ch22.htm

Maximum Security (First Edition) 网络安全 英文版

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>
	
	<TITLE>Maximum Security -- Ch 22 -- Who or What Is Root?</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Maximum Security: </FONT></H1>
</CENTER>
<CENTER>
<H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2>
</CENTER>
<CENTER>
<P><A HREF="../ch21/ch21.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch23/ch23.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">22</FONT></H1>
</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">Who or What Is Root?</FONT></H1>
</CENTER>
<P>Throughout this book, I have made references to the terms <I>root</I> and <I>administrator</I>.
It occurred to me that the average user might have no idea what those terms mean,
so I have provided this brief chapter to explain these concepts.
<H2><FONT COLOR="#000077"><B>The General Idea</B></FONT></H2>
<P>Most users deal primarily with a single workstation. Their first experience with
such a machine probably comes at home or at school. Even when the machine is connected
to a network, a user might think of his machine as the only one of relevance. That
is, he might view his machine as a separate entity that exists (or could exist) without
the presence of all those other machines.</P>
<P>In most instances, that is exactly right. The majority of workstations have a
local disk and on that disk, local software, including an operating system and applications.
Only in hard-core networking or academic environments do you see the diskless client.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>A <I>diskless client</I> is any
	machine that lacks a local hard disk drive and must therefore find another way to
	boot. One way is through the use of a floppy that loads the minimum drivers necessary
	to engage the Ethernet card within the machine. This card then sends a broadcast
	message requesting a login session. This is common in networks driven by Novell NetWare,
	for example; these networks use a floppy with the Ethernet driver, the LAN adapter
	software, and a small shell. Another method is where the workstation has firmware
	(or other software, hard-coded to some portion of the board) within it that can initiate
	a boot session over a network via Ethernet or other protocols. This is more commonly
	seen in UNIX-based networks, with the use of X terminals or the use of remote booting
	services. 
<HR>


