Shawn Mckay's Perspective on Computer Security

Basic security problems with various mostly UNIX systems

Overuse of SETUID root programs
Overuse of SETGID root programs
Failing to use "groups" more in file permissions
Making privileged system binary files world readable
Leaving read permission enabled when its not required
Placing limits on group memberships, making them hard to use
Forcing the sysadmin to use root when its not required
Anonymous FTP problems and notes
Refusing to learn from the past and older systems
Refusing to use good ideas from others in your field
A Basic lack of imagination from both sysadmins and vendors
Poor network security

Some more general topics

The Central Cracking Intelligence Agency

I will attempt to give examples for the above problems as they relate to some popular operating systems currently on the market. However I wont mention any by name (You know who you are).

Overuse of SETUID root programs

In general you should find very few reason to be root, for the most part the more root programs you have the more likely one of them has a bug that someone can exploit to get root permissions.

The vast majority of system tasks can be handed out based on group permission or special directory / file permissions. A well designed UNIX should have a handful of setuid root programs. But if you use a commercial product, I am willing to bet you have some extra setuid bits floating around.

If you wish to find out how much extra, Try the following command on your UNIX:

   find / -name "*" -type f -user root -perm -4000 -exec ls -ls {} \;

If you wish to discover how many files you saw fly by, then try adding the line:

  | wc -l

to the end of the above command and try again.
Its very hard to ensure each of this many programs is really "safe". Its much better to limit the use of setuid permissions whenever possible. Sadly, few people spend the few extra steps to avoid setuid/setgid use. They use it because its easy, not because its the right thing to do in most cases.

Overuse of SETGID root programs

Ok, now try changing the mode above from "-4000" to "-2000" and try again. This should list the files on your system that are "setgid" to root. In general there is VERY little reason to do this. Usually a separate group could easily be created for the given function but usually its not.

Failure to use "groups" more in file permissions

On most UNIX products you will find a handful of groups listed in /etc/group, there are many reasons for this in general, but few of them are really valid. The most serious problem with having lots of groups is with some versions of NFS, which limit the number of groups a user may belong to. I also seem to remember some versions of UNIX with the initgroups(3) call also limit the group membership.

Never the less this remains a powerful tool to be used by the educated. An example might be with one specific type of UNIX that restricts the use of the dump(8) command. They require that you must be root to perform a system backup.

This is crazy, you do not. But using their software they require it. I have yet to see a version of UNIX where the following wont work if done with care:

Create a group called something like "rawdsk"
Change the mode on the "raw" disk devices in /dev to this group
Grant the group "rawdsk" read-only permission to these files
Create a special user (with a password) in this same group
Use the "shell" field of the passwd file to force this user to use a special shell when they login. Then have that shell script perform the dumps and exit ONLY if the user is coming in from a secure terminal ("/dev/console" is usually a good choice).

There are a number of variants on the above, non of which involve root access. But I think you can see root is not generally required.

Making system binary files world readable

Sometime try using the strings(1) command on every file in /bin, or /usr/bin, or /etc and imagine the wealth of information a cracker could get from doing this. No system is totally secure, but giving away this much of the system is also not a good idea. One of the most powerful commands to violate UNIX system security works just fine for any user on most UNIX systems:

		strings /bin/* | grep '/' | more

Its good for finding paths to "secret" system databases and private areas. Its very easy to protect against this abuse and yet so few sites / vendors do.

Some have raised the good point that this restricts legitimate users from being able to force secrets they need from various system programs which might be poorly documented. I tend to agree, but would rather have good manual pages and limit my security problems as much as possible.

You could however meet half way and just do this with setuid/setgid programs, anyone who has to debug on of these can probably bypass the read protection.

On most modern UNIX systems, programs (binaries) need only have the "x" bit set to be used by people. Hence the permission of:

  11 ---x--x--x  1 shawn    staff           11264 Aug 24 12:37 /bin/foo

will protect /bin/foo and yet will not allow random users to "pump" it for information.

This does not always however work on shell scripts, so be careful.

Failing to remove read permission when its not needed

You would do well to consider all system files and areas to be on a need to know access basis. In some cases you will find both security and privacy reasons for this. Here is a dual example.

On most UNIX systems there is a directory called /var/adm. Within its confines you will usually find system accounting data and log files of system activity. In general you will also find it protected poorly with even worse protections inside.

Some of the files within are poorly protected for good reason, but a few simple steps could render it much more secure:

Create a group called "admgrp" and change /var/adm to this group
Change the permission on /var/adm to something like 771

What you end up with is a directory everyone may access (and non-setuid programs may access without the user knowing the exact filename when needed) and yet is not casually searchable by the user. Combined with good system binary protection this makes a very good log area.

