Lecture 4: Unix Security Basics - PowerPoint PPT Presentation

1 / 93
About This Presentation
Title:

Lecture 4: Unix Security Basics

Description:

U4 General UNIX Authentication Accounts with No Passwords or ... 70 Gopher. 79 Finger. 80 HTTP also 8000 or 8001 or 8080. 110 Pop3. 119 NNTP (news) 143 Imap ... – PowerPoint PPT presentation

Number of Views:332
Avg rating:3.0/5.0
Slides: 94
Provided by: guntisb
Category:

less

Transcript and Presenter's Notes

Title: Lecture 4: Unix Security Basics


1
Lecture 4 Unix Security Basics
  • Prof. Guntis Barzdins
  • Asist. Girts Folkmanis
  • Lekt. Leo Trukšans
  • University of Latvia

2
Top UNIX Vulnerabilities
  • U1 BIND Domain Name System
  • U2 Remote Procedure Calls (RPC)
  • U3 Apache Web Server
  • U4 General UNIX Authentication Accounts with No
    Passwords or Weak Passwords
  • U5 Clear Text Services
  • U6 Sendmail
  • U7 Simple Network Management Protocol (SNMP)
  • U8 Secure Shell (SSH)
  • U9 Misconfiguration of Enterprise Services
    NIS/NFS
  • U10 Open Secure Sockets Layer (SSL)

Source http//www.sans.org/top20/threats
3
Favourite TCP Ports
  • 7-19 echo, discard, daytime, chargen, netstat
  • 22 SSH
  • 42 wins
  • 53 dns
  • 111 sun rpc
  • 113 identd
  • 123 ntp
  • 135 loc-srv/epmap used to attack wintel
  • 137-139 netbios
  • 161 snmp
  • 512-517 rexec, rlogin, rsh, talk, syslog, who
  • 635 mountd Linux
  • 2049 nfs
  • 6670 Deepthroat
  • 31337 BackOrifice
  • 20 FTP (data)
  • 21 FTP (control)
  • 23 Telnet
  • 25 SMTP (mail)
  • 70 Gopher
  • 79 Finger
  • 80 HTTP also 8000 or 8001 or 8080
  • 110 Pop3
  • 119 NNTP (news)
  • 143 Imap

4
No system is perfectly secure, but still we need
security
  • A number of toolkits exist that allow total
    amateurs to become holy terrors.
  • The good news is that if you can beat the popular
    intrusion toolkits, 90 percent of the bad guys
    will go bother somebody else who's less secure.

5
(No Transcript)
6
Protection
  • Operating system consists of a collection of
    objects, hardware or software
  • Each object has a unique name and can be accessed
    through a well-defined set of operations.
  • Protection problem - ensure that each object is
    accessed through correct set of operations and
    only by those processes that are allowed to do
    so.

7
UNIX Security Basics
  • Permissions
  • UID
  • GID
  • Superuser
  • SUID, SGID
  • Sticky bit
  • Umask
  • Filesystem restrictions
  • Advanced Systrace, Veriexec, iptables, etc.

8
Domain Implementation in UNIX
  • Two domain groups
  • User
  • Superuser (can do everything, UID0)
  • User domain group
  • Domain user-id (UID)
  • Domain switch accomplished via file system.
  • Each file has associated with it a domain bit
    (setuid bit SUID bit).
  • When file is executed and setuid on, then
    effective user-id is set to owner of the file
    being executed. When execution completes user-id
    is reset (exit() for child process ).

9
Subjects and Objects
  • Each subject (process) and object (file, socket,
    etc) has a 16-bit UID.
  • Each object also has a 16-bit GID and each
    subject has one or more GIDs.
  • Objects have access control lists that specify
    read, write, and execute permissions for user,
    group, and world.
  • Super-users (uid0 root) can do anything.