</BLOCKQUOTE>

<P>Nevertheless, most users learn about computers by using their home machine. Although
machines at work might restrict users to a single program or operate on a now archaic
platform, the home machine is completely under the users' control. They can navigate,
execute programs, and delete items as they see fit (alas, often to their detriment).
So the average user probably has only a murky understanding of how a network operates.
Indeed, the average user had no reason to understand networking...until now.</P>
<P>In a network, there must be some central control not just for humans but also
for machines. Consider the use of name servers. A <I>name</I> <I>server</I> provides
a method to resolve Internet addresses from names. Every real network on the Internet
has one such name server. If any machine on that network is unaware of the name server's
address, that machine will be unable to resolve Internet hostnames to physical addresses.
The name server's address, therefore, must be located somewhere on the drive. In
UNIX networks, this information is generally stored in the <TT>/ETC/RESOLV.CONF</TT>
file. On the Mac platform, this is stored in the MacTCP settings (generally reachable
through the Control Panels menu). On the Microsoft Windows platform, it is stored
(at least for dial-up accounts) in the dial-up networking configuration of each individual
connection. This is generally specified in the TCP/IP settings of the connection
(see Figure 22.1).</P>
<P><A NAME="01"></A><A HREF="01.htm"><B>FIGURE 22.1.</B></A> <I><BR>
TCP/IP settings for a connection: the name server.</I></P>
<P>Using a name server is a way of centralizing information so that it is easier
to reach. Consider the Archie network. Archie servers can be used to search for files
all over the world; for example, you could search for a file and find that the only
location for it is in Iran. The Archie system works differently than you might think.
It doesn't fan out across the globe, searching every machine on the Internet until
it finds (or fails to find) the requested file. Instead, administrators of networks
report the content of their drives to centralized Archie servers. This makes sense
because it is easier to search a simple record database on an Archie server than
engage connections all over the world. In this way, Archie servers and gateways use
simple techniques to perform what appears to be a modern miracle.</P>
<P>Similarly, a small network has many centralized resources. These may include file
libraries, applications, or address databases. Centralization of these resources
ensures that the system runs smoothly and effectively. For example, imagine if everyone
on the network could designate any Ethernet or IP address they wanted for their workstation.
How would other machines know what this address was? This would cause a great deal
of confusion on the network. Certainly, information would not travel reliably in
such a climate.</P>
<P>The design of the modern network also provides for some level of economics, not
only from a financial point of view, but from a practical one. For example, each
workstation need not install a C compiler as long as one is available to all users.
These shared resources can be enjoyed by all users, but must be installed only once.
(This is a slight oversimplification; in many instances, a single interpreter or
compiler might not suffice.)</P>
<P>Someone must control where, when, and how such resources can be used; that someone
is whom I refer to when I use the terms <I>root</I>, <I>supervisor</I>, <I>administrator</I>,
and <I>operator</I>. This person (or rather, this account) works almost identically
on all networked operating systems. This account has privileges to read, write, execute,
delete, create, list, or otherwise modify every file on the drive. As such, this
person has enormous power.</P>
<P>Although this power is necessary to maintain the system, it can be quite dangerous
in inexperienced hands. This lesson is quickly learned by users who decide to migrate
from the Microsoft Windows platform to UNIX. To get this change-over under way, many
users purchase a book on Linux that comes with a CD-ROM. They manage to get through
the installation process and log in as root, and then they travel around the drive,
trying out various applications. Inevitably, they delete or otherwise modify some
crucial part of the system, rendering the system unusable. Not yet possessing the
skills necessary to find and remedy the problem, they simply reinstall. The average
new Linux user does this two or three times before finally getting it right. (<I>Getting
it right</I> means not roaming the drive as root without a valid reason. Instead
of roaming as root, you should create a user account for yourself with limited privileges
until you learn the system more completely. This user account will inherit privileges
that forbid you from destroying crucial, indispensable network resources.)</P>
<P>Because network administration is such a touchy subject, those charged with this
responsibility are usually long on experience. Most of them are <I>toolsmiths</I>,
individuals who not only can run the system efficiently, but can create new software
to improve on deficiencies inherent in the out-of-the-box operating system distribution.
At a minimum, root must know how to properly administer file and directory access
control.
<H2><FONT COLOR="#000077"><B>About Access Control</B></FONT></H2>
<P><I>Access control</I> refers to methods of controlling user access to files, directories,
ports, and even protocols. Modern forms of access control grew out of efforts to
create secure systems. For example, the criteria used to measure the security of
a system naturally include access control as an integral element. The capability
to grant or deny access by this or that user to a given resource should be an inherent
part of the networked operating system. Most networked systems have some form of
access control.</P>
<P>Most schemes of access control rely on a system of privileges or permissions.
These might involve read, write, or list permissions, or they might be even more
finely implemented. The level to which these are categorized dramatically affects
whether or not access control will be used. Some forms of access control are so restrictive
that the network might be unable to run efficiently.</P>
<P>In any event, root decides the majority of these permissions. Some access control
schemes are embedded within the system. For example, on many operating systems, a
series of directories or files are owned (or limited to access) by root or the network
system administrator by default. Thus, by default, only root can access them. These
are typically system configuration files vital to the operation of the network. In
the wrong hands, these could provide unauthorized access to and perhaps compromise
of the network.</P>
<P>On a UNIX network, you can easily identify all permissions simply by listing a
directory structure of the files within that directory. To get an idea of how this
listing looks, see Figure 22.2.</P>

<P><A NAME="02"></A><A HREF="02.htm"><b>Figure 22.2</b></a><i> A typical example of a listing from the base directory of a UNIX box, shows a series of columns of information.</i></p>

<p>Each column displays significant details about the listed file or directory.</p> 

<p><A NAME="03"></A><A HREF="03.htm"><b>Figure 22.3</b></a> <i>shows those columns broken down intocategories of information called attributes</I>.</P>

<P>I want to briefly detail these attributes. They are, in reverse order of importance
in terms of access control:

<UL>
	<LI>Attribute #4: File Statistics. These columns relate the size of the file or directory,
	the date and time (usually of its last modification, or where there is no modification,
	when it was created), and the name. This is very similar to the information you receive
	on a DOS directory listing or in a file management application like Explorer in Windows
	95.<BR>
	<BR>
	
