

Technique 61: Creating a Second Line of Defense with LIDS
Testing LIDS before Applying It to Your System
You can use LIDS to secure your computer, but it’s a good idea to experiment in a UML virtual computer first. Fortunately, LIDS is bundled with the ADIOS UML distribution we talk about in Technique 15.
A quick way to find out how well a candidate system configuration will work for you is to make a practice run inside a UML VM.
Here’s an overview of how testing in a UML VM works:
1. Set up the system in a confined environment (a UML VM).
See Technique 15 for details on downloading, installing, and setting up LIDS in a UML VM.
2. Test the LIDS configuration.
You find the details on configuring LIDS in the sections that follow.
3. If you like the LIDS configuration in the VM, copy the access control list to your system.
A LIDS-enabled kernel runs in two distinct modes. In secure mode (called LIDS On mode), all the access control rules that you define are enforced. In nonsecure mode (LIDS Off), you’re running a standard Linux kernel; LIDS has no effect in nonsecure mode. The easiest way to manage LIDS is to boot into LIDS Off mode, make the configuration changes that you want, and then boot back into LIDS On mode. Throughout this technique, we assume that you’re using the ADIOS UML distribution. To boot in LIDS On mode, just open the KDE Menu and choose User Mode Linux LIDS On; to boot in LIDS Off mode, choose User Mode Linux LIDS Off.
Understanding the LIDS Access Control List
LIDS is controlled by a set of configuration files, typically stored in the /etc/lids directory. When you configure LIDS, you add access control entries to an access control list (we use the terms ACE and ACL, respectively). An ACE controls access to a file, a directory tree, or a superuser capability. The ADIOS VM is preconfigured with a reasonable set of access rules that you can use as a starting point.
To view your current LIDS configuration (the access control list), type in the command lidsconf -L. You see a list that looks something like this (we’ve modified the following example to fit on the page):
Subject       ACCESS     inherit  time  Object          Parameters
------------------------------------------------------------------
Any file      READONLY:  0        0000  /bin            0
Any file      READONLY:  0        0000  /lib            0
Any file      READONLY:  0        0000  /sbin           0
Any file      READONLY:  0        0000  /usr/bin        0
Any file      READONLY:  0        0000  /usr/sbin       0
/sbin/insmod  GRANT:     0        0000  CAP_SYS_MODULE  0
...
Here’s how to interpret the configuration info:
Subject: The first (leftmost) column shows the subject. If you see a program name in the subject column, the ACE controls that specific program. If you see Any file in the subject column, the ACE controls all programs.
ACCESS: The second column shows how the subject can access the object.

Inherit: The inherit column displays a 1 for ACEs that are inherited by the subject’s child processes and a 0 for ACEs that are not inheritable.
Time: The time column shows the hours during which the ACE will be enforced.
Object: The second-to-last column shows the object. The object is the thing that you’re securing. In the sample listing, the first ACE controls access to the /bin directory (and all files and subdirectories underneath /bin). If you see the same object listed more than once, the first ACE generally restricts access for all subjects, and the other ACEs grant exceptions for specific programs. An object can be a file or directory, or a capability. When you secure a directory, you secure everything underneath that directory as well.
Parameters: The last (rightmost) column lists ACE parameters. ACE parameters are rarely needed. In fact, you can include parameters only when you create a CAP_NET_BIND_SERVICE ACE (the parameter specifies a range of port numbers).
Controlling File Access with LIDS
To create a new entry, or ACE, you need to know three things:
The complete pathname of the program that you want to manage (unless you want to restrict all programs).
The complete pathname of the file (or directory) that you want to protect.
The type of access you want to grant (or deny). You can assign four security levels to an object:
WRITE: This level does not protect the object at all; if users hold superuser privileges, they can do whatever they want with the object.
APPEND: This level grants read permission, and lets you add to the object but not delete (or otherwise alter) it. This is the protection level you should assign to all log files. If you grant WRITE protection to a log object, intruders could edit the object to hide their tracks.
READONLY: This level grants read permission, but the object cannot be altered (or deleted).
Use the READONLY level for all system configuration files and programs.
DENY: Objects that are secured at the DENY level are hidden from view. Use DENY to hide password files and then grant exceptions to only those programs that require access.
After you have those three pieces of information, create an ACE with the lidsconf -A command. For example, to protect all files (and subdirectories) in the /etc directory from modification, use this command:
# lidsconf -A -o /etc -j READONLY
In this case, /etc is the object, and because you didn’t include a subject, this ACE will control the type of access granted for all programs. To grant an exception to the default rule, use this command:
# lidsconf -A -s /usr/bin/passwd \
            -o /etc/passwd \
            -j WRITE
The -s subject parameter defines the subject, and -o object defines the object.
Delete an ACE with lidsconf -D. To delete an ACE, you supply a subject and an object, just like you did when you created the ACE:
# lidsconf -D -s /usr/bin/passwd \
            -o /etc/passwd

You must protect a program before you can use it in another ACE. For example, if you want to grant write privileges to the passwd command, you have to protect /usr/bin/passwd first. That makes sense because you don’t want to grant privileges for a command that might be modified by an intruder.
It’s a good practice to protect just about everything first, and then grant exceptions.
For example, to protect Samba configuration files, start out by denying write access for all programs:
# lidsconf -A -o /etc/samba -j READONLY
# lidsconf -A -o /var/samba -j READONLY
Next, grant write access to the Samba daemons (smbd and nmbd). Don’t forget to protect the daemons against modification:
# lidsconf -A -o /usr/sbin -j READONLY
Now you can grant write access to the two Samba executables:
# lidsconf -A -s /usr/sbin/smbd \
            -o /var/samba \
            -j WRITE
# lidsconf -A -s /usr/sbin/nmbd \
            -o /var/samba \
            -j WRITE
If you forget to protect a program before you grant privileges for that program, you’ll see an error message such as lidsconf: subject file is not protected.
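The "protect the subject first" rule that the /etc/passwd exception and the Samba sequence above both depend on is easy to break in a longer plan. The following shell script is an added example (not code from the book or from LIDS): it dry-runs a list of lidsconf -A argument sets in the order you intend to apply them and reports any rule whose subject has no earlier READONLY or DENY ACE covering it. The function names and the constructed plan are this example's own.

```shell
#!/bin/sh
# Added example (not from the book or from LIDS): dry-run a planned list of
# lidsconf -A argument sets and flag any rule that names a subject (-s) which
# no earlier READONLY or DENY ACE covers. On a real system that rule would
# fail with "lidsconf: subject file is not protected".

# Succeeds when path $1 equals, or lies underneath, protected object $2.
lids_under() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
    esac
    return 1
}

# Reads one rule per line from stdin, in the order you would run them:
#   -o OBJECT -j ACCESS              (applies to all programs)
#   -s SUBJECT -o OBJECT -j ACCESS   (exception for one program)
# Prints "OK <rule>" or "UNPROTECTED-SUBJECT <rule>" per line and returns 1
# if any subject was used before being protected.
lids_check_plan() {
    protected=""    # READONLY/DENY objects seen so far (space separated)
    rc=0
    while read -r rule; do
        if [ -z "$rule" ]; then continue; fi
        subj=""; obj=""; acc=""
        set -- $rule
        while [ $# -gt 0 ]; do
            case "$1" in
                -s) subj=$2; shift 2 ;;
                -o) obj=$2;  shift 2 ;;
                -j) acc=$2;  shift 2 ;;
                *)  shift ;;
            esac
        done
        if [ -n "$subj" ]; then
            covered=0
            for p in $protected; do
                if lids_under "$subj" "$p"; then covered=1; break; fi
            done
            if [ "$covered" -eq 0 ]; then
                echo "UNPROTECTED-SUBJECT $rule"
                rc=1
                continue
            fi
        fi
        # Capability objects (CAP_*) protect nothing; only file objects at
        # READONLY or DENY make a later subject acceptable.
        case "$acc" in
            READONLY|DENY) protected="$protected $obj" ;;
        esac
        echo "OK $rule"
    done
    return "$rc"
}

# Constructed plan: the book's Samba sequence, then the /etc rule and a
# passwd exception written before /usr/bin (or /usr/bin/passwd) is protected.
lids_demo_plan() {
    cat <<'EOF'
-o /etc/samba -j READONLY
-o /var/samba -j READONLY
-o /usr/sbin -j READONLY
-s /usr/sbin/smbd -o /var/samba -j WRITE
-s /usr/sbin/nmbd -o /var/samba -j WRITE
-o /etc -j READONLY
-s /usr/bin/passwd -o /etc/passwd -j WRITE
EOF
}

# Stand-alone demo: feed the constructed plan through the checker.
lids_demo_plan | lids_check_plan || echo "plan needs fixing before you run it"
```

The last rule is reported as UNPROTECTED-SUBJECT because nothing above it protects /usr/bin/passwd; adding -o /usr/bin -j READONLY before it makes the whole plan pass.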
Hiding Processes with LIDS
Another nifty feature of LIDS is the CAP_HIDDEN capability. CAP_HIDDEN is a pseudo-capability. It’s not really part of a normal Linux kernel but a feature added by LIDS itself. Why would you want to hide a process? So intruders don’t know that you’re watching them. Protect network sniffers, log file analyzers, and security monitors with CAP_HIDDEN, and intruders will think they’re all alone on your computer.
When you hide a process, you don’t actually hide the program itself (use DENY to do that); instead, you’re hiding the process from the process list. In other words, you can still see the program if you browse through a directory listing, but if you run the program and then search through the output from a ps command, you won’t find it.
If you’re accustomed to using top to watch what your system is doing, here’s how you can hide the top process from intruders (or anyone else for that matter):
1. Open the file /etc/lids/lids.cap in your favorite text editor.
2. Find the line that says
+29:CAP_HIDDEN
3. Change that line to read
-29:CAP_HIDDEN
Basically, you change the + sign to a - sign.
4. Save your work and close the editor.
This change disables the CAP_HIDDEN capability. (You have to disable a capability before you can grant it to a specific program.)
5. At the command line, disable LIDS for your login session:
# lidsadm -S -- -LIDS
SWITCH
enter password:
6. Enter your LIDS password when prompted.
The default LIDS password for the ADIOS UML VMs is 12qwaszx.
When you disable LIDS for a login session, LIDS continues to enforce the security policies for all other users, but you can bypass LIDS in your login session in order to change the LIDS access control list.

7. Find the program that you want to hide (in this case, top):
# which top
/usr/bin/top
8. Grant the CAP_HIDDEN capability to top:
# lidsconf -A -s /usr/bin/top \
            -o CAP_HIDDEN \
            -j GRANT
9. Tell LIDS to reload its configuration file:
# lidsadm -S -- +RELOAD_CONF
10. And finally, enable LIDS for your login session:
# lidsadm -S -- +LIDS
Now when you run top, it doesn’t appear in the list of processes. You can’t see it with the ps command. You can’t find it by looking through the /proc directory. You can’t even see it in top! Now you can spy on other users, er, intruders, without anyone knowing.
Running Down the Privilege List
Table 61-1 lists the superuser capabilities that you can enable and disable with LIDS. If you’re testing a prototype configuration in a UML, start by disabling most of the superuser capabilities and then adding back the privileges you find you need. Copy the access control list (stored in /etc/lids/*) to your main system when you’re happy with the results.

TABLE 61-1: LIDS CAPABILITIES

CAP_CHOWN
    If disabled, the program cannot change the owner or group owner of any file.

CAP_DAC_OVERRIDE
    If disabled, the program cannot ignore file access permissions even with superuser privileges.

CAP_DAC_READ_SEARCH
    Disable this capability, and the program cannot ignore file access permissions when reading a file or searching a directory. (This is a little less restrictive than CAP_DAC_OVERRIDE.)

CAP_FOWNER
    Most of the actions that you can perform on a file (such as updating the modification time or changing the permissions) are prohibited unless you’re the file’s owner or the superuser. If you disable CAP_FOWNER, the superuser can change the attributes of a file only if he or she owns the file.

CAP_FSETID
    Normally, a superuser can turn on the setuid and setgid attributes for any program. (If the setuid bit is turned on for a program, any user who runs that program gains the privileges of the program’s owner.) If you disable CAP_FSETID, a superuser can turn on the setuid or setgid bits only for programs owned by the superuser.

CAP_KILL
    If disabled, a superuser can kill processes only if he or she owns them. (Technically speaking, this capability controls whether or not a superuser can send a signal to another process.)

CAP_SETGID
    If disabled, a superuser cannot add himself or herself to a group that he or she is not a member of (using the newgrp command, for example).

CAP_SETUID
    If disabled, a superuser cannot impersonate other users with the su command. This is a good capability to disable, but you have to reenable CAP_SETUID for selected programs that must change user IDs (the sshd daemon, for example).

CAP_SETPCAP
    If disabled, a superuser cannot grant capabilities to other programs.

CAP_LINUX_IMMUTABLE
    Some file system types (like ext2 and ext3) support immutable files — files that cannot be changed by anyone. Disable CAP_LINUX_IMMUTABLE, and the superuser cannot make files immutable.

CAP_NET_BIND_SERVICE
    TCP port numbers 1–1024 are privileged — only the superuser can create a service that listens for clients on a privileged port. That’s handy because a client knows that if it’s connecting to a privileged port, it’s probably not connecting to a joker that’s set up a private service to impersonate a legitimate service. If you disable CAP_NET_BIND_SERVICE, the superuser cannot create services on privileged ports; you can grant CAP_NET_BIND_SERVICE to selected programs such as the sshd daemon.

CAP_NET_BROADCAST
    Disable this capability, and the superuser can’t broadcast network messages (he or she has to send messages to each computer, one at a time).

CAP_NET_ADMIN
    If this capability is disabled, the superuser can’t manage network interfaces. By default, LIDS disables this capability and then grants it to selected programs.

CAP_NET_RAW
    If a program can access a network interface in raw mode, it can fabricate network packets in order to fool other computers. Disable CAP_NET_RAW, and the superuser is denied raw access to network devices. By default, LIDS disables this capability and then grants it to selected programs.

CAP_IPC_LOCK
    If this capability is disabled, the superuser is not allowed to lock shared-memory segments that he or she doesn’t own. This is a rather obscure capability that you can probably ignore without serious consequence.

CAP_IPC_OWNER
    Normally, a superuser can access any shared memory segment, semaphore, or message queue. If you disable CAP_IPC_OWNER, the superuser can only access interprocess communication objects that he or she owns.

CAP_SYS_MODULE
    Disable CAP_SYS_MODULE, and the superuser can’t load or unload kernel modules. This is a good capability to disable because if a superuser can load good kernel modules, he or she can also insert pesky modules that can really mess up your system.

CAP_SYS_RAWIO
    If you disable this capability, the superuser doesn’t have raw access to disk drives and can’t poke around in kernel memory. If the superuser has raw access to a disk drive, he or she can easily bypass file system permissions and can even corrupt your data.

CAP_SYS_CHROOT
    Disable CAP_SYS_CHROOT, and the superuser can’t create chroot jails — he or she can’t break out of chroot jails either. By default, LIDS disables CAP_SYS_CHROOT. You have to grant CAP_SYS_CHROOT to the sshd daemon if you want to run an ssh server.

CAP_SYS_PTRACE
    The CAP_SYS_PTRACE capability is typically granted to debuggers. It’s a good idea to disable CAP_SYS_PTRACE and then grant it when needed.

CAP_SYS_PACCT
    Turn off this capability, and the superuser can’t manipulate the process accounting package on your computer (see Technique 21 for more information).

CAP_SYS_ADMIN
    This capability is something of a catch-all for all system administration actions. If you disable this capability, the superuser can’t perform administrative tasks like changing the host name, configuring disk quotas, mounting new file systems, or shutting down your computer. By default, LIDS disables this capability and grants it to selected programs (such as mount and halt).

CAP_SYS_BOOT
    Disable this capability, and a superuser is not allowed to reboot your computer.

CAP_SYS_NICE
    The superuser can normally raise or lower the runtime priority of any process. Disable this capability, and the superuser can’t change priorities.

CAP_SYS_RESOURCE
    Disable this capability, and the superuser can’t ignore resource quotas (such as the amount of disk space he or she is allowed to consume).

CAP_SYS_TIME
    If you disable CAP_SYS_TIME, the superuser cannot change the clock on your computer.

CAP_SYS_TTY_CONFIG
    This capability allows a superuser to manage serial ports — which isn’t very exciting; just use the default value that LIDS has chosen for you.
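Before copying a prototype /etc/lids/lids.cap to the main system, it helps to check which of the capabilities Table 61-1 suggests disabling are still globally enabled. The shell script below is an added example (not from the book or from LIDS): it reads the +N:CAP_NAME / -N:CAP_NAME lines that the hide-top steps above edit by hand and reports every watch-list capability still marked +. The watch list, the function names and the sample file are this example's own assumptions, not LIDS defaults.

```shell
#!/bin/sh
# Added example (not from the book or from LIDS): audit a LIDS capability
# file (/etc/lids/lids.cap) whose lines look like "+29:CAP_HIDDEN" or
# "-16:CAP_SYS_MODULE". Comment lines starting with "#" are ignored.

# Capabilities the technique describes as worth disabling globally and
# granting back per program with lidsconf. The list is this script's
# assumption, drawn from Table 61-1, not a LIDS default.
LIDS_WATCH_CAPS="CAP_SETUID CAP_SYS_MODULE CAP_SYS_RAWIO CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_ADMIN"

# Prints "+" or "-" for capability $2 as set in file $1; "?" if it is absent.
# The last matching line wins, as a hand-edited file may carry duplicates.
lids_cap_state() {
    state=$(sed -n "s/^[[:space:]]*\([-+]\)[0-9]*:$2[[:space:]]*$/\1/p" "$1" | tail -n 1)
    [ -n "$state" ] && echo "$state" || echo "?"
}

# Lists every watch-list capability still enabled (+) in file $1, one per
# line as "ENABLED CAP_NAME", notes missing ones as "MISSING CAP_NAME",
# and returns 1 if anything on the watch list is enabled.
lids_cap_audit() {
    found=0
    for cap in $LIDS_WATCH_CAPS; do
        case "$(lids_cap_state "$1" "$cap")" in
            +)   echo "ENABLED $cap"; found=1 ;;
            '?') echo "MISSING $cap" ;;
        esac
    done
    return "$found"
}

# Writes a constructed sample lids.cap (not a file from the book) to $1,
# using the kernel's capability numbers, with two watch-list caps left on.
lids_sample_cap_file() {
    cat > "$1" <<'EOF'
# constructed sample lids.cap
+0:CAP_CHOWN
-7:CAP_SETUID
-12:CAP_NET_ADMIN
+13:CAP_NET_RAW
-16:CAP_SYS_MODULE
-17:CAP_SYS_RAWIO
-18:CAP_SYS_CHROOT
+19:CAP_SYS_PTRACE
-21:CAP_SYS_ADMIN
+29:CAP_HIDDEN
EOF
}

# Stand-alone demo against the constructed file in a temporary location.
demo=$(mktemp)
lids_sample_cap_file "$demo"
lids_cap_audit "$demo" || echo "some watch-list capabilities are still enabled"
rm -f "$demo"
```

Run it as lids_cap_audit /etc/lids/lids.cap inside the UML VM to audit the real file; a capability reported as ENABLED is one you have not yet disabled globally, and granting it back to a specific program still requires a lidsconf GRANT ACE.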

Technique 62: Getting Graphical with Shell Scripts
Save Time By
Using graphical interfaces to get input from your users
Using zenity and the GNOME Toolkit to add graphics to your shell scripts
Using kdialog from KDE to add graphics to your shell scripts
When you think of writing a shell script, you think about the command line. If you need to ask the user a question, you probably echo a string to the terminal window (standard output stream) and read the reply from the keyboard (the standard input stream). If you want to give feedback to the user, you echo a string to the terminal window. That works, but it’s not very flashy.
Linux offers several graphical toolkits that you can use from within a shell script to display information dialogs. By using the toolkits with your shell scripts, you can graphically
Query your users for passwords with a pop-up dialog.
Use calendars to retrieve important dates from your users.
Display text boxes showing file contents to your users.
Display completion gauges (for file uploads or downloads).
Use checklists and forms to retrieve user information.
Because your users are (probably) used to working in a graphical environment, the dialogs will be friendlier and easier to use. You’ll also have better control of the result set returned to your program — your users can choose their input from the buttons you give them instead of improvising at the command line.
In this technique, we introduce you to using graphical toolkits to share information with your users. Use these kits to make work easier and more attractive for you and your users. The little time it takes to build them into shell scripts is worth the effort.