Security Protocols and Standards

Uploader: 唐****1   Document ID: 240755969   Upload date: 2024-05-05   Format: PPT   Pages: 55   Size: 4.78MB
Resource description
October 2008

Users and files: from POST to sh

Outline: authentication and authorization; PAM (Pluggable Authentication Modules); SUID permissions, setuid() etc.

Authentication: who is who. Authorization: what they may do.
Means of authentication: based on a password, token, card, fingerprint, voice or similar information.
Method of authorization: the access control matrix, ACL / ACM.

Traditional AA: each application manages it by itself. PAM: a standard library.

PAM in Linux
PAM was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) 86.0 dated October 1995. It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone infrastructure, PAM first appeared from an open-source, Linux-PAM, development in Red Hat Linux 3.0.4 in August 1996. PAM is currently supported in the AIX operating system, DragonFly BSD, FreeBSD, HP-UX, Linux, Mac OS X, NetBSD and Solaris. PAM was later standardized as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard.

Before PAM, every application required its own security and authentication mechanism: "is this user authorized to use me?"

PAM is used, for example, to dynamically link system binaries. (Dynamic linking does necessitate a recovery mechanism to address potential problems in the linker or in shared libraries. One way of implementing a recovery mechanism is to supply a /rescue directory that contains statically linked versions of important system binaries. This method is used in both NetBSD and FreeBSD.)

PAM consists of four parts. The first is libpam, the library that implements the PAM API. The second is the PAM configuration file, /etc/pam.conf. The third is a set of dynamically loadable binary objects, usually invoked as service modules that carry out the actual authentication work. The last is the set of system commands that use the PAM API, such as login, su, ftp, telnet etc.

The PAM application API:

    #include <security/pam_appl.h>
    int pam_start(...);
    int pam_end(...);
    const char *pam_strerror(...);
    pam_set_item();
    pam_get_item();
    pam_authenticate();
    pam_chauthtok();

http://www.thkukuk.de/pam/pam_login/
pam_login is written specifically for PAM authentication. It is based on the version from the util-linux package, from which all code for non-PAM support was removed. Instead, support for the most important features of the login program from the shadow suite was added.

X/Open Single Sign-on Service (XSSO) - Pluggable Authentication Modules
http://www.opengroup.org/onlinepubs/008329799/toc.htm

Authorization in Linux is based on file permissions. Exception: root is allowed to do everything. Once logged in, users cannot change their identity except through a SUID program, which allows them to run a command as someone else (most often root).

User and user id, group and group id:

    # cat /etc/passwd    (likewise /etc/shadow)
    # cat /etc/group

    linden@localhost$ ll
    total 0
    -rw-rw-r--  1 linden linden 0 2007-12-10 20:28 my.doc

File type character: d | l | b | c. Permission characters: rwx | s.

    Perm        File                                    Directory
    r           read                                    list
    w           change                                  change content
    x           execute                                 can cd
    SUID        program runs with the effective         N/A
                user ID of the owner
    SGID        program runs with the effective         files created in the dir inherit
                GID of the owner                        the same GID as the dir
    Sticky bit  N/A                                     only the owner of the file and the owner
                                                        of the dir may delete files in this dir

    # ls -l
    # chmod    # set file permissions
    # chown    # change file owner and group
    # chgrp    # change group ownership
    umask

Sometimes a user who is not authorized needs to complete a task. An example is the passwd program, which lets a user change their password; this requires changing the password field of the /etc/passwd file. The system administrator, however, would never let ordinary users have the right to change this file directly, because that is definitely not a good idea. SUID/SGID came into being to solve this problem. UNIX allows a program to be granted privilege: while the program executes it has the superuser's privileges, and when it finishes the user is back to ordinary privileges. The idea was so good that AT&T patented it. The real uid of a SUID/SGID program during execution can be changed with the setuid() function.

Examples of SUID programs:
    passwd: allows users to update the /etc/shadow file
    mount:  allows users to mount a floppy or CD
    su:     runs a shell as another user, after supplying the password
    sudo:   runs a particular command as another user
    various games (to track high scores)
All SUID programs should be known to the administrator and checked/updated for security problems.

Finding files with the SUID attribute:
    # find /usr/bin -type f -perm -4000 -print
SGID:
    # find /usr/bin -type f -perm -2000 -print
Files writable by anyone (or by the whole group) may be something an intruder left behind:
    # find . -perm -2 -print
    # find . -perm -20 -print
Files with no owner:
    # find /dev -nouser -print
    # find /dev -nogroup -print

Topics ahead: CMOS password; LILO/GRUB password; disk/partition encryption; virtual disks; file permissions; access control; privileged operations; event auditing.
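As an added example (not code from the slides), the administrator's check that every set-uid/set-gid program on the system is known can be done programmatically instead of with the find commands above; count_setid_files and demo_setid_scan are names chosen here, and the temporary tree the self-check scans is constructed by the example itself.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Recursively count regular files carrying the set-uid or set-gid bit: the same
 * set that "find DIR -type f -perm -4000" plus "-perm -2000" reports. Symlinks
 * are not followed (lstat), so a link into /bin cannot inflate the count. */
int count_setid_files(const char *dir)
{
    DIR *d = opendir(dir);
    if (!d) return 0;
    int n = 0;
    struct dirent *e; struct stat st; char path[4096];
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) != 0) continue;
        if (S_ISDIR(st.st_mode)) n += count_setid_files(path);
        else if (S_ISREG(st.st_mode) && (st.st_mode & (S_ISUID | S_ISGID))) n++;
    }
    closedir(d);
    return n;
}

/* Constructed self-check: a temporary tree holding one SUID file, one SGID file
 * and one plain file; the scan must report exactly two. Returns -1 on setup failure. */
int demo_setid_scan(void)
{
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char root[4096], path[4096];
    const mode_t modes[] = { S_IRWXU | S_ISUID, S_IRWXU | S_ISGID, S_IRWXU };
    snprintf(root, sizeof root, "%s/setid-demo-XXXXXX", tmp);
    if (!mkdtemp(root)) return -1;
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/f%d", root, i);
        int fd = open(path, O_WRONLY | O_CREAT, 0700);
        if (fd < 0 || fchmod(fd, modes[i]) != 0) return -1;
        close(fd);
    }
    int n = count_setid_files(root);
    for (int i = 0; i < 3; i++) { snprintf(path, sizeof path, "%s/f%d", root, i); unlink(path); }
    rmdir(root);
    return n;
}
```

Run against /usr/bin (and compare with yesterday's count) to spot a set-uid binary that was not there before.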
Searching Debian package sources:
http://www.debian.org/distrib/packages#search_packages
http://packages.debian.org/stable/
Fedora 8: http:/
Red Hat Enterprise Linux 5: http:/
insight or source-navigator. LXR can be installed locally, or a public LXR on the net can be used, such as http://lxr.linux.no/linux. A local, temporary LXR (2.6.21.5): http://211.87.235.73/lxr/ (outdated).

Power button -> power on -> BIOS self test -> password.
Boot password vs. CMOS password. Typical keys for entering CMOS setup: Del, F1, F2, Tab, Esc. BIOS / password / CMOS battery.

Single-user mode. A password is set in /?/lilo.conf:
    restricted
    password=a3xsf8d
To see how the lilo password takes effect, read the lilo sources: bootsect.S, bsect.c, lilo.c.

GRUB's password mechanism, in /boot/grub/grub.conf:
    password --md5 <md5-hash>
requires the password to be entered before grub can be operated any further. Alternatively a password can be enabled for a single entry:
    password /boot/grub/menu-admin.lst
There is also the lock option. To produce the md5-hashed password, use grub's md5crypt command.

The kernel image is read into memory by lilo/grub (Linux once had its own bootsect), decompressed and relocated, and control jumps to the kernel, which executes from start_kernel():
http://lxr.linux.no/linux/init/main.c#L513
http://211.87.235.73/lxr/http/source/init/main.c#L502

The kernel does its important initialization and then creates kernel thread number 1, init, which loads /sbin/init (its configuration file is /etc/inittab). The kernel then starts the user process init:

    start_kernel();
      rest_init();
        kernel_thread(init, NULL, CLONE_KERNEL);   => init()
          run_init_process("/sbin/init");
            execve(init_filename, argv_init, envp_init);

init reads its configuration file inittab. A few lines of /etc/inittab:

    # Run gettys in standard runlevels
    1:2345:respawn:/sbin/mingetty tty1
    2:2345:respawn:/sbin/mingetty tty2
    3:2345:respawn:/sbin/mingetty tty3

http://packages.debian.org/etch/sysvinit

Where mingetty comes from:
    # rpm -qf /sbin/mingetty
    mingetty-1.06-2
Google("mingetty"); Debian software package directories: http://packages.debian.org/stable/admin/mingetty. Download mingetty_0.9.4.orig.tar.gz, which contains the single source file mingetty.c.

In mingetty.c:

    do_prompt();   /* show login prompt, optionally preceded by /etc/issue contents */
    open_tty();    /* set up tty as standard input, output, error */
    while ((logname = get_logname()) == 0)
        ;
    execl(_PATH_LOGIN, _PATH_LOGIN, "--", logname, NULL);

Explanation: obtain the user name from the given tty, then start the login program.

/dev/tty0, /dev/pts/0: tty_init, vty_init, kbd_init. In tty_io.c:

    static struct cdev tty_cdev, console_cdev;
    #ifdef CONFIG_UNIX98_PTYS
    static struct cdev ptmx_cdev;
    #endif
    #ifdef CONFIG_VT
    static struct cdev vc0_cdev;
    #endif

In login.c:

    retcode = pam_get_item(pamh, PAM_USER, (const void *)&username);
    ...
    pp = getpass(_("Password: "));
    p = crypt(pp, salt);                      /* hash the password */
    memset(pp, 0, strlen(pp));
    if (pwd && !strcmp(p, pwd->pw_passwd))    /* hash matches */
        break;

The user gets a few chances to enter the password, but with a deliberate delay; after several failures login exits, and init starts mingetty again.

    childPid = fork();
    if (childPid) {
        wait(NULL);          /* the login process waits */
        exit(0);
    }
    /* below is the child process (the user's shell) */
    setsid();
    opentty(ttyn);
    setuid(pwd->pw_uid);
    chdir(pwd->pw_dir);
    execvp("/bin/sh", "-sh", "-c", "exec %pwd->pw_shell%", ...);   /* abbreviated */

http://packages.debian.org/etch/login

The identity switch after PAM authentication: setuid()/setgid() -> sys_setuid(); setreuid()/setregid() -> sys_setreuid().

In the PCB (task_struct):

    /* process credentials */
    uid_t uid, euid, suid, fsuid;
    gid_t gid, egid, sgid, fsgid;
    int ngroups;
    gid_t groups[NGROUPS];
    kernel_cap_t cap_effective, cap_inheritable, cap_permitted;
    int keep_capabilities:1;
    struct user_struct *user;

Bash: http://packages.debian.org/etch/bash

When a user uses a file, how does the Linux kernel use the permission information to do access control? The user's identity vs. the file's permission information. A typical data file is -rw-r--r--: readable and writable by its owner, read-only for everyone else.

    int fd = open("my_or_your_file_name", flags /* r|w|x */, mode);

opens the file for reading/writing/executing; if a new file is created, mode gives its permission attributes.

    long sys_open(filename, flags, mode)
    sys_open() -> filp_open() -> open_namei() -> may_open() -> permission()

    int permission(struct inode *inode, int mask, struct nameidata *nd)
    {
        int retval;
        int submask;

        /* Ordinary permission routines do not understand MAY_APPEND. */
        submask = mask & ~MAY_APPEND;

        if (inode->i_op && inode->i_op->permission)
            retval = inode->i_op->permission(inode, submask, nd);
        else
            retval = vfs_permission(inode, submask);
        if (retval)
            return retval;

        return security_inode_permission(inode, mask, nd);
    }

Could a suitable code change in one of these functions give a particular user arbitrary permission? sys_open()? permission()? vfs_permission()? security_inode_permission()?

/etc/passwd has two ordinary users, linden and susan:
    linden:x:500:500::/home/linden:/bin/bash
    susan:x:501:501::/home/susan:/bin/bash

Add one line at the start of permission():
    if (current->uid == 500) return 0;   /* added by linden */

    # make                  (quite fast)
    # make modules_install
    # make install
    # reboot

Log in as linden and find that linden now has the privilege to access any file: vi /etc/shadow (!). For comparison, log in as susan: susan is still a restricted user.

Questions: how does linden, uid 500, read /etc/passwd? How can the feature be disabled temporarily? Change linden's uid in /etc/passwd, e.g. 500 -> 502. Changing "if (current->uid == 500) return 0;" to "if (current->uid == 501) return 0;" and recompiling the kernel would not be slow either.

Temporarily taking on another user's identity:
    # which su
    /bin/su
    # rpm -qf /bin/su
    coreutils-5.0-24
Google("coreutils"): http://www.gnu.org/software/coreutils/ and http://ftp.gnu.org/pub/gnu/coreutils/coreutils-5.2.1.tar.bz2

su.c, abbreviated:

    setgid(pw->pw_gid);
    setuid(pw->pw_uid);
    shell = xstrdup(pw->pw_shell);
    run_shell(shell, command, additional_args);
      execv(shell, (char **)args);

    # ls -l /bin/su
    -rwsr-xr-x ...

Analysis: how does SUID take effect? http://lxr.linux.no/linux

Time for a break!
Lin Fengbo