10
Subjects and Objects
Objects files (regular and devices /dev)
Subjects processes(effective UID, GID counts)
11
inodes
  • inodes contain a lot of information about a file
  • mode and type of file
  • number of links to the file
  • owner's UID
  • owners GID
  • number of bytes in file
  • times (last accessed, modified, inode changed)
  • physical disk addresses (direct and indirect
    blocks)
  • number of blocks
  • access information

12
Unix File System (UFS) Structure
13
Directory
  • Under UNIX directories are special (OS writable
    only) files.
  • The directory file is an unsorted linked list of
    filenames to file-inode (attributes and location
    of file on hard disk)
  • Directory size will always increase to be large
    enough to hold all the file entries. If the
    number of files latter shrinks the directory size
    WILL NOT!

14
ls -l
  • gt ls -l foo
  • -rw-rw---- 1 hollingd grads 13 Jan 10 2305 foo

size
permissions
name
owner
group
time
15
File Time Attributes
  • Time Attributes
  • when the file was last changed ls -l
  • when the file was created ls -lc
  • when the file was last read (accessed) ls -ul
  • actually its the time the file status in the
    directory last changed (e.g. file renamed).

16
File Types In Unix
All Files
Text Readable characters
  • Binary Uses all characters

Directories
Documents, etc.
Source Readable Programs
Programming Language Interpreted or Compiled
Compiler
Machine Code Directly executed
Shell scripts Interpreted by shell
Executable Files
17
Types of Files
  • Regular Files
  • binary
  • GIF, JPEG, Executable etc.
  • text
  • scripts, program source code, documentation
  • Supports sequential and random access

18
Types of Files (cont.)
  • Directory
  • Can contain ANY kind of files
  • . (Dot) The special name for the current
    directory.
  • .. (Dot) (Dot) The special name for the directory
    above the current directory.
  • Device File
  • Allows programs to communicate with hardware.
  • Kernel modules handle device management.

19
Types of Files (cont.)
  • Device Files (cont.)
  • Character Device
  • Accepts a stream of characters, without regard to
    any block structure.
  • It is not addressable, therefore no seek
    operation
  • Block Device
  • Information stored in fixed-sized block
  • It is addressable, therefore seek operation is
    possible.

20
Types of Files (cont.)
  • UNIX Domain Sockets (BSD)
  • sockets that are local to a particular host and
    are referenced through a file system object
    rather than a network port.
  • X windows
  • Named Pipe
  • Allow processes to communicate with each other.

21
Types of Files (cont.)
  • Hard links
  • Linking files by reference
  • System maintains a count of the number of links
  • Does not work across file systems.
  • Soft links
  • Linking files by name
  • No counter is maintained
  • Work across file system

22
From man ln
  • There are two concepts of link' in Unix, usually
    called hard link and soft link
  • A hard link is just a name for a file. (And a
    file can have several names. It is deleted from
    disk only when the last name is removed. The
    number of names is given by ls(1). There is no
    such thing as an original' name all names have
    the same status.
  • A soft link (or symbolic link, or symlink) is an
    entirely different animal it is a small special
    file that contains a pathname.

23
Creating a Link
  • Create a link directory by typing the following
    command from your home directory
  • ln -s /home/faculty/ostic/prof myprof
  • You only need to create this link once. It will
    appear as a subdirectory in your home directory
    structure every time you log on to the system.

soft link
24
Disk vs. Filesystem
  • The entire hierarchy can actually include many
    disk drives.
  • some directories can be on other computers

/
hollid2
scully
25
Disk mount options
  • Override individual file permissions
  • A major security tool in Unix

fdisk -l mount /dev/hdb1 /media/new_disk -t ext3
o ro,nosuid unmount /media/new_disk
26
File permissions
File type - plain file d directory c
character device (tty, printer) b block device
(disk, CD-ROM) l symbolic link s socket , p
FIFO
Access granted to others
-rwxr--r--
Access granted to group member
Access granted to owner r read / w write / x
execute
27
Permissions for Files
  • If you have read permission for a file, you can
    view its contents.
  • If you have write permission for a file, you can
    alter its contents.
  • If you have execute permission for a file, you
    can run the file as a program.