I would also go one step beyond with the system accounting data by giving it a mode of say 440 and a group all its own. Using these few tools and basic philosophy you may now grant access on an "as needed" basis and greatly limit your risk of mistakes by authorized users and security violations.

In general when you create a system file, directory or special area you should take a moment to think "Who needs access to this area?" "Why?" and can I resolve the access issues with a group and clever use of file permissions?

What about RCS and people who forget to use the right permissions?

There is a thing called a "firewall" which may be used to address this issue, here we like to be able to edit the /etc/printcap file.. To do this we have done the following:

Create a directory /usr/eecs/etc/printcap.d (group "lprcap", mode 775)
Create a directory /usr/eecs/etc/printcap.d/RCS (group "lprcap" mode 775)
Relocate (using mv(1)) /etc/printcap to /usr/eecs/etc/printcap.d/printcap
Create a symbolic link from /etc/printcap to /usr/eecs/etc/printcap.d/printcap
Using rcs, check in (using "ci -u") this new printcap file

Using the above we now have a printcap everyone in the "lprcap" group may edit using RCS an which is still referenced "correctly" by the system. You could go one step beyond and make the directory mode 770 if you wanted to protect the printcap file from general access, or 771 if you didnt want people to randomly read other files within. If more people did this, I think we would have much less reliance on setuid programs.

Placing limits on group memberships, making them hard to use

By limiting the number of possible groups a user may belong to, you curtail the number of different types of "special access" the system manager can deal out. This causes some to give up and give out "root" access. This is much like giving a child a loaded gun, its almost always a poor idea. And the cases where root access are really needed are few and far between.

Forcing the sysadmin to use root when its not really required

I think you will find the dump example above is typical. Here, when the vendor had the choice of making the program "normal" and creating a special group of users with read-only access to the special resource in question, they chose the easy yet dangerous solution instead. If you look at the manual page for restore(8) in the manual you will also find that the dump command is a resource for the average user on some systems. Depending on the type of UNIX it can be used like the tar(1) command. Yet you would hardly require a user to be root to use tar(1).

The power of root

Sometimes we forget the power of the root user. Its not uncommon for even a seasoned system manager to blow away major parts of the system with a slightly mis-typed command. Yet on some systems this hazard is given away casually. The root user is a time-bomb and should be only used with the greatest of reservation. In general only a few things really require you to be root:

Killing runaway processes
Shutdown of the system itself
Editing of /etc/passwd and /etc/group
Changing file ownership / mode (so root is less needed)
Restarting fallen system daemons / programs
System debugging / tuning

Of the above listed items, ONLY

System debugging / tuning

cannot easily be avoided. Many programs are available in the public domain to handle the other functions either in a single setuid root program or a few cautious setuid programs.

A word on setuid permissions

In general when people write a program to be setuid they put all of the protection for it "within" the confines of the program. With a historical perspective on UNIX security its easy to see where this "all or nothing" philosophy comes from but its a general weakness that needs to go away.

The typical setuid program internally checks a few things:

If its really setuid root when run
If its running from a trusted location (a real terminal, etc)
If its being used by someone it trusts or should be using it

They also do a few things like protect themselfs from unexpected failures and signals the user might use against them to cause a security breach. Then they are installed onto the system in some cases as:

   288 -r-sr-xr-x   1 root      bin  139264 Dec 21  1992 /bin/su

I would propose an alternative protection of:

   200 -r-s--x---  1 root     binsu  192512 Sep 10  1991 /usr/bin/su

I would consider removing the world-read permission in the first example to be a bare minimum for such an important and powerful program.

In my alternative you will notice that only people who belong to the "binsu" group may run the /bin/su program. You could make it a little broader by say changing the group name to something like "setuid" and making the permissions on MOST setuid programs as above. Thus only a small group of users may even try to run the software in question.

This is what is sometimes called defense in depth, its a concept from emergency management and is very valid in computer security. Its also something found in many non-unix systems of the past.

Anonymous FTP problems and notes

Select with care the version of ftpd you are going to use if you will be offering anonymous ftp. Never under estimate the power of logging.

Also, the "ls" program that anonymous ftp users have access to use should NEVER return real user id/group id information. Always have it return dummy info in these areas.

This should remove the need for you to maintain a copy of ~ftp/etc/passwd and it should thus be removed along with the ~ftp/etc/group file. You should of course NEVER use a real passwd file in this location.

The ever insecure sendmail program

Anything below sendmail v8.6.9 should be used with great care. You might also consider if you can run MMDF IIb, which is a much more security (yet complex) mail system.

A word about cron and a new way to use it

The cron clock daemon runs as root on most UNIX systems, and has no real method to permit users access to it except the at(1) command. Here is an example of how to grant multiple levels of access to cron without having to change much in the system, yet yielding a much more flexible layout.

