Very Computer

Hello, I'm looking for any security information I can find about Linux security.
This is what I'm trying to do: I want to connect several Linux machines to
a existing network of Sun's and PC's running NFS.  This network is very secure, and
I don't want the linux machines to compromise that, does anyone have any ideas, or pointers to where I should look??
Thanks

--
Shawn
---

Michigan technological University   Rm S004     (906) 487-2901

: Hello, I'm looking for any security information I can find about Linux security.
: This is what I'm trying to do: I want to connect several Linux machines to
: a existing network of Sun's and PC's running NFS.  This network is very secure, and
: I don't want the linux machines to compromise that, does anyone have any ideas, or pointers to where I should look??
: Thanks

Look at http://bach.cis.temple.edu:80/linux/linux-security/

You may also want to subscribe to the linux-security mailing list (see
address above).

Jakob

--
Jakob Schiotz              !  Fax:    +1 (314) 935 6219
Department of Physics      !  Phone:  +1 (314) 935 4968

St. Louis, MO 63130, USA   !  WWW:    http://nils.wustl.edu/schiotz.html

I am not aware of any special considerations that you need to be aware of
for Linux specifically.  It has the same weaknesses as any UNIX system.
O'Reilly's "Practical Unix Security" is a fine book full of security info
for UNIX systems in general.

One thing I just thought of now is that anyone can download boot/root
disks from the net and reboot your system as root.  Is this true for other
unix variants?

-mat

Quote:> Hello, I'm looking for any security information I can find about Linux

security....

--

sys admin, berkeley systems inc

While major commercial UNIX variant providers are not in the habit of
providing boot/root recovery diskettes "on the net," I believe "yes" is
the correct response to the spirit of your question.

Physical security is more important (imho) than logical security (but
not by much :) ) since every software security measure (and many
hardware security devices) can be defeated once physical access is
attained.

Jon
--

: I am not aware of any special considerations that you need to be aware of
: for Linux specifically.  It has the same weaknesses as any UNIX system.

Just to relay something I heard in my mail:

make sure 'minicom' isn't setuid root (or find out more if you really
want non root users to use it).

Which perhaps brings up another point - if you are really paranoid about
security it might be an idea to go through all the setuid's and decide
whats needed and what isn't (although the same applys to all unix's of
course).

Linux has always seemed quite well set up to me BTW, well at least the
version I installed does (slackware version 2.0).  Although I heard
somebody mention about some incorrect permissions on a particular cd-rom
distribution.  Oh yeah and a minor problem with wu-ftp has also been
mentioned (just a matter of a mistake in the default setup I think).
(I've also noticed that '/var/spool/mail' should NOT be world writable
on my version.  Not that it is by default, but I'm sure somebody in the
world has made the mistake of setting it drwxrwxrwt like it is on SunOS
etc).

I'm sure a few other little problems have cropped up in the past.  The
advantage with linux of course is that they probably get fixed in the
next (free) version.

(I certainly *don't* have any extensive knowledge of linux bugs BTW).

Shouldn't worry about it too much, certainly seems better than other
OS's in this respect IMO.

Cheers,

--
<A HREF="http://scitsc.wlv.ac.uk/~cs6171/hack/index.html">unix/net/hack page</A>
<A HREF="http://scitsc.wlv.ac.uk/~cs6171/home.html">Arny's Home Page</A>

Not necessarily.. I have my system setup so that one must have a password
to:

1. boot from floppy (setup in the BIOS)
2. boot any kernel image other than the default (LILO)
3. boot any kernel with non-default options (LILO)

That way, nobody can boot from floppy or into single user mode.

-kevin-

  http://www.winternet.com/~kbrint/
  winternet staff - email for info

Reading a book on Unix security is a good idea.

Quote:>One thing I just thought of now is that anyone can download boot/root
>disks from the net and reboot your system as root.  Is this true for other
>unix variants?

Gaining root with boot/root disks isn't always possible for several
reasons.

1 -     It is very easy to disable booting from floppy by setting up
        the BIOS so that floppy is disabled during bootup.

2 -     The BIOS can be password protected to prevent alteration.

3 -     Physical security is difficult once someone has access to your
        system.  Since if someone wants to badly enough, one could
        simply get out the axe and start hacking away (bad pun).

4 -     It isn't necessary to use the boot/root disks from Slackware
        to even enter single user mode.  It is possible to enter
        single user mode using LILO, but that also may be password
        protected.

5 -     Another several reasons, but I've forgotten them now  :( :(.

Other Unix variants have their own method for getting into single user
mode, for some, it's the Sun boot -s thingy.  For others ... I dunno.
--
--
pub  2047/848251A1 1995/08/01 Perry Francis Nguyen <Huy / ABV>
        Key fingerprint =  9F A5 F1 29 0B EF 3A 1A  3D D4 8C B1 36 13 71 C1

: > One thing I just thought of now is that anyone can download boot/root
: > disks from the net and reboot your system as root.

: Not necessarily.. I have my system setup so that one must have a password
: to:

: 1. boot from floppy (setup in the BIOS)
: 2. boot any kernel image other than the default (LILO)
: 3. boot any kernel with non-default options (LILO)

: That way, nobody can boot from floppy or into single user mode.

Until they pop your case open and reset the CMOS.
The only guts this requires is the self-confidence
to be able to guess/read/determine the hard disk
configuration.

As always, physical access to the machine can be
parlayed into root access to the software.  The only
way I know to violate this rule is to have an encrypted
filesystem with pass-phrase provided by the operator
at boot/mount time (like CFS).