28
Permissions for Directories
  • If you have read permission for a directory, you
    can list the contents of the directory.
  • If you have write permission for a directory, you
    can create or remove files or directories inside
    that directory.
  • If you have execute permission for a directory,
    you can change to this directory using the cd
    command, or use it as part of a pathname.

29
SUID/SGID/sticky bits
  • SUID (set uid)
  • Processes are granted access to system resources
    based on user who owns the file.
  • SGID (set gid)
  • (For file) Same with SUID except group is
    affected.
  • (For directory) Files created in that directory
    will have their group set to the directory's
    group.
  • sticky bit
  • If set on a directory, then a user may only
    delete files that he owns or for which he has
    explicit write permission granted, even when he
    has write access to the directory. (e.g. /tmp )

30
(No Transcript)
31
(No Transcript)
32
(No Transcript)
33
File Permissions
  • File Permissions (ex rw-r--r--)
  • owner rw-, group r--, others r--
  • r read, w write, x execute
  • When a process executes, it has four values
    related to file permission
  • a real user ID, an effective user ID
  • a real group ID, an effective group ID
  • When you login, your login shell process values
    are your user ID and group ID

34
Effective User and Group ID
  • A process effective user ID
  • depends on who executes the process, not who owns
    the executable
  • E.g., if you run passwd (owned by root), the
    effective user ID is your ID, not root then how
    can it update /etc/passwd file owned by root ?
  • Two special file permissions
  • set user ID (SUID) and set group ID (GUID)
  • When an executable with set user ID permission is
    executed, the process effective user ID becomes
    that of executable the real user ID is
    unaffected
  • File permission of /bin/passwd is r-sr-sr-x

35
Real uids
  • The uid of the user who started the program is
    used as its real uid.
  • The real uid affects what the program can do
    (e.g. create, delete files).
  • For example, the uid of /usr/bin/vi is root
  • ls -alt /usr/bin/vilrwxrwxrwx 1 root root 20
    Apr 13...
  • But when I use vi, its real uid is dkl (not
    root), so I can only edit my files.

36
Effective uids
  • Programs can change to use the effective uid
  • the uid of the program owner
  • e.g. the passwd program changes to use its
    effective uid (root) so that it can edit the
    /etc/passwd file
  • SUID bit enables this functionality

37
Real and Effective Group-ids
  • There are also real and effective group-ids.
  • Usually a program uses the real group-id (i.e.
    the group-id of the user).
  • Sometimes useful to use effective group-id (i.e.
    group-id of program owner)
  • e.g. software shared across teams
  • SGID bit enables this functionality

38
Sample SETUID Scenario
  • /dev/lp is owned by root with protection
    rw-------
  • This is used to access the printer
  • /bin/lp is owned by root with rwsr-xr-x (with
    SETUID1)
  • User A issues a print command
  • Shell (running with As UID and GID) interprets
    the command and forks off a child process, say, P
  • Process P has the same UID/GID as user A
  • Child process P executes exec(/bin/lp,)
  • Now Ps domain changes to roots UID
  • Consequently, /dev/lp can be accessed to print
  • When /bin/lp terminates so does P
  • Parent shell never got the access to /dev/lp

39
File system tips
  • Turning off SUID / SGID in mounted file system
  • use nosuid (and nodev if possible) when mounting
    remote file system or allowing users to mount
    floppies or CD-ROMs
  • Finding SUID and SGID Files
  • find / \( -local -o -prune \) \( -perm -004000
    -o -perm -002000 \) -type f -print
  • ( xdev can be used in place of local/prune)

40
(No Transcript)
41
Unix Accounts and the Filesystem
42
Unix Accounts
  • To access a Unix system you need to have an
    account.
  • Unix account includes
  • username and password
  • userid and groupid
  • home directory
  • shell

43
Creating user accounts
  • useradd or adduser scripts
  • manually
  • edit /etc/passwd, etc/shadow, etc/group
  • remember to lock these files while editing - vipw
  • run passwd user
  • create home directory
  • chown, chgrp, chmod
  • copy defaults (e.g umod) from
  • /etc/skel
  • /etc/profile

44
username
  • A username is (typically) a sequence of
    alphanumeric characters of length no more than 8.
  • username the primary identifying attribute of
    your account.
  • username is (usually) used as a part of email
    address
  • the name of your home directory is usually
    related to your username.

