Security 101

Authentication in unix

Todo

Discuss how authentication works. Touch on /etc/(passwd|group|shadow), hashing. What are groups? Lead in to the users/groups permissions model and how permissions are based on the user/group/other bits.

Adding and deleting users and groups

Standard unix filesystem permissions

The simplest way of displaying filesystem permissions is by typing:

$ ls -l
drwxr-xr-x   2 john  company  68  3 Oct 10:34 files
-rwxrwxrwx   1 john  company    0  3 Oct 10:29 hello_world.txt

The left column is a 10-character string that indicates the permissions for a file. It consists of the symbols d, r, w, x, -.

  • Directory (d) - This is the first character in the permissions string. This indicates a directory. Otherwise, the first character is a - to indicate that it is not a directory.

  • Read (r) - The read permission allows the user to read the contents of the file or list the files in the directory.

  • Write (w)- The write permission allows the user to write or modify a file. In the case of directories, the use may delete files from the directory or move files into the directory.

  • Execute (x) -The execute permission allows the user to execute a file or access the contents of a directory. In the case of directories, this indicated that the user may read files in the directory, provided that the user has read permission on an individual file.

The 9 remaining characters are split into 3 sets to represent the access rights based on 3 groups of users. Take the “files” directory above as an example, we can split the characters like this: [d][rwx][r-x][r-x]

  • The first character, as explained above, indicates a directory or a file

  • The first group gives the file permissions for the owner of the file or directory. This means that the user “john” has read/write/execute permissions to the directory.

  • The second group gives the file permissions for the group of users to whom the file or directory belongs to. This means that anyone who is under the group “company” has read/execute permissions to the directory.

  • The third group gives the file permissions for other users. Basically anyone who are not the owner or a part of the user group. This means that everyone else has read/execute permissions to the directory.

Some more examples of permissions:

  • -rwxrwxrwx is a file everyone can read, modify (including delete), and execute.

  • -rw------- is a file only the user can read and modify.

PAM

Chroot, jails and containers

Sudo (or, “Why you should not log in as root”)

History and Lore

The Morris Worm

http://www.snowplow.org/tom/worm/worm.html

/bin/false is not security

https://web.archive.org/web/20150907095805/http://www.semicomplete.com/articles/ssh-security