CSC 405 Introduction to Computer Security
Lab session
By Yuzheng Zhou

Roadmap
• Lab 2 Set-UID
  • Why do we need set-uid programs? (prob. 1)
  • Set-uid program
  • How is set-uid implemented in Minix? (prob. 2)
  • When we run set-uid programs in Minix and Linux, why do we get different results? (prob. 3 & 5)
  • Set-uid vulnerability: PATH environment variable (prob. 4)
  • Use setuid() carefully (prob. 6)
• Lab 3 Set-RandomUID grading policy

passwd, chsh, su
• passwd
  • Allows users to change their passwords
  • Users' passwords are stored in /etc/shadow, which is neither readable nor writable to normal users
• su
  • Allows a user to become the super-user
  • User must pass super-user's password as an argument.
• chsh
  • Allows users to change their login shells
  • Users' login shells are stored in /etc/passwd, which is neither readable nor writable to normal users

passwd, chsh, su (Cont'd)
• passwd, chsh, su
  • Runnable by anybody
  • Need to access files (/etc/shadow, /etc/passwd) which are neither readable nor writable to normal users
• How to achieve the goal? They need to be set-root-UID programs

Set-UID Programs
• real user ID (real uid, or ruid):
  • identifies the owner of the process
• effective user ID (effective uid, or euid):
  • used in most access control decisions
• Set-UID program
  • at login time, real uid = effective uid = user login ID
  • when a Set-UID program is executed,
    • real uid doesn't change
    • effective uid becomes the owner of the set-uid program
  • Access control is based on effective uid

How to turn on Set-UID bit
• The meaning of the permission bits in Unix.
  • 9 normal bits: 755 : 111 101 101 => -rwxr-xr-x
    • Owner (u), Group (g), and Others (o).
    • Readable (r), Writable (w), and Executable (x).
  • 3 special bits (sticky bit hasn't been used):
    • bit 11: set UID; bit 10: set Group ID; bit 9: sticky bit.
• Turn on the Set-UID bit
  • chmod 4755 [set bit 11]: 100 111 101 101 => -rwsr-xr-x
    (the eXecute "x" is replaced by an "s")
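
The bit layout on this slide, as an added C example that is not part of the original slides: mode_string renders the 12 permission bits the way ls -l does, including the uppercase "S" that appears when the set-UID bit is on but the owner's execute bit is off, and is_setuid_file is an audit check for the bit. Both function names are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Render the 12 permission bits the way `ls -l` does, without the
 * leading file-type character. `out` must hold at least 10 bytes. */
const char *mode_string(mode_t m, char out[10])
{
    static const char rwx[] = "rwxrwxrwx";
    for (int i = 0; i < 9; i++)                  /* bits 8 down to 0 */
        out[i] = (m & (0400 >> i)) ? rwx[i] : '-';
    /* Bits 11..9 share the execute columns: lowercase when the execute
     * bit underneath is set, uppercase when it is not. */
    if (m & S_ISUID) out[2] = (m & S_IXUSR) ? 's' : 'S';
    if (m & S_ISGID) out[5] = (m & S_IXGRP) ? 's' : 'S';
    if (m & S_ISVTX) out[8] = (m & S_IXOTH) ? 't' : 'T';
    out[9] = '\0';
    return out;
}

/* Audit helper: 1 if `path` is a regular file with the set-UID bit,
 * 0 if not, -1 if it cannot be examined. Symlinks are not followed. */
int is_setuid_file(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return S_ISREG(st.st_mode) && (st.st_mode & S_ISUID) != 0;
}

int main(int argc, char **argv)
{
    char buf[10];
    printf("4755 -> -%s\n", mode_string(04755, buf));
    printf("4644 -> -%s\n", mode_string(04644, buf));
    for (int i = 1; i < argc; i++)
        printf("%s: set-UID=%d\n", argv[i], is_setuid_file(argv[i]));
    return 0;
}
```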

How is Set-UID implemented in Minix?
• Fproc structure

    /* Defined in /usr/src/fs/prot.h, this is the per-process information */
    EXTERN struct fproc {
      ……
      uid_t fp_realuid;   /* real user id */
      uid_t fp_effuid;    /* effective user id */
      gid_t fp_realgid;   /* real group id */
      gid_t fp_effgid;    /* effective group id */
      ……

• Read source code for details
  • do_exec routine in /usr/src/mm/exec.c
  • forbidden routine in /usr/src/fs/protect.c

Run Set-UID Programs
• In Minix
  • Login as root.

        % cp /bin/sh /tmp/
        % chmod 4755 /tmp/sh
        % exit

  • Login as yuzheng (normal user)

        $ /tmp/sh
        $ id
        uid=10 (yuzheng) gid=3(other) euid=0(root) suid=10(yuzheng)
        $ vi /etc/passwd (can open it !!!)

Run Set-UID Programs (cont.)
• But in Fedora 5 (No change!!!)

        uid=501 (yuzheng) gid=501(yuzheng) groups=501(yuzheng)

• Why?
  • In Fedora 5, /bin/sh (actually bash) ignores the Set-UID bit option.
  • Check shell.c in bash-*.tar.gz (http://ftp.gnu.org/gnu/bash/)
  • The following code in bash drops the Set-UID privilege:

        if (running_setuid && privileged_mode == 0)
          disable_priv_mode ();
        ……
        void
        disable_priv_mode ()
        {
          setuid (current_user.uid);
          setgid (current_user.gid);
          current_user.euid = current_user.uid;
          current_user.egid = current_user.gid;
        }

PATH Environment Variable
• system("ls") invokes the /bin/sh program, and then lets the shell execute ls.
• The shell searches for ls using the PATH environment variable.
• The attacker can change PATH and cause ls in the current directory to be executed.

        $ export PATH=.:$PATH

• Do you get root privilege? In Minix: yes; in Fedora: no
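
The lookup described on this slide, as an added C example that is not part of the original slides: resolve_in_path mimics how the shell picks the first match in PATH, and run_fixed shows a set-uid-safe way to start a helper without a shell or the caller's environment. Both function names and the fixed PATH value are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mimic the shell's lookup: fill `out` with the first executable named
 * `cmd` in the colon-separated `path`. Returns 0 on a hit, -1 otherwise.
 * Simplified: empty PATH entries (which also mean ".") are skipped. */
int resolve_in_path(const char *cmd, const char *path, char *out, size_t n)
{
    char *copy = strdup(path), *save = NULL;
    int rc = -1;
    if (copy == NULL) return -1;
    for (char *dir = strtok_r(copy, ":", &save); dir != NULL;
         dir = strtok_r(NULL, ":", &save)) {
        snprintf(out, n, "%s/%s", dir, cmd);
        if (access(out, X_OK) == 0) { rc = 0; break; }
    }
    free(copy);
    return rc;
}

/* Hardened stand-in for system("ls"): no shell, an absolute program
 * path, and a fixed environment instead of the caller's. Returns the
 * child's exit status (127 if the exec failed), or -1 on error. */
int run_fixed(const char *abs_prog)
{
    char *const argv[] = { (char *)abs_prog, NULL };
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(abs_prog, argv, envp);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char hit[4096];
    if (resolve_in_path("ls", ".:/bin:/usr/bin", hit, sizeof hit) == 0)
        printf("PATH=.:/bin:/usr/bin resolves ls to %s\n", hit);
    return run_fixed("/bin/ls");
}
```

With "." first in PATH, any executable named ls in the working directory is resolved before /bin/ls; run_fixed never consults PATH, so the caller's setting has no effect on which program runs.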

system() and execve()
• system() invokes /bin/sh first.
  • In Fedora, it calls execv() on /bin/sh with the arguments "sh", "-c" and the user-provided string.
  • In Fedora 5, /bin/sh (actually bash) ignores the Set-UID bit option.
• This is why system() is more secure than execve() in Linux.
  • So, for problem 5 (a), we get a "permission denied" message in Linux.
• Want to read the source code?
  • Download glibc-*.tar.gz from http://ftp.gnu.org/gnu/glibc/
  • Search for system and execve

Use setuid() carefully

    #include <fcntl.h>
    #include <unistd.h>

    int main(void)
    {
        int fd;
        /* ..... */
        /* check access permission here */
        fd = open("/etc/zzz", O_RDWR | O_APPEND);
        setuid(500);
        if (fork()) {
            /* In the parent process */
            /* ..... */
        } else {
            /* In the child process */
            /* The child process inherits the opened file from its parent,
               and Linux will not check access permission again */
            write(fd, "Malicious Data", 14);
            close(fd);
        }
        return 0;
    }
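
The corrected ordering for the slide above, as an added C example that is not part of the original slides: child_can_write measures whether a forked child can still write through a descriptor, and close_then_drop closes the privileged descriptor before giving up privileges and then verifies the drop. The function names and the scratch file are assumptions; the demo "drops" to the caller's own ids so it runs without root.

```c
#define _XOPEN_SOURCE 700
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that writes through an inherited descriptor.
 * Returns 1 if the write succeeded, 0 if it failed, -1 on error. */
int child_can_write(int fd)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)
        _exit(write(fd, "x", 1) == 1 ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0;
}

/* Close the privileged descriptor, then drop to (uid, gid) for good.
 * Group first: once the uid is dropped the gid can no longer change.
 * A real set-root-uid program would also reset supplementary groups. */
int close_then_drop(int *fd, uid_t uid, gid_t gid)
{
    if (*fd >= 0 && close(*fd) != 0) return -1;
    *fd = -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Verify the drop instead of trusting the return values alone. */
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* Constructed demo on a scratch file; "dropping" to our own ids keeps
 * it runnable without root. Returns (leak_before << 1) | leak_after. */
int demo(void)
{
    char path[] = "/tmp/fdleak-XXXXXX";    /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int number = fd;                       /* remember the fd number */
    int before = child_can_write(fd);      /* slide's pattern: 1 */
    int rc = close_then_drop(&fd, getuid(), getgid());
    int after = child_can_write(number);   /* after the fix: 0 */
    unlink(path);
    return rc != 0 ? -1 : (before << 1) | after;
}

int main(void) { return demo() == 2 ? 0 : 1; }
```

Opening the file with O_CLOEXEC would not help in the slide's program, because the child writes without ever calling exec; the descriptor has to be closed before the fork.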

Lab3 Set-RandomUID Grading (I)
• Project Design (40 pts, due by Nov. 20)
  • Idea: your design idea, how you implement the system (15 pts)
    • Introduction of the project (what can your program do) (2 points)
    • How do you design your program? (Show us the program modules) (8 points)
    • Why does your program work? (5 points)
  • Knowledge: your understanding of each function and component (15 pts)
    • List and explain all the related functions and files. (5 points)
    • Comment all the related functions and files to let us understand your program. (bonus: 5 points)
    • You need to attach your code, but you can still change and debug your code until the demo.
    • Answer question 3 (5 points)
    • Answer question 4 (5 points)

Lab3 Set-RandomUID Grading (II)
  • Skill: your communication skills to convince us to buy it (10 pts)
    • Is our system more secure by using your program? Why or why not? (5 points)
    • Any other reasons we will buy your program, e.g. is your program easy to install on the current system? (5 points)
• Project Demo (1 or 2 days during Nov. 27-30)
  • Check TA's faq page around Nov. 20.
  • Everyone has 10-15 minutes
  • Show your own test case
  • Run TA's test case
  • Be ready for questions about the project design and implementation.
• Bonus (submit online, due by Nov. 26)
  • Award up to 50 bonus points to the identified loopholes, 10 points for each.