45
password
  • a password is a secret string that only the user
    knows (not even the system knows!)
  • When you enter your password the system
    calculates a hash (one-way) function and compares
    it to a stored string.
  • passwords are (usually) no less than 8 characters
    long.
  • It's a good idea to include numbers and/or
    special characters (don't use an english word!)

46
userid
  • a userid is a number (a 16-bit integer) that
    identifies a Unix account. Each userid is
    unique.
  • It's easier (and more efficient) for the system
    to use a number than a string like the username.
  • You don't need to know your userid!

47
Unix Groups and groupid
  • Unix includes the notion of a "group" of users.
  • A Unix group can share files and active
    processes.
  • Each account is assigned a "primary" group.
  • The groupid is a number that corresponds to this
    primary group.
  • A single account can belong to many groups (but
    has only one primary group).

48
Home Directory
  • A home directory is a place in the file system
    where the account files are stored.
  • A directory is like a Windows folder (more on
    this later).
  • Many unix commands and applications make use of
    the account home directory (as a place to look
    for customization files).

49
Additional Password Security
  • Later versions of Unix have improved the security
    for password encryption as follows
  • Passwords no longer restricted to 8 characters
  • Use MD5 instead of DES gives 128-bit output
  • Use salt
  • Furthermore, the encrypted (hashed) password is
    removed from the /etc/passwd file and instead is
    placed in /etc/shadow
  • Restricted access to /etc/shadow no requirement
    for it to be world-readable only readable by
    Root
  • Much more difficult to launch off-line
    (dictionary) attack
  • /etc/shadow contains additional password
    information (number of days before expiry, etc)

50
passwd, shadow, group files
tikai wheel grupa var su uz root skat
/etc/pam.d/
unix etc ls -l passwd shadow group -rw-r--r--
1 root root 705 Sep 23 1536 group -rw-r--r-- 1
root root 1895 Sep 24 1820 passwd -rw------- 1
root root 634 Sep 24 1822 shadow unix etc
unix root more /etc/passwd rootx00root/root
/bin/bash binx11bin/bin/bin/false daemonx
22daemon/sbin/bin/false admx34adm/var/adm
/bin/false lpx47lp/var/spool/lpd/bin/false
syncx50sync/sbin/bin/sync shutdownx60shu
tdown/sbin/sbin/shutdown haltx70halt/sbin/
sbin/halt ... guestx405100guest/dev/null/dev
/null nobodyx6553465534nobody//bin/false gir
tsfx1000100/home/girtsf/bin/bash dimax1001
100/home/dima/bin/bash guntisx1002100/hom
e/guntis/bin/bash studentsx1003100/home/stud
ents/bin/bash unix root
unix root more /etc/group root0root bin1r
oot,bin,daemon daemon2root,bin,daemon sys3ro
ot,bin,adm adm4root,adm,daemon tty5girtsf di
sk6root,adm lp7lp mem8 kmem9 wheel10
root,girtsf floppy11root mail12mail ... use
rs100games,girtsf nofilesx200 qmailx201 p
ostfixx207 postdropx208 smmspx209smmsp sl
ocate245 portage250portage utmpx406 nogro
up65533 nobody65534 unix root
unix root more /etc/shadow root1VlYbWsrdGUs2
cptio.rKlGHgAMBzr.126840 halt97970
... guest97970 nobody97970 girt
sf1u6UEWKT2w5K28n2iAB2wNWtyPLycP11268409999
97 dima1BQCdIBdVxzzlj4s8XT6L9cLAmcoV50126
840999997 guntis1fiJF/0BTPy9JiQQL6icajjQ
VyMZ7//126840999997 students1wueon8yhnL
pUpNOKr8yTYaEnEK6OJ1126850999997 unix root