Yeah, but if you boot (either from floppy or using LILO), but mount a
prepared floppy (ie. with a root password you know) as root partition,
you can then just mount the /dev/hda1 or whatever, access all the
data, splatter /etc/passwd, whatever you like.

Quote:> Hello, I'm looking for any security information I can find about Linux security.
> This is what I'm trying to do: I want to connect several Linux machines to
> a existing network of Sun's and PC's running NFS.  This network is very secure, and

No Network with attached PCs is very secure!
Users can start or boot any software on PCs, e.g. packet sniffers.

-----BEGIN PGP SIGNED MESSAGE-----

        well, bios protection is more or less useless except to deter the
most casual of intruders. as you've mentioned, once someone has physical
access to your box, all bets are off. lilo does indeed have password
protection - at least, to the extent that one needs the password to boot
into single user mode (or off an alternate root device, for example). i
can't offhand remember whether or not there is an option to require a
password upon bootup - i believe there is.
        the other point is, off course, that the password is stored in your
lilo.conf. accidentally leaving it world readable could be a mistake.
um. there's also the point that anyone who's root on your box can read
your lilo.conf, and with sufficient knowledge may be able to read out
your cmos password. then again, if they have root, the whole point
becomes rather academic.

mjh

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface

iQDVAwUBMF7h6dv7NcoSvbspAQGc7AX8DP1ewtA/I7ciV1RqfiwuUHyJICm5mjN3
ilyGkl3oKIxo6tGpo2hLGFrS83EZEfPm4A6lt2a38wsn3tp94vVOPjbI3Mv9J7ux
nKd0U8/ohPtaAiaXPH9UWyN5zHV2q9ee/i7fiE0hRyqdqFVhoLU3EBrn2Oc5Y65P
jHPL0eEAO8QQVdq9ZGai0151Kh0+yAX7pE8DPf71nQV6POkdPY519dyMzgYDy1mL
NrxvdvhPOBknZYhUNB9vvBTdgc7EY2td
=bQwe
-----END PGP SIGNATURE-----

: : I am not aware of any special considerations that you need to be aware of
: : for Linux specifically.  It has the same weaknesses as any UNIX system.

: Just to relay something I heard in my mail:

: make sure 'minicom' isn't setuid root (or find out more if you really
: want non root users to use it).

: Which perhaps brings up another point - if you are really paranoid about
: security it might be an idea to go through all the setuid's and decide
: whats needed and what isn't (although the same applys to all unix's of
: course).

: Linux has always seemed quite well set up to me BTW, well at least the
: version I installed does (slackware version 2.0).  Although I heard
: somebody mention about some incorrect permissions on a particular cd-rom
: distribution.  Oh yeah and a minor problem with wu-ftp has also been
: mentioned (just a matter of a mistake in the default setup I think).
: (I've also noticed that '/var/spool/mail' should NOT be world writable
: on my version.  Not that it is by default, but I'm sure somebody in the
: world has made the mistake of setting it drwxrwxrwt like it is on SunOS
: etc).

I didn't really notice when I installed Slackware on my own computer,
because I was completely new to UNIX.

However, after watching my roommate install Slackware on *his* computer,
I realized that Slackware just really isn't all that security-conscious.
It has *everything* turned on in inetd.  Lots of things are setuid
root.  And the permissions on the virtual consoles are world-writable.

A couple of things to think about on a net-accessible Slackware Linux box
when you get it (if it isn't net accessible, most of this doesn't
matter so much, since physical access really does beat all):

        1) go through inetd.conf and turn off everything you don't
           need.

        2) Change lpd et al to not be setuid root, but instead
           to be either setuid lp or setgid lp (where lp is some
           special user or group you create).  Then chown or chgrp
           everything in /usr/spool/lp* .

        3) Go through /etc/rc.d/rc.inet2, and comment out services
           you don't use.  In particular, comment out nfsd and mountd.
           If you don't have a printer, comment out lpd.

        4) The /dev/tty? permissions are really a problem, because anyone
           who can open a virtual console can do * things like
           change the key map.  To change the permissions, though, you
           need a new getty, login, write, mesg, and probably a few
           others.  So I'm not sure exactly what to do for this problem,
           unless you seriously have something to hide from the other
           users on your system.

        5) Yeah, I HATE the setuid flag on minicom.  I like minicom,
           but don't like at all the way it tries to manage security
           itself -- it should just trust in access permissions.  Or
           it should be *really* careful about what it does with its
           superuser privileges!  The bug mentioned in the mailing list
           is ridiculous -- allowing arbitrary shell escapes!  I agree
           with Arny -- it would probably be a good idea to scan
           the filesystem for setuid files and see what you think of
           each one.

Another problem I noticed is that syslogd is wide open to the
world -- anyone can log a message to your computer; I don't know
at all how to fix this problem, though.

Slackware comes with a lot of features ready-to-use, but it doesn't
come all that secure.

Lex

: One thing I just thought of now is that anyone can download boot/root
: disks from the net and reboot your system as root.  Is this true for other
: unix variants?

Quote:>Well, if you boot from the floppy, and then try to mount the main
>partition, you will also mount /etc/passwd, and you get teh whole system
>back the way it was.. beyond that, I dunno.

True, if you boot the boot (recovery) disk, it'll switch to your HD for
the root. If however you boot the (standard install) boot, it uses the
root diskette as its root. Then you can mount /dev/hda1 on /mnt for
example and edit /mnt/etc/passwd.

Rob
--
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~

NOTE: my opinions are strictly my own and not those of my employer