To set the sgid and the suid using the numeric system, use these two commands, respectively:


$ chmod 2### <filename>

$ chmod 4### <filename>

In both instances, the ### is replaced with the rest of the values for the permissions. The additive process is used to combine permissions; therefore, the following command would add suid and sgid to a file:


$ chmod 6### <filename>

NOTE

A sticky bit is set using chmod 1### <filename>. If a sticky bit is set, the executable is kept in memory after it has finished executing. The display for a sticky bit is a t, placed in the last field of the permissions. Therefore, a file that has been set to 7777 would have the following permissions: -rwsrwsrwt.
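The numeric special bits described above can be observed on a scratch file, and the same bits drive a suid/sgid audit of a directory tree. This is an added example, not part of the original text; the function names and scratch files are assumptions, and it assumes a Linux system where the owner may set these bits on their own files.

```shell
#!/bin/sh
# Added example: see how chmod's leading digit appears in ls output,
# then audit a directory tree for suid/sgid files.

# Print only the 10-character permission field of a path.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Apply a numeric mode to a scratch file and report how ls displays it.
show_mode() {
    dir=$(mktemp -d) || return 1     # private (0700) scratch directory
    : > "$dir/f"
    chmod "$1" "$dir/f"
    perm_string "$dir/f"
    rm -rf "$dir"
}

# List regular files under a directory that carry suid (4000) or sgid (2000).
audit_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Build a constructed tree with one suid, one sgid and one plain file,
# audit it, and print the names that were flagged on one line.
demo_audit() {
    dir=$(mktemp -d) || return 1
    : > "$dir/plain"; chmod 755  "$dir/plain"
    : > "$dir/suid";  chmod 4755 "$dir/suid"
    : > "$dir/sgid";  chmod 2755 "$dir/sgid"
    audit_special_bits "$dir" | sed "s|^$dir/||" | paste -sd ' ' -
    rm -rf "$dir"
}

show_mode 4755   # suid: s replaces the owner's x
show_mode 6755   # suid + sgid (4 + 2)
show_mode 7777   # all three special bits
show_mode 4644   # suid without owner execute shows as a capital S
demo_audit
```

A capital S (or T) in the listing means the special bit is set but the matching execute bit is not, which is usually a configuration mistake worth reviewing.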

The Default Mode for a File or Directory

The default mode for a file or directory is set with the umask. The umask uses the numeric system to define its value. To set the umask, you must first determine the value that you want the files to have. For example, a common file permission set is 644: the owner has read and write permission, and the rest of the world has read permission. After the value is determined, it is subtracted from 777. Keeping the same example of 644, the value would be 133. This value is the umask value. Typically, this value is placed in a system file that is read when a user first logs on. After the value is set, all files created will have their permissions set automatically using this value.
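This added example (not part of the original text) goes one step beyond the subtraction above: it creates a file and a directory under several masks and reports the permissions each one actually receives. The mask clears bits from the mode the creating program requests, which is normally 666 for files and 777 for directories; `created_under_umask` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: create a file and a directory under a given umask and
# report the permission strings they actually receive.

# Print "<file perms> <dir perms>" for objects created under umask $1.
# The body runs in a subshell, so the caller's umask is left untouched.
created_under_umask() (
    umask 077                      # keep the scratch area private
    work=$(mktemp -d) || exit 1
    umask "$1"                     # the mask being tested
    : > "$work/file"               # shell redirection requests mode 666
    mkdir "$work/dir"              # mkdir requests mode 777
    f=$(ls -ld "$work/file" | cut -c1-10)
    d=$(ls -ld "$work/dir"  | cut -c1-10)
    chmod u+rwx "$work/dir"        # make sure cleanup can enter the directory
    rm -rf "$work"
    echo "$f $d"
)

# Compare the mask from the text (133) with other common masks.
for mask in 133 022 027 077; do
    printf '%s  %s\n' "$mask" "$(created_under_umask "$mask")"
done
```

Both 133 and 022 produce 644 files, but under 133 new directories lose their search (x) bits, while 022 yields 755 directories.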

Passwords—A Second Look

The system stores the user's encrypted password in the /etc/passwd file. If the system is using a shadow password system, the value placed in this field will be x. A value of * blocks login access to the account, as * is not a valid character for an encrypted field. This field should never be edited by hand after it is set up; instead, a program such as passwd should be used so that proper encryption takes place. If this field is changed by hand, the old password is no longer valid and, more than likely, will have to be changed by root.

NOTE

If the system is using a shadow password system, a separate file exists called /etc/shadow that contains passwords (encrypted, of course).
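A read-only check of the password field, covering the x and * values described above, is sketched here as an added example that is not part of the original text. The function names and the sample entries are constructed, and the empty-field case (an account that needs no password) is an addition beyond what the text lists.

```shell
#!/bin/sh
# Added example: classify the password field (field 2) of passwd-format lines.

# Reads the file named in $1 (default /etc/passwd); prints one verdict per line.
classify_passwd_fields() {
    awk -F: '
        NF != 7   { print "line " NR ": malformed"; next }
        $2 == "x" { print $1 ": shadowed"; next }
        $2 == "*" { print $1 ": login blocked"; next }
        $2 == ""  { print $1 ": empty password field"; next }
                  { print $1 ": hash stored in passwd" }
    ' "${1:-/etc/passwd}"
}

# Constructed sample entries; the hash-like string is made up, not a real hash.
demo_classify() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/false
guest::500:500:Guest:/home/guest:/bin/sh
olduser:CONSTRUCTEDhash:501:501:Old User:/home/olduser:/bin/sh
EOF
    classify_passwd_fields "$sample"
    rm -f "$sample"
}

demo_classify
```

Any account reported as "hash stored in passwd" or "empty password field" is a candidate for migration to the shadow file or for locking.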

A password is a secret set of characters set up by the user that is known only by the user. The system asks for the password, compares what is entered to the known password, and, if there is a match, confirms that the user is who she says she is and lets her access the system. It cannot be said enough—do not write down your password! A person who has a user's name and password is, from the system's perspective, that user, with all the rights and privileges thereof.

Related WWW Sites

Table 20.7 shows the more standard locations to find some of the tools discussed in this chapter. Other Web sites have these tools as well, but these were chosen because they will probably still be around when this book is published and you are looking for the information.

Table 20.7. WWW sites for tools.

Tool                  Address
cops                  ftp://ftp.cert.org/pub/tools/cops
crack                 ftp://ftp.cert.org/pub/tools/crack
deslogin              ftp://ftp.uu.net/pub/security/des
findsuid.tar.Z        ftp://isgate.is/pub/unix/sec8/findsuid.tar.Z
finger daemon         http://www.prz.tu-berlin.de/~leitner/fingerd.html
freestone             ftp.soscorp.com/pub/sos/freestone
freestone             ftp://ftp.cs.columbia.edu/pub/sos/freestone
gabriel               ftp://ftp.best.com/pub/lat
ipfilter              http://cheops.anu.edu.au/~avalon/ip-filter.html
ipfirewall            ftp://ftp.nebulus.net/pub/bsdi/security
kerberos              http://www.contrib.andrew.cmu.edu/usr/db74/kerberos.html
merlin                http://ciac.llnl.gov/
npasswd               ftp://wuarchive.wustl.edu/usenet/comp.sources.unix/volume25/npasswd
obvious-pw.tar.Z      ftp://isgate.is/pub/unix/sec7/obvious-pw.tar.Z
opie                  ftp://ftp.nrl.navy.mil/pub/security/nrl-opie/
pcheck.tar.Z          ftp://isgate.is/pub/unix/sec8/pcheck.tar.Z
Plugslot Ltd          http://www.var.org/~greg/PCPPSP.html
rsaeuro               ftp://ftp.ox.ac.uk/pub/crypto/misc/
rscan                 http://www.umbc.edu/rscan/
satan                 http://www.fish.com/satan
Secure Telnet         ftp://idea.sec.dsi.unimi.it/cert-it/stel.tar.gz
ssh                   http://www.cs.hut.fi/ssh/
tcp wrappers          ftp://ftp.win.tue.nl/pub/security/
telnet (encrypted)    ftp.tu-chemnitz.de/pub/Local/informatik/sec_tel_ftp/
tiger                 ftp://wuarchive.wustl.edu/packages/security/TAMU/
tis firewall toolkit  ftp://ftp.tis.com/pub/firewalls/toolkit/
tripwire              ftp://wuarchive.wustl.edu/packages/security/tripwire/
xp-beta               ftp://ftp.mri.co.jp/pub/Xp-BETA/
xroute                ftp://ftp.x.org/contrib/utilities/

Summary

Security is only as good as the users' willingness to follow the policies. This is, on many systems and in many companies, where the contention comes in. The users just want to get their job done. The administrators want to keep the undesirables out of the system. The corporate management wants to keep the corporate secrets secret. Security is, in many ways, the hardest area in which to get users to cooperate, but it is, in fact, the most important. Users who write down or share passwords, poorly written software, and maliciousness are the biggest security problems.

For the administrator in charge of the system, the only advice that can be offered is this: The best user will only follow the policies that you follow. If you have poor security habits, they will be passed along. On the other hand, people generally rise to the minimum level they see exhibited or see as expected. It is the job of the administrator to go beyond the call of duty and gently point out improvements while at the same time fighting the dragons at the back gate trying to get into the system.
