,
or use some combination of approaches.
Encrypt the desired password. You must use the passwd program to perform the encryption. You cannot use the crypt(1) command for this purpose.
To encrypt the password, simply change the password of some account (for example the bin account) to the password you wish to use in /etc/d_passwd. Before you do this, note what the existing password is (or if the account is locked). You should return the account to this state when you are finished assigning a system password.
For example, to change the password of the bin account to ``2themoon'' you enter:
passwd bin
You see:
New password:
Now enter the string ''2themoon'' and then press <Return>.The string ``2themoon'' is not displayed as you type it. Next you see:
Re-enter password:
Enter the string ''2themoon'' again and then press <Return>. The string is still not displayed as you type it.
Examine the entry for the bin account in the file /etc/passwd. You should see something like this:
bin:SaXub4uaL5NP:2:2:System Tools Owner:/bin
The second field (between the first and second colons) is the encrypted
version of the password ``2themoon.''
Edit the file /etc/d_passwd. In the file, place lines of this form:
shell:password:
shell is the command interpreter (shell) you wish to have a password, and password is the encrypted password.
For example, this assigns the password ``2themoon,'' which you encrypted in the previous step, to all C shell users who log in on the ttys specified in /etc/dialups:
/bin/csh:SaXub4uaL5NP2:
You must place a colon at the end of the encrypted password, and you must enter the shell program pathname exactly as it appears in /etc/passwd.
Write the file and exit from the editor.
Make sure the files have appropriate permissions by issuing the command:
chmod 640 /etc/d_passwd /etc/dialups
Remove the password you assigned to the system account in step 4. To do this, edit the file /etc/passwd and remove the string of characters in the second field. Return this field to the same state as when you began this procedure.
Now, whenever C shell users log in on the ttys specified in /etc/dialups, they are prompted for the system password ``2themoon'' in addition to their account password.
A ``shadow'' password file is simply a copy of the standard password file, but it is not accessible by non-privileged users. In the standard configuration, the /etc/passwd file is publicly readable. Since the /etc/passwd file contains the encrypted versions of the users' passwords, anyone can make a copy and attempt decryption of the passwords for malicious purposes. By invoking a shadow password file, you prevent intruders from attempting to decrypt your passwords.
The shadow password file is called /etc/shadow. Once shadow passwords have been initialized, the password field in each /etc/passwd entry is replaced by an ``x'' character.
To initialize /etc/shadow (and thus invoke shadow passwords), run the pwconv(1M) command. Once this command has been run, shadow passwords will be in effect. All standard password tools work transparently with shadow passwords. The difference should not be noticeable to your users, except that they will not be able to see the encrypted passwords in the /etc/passwd file.
One difference in system operation is that older applications will not get the proper value of pw_passwd from the getpwent(3C) and getpwnam(3C) library calls. This primarily affects ``screen saver'' programs.
The password aging mechanism forces users to change their passwords periodically. It also prevents a user from changing a new password before a specified time interval. You can also force a user to change his or her password immediately.
Realistically, password aging forces users to adopt at least two passwords for their accounts. This is because, when password aging is enforced, most users alternate between two passwords that they find easy to remember rather than inventing brand new passwords every time their old ones expire. IRIX does not provide a utility that determines whether users are choosing between a set of passwords and that forces them to choose completely different passwords.
To set the maximum number of days that can elapse before a user must change his or her password, use the passwd(1) command.
For example, this command forces user alice to change her password every two weeks (14 days):
passwd -x 14 alice
If you set -x to 0, the user must change her password when it next expires, but thereafter password aging is not in effect for her. If you set -x to -1, password aging is turned off immediately for that user.
You can also set the minimum time that must elapse before users are allowed to change their passwords. This is useful to prevent users from changing their passwords, then changing them back to their old passwords immediately. For example:
passwd -x 14 -n 7 ralph
This forces user ralph to change his password every fourteen days and prevents him from changing it more frequently than once every seven days. Note that if you set the minimum value greater than the maximum value, the user may not ever change his or her password.