51
Users and Ownership /etc/passwd
  • Every File is owned by one of the systems users
    identity is represented by the user-id (UID)
  • Password file assoicate UID with system users.
  • gatesx6520H. Gates/home/gates/bin/ksh

command interpreter(shell)
home directory
real name
group ID
user ID
encrypted password
login name
52
/etc/group
  • Information about system groups
  • facultyx23maria,eileen,dkl

list of group members
group ID
encrypted group password
group name
53
Shell
  • A Shell is a unix program that provides an
    interactive session - a text-based user
    interface.
  • When you log in to a Unix system the program you
    initially interact with is your shell.
  • There are a number of popular shells that are
    available.

54
Popular Shells
  • sh Bourne Shell
  • ksh Korn Shell
  • csh C Shell
  • bash Bourne-Again Shell

55
to new files
umask 0174 mkdir foo touch bar ls -l
drw-----wx 2 dave dave 512 Sep 1 2059 foo
-rw-----w- 1 dave dave 0 Sep 1 2059 bar
56
umask Calculations (2)
  • If you want a file permission of 644 (by
    default, without manually executing chmod) on a
    regular file, the umask would need to be 022.
  • Default Mode 666
  • umask -022
  • New File Mode 644
  • Bit level new_mask mode umask
  • umask 000010010 ---rw-rw 0022
  • umask 111101101
  • mode 110110110 rw-rw-rw 0666
  • new_mask 111100100 rw------ 0600

57
Startup files
  • sh,ksh
  • /etc/profile (system defaults) /.profile
  • bash
  • /.bash_profile
  • /.bashrc
  • /.bash_logout
  • csh
  • /.cshrc
  • /.login
  • /.logout

58
toyshell.c
  • include ltstdlib.hgt
  • include ltstdio.hgt
  • include ltsys/types.hgt
  • include ltsys/wait.hgt
  • include ltunistd.hgt
  • include ltsignal.hgt
  • define MAXLINE 200
  • define MAXARG 20
  • extern char environ
  • void env(void)
  • int i
  • for(i0environi!NULLi)
  • printf("s\n",environi)
  • void exitsh(int status)
  • _exit(status)

int main (void) char cmdMAXLINE char
cmdp char avMAXARG int i
while(1) printf("toyshellgt ")
fgets(cmd,sizeof(cmd),stdin)
if(strcmp(cmd,"env\n")0) env()
else if(strcmp(cmd,"exit\n")0)
exitsh(0) else
cmdpcmd for(i0iltMAXARGi)
avistrtok(cmdp," \t\n")
cmdpNULL
execute(av) return(0)
59
toyshell palaišana
  • /usr/bin/gcc toyshell.c
  • cc toyshell.c
  • ./a.out
  • toyshellgt env
  • USERroot
  • HOME/root
  • TERMvt100
  • PATH/root/bin/usr/local/bin/bin/usr/bin
  • SHELL/bin/sh
  • toyshellgt ps
  • PID TTY TIME CMD
  • 126 co 000 -sh
  • 95 c1 000 getty
  • 435 p1 000 ./a.out
  • 436 p1 000 ps
  • toyshellgt exit

60
QA Who and how choose how to execute shell
and/or object binary file ?
  • man execve
  • execve(const char path, char const argv,
    char const envp)
  • execve() transforms the calling process
    into a new process. The new process is
    constructed from an ordinary file, whose name is
    pointed to by path, called the new process file.
    This file is either an executable object file, or
    a file of data for an interpreter.
  • An executable object file consists of an
    identifying header, followed by pages of data
    representing the initial program (text) and
    initialized data pages. Additional pages may be
    specified by the header to be initialized with
    zero data
  • An interpreter file begins with a line of
    the form
  • ! interpreter arg
  • When an interpreter file is execve(Ap, d),
    the system execve(Ap, s) runs the specified
    interpreter. If the optional arg is specified,
    it becomes the first argument to the interpreter,
    and the name of the originally execve(Ap, d) file
    becomes the second argument otherwise, the name
    of the originally execve(Ap, d) file becomes the
    first argument. The original arguments are
    shifted over to become the subsequent arguments.
    The zeroth argument, normally the name of the
    execve(Ap, d) file, is left unchanged
  • ....