Imagine if you will the following lines in /etc/crontab:

0 * * * * /bin/su daemon /usr/eecs/lib/cron/daemon.hourly.sh
0 0 * * * /bin/su daemon /usr/eecs/lib/cron/daemon.daily.sh
0 1 * * 1 /bin/su daemon /usr/eecs/lib/cron/daemon.weekly.sh
0 2 1 * * /bin/su daemon /usr/eecs/lib/cron/daemon.monthly.sh
0 3 1 1 * /bin/su daemon /usr/eecs/lib/cron/daemon.yearly.sh

Then, also imagine the following directory structure in /usr/eecs/lib/cron:

total 11
   1 drwxrwxr-x  4 shawn    crncap        512 May 27 19:27 .
   1 drwxrwxr-x 32 shawn    ecfmaint     1024 Jul 18 14:00 ..
   1 -rwxrwxr-x  1 shawn    crncap        335 Oct  2  1991 0-README-0
   1 drwxrwxr-x  2 shawn    crncap        512 May 27 19:27 RCS
   2 -r-xr-xr-x  1 shawn    crncap       1080 Oct 24  1993 daemon.daily.sh
   1 -r-xr-xr-x  1 shawn    crncap        403 May 27 19:26 daemon.hourly.sh
   1 -r-xr-xr-x  1 shawn    crncap        351 Sep  2  1993 daemon.monthly.sh
   1 -r-xr-xr-x  1 shawn    crncap        426 Sep  2  1993 daemon.weekly.sh
   1 -r-xr-xr-x  1 shawn    crncap        346 Sep  2  1993 daemon.yearly.sh
   1 drwxrwxr-x  2 shawn    crncap        512 Jan  1  1994 run

Now, instead of having to issue root privilegeds to people using cron you can simply have them added to the "crncap" group and they may now use cron as the user "daemon" (or you could make a user called "cron").

This change can be made to any UNIX cron facility, though its less useful on System-V based UNIX systems as the cron system in use there has a more general usage model already.

The "run" directory simply contains a file updated with the touch(1) command to verify when each of the above scripts ran.

Poor Network Security

If you are on a network there are a few things you should consider hard and long:

Am I sending clear text passwords over the net?
Can I trust people on the network to come into my host?
Do I have ftp enabled on my system?
Do I have lpd enabled on my system?
Is NFS exporting more than I know about?
Does anyone use rlogin on my system?
Does my system support Kerberos?

I like to describe the Internet as the great frontier, with about the security of the Old West. Though there are marshals out there, they by no means outnumber the bad guys and the bad guys have the edge on most folks.

At the moment, most sites have taken the approach of locking their doors to the outside world and only using one way traffic. The problem with this approach is that if we all used it we wouldnt need a net anymore.

Things like Kerberos, and Prospero with Kerberos can help a great deal, and if people would start to uniformly embed Kerberos into their applications it would mean much less to suffer a break in.

Of course, this means little if the operating system fails to include Kerberos at virtually all its levels as well. This is a lot of work, and is probably not the perfect solution. But its proven, and will work to make things MUCH safer.

The Central Cracking Intelligence Agency

We need an agency / group that can really help get a handle on the long and short term issues of system and network security.

This group might provide:

Notices of recent violations (when, where, and how)
Notices of important OS security related patches
Notices of new tactics in use by crackers (when seen)
Notices of new tool kits in use by crackers (and pointer to where to get a copy for analysis)
Notices of new general security related problems
Regular Statistics of criminal / cracking activity
Regular Statistics of activity of undetermined purpose
A rating system of operating system security (available to the public - Motivation for vendors)
A central contact registry for computer system staff
Recent trend analysis with recommendations
Provide a central security tools registry
Provide a central security resources registry
Pointers to good training for security professionals
Pointers to good security related books / trade information
A regular publication with some of the above information
Guidance for lawmakers not in the atari generation
Interact with the UN to help guide world wide security policy
Publish documents for the public at large
Interact with news media agencies about security issues

There are a lot of agencies that do some of the above, but none that I have seen do most / all of the above. It would take a lot of resources to provide such a service but I dont expect the need for such a thing to go away any time soon. With the size of the net growing daily and the dependence on it also growing in all parts of the world to not have such a thing is a bit risky.

If I were to pick, I'd say here is a good "peacetime" use of the CIA (are you listening Langley?) if it could be modified somewhat. The need is for world wide coverage and interaction / aid. And could provide a reason to exist for a really long time. Although its very unclear how good they are at SHARING the information they gather :-).

The Cyber world, its the next battle front. Lets get going before we end up wondering "what happened?".

I will add things here as time permits

Please send your comments to shawn@eddie.mit.edu
Page Last Updated: 94-11-25