To force users to change their passwords immediately, use the -f option. For example:
passwd -f trixie
Another way to enforce password aging is to edit the /etc/passwd file and insert the appropriate information after the password fields in the desired account entries.
Password aging information is appended to the encrypted password field in the /etc/passwd file. The password aging information consists of a comma and up to four bytes (characters) in the format:
,Mmww
The meaning of these fields is as follows:
All times are specified in weeks (0 through 63) by a 64-character alphabet. The following chart shows the relationship between the numerical values and character codes. Any of the character codes can be used in the four fields of the password aging information. Table 12-1 lists the password aging codes and their meanings.
| Character | Number of Weeks |
|---|---|
| . (period) | 0 (zero) |
| / (slash) | 1 |
| 0 through 9 | 2 through 11 |
| A through Z | 12 through 37 |
| a through z | 38 through 63 |
Two special cases apply for the character codes:
If M and m are equal to zero, the user is forced to change the password
at the next login. No further password aging is then applied to that login
account.
If m is greater than M, only root is able to change the password for that login account.
The following shows the password aging information required to establish a new password every two weeks (0) and to deny changing the new password for one week (/) for user ralph:
ralph:RSOE2m.E,0/:100:1:Ralph P.Cramden:/usr/people/ralph:
After ralph's first login following the change, the system automatically adds the two-character, ``last-time-changed'' information to the password field:
ralph:RSOE2m.E,0/W9:100:1:Ralph P. Cramden:/usr/people/ralph:
In this example, ralph changed his password in week W9. To force ralph to change his password at the next login (and to cause this only once), you can add the code ,.. to the password field:
ralph:RSOE2m.E,..:100:1:Ralph P.Cramden:/usr/people/ralph:
After ralph changes his password, the system automatically removes the aging code (,..) from the password field. To prevent ralph from changing his password, use the code ,./. Edit the /etc/passwd file and add a comma, period, and slash to the password field:
ralph:RSOE2m.E,./:100:1:Ralph P. Cramden:/usr/people/ralph:
Now only root can change the password for the ralph account. If ralph tries to change the password, he sees the message ``permission denied.''
If a login is not used or needed, you should disable (lock) the login. You should not remove the account, though, because of the danger of re-using the UID in the future. User ID numbers are meant to be permanently associated with the person who used the account. If you re-use the UID number, the new user may find files that belonged to the previous owner of the ID number. These files may contain ``trojan horse'' programs that could do damage to your system. If you are extremely short on disk space, you may remove the user's home directory and files (after making a backup), but you should never remove an entry from your /etc/passwd file.
There are two ways to lock an account. The first is using the passwd command with the -l option. For example:
passwd -l norton
This command changes the password field of the entry in /etc/passwd for account norton to *LK*.
The second way to lock an account is by editing the password file directly. Change the password field to any string of characters that is not used by the password encryption program to create encrypted passwords. The passwd command with the -l option uses the string *LK*.
You can use other strings to lock accounts. For example, you can use a descriptive phrase such as ``LOCKED;'' to remind you that the account was deliberately disabled:
ralph:LOCKED;:100:1:Ralph P. Cramden:/usr/people/ralph:
The semicolon is not used in an encrypted password and causes the account to be locked. The text ``LOCKED'' is merely to remind you that the account is locked.
Another common method of disabling a password is to put an asterisk (*) in the password field. The default IRIX /etc/passwd file disables unused logins in this manner.
Special accounts are used by daemons to perform system functions, such as spooling UUCP jobs and print requests. Because key files are owned by these accounts, someone who obtained access to one of the accounts, or was able to start a daemon on your system, could not completely breech security. Ownership of the various system files is distributed among the special accounts.
Guard access to all the special accounts as you would the root account. We recommend you either assign passwords to these accounts, or lock them using one of the methods described in previous sections.