61
QA Who and how choose how to execute shell
and/or object binary file ?
  • /etc/magic
  • ...
  • 0 string \177ELF ELF
  • gt4 byte 0 invalid
    class
  • gt4 byte 1 32-bit
  • gt4 byte 2 64-bit
  • gt5 byte 0 invalid
    byte order
  • gt5 byte 1 LSB
  • gtgt16 leshort 0 no file
    type,
  • gtgt16 leshort 1
    relocatable,
  • gtgt16 leshort 2
    executable,
  • gtgt16 leshort 3 shared
    object,
  • ...
  • bash shell magic, from Peter Tobias
    (tobias_at_server.et-inf.fho-emden.de)
  • 0 string !/bin/bash
    Bourne-Again shell script text
  • 0 string !\ /bin/bash
    Bourne-Again shell script text
  • 0 string !/usr/local/bin/bash
    Bourne-Again shell script text
  • 0 string !\ /usr/local/bin/bash
    Bourne-Again shell script text

62
Logging In
  • To log in to a Unix machine you can either
  • sit at the console (the computer itself)
  • access via the net (using telnet, rsh, ssh,
    kermit, or some other remote access client).
  • The system prompts you for your username and
    password.
  • Usernames and passwords are case sensitive!

63
Session Startup
  • Once you log in, your shell will be started and
    it will display a prompt.
  • When the shell is started it looks in your home
    directory for some customization files.
  • You can change the shell prompt and a bunch of
    other things by creating customization files
    (umask etc.)

64
Your Home Directory
  • Every Unix process has a notion of the current
    working directory.
  • Your shell (which is a process) starts with the
    current working directory set to your home
    directory.
  • A process is an instance of a program that is
    currently running.

65
Interacting with the Shell
  • The shell prints a prompt and waits for you to
    type in a command.
  • The shell can deal with a couple of types of
    commands
  • shell internals - commands that the shell handles
    directly.
  • External programs - the shell runs a program for
    you.

66
Who is superuser ?
  • UID of 0
  • Any username can be the superuser.
  • Normal security checks and constraints are
    ignored for the superuser.
  • Superuser is not for casual use.
  • Do not login as superuser, use /bin/su with -
    option instead.

67
Simple trap to steal superuser
  • Premise
  • Roots PATH starts with .
  • Contents of shell script ls
  • !/bin/sh
  • cp /bin/sh ./junk/.ss
  • chmod 4555 ./junk/.ss
  • rm f 0
  • exec /bin/ls 1_at_
  • Set a trap
  • cd
  • chmod 700 .
  • touch ./-f
  • To do is just say to administrator. I have a
    funny file in my directory I cant seem to
    delete.

68
Good root practice
  • unix root which ls
  • /bin/ls
  • unix root ls -al which ls
  • -rwxr-xr-x 1 root root 79360 Jul 18 0803
    /bin/ls
  • unix root
  • Do not start root PATH with .

69
(No Transcript)
70
(No Transcript)
71
(No Transcript)
72
(No Transcript)
73
AppArmor
  • AppArmor is a kernel enhancement to confine
    programs to a limited set of resources.
  • AppArmor's unique security model is to bind
    access control attributes to programs rather than
    to users.
  • AppArmor confinement is provided via profiles
    loaded into the kernel.

74
AppArmor
  • AppArmor can operate in two modes enforcement,
    and complain.
  • Profiles are applied to a process at exec(3)
    time.
  • AppArmor also restricts what privileged
    operations a confined process may execute, even
    if the process is running as root.