	<LI>Attribute #3: The Group. This column specifies the group to which the file is
	assigned. Groups are clusters of individuals (usually) who have common permissions
	and requirements throughout the system. However, system processes can also belong
	to groups, and can even form them. Figure 22.3 lists two groups: <TT>root</TT> and
	<TT>sys</TT>.<BR>
	<BR>
	
	<LI>Attribute #2: The Owner. This attribute specifies the owner of the file or directory
	(in this case, root).<BR>
	<BR>
	
	<LI>Attribute #1: Permissions. This field is where permissions are explicitly stated.
</UL>

<P>It is with Attribute #1 that we most concerned. Attribute #1 (or the permissions)
are set to reflect three distinct elements of access. Reading Attribute #1 from left
to right, those elements are

<UL>
	<LI>The permissions for the owner (who is revealed in Attribute #2)<BR>
	<BR>
	
	<LI>The permissions for the group (identified in Attribute #3)<BR>
	<BR>
	
	<LI>The permissions for those not belonging to the group specified in Attribute #3
	(the rest of the folks on that system)
</UL>

<P>In each case, a letter or a dash appears. The dash signifies that a certain access
permission or privilege is denied. The remaining letters (<TT>r</TT>, <TT>w</TT>,
and <TT>x</TT>) represent access privileges; specifically, they represent read, write,
and execute access.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>If you examine the listings provided
	in Figure 22.2, you will also note that a <TT>d</TT> appears within the first field
	(Attribute #1). This signifies that the listed item is a directory and not a file.
	
<HR>


</BLOCKQUOTE>

<P>The structure of the permission scheme reads from left to right in ascending order.
In other words, the first three characters (reading from left to right) represent
the permissions for the owner. The next three represent permissions for the group.
The last three represent permissions for the rest of the world.</P>
<P>Networked operating systems that have access control might not present it in exactly
this manner. UNIX has presented permissions this way for many years. It is a quick
and efficient way (at a command prompt) to find out who can access what. Different
systems might do this in different ways. Older Novell NetWare, for example, has a
shell interface that allows you to use a semi-graphical interface to set and view
these permissions. Microsoft Windows NT <I>is</I> graphical, but you can also set
a surprising number of access control options from a prompt.
<H2><FONT COLOR="#000077"><B>About Gaining Root</B></FONT></H2>
<P>If this is how UNIX implements access control, the obvious task of a cracker is
to gain root privileges. Because UNIX was (and probably still is) the predominant
operating system on Internet servers, crackers have put themselves to the task of
gaining root for over 20 years. The reason is simple: Whoever has root sets the permissions;
whoever sets the permissions has control of the entire system. If you have compromised
root, you have seized control of the box (and maybe the entire network).
<H3><FONT COLOR="#000077"><B>Pros and Cons of the Permissions System</B></FONT></H3>
<P>The permissions system has many advantages, including support of classing. That
means you can create a hierarchical structure in which you can refine the privileges
based on classes (of groups, users, and so forth). Because of this, you can quickly
and efficiently implement at least the basics of security. Groups can reflect the
organizational structure of your firm. Naturally, any member of a group will inherit
security permissions from his parent group (in other words, a certain member of a
group will inherit the same default permissions on files that all members of the
group would have immediately upon being added to the group). Thus, you can assign
at least minimal privileges with a single stroke.</P>
<P>After setting the group (and after the owner and user of the group have inherited
these permissions from their superseding classes), root can begin to detail a more
refined expression of those privileges. That is, root can begin to implement even
more restrictive guidelines for a particular user's permissions. A well-organized
system administrator can efficiently manage the permissions and privileges of hundreds
or even thousands of users. Amazing.</P>
<P>Nevertheless, the system has its drawbacks. Indeed, the very existence of root
is a security risk for several reasons. For instance, any program that must be run
as root will, if successfully attacked, grant the attacker root privileges. Furthermore,
if root is compromised, the entire system is subject to attack. This is especially
critical in multisegment networks.
<H3><FONT COLOR="#000077"><B>Cracking Root</B></FONT></H3>