The following is a list of all the administrative and special accounts on the system and what they are used for.
There are several ways accounts and passwords protect the system:
By requiring users to log in with specific accounts, you can determine
who is responsible for specific actions on the system.
Using the IRIX system of file permissions, users can keep data reasonably
secure. Other users on the system are less likely to accidentally view
confidential material.
If all accounts have passwords, the chance of an unauthorized person accessing the system is greatly reduced. However, the possibility of unauthorized access increases if users are lax about changing their passwords regularly and choosing good passwords. The next section describes how to choose good passwords.
A system is most secure if nobody can access the system without an account and password, and if all the passwords on the system are difficult to guess and obtain. Surprisingly, many users choose passwords that are easy for potential intruders to guess, or write their passwords down on paper and leave them near their workstations and terminals.
Many site administrators use the same password for multiple administrative accounts. This is not a good practice. Do not deliberately use the same password for more than one account.
Good passwords are:
long, up to eight characters
multiple words that are combined or arranged in an unusual manner
words from multiple languages, combined in a unique way
composed of different kinds of characters, such as digits and punctuation
Bad passwords are:
short
single words that are in a dictionary
the same as the account name, or the account name spelled backward
the name of the user's department or project
the user's name or initials
the license number of the user's car, a spouse or friend's name, the user's home address, phone number, age, or some other obvious information
From time to time, you should run the pwck(1M) utility to scan
the password file. This program reads the file and checks each entry for
completeness and
notes any inconsistencies. The password checks include validation of the following items:
the number of fields in each entry
the login name
the user ID number
the group ID number
the login directory
the executed program
The default password file to be checked is /etc/passwd. If shadow passwords (described in "Creating a Shadow Password File") are enabled, the /etc/shadow file is checked.
Similarly, the grpck(1M) command verifies all entries in the /etc/group file. The default group file to be checked is /etc/group. With either command, an alternate file may be specified on the command line.
Unless drastic steps are taken to ensure security, networks are generally quite open and thus, insecure. This section touches on some aspects of network security in addition to keeping the physical network cable safe from tampering and eavesdropping. For more information on network security, see "Planning for Network Security".
There are three files that help you control access to a host across the network:
These three files control whether access is granted or denied when a remote host issues an rlogin(1C), rcp(1C), rdist(1C), or rsh(1C) request.
When a request for access is received, the file hosts.equiv is checked, and if the host is listed in that file, and the target user account is listed in /etc/passwd, no further checking is performed and remote access is allowed. In this case, a remote user with a local user ID has equivalent access from a remote host.
Users can expand this equivalence by listing hosts and specific accounts in .rhosts files in their home directories. The root login bypasses the /etc/hosts.equiv file and typically uses only the /.rhosts file in the root directory for equivalence checking. If there is an entry in the /.rhosts file for root, the root user on the remote system will have root privilege on your system. For obvious reasons, this is not a secure practice. It is much more secure to handle file transfers through the non-privileged guest account.
The owner of the .rhosts file must be either the user in whose home directory it resides, or the superuser, root. If it is owned by another user, or if the file permissions allow anyone who is not the owner of the file to modify it, the contents of a user's .rhosts file are disregarded as a security practice.
For complete information about the /etc/hosts.equiv and .rhosts files, see the hosts.equiv(4) reference page.
With the X Window System (TM) , workstations can run client programs transparently on other hosts on the network. This access is completely independent of such controls as login accounts and passwords and is done through X protocols.
By default, IRIX workstations are configured to allow complete, transparent access for all workstations on the network that use the X Window System. You can change this using the xhost(1) server access control program and the configuration file /etc/X*.hosts. In the configuration file name, the asterisk (*) corresponds to the number of the server on the local host. This is usually 0, so for most workstations the file is /etc/X0.hosts.