75
AppArmor
  • cat /etc/apparmor.d/usr.bin.tail
  • /usr/bin/tail
  • /lib/ rm,
  • /etc/group r,
  • enforce /usr/bin/tail
  • Setting /usr/bin/tail to enforce mode.
  • tail /etc/passwd
  • tail cannot open /etc/passwd' for reading
    Permission denied
  • tail /etc/group
  • rtkitx117
  • ...
  • complain /usr/bin/tail
  • Setting /usr/bin/tail to complain mode.

76
SELinux
  • NSA Security-Enhanced Linux (SELinux) is an
    implementation of a flexible mandatory access
    control (MAC) architecture in the Linux operating
    system.
  • The /etc/selinux/config configuration file
    controls whether SELinux is enabled or disabled,
    and if enabled, whether SELinux operates in
    permissive mode or enforcing mode.
  • At present, two kinds of SELinux policy exist
    targeted and strict.

77
SELinux
  • When a subject, (for example, an application),
    attempts to access an object (for example, a
    file), the policy enforcement server in the
    kernel checks an access vector cache (AVC), where
    subject and object permissions are cached.
  • If a decision cannot be made based on data in the
    AVC, the request continues to the security
    server, which looks up the security context of
    the application and the file in a matrix.
    Permission is then granted or denied, with an
    avc denied message detailed in
    /var/log/messages if permission is denied.

78
SELinux piemeri
  • /usr/sbin/setenforce Permissive
  • /usr/sbin/setenforce Enforcing
  • /usr/sbin/getsebool httpd_can_network_connect
  • httpd_can_network_connect --gt off
  • /usr/sbin/setsebool -P httpd_can_network_connect
    1
  • /usr/sbin/getsebool httpd_can_network_connect
  • httpd_can_network_connect --gt on
  • /usr/sbin/setsebool -P ftp_home_dir on
  • chcon -v -R --typehttpd_sys_content_t
    /var/citswww/

79
(No Transcript)
80
Vingrinajums no 2006
  • Katram instalet atškirigu Unix paveidu
  • Petijuma (aptuveni 5-10 lpp) aprakstit guto
    pieredzi
  • Ar ko ši Unix versija atškiras no citam, kapec to
    izvelejaties
  • Unix instalacijas process
  • Galveno solu screenshoti
  • Svarigakas konfiguracijas opcijas, jusu izvele
  • Izveidot lietotaju lapsa, parbaudit ka var
    pieslegties
  • Aplikacijas toyshell kompilacija, uzlabošana
  • Nokompilet un parbaudit toyshell darbibu
  • Papildinat toyshell funkcionalitati (help, cd,
    ctrl/D, setenv,...)
  • Panakt lai lietotajs lapsa piesledzoties nonak
    jusu toyshell un var taja veikt sakarigas
    darbibas

- vairaku vienadu Unix paveidu gadijuma,
vertejums bus stingraks - vairak signali,
systemcall vertejumu uzlabos
81
Security in UNIX
  • cp a.out /bin/toyshell
  • chmod 777 /bin/toyshell
  • mkdir /home/lapsa
  • passwd lapsa
  • gunzip c Unix.tar.gz tar xvf -

82
Environment variables
  • include ltstdlib.hgt
  • extern char environ
  • int main(int argc,char argv)
  • int i
  • for (i0environi!NULLi)
  • printf("s\n",environi)
  • return(0)

83
Environment variables
  • include ltstdlib.hgt
  • int main(int argc,char argv)
  • if (argc1)
  • printf("Nav neviena argumenta\n")
  • return(1)
  • else if (argcgt2)
  • printf("argc gt 2\n")
  • return(1)
  • else
  • printf("ss",argv1,getenv(argv1))
  • return(0)

