Page 407
To set the suid and the sgid using the numeric system, use these two commands:
$ chmod 2### <filename> $ chmod 4### <filename>
In both instances, the ### is replaced with the rest of the values for the permissions. The additive process is used to combine permissions; therefore, the following command would add suid and sgid to a file:
$ chmod 6### <filename>
| NOTE |
|
The default mode for a file or directory is set with the umask. The umask uses the numeric system to define its value. To set the umask, you must first determine the value that you want the files to have. For example, a common file permission set is 644. The owner has read and write permission, and the rest of the world has read permission. After the value is determined, then it is subtracted from 777. Keeping the same example of 644, the value would be 133. This value is the umask value. Typically, this value is placed in a system file that is read when a user first logs on. After the value is set, all files created will set their permissions automatically using this value.
The system stores the user's encrypted password in the /etc/passwd file. If the system is using a shadow password system, the value placed in this field will be x. A value of * blocks login access to the account, as * is not a valid character for an encrypted field. This field should never be edited (after it is set up) by hand, but a program such as passwd should be used so that proper encryption takes place. If this field is changed by hand, the old password is no longer valid and, more than likely, will have to be changed by root.
| NOTE |
|
Page 408
A password is a secret set of characters set up by the user that is known only by the user. The system asks for the password, compares what is inputted to the known password, and, if there is a match, confirms that the user is who she says she is and lets her access the system. It cannot be said enough—do not write down your password! A person who has a user's name and password is, from the system's perspective, that user, with all the rights and privileges thereof.
Table 20.7 shows the more standard locations to find some of the tools discussed in this chapter. Other Web sites have these tools as well, but these were chosen because they will probably still be around when this book is published and you are looking for the information.
Table 20.7. WWW sites for tools.
| Tool | Address |
| cops | ftp://ftp.cert.org/pub/tools/cops |
| crack | ftp://ftp.cert.org/pub/tools/crack |
| deslogin | ftp://ftp.uu.net/pub/security/des |
| findsuid.tar.Z | ftp://isgate.is/pub/unix/sec8/findsuid.tar.Z |
| finger daemon | http://www.prz.tu-berlin.de/~leitner/fingerd.html |
| freestone | ftp.soscorp.com/pub/sos/freestone |
| freestone | ftp://ftp.cs.columbia.edu/pub/sos/freestone |
| gabriel | ftp://ftp.best.com/pub/lat |
| ipfilter | http://cheops.anu.edu.au/~avalon/ip-filter.html |
| ipfirewall | ftp://ftp.nebulus.net/pub/bsdi/security |
| kerberos | http://www.contrib.andrew.cmu.edu/usr/db74/kerberos.html |
| merlin | http://ciac.llnl.gov/ |
| npasswd | ftp://wuarchive.wustl.edu/usenet/comp.sources.unix/ volume25/npasswd |
| obvious-pw.tar.Z | ftp://isgate.is/pub/unix/sec7/obvious-pw.tar.Z |
| opie | ftp://ftp.nrl.navy.mil/pub/security/nrl-opie/ |
| pcheck.tar.Z | ftp://isgate.is/pub/unix/sec8/pcheck.tar.Z |
| Plugslot Ltd | http://www.var.org/~greg/PCPPSP.html |
| rsaeuro | tp://ftp.ox.ac.uk/pub/crypto/misc/ |
| rscan | http://www.umbc.edu/rscan/ |
| satan | http://www.fish.com/satan |
| Secure Telnet | ftp://idea.sec.dsi.unimi.it/cert-it/stel.tar.gz |
Page 409
| Tool | Address |
| ssh | http://www.cs.hut.fi/ssh/ |
| tcp wrappers | ftp://ftp.win.tue.nl/pub/security/ |
| telnet (encrypted) | ftp.tu-chemnitz.de/pub/Local/informatik/sec_tel_ftp/ |
| tiger | ftp://wuarchive.wustl.edu/packages/security/TAMU/ |
| tis firewall toolkit | ftp://ftp.tis.com/pub/firewalls/toolkit/ |
| tripwire | ftp://wuarchive.wustl.edu/packages/security/tripwire/ |
| xp-beta | ftp://ftp.mri.co.jp/pub/Xp-BETA/ |
| xroute | ftp://ftp.x.org/contrib/utilities/ |
Security is only as good as the users' willingness to follow the policies. This is, on many systems and in many companies, where the contention comes in. The users just want to get their job done. The administrators want to keep the undesirables out of the system. The corporate management wants to keep the corporate secrets secret. Security is, in many ways, the hardest area to get users to cooperate, but is, in fact, the most important. Users who write down or share passwords, poorly written software, and maliciousness are the biggest security problems.
For the administrator in charge of the system, the only advice that can be offered is this: The best user will only follow the policies that you follow. If you have poor security habits, they will be passed along. On the other hand, people generally rise to the minimum level they see exhibited or see as expected. It is the job of the administrator to go beyond the call of duty and gently point out improvements while at the same time fighting the dragons at the back gate trying to get into the system.
Page 410