When the X server starts, it checks the file /etc/X*.hosts. For example, server 0 checks for /etc/X0.hosts, server 1 checks for /etc/X1.hosts, and so forth. If the file is missing, or is empty, no remote hosts are allowed access to the server. If the file contains a single plus sign (+), all remote hosts are allowed access.
Next, the xhost command is run from the file /usr/lib/X11/xdm/Xsession. In the default Xsession file, xhost is used to allow access to all remote hosts. To change the default server-access permissions, you must change how the xhost command is run from the Xsession file. Then, you can customize the /X*.host file.
The xhost program modifies the internal state of the X server. Using xhost, you can allow or deny server access for specific hosts, or for all hosts. Note that the xhost options that affect access control can be run only from the same workstation as the server.
To completely deny access to all hosts on your network through X protocols, use this command:
xhost -
To allow complete access to all hosts on your network, use this command:
xhost +
To selectively grant or deny access, specify the name of the specific host or hosts on the command line. For example, this command grants access to a host named brooklyn:
xhost +brooklyn
When granting access, the plus sign (+) is optional.
This command denies access to both brooklyn and bronx:
xhost -brooklyn -bronx
To see which hosts are currently allowed access to the server, run xhost from the command line with no options:
xhost
You can selectively allow access to remote hosts by listing their names in the /etc/X*.host file. For example, if the file /etc/X0.hosts contains the following
line, the remote hosts bronx and brooklyn are the only workstations allowed to access the local server for server 0:
bronx
In the above example, all other hosts are denied access to the local server.
The xhost command overrides the configuration file X*.host. To alter the default system configuration, you must not only modify the configuration file, but also change the xhost command in the /usr/lib/X11/xdm/Xsession file.
Note: Do not link the file X*.hosts to any other network host database, such as /etc/hosts or /etc/hosts.equiv. When the X server starts, it attempts to establish a connection to all hosts that are allowed access permission in the X*.hosts file. If this file contains a large number of hosts that are allowed access to the server, you will have to wait until connections are established with each of the hosts before the server is started.
For more information about X security and authorization, see the xhost(1), xauth(1), xserver(1), and X(1) reference pages.
The set user identification (set-UID) and set group identification (set-GID) permission bits must be used very carefully. When a user runs an executable file that has either of these permission bits set, the system gives the user the permissions of the owner of the executable file. You can add these permissions to any executable file with the chmod(1) command.
Set-UID and set-GID programs have legitimate uses, but because they are potentially harmful, there should be very few of them on your system. Beware of programs in publicly writable directories (such as /tmp, /usr/tmp.O, /var/tmp, and /usr/spool/uucppublic) that have the same name as common systems files (such as vi and rm). One reason the PATH environment variable of the root account does not include the current directory (as does the default PATH of most other users) is so that root won't accidentally execute such ``booby-trap'' programs.
System security can be compromised if a user copies another program onto a file with -rwsrwxrwx permissions. To take an extreme example, if the su command has the write access permission allowed for others, anyone can copy the shell onto it and get a password-free version of su.
The following sections provide some example commands that identify files on the system with set-UID permissions. For more information about the set-UID and set-GID bits, see the chmod(1) and chmod(2) reference pages.
The following command line lists all set-UID files owned specifically by root:
find / -user root -perm -4000 -print
The results of this command are printed on the screen. All paths are checked starting at /, including all mounted directories. A great number of files will be found. It is up to you to scan these files for any unusual names. One possibility is to direct the output of this program to a file soon after installation and compare the results with later outputs. If this command reports any unusual files, you should investigate them immediately.
A suspicious file might turn up like this:
-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at -r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab -r-sr-xr-x 1 root bin 27748 Aug 10 16:16 /usr/bin/shl ---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct -r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin -r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched ---s--x--- 1 root jbond 45376 Aug 18 15:11 /usr/jbond/bin/sh -r-sr-xr-x 1 root sys 11416 Aug 11 01:26 /bin/mkdir -r-sr-xr-x 1 root sys 11804 Aug 11 01:26 /bin/rmdir -r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /bin/df -rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /bin/newgrp -r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /bin/passwd -r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /bin/su
In this example, the user jbond has a personal copy of /bin/sh and has made it set-UID to root. This means that jbond can execute /usr/jbond/bin/sh and become the superuser.
