va-scan Copyright 2002, Marchany
Unit 6 – Solaris File Security
Randy Marchany
VA Tech Computing Center
Regular Expressions - grep
The grep command searches its target for a specific string. It is a very powerful tool.
Regular expressions are used in combination with grep and other commands to do pattern matching.
* – allows selection of 0 or more characters
– Example: *.doc selects anything that ends with .doc
Regular Expressions
? – allows selection of any single character.
– ?J will select any occurrence of the letter J.
. – following any character will match that character.
– X. will match the X followed by any character.
^ – matches the characters that follow it if they are at the beginning of a line.
– ^J selects any line that begins with a J
$ – matches the characters that follow it if they are at the end of the line.
– J$ selects any line that ends with a J
Grep Options
-b – prints the block number where the pattern was found
-c – prints the count of lines matching the pattern
-i – matches upper or lower case
-l – prints only the filename of those matching the pattern.
-n – prints the line number where the pattern was found.
Grep Options
-v – suppresses lines that match the pattern. In other words, search for everything BUT the pattern
-w – search for the pattern as if it were a word
ls Command Options
The ls command lists the contents of a directory.
There are several options that are very useful when examining possible security issues.
-l – list the long format, access permission, owner, group, date modified, etc.
-a – list all hidden files
-t – sort by time stamp, latest first
-i – list by inode
chmod Command
The chmod command modifies the permissions of a file or directory.
I use the numeric method of denoting the permission.
7 = rwx; if a directory, the X bit set allows searching in the directory
777 = rwx rwx rwx (owner, group, other)
1000 – sticky bit
2000 – SGID bit
4000 – SUID bit
Sticky Bit
Purpose is to prevent files in a directory from being removed, renamed or deleted.
One of the following conditions must be met before a user can delete the file:
– The user must own the file
– The user must own the directory
– The file must be writable by the user
– The user is root
umask Command
The umask command sets the default permissions for new files.
Umask values are usually set in /etc/profile.
Umask values are a little strange. They are the 1's complement of the permission you want.
Subtract the umask value from the default permissions to see what your target value is.
umask
                          File   Directory
Default Value             666    777
Umask                     022    022
Target Permission value   644    755
Access Control Lists
Solaris allows more granular access control on files and directories. This is an Access Control List (ACL).
Example: you can specify a certain group ownership for a file but you can allow multiple groups to have lesser permissions on the same file. Not possible under the standard group permissions. ACLs make it possible.
ACL
To display the File System ACLs:
– getfacl -ad file
• -a – display the filename, owner, group owner and the ACL of the file
• -d – display the filename, owner, group owner and default ACL if it exists.
– You can assign multiple users different permissions on the file.
ACL
Getfacl output
– ACLs are displayed in the order in which they are evaluated when an access check is done.
– User entry – user::perm means the permissions are granted to the owner only. user:randy:perm would mean user 'randy' has the following permissions.
– Group entry – similar to user but it applies to groups.
ACL
Getfacl output
– Mask entry indicates the max permissions allowed to any user except the owner of the file and to any group owner including the file group owner. This mask restricts the permissions you can give out.
– Example: mask is set to RW, you try to specify RWX for a user, the mask will allow you to set it to RW only.
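The mask rule above, worked through as an added example (not part of the original slides): a small Python parser for getfacl-style text that computes the permissions each entry keeps once the mask is applied. The file name, user 'alice' and group 'audit' are constructed sample values.

```python
# Added example: apply the ACL mask to getfacl-style entries.
# SAMPLE is constructed for illustration; it is not output captured from a real system.
SAMPLE = """\
# file: report.txt
# owner: randy
# group: staff
user::rwx
user:alice:rwx
group::r-x
group:audit:r--
mask:rw-
other:r--
"""

def parse_acl(text):
    """Return (entries, mask); entries are (type, name, perms) in listed order."""
    entries, mask = [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop header lines and trailing comments
        if not line:
            continue
        fields = line.split(":")
        if fields[0] == "mask":
            mask = fields[-1]
        elif len(fields) == 3:                 # user::perm, user:name:perm, group entries
            entries.append((fields[0], fields[1], fields[2]))
        else:                                  # other:perm
            entries.append((fields[0], "", fields[-1]))
    return entries, mask

def effective(entries, mask):
    """Map each entry to the permissions left after the mask is applied."""
    result = {}
    for kind, name, perms in entries:
        # The file owner (user::) is exempt from the mask, as the slide states.
        # The "other" entry is also not subject to the mask.
        is_owner = kind == "user" and name == ""
        if mask is not None and kind != "other" and not is_owner:
            perms = "".join(p if p == m else "-" for p, m in zip(perms, mask))
        result[f"{kind}:{name}"] = perms
    return result

if __name__ == "__main__":
    acl_entries, acl_mask = parse_acl(SAMPLE)
    for key, eff in effective(acl_entries, acl_mask).items():
        print(f"{key:14} {eff}")
```

Entries whose effective value differs from the listed value are the ones the mask is silently restricting, which is worth checking when auditing who can really read or write a file.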
setfacl
Setfacl sets the permissions for ACL.
Syntax:
– setfacl acl_entries file
Setfacl will do one of the following:
– Replace the entire ACL including the default ACL for a directory
– Add, modify or delete one or more ACL entries including default entries