Re: [SLUG] Default access rights.... (questions from a newbie - continued)

From: steve (steve@itcom.net)
Date: Mon Dec 24 2001 - 10:41:02 EST


On Monday 24 December 2001 08:13 am, you wrote:
> Thanks this will give good information on direction. What about .jsp or
> .php should they be granted execute rights? I am a bit embarrassed to
> admit that I don't fully understand Unix implementation of file security.
> I understand the basic (how to read it ls -lF, just not the effects of file
> security on other apps, such as apache.) I presume that server-side
> scripting would need "x" rights.
>
> Thanks for reference to the "Howto"
>

This is how you tell.

What is using the file? Is it a script? If so it would have the first line;
#!/bin/sh or similar, or
#!/usr/bin/perl f. ex.

That is saying execute with the above.

Now, if you have a server that is reading your instructions, like apache, it
is doing the executing. Notice an HTML file does not start with #!. Nor does
php or jsp.

Apache has the modules to know how to deal with them. It then creates web
pages that are returned to the browser on the other end.

Unix was intended to be open. Everything is a file. Thus allowing anything
to talk to anything. You can pipe the output from one into another. Basically
the idea was that you'd write small programs good at doing one thing. Then
take the output from that and send it to the next as needed.

Basically it works except some programs can be "violated" because they have
design flaws that allow others to take advantage of them and gain access not
intended.

F. ex. sendmail was never intended to be anything but a proof of concept
for smtp. Turns out it stuck. Quite popular. (Also long before criminals got
online.) So you have this program, not really written to be used in a
production environment. Which has grown and grown with many new features.
Meanwhile it had internal flaws that allowed someone to gain root access
through it, as sendmail was running as root. (There is a feature that allows
a file (program) to be owned by one normal user but execute as root, called
setuid or set user id.)

The beauty with unix is that you cannot gain access unless something is
listening to a port. Like Apache on port 80. It sits there waiting for a
request (it can recognize) to come in on port 80. If it does - it replies.

Now the more ports you listen through with different services (like ftp,
telnet, mail etc.) the more programs you need to keep an eye out on in case
there's a design flaw that can let a cracker (criminal hacker) through.

Since that is pretty hard work you limit a server to only listen to what you
need. Remember, with all the nice features you find in MS Outlook - it is a
security nightmare. Too powerful. It will run all sorts of things that are
being used by crackers to do ANYTHING they want to. Sorry, but HTML does not
belong in e-mail due to this.

It's really neat to have a program pop up and play you a video greeting or
some programs you have on your hard disk through e-mail. Surprise your wife or
girlfriend, or customers. But beware, it also lets most viral s/w in.

Take ICQ. Great tool. Very insecure! So only allow what you can manage.

Security is not understood by many. They will tell you: What do I have that
they could be interested in? I don't care I have no secrets!

We all have something every cracker out there wants, an identity other than
his! Something to use to break into someone else's computer with. Especially
those of us with permanent connections. Sitting ducks we are unless properly
defended.

One of the popular things to do is to leave "tools of the trade" on our
computers for later use. Or a pgm set to attack (en masse) someone.

This is why I NEVER EVER will support the use of MS products on the Internet.
No win O/S can be defended against a man in the middle attack. (I have not
tested XP yet.) When you communicate between two computers it is generally
described to be a number of packets that are sent between the two. A packet
is like a truck. Up front is the driver with a paper that says where he's
coming from and where he's going. It also says what he is carrying. These
packets have to be assembled in the proper sequence. To accomplish this a
sequence number is used. It is supposed to be random so that it cannot be
guessed. I tested w98, NT and W2K. They came up with a random number that
went from just above 10 to around 24. On an old Linux kernel it was some
500,000. Current ones are in the millions. Try guessing that!

Now once you've guessed it you can steal the traffic by pretending to be the
recipient. You could simply "listen in" and forward all communication
uninterrupted. Or take over as the other server. Anything you typed would be
known. Unless you used encryption. And the "man-in-the-middle" did not know how
to unravel it.

Scared enough?

I saw a win98se box with the latest antivirus s/w let a virus damage a
computer before it was stopped. Even though it had the "correct" version to
handle that virus.

Unix does not let a virus damage something a user does not have the rights
to. It is easier to defend and maintain due to the active community we have.
That is why you always run as a user and not root for your day to day
activities.

Well that's a whole lot more than I intended but you kinda get going as so
many things tie in, and the better concept you have the easier it is to work
with it.

When a great new program comes out I always find out where its security
allows it to be used.

Anyhow, dive into the HOWTO's and if you have any specifics I'll try to answer
you.

Steve
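
An added example, not part of the original post: a shell sketch that applies the test described in the reply above (look at the mode bits and at the first line) to every regular file under a web root, and also marks the setuid bit the reply mentions. The function names, class labels and demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names, class labels and demo files are constructed.

# classify_file PATH -> prints one label, prefixed "setuid+" if that bit is set:
#   script-exec    #! line and an x bit: the kernel can run it directly
#   script-noexec  #! line, no x bit: runs only when handed to an interpreter
#   x-no-shebang   x bit, no #! line: not needed for files a server only reads
#   plain          neither
classify_file() {
    f=$1
    mode=$(ls -ld -- "$f" | cut -c2-10)               # e.g. rwxr-xr-x
    magic=$(head -c 2 2>/dev/null <"$f" | tr -d '\0')  # first two bytes
    case $mode in
        ??[sS]*) suid="setuid+" ;;                    # s/S in the owner-x column
        *)       suid="" ;;
    esac
    case $mode in
        *[xst]*) has_x=yes ;;                         # lowercase s/t imply x
        *)       has_x=no ;;
    esac
    if [ "$magic" = "#!" ]; then
        [ "$has_x" = yes ] && class=script-exec || class=script-noexec
    else
        [ "$has_x" = yes ] && class=x-no-shebang || class=plain
    fi
    printf '%s%s\n' "$suid" "$class"
}

# audit_tree DIR -> one "label path" line per regular file
# (paths containing newlines are not handled in this sketch).
audit_tree() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%-22s %s\n' "$(classify_file "$f")" "$f"
    done
}

# Constructed demo web root.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '<html></html>\n'             > "$demo/index.html"; chmod 644 "$demo/index.html"
printf '<?php echo 1; ?>\n'          > "$demo/page.php";   chmod 755 "$demo/page.php"
printf '#!/bin/sh\necho hi\n'        > "$demo/hello.cgi";  chmod 755 "$demo/hello.cgi"
printf '#!/usr/bin/perl\nprint 1;\n' > "$demo/report.pl";  chmod 644 "$demo/report.pl"
audit_tree "$demo"
```

Here `page.php` comes out as `x-no-shebang`: the server module only needs to read it, so the execute bit can be dropped, while `hello.cgi` needs both the `#!` line and the x bit to be run directly.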



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:21:33 EDT