The following command line reports all files with a set-UID for the root file system (not just those owned by root):
ls -l `/etc/ncheck -s /dev/root | cut -f2 | grep -v dev`
The ncheck(1M) command, by itself, can be used on a mounted or unmounted file system. Only the superuser may use ncheck. The normal output of the ncheck -s command includes special files.
Here, the grep command removes device files from the output. This filtering is applicable only for the root file system. The output of the modified ncheck is then used as an argument to the ls command. The file system must be mounted for the ls command to succeed. In this example output, nothing looks suspicious:
-r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /bin/df -rwxr-sr-x 1 root sys 32272 Aug 10 15:53 /bin/ipcs -r-xr-sr-x 2 bin mail 32852 Aug 11 01:28 /bin/mail -r-sr-xr-x 1 root sys 11416 Aug 11 01:26 /bin/mkdir -rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /bin/newgrp -r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /bin/passwd -r-xr-sr-x 1 bin sys 27964 Aug 11 01:28 /bin/ps -r-xr-sr-x 2 bin mail 32852 Aug 11 01:28 /bin/rmail -r-sr-xr-x 1 root sys 11804 Aug 11 01:26 /bin/rmdir -r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /bin/su -r-xr-sr-x 1 bin sys 21212 Aug 10 16:08 /etc/whodo
This example uses the ncheck command to examine the usr file system (/dev/usr, assuming a single-disk system with default partitioning) for files that have set-UID permissions:
/etc/ncheck -s /dev/usr | cut -f2
In this partial example below, complete pathnames for the files start with /usr. /usr is not part of the ncheck output.
In this sample output, the program /usr/jbond/bin/sh should be investigated. This program is the only one in the listing of set-UID programs that is not found in a system directory. It is a command shell residing in a user's home directory. Users should, in general, not possess of set-UID binaries.
/dev/usr: /bin/at /bin/uux /bin/crontab /lib/mv_dir /bin/shl /lib/expreserve /bin/sadp /lib/exrecover /bin/timex /lib/accept /bin/cancel /lib/lpadmin /bin/disable /lib/lpmove /bin/enable /lib/lpsched /lib/reject /lib/lpshut /lib/sa/sadc /bin/lp /lib/uucp/uucico /bin/lpstat /lib/uucp/uusched /bin/ct /bin/uucp /bin/cu /bin/uuname /lib/uucp/uuxqt /bin/uustat /jbond/bin/sh
The following files and directories are universally available for read and write access. Depending on your site requirements, you may wish to change the permissions on these files to be more restrictive. Remember, though, that restricting permissions on historically open directories, such as /tmp, /usr/tmp.O, and /var/tmp (linked to /usr/tmp), can cause serious malfunctions in many programs, applications, and system utilities that write temporary files on behalf of users in these directories.
/tmp
/usr/demos/.xsession
/usr/Insight/tmp
/usr/Insight/tmp/ebtpriv
/usr/Insight/tmp/ebtpub
/usr/Insight/tmp/install.insight.log
/usr/lib/emacs/maclib
/usr/lib/showcase/fonts
/usr/lib/showcase/images
/usr/lib/showcase/models
/usr/lib/showcase/templates
/usr/tmp.O
/var/spool/locks
/var/spool/uucppublic
/var/tmp
The following accounts in your default /etc/passwd file are shipped without passwords. You should create passwords for these accounts immediately.
demos
guest
lp
nuucp
root
tour
tutor
4Dgifts
|
|
Copyright © 1997, Silicon Graphics, Inc. All Rights Reserved. Trademark Information