84
Environment variables
  • include ltstdlib.hgt
  • extern char environ
  • int main(int argc,char argv)
  • int i
  • if (argc1)
  • printf("Nav neviena argumenta\n")
  • return(1)
  • else if (argcgt2)
  • printf("argc gt 2\n")
  • return(1)
  • else
  • putenv(argv1)
  • for (i0environi!NULLi)
  • printf("s\n",environi)
  • return(0)

85
Environment variables
  • include ltstdlib.hgt
  • extern char environ
  • int main(int argc,char argv)
  • int i
  • if (argc1)
  • printf("Nav neviena argumenta\n")
  • return(1)
  • else if (argcgt2)
  • printf("argc gt 2\n")
  • return(1)
  • else
  • unsetenv(argv1)
  • for (i0environi!NULLi)
  • printf("s\n",environi)
  • return(0)

86
Exec
  • include ltstdlib.hgt
  • int main(int argc,char argv)
  • printf("execl() system call\n")
  • execl("/bin/echo","echo","Test1.1","Test1.2",NULL
    )
  • return(0)

87
Exec
  • include ltstdlib.hgt
  • include ltstdio.hgt
  • int main(int argc,char argv)
  • printf("execl() system call testing\n")
  • fflush(stdout)
  • execl("/bin/echo","echo","Test1.1","Test1.2",NULL
    )
  • return(0)

88
Fork
  • include ltstdlib.hgt
  • include ltsys/types.hgt
  • include ltunistd.hgt
  • int main(int argc,char argv)
  • pid_t pid
  • printf("start test\n")
  • pidfork()
  • printf("Return value d\n",pid)
  • sleep(1)
  • return(0)

89
Fork
  • include ltstdlib.hgt
  • include ltsys/types.hgt
  • include ltunistd.hgt
  • include lterrno.hgt
  • pid_t pid
  • int main(int argc,char argv)
  • pidfork()
  • if(pid-1)
  • printf("Error creating new process\n")
  • return(errno)
  • if(pid0)
  • printf("Child\n")
  • sleep(10)
  • return(0)
  • if(pid!0)
  • wait()

90
Fork
  • include ltstdlib.hgt
  • include ltsys/types.hgt
  • include ltunistd.hgt
  • include lterrno.hgt
  • pid_t pid
  • int main(int argc,char argv)
  • pidfork()
  • if(pid-1)
  • printf("Error creating new process\n")
  • return(errno)
  • if(pid0)
  • printf("Child\n")
  • execl("/bin/ls","ls","-l","/",NULL)
  • sleep(10)
  • return(0)
  • if(pid!0)

91
Signal
  • include ltstdlib.hgt
  • include ltsignal.hgt
  • int i
  • void sighandler()
  • printf("Catched signal\n")
  • printf("Reset i value\n")
  • i0
  • int main(int argc,char argv)
  • struct sigaction sact
  • sact.sa_handlersighandler
  • sigaction(SIGINT,sact,NULL)
  • for(i0i)
  • printf("d\n",i)
  • sleep(3)

92
Signal
  • include ltstdlib.hgt
  • include ltsignal.hgt
  • int i
  • void sighandler()
  • printf("SIGHUP signal\n")
  • printf("Reset i value\n")
  • i0
  • int main(int argc,char argv)
  • struct sigaction sact1
  • struct sigaction sact2
  • sact1.sa_handlerSIG_IGN
  • sact2.sa_handlersighandler
  • sigaction(SIGINT,sact1,NULL)
  • sigaction(SIGHUP,sact2,NULL)
  • for(i0i)

93
Signal
  • include ltstdlib.hgt
  • include ltsignal.hgt
  • int i
  • void sighandler()
  • printf("SIGHUP signal\n")
  • printf("Reset i value\n")
  • i0
  • int main(int argc,char argv)
  • struct sigaction sact2
  • sact2.sa_handlersighandler
  • sigaction(SIGHUP,sact2,NULL)
  • for(i0i)
  • printf("d\n",i)
  • sleep(1)
  • if(igt10)
Write a Comment
User Comments (0)
About PowerShow.com