File Permissions

Searching for files based on their permissions.



World readable

Normal users should not have access to configuration files or passwords. An attacker can steal passwords from databases or web sites and use them to deface, or even worse, delete, data. This is why it is important that your file permissions are correct. If you are sure that a file is only used by root, give it the permissions 0600 and assign it to the correct user with chown.

World/Group writable



Finding world-writable files and directories

# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \; 2>/dev/null >writable.txt

# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \; 2>/dev/null >>writable.txt



This will create a large file listing the permissions of all files that have
the write bit set for their group or for everybody. Check the permissions and
eliminate the world-writable ones by executing /bin/chmod o-w on those
files.

SUID/SGID files


Files with the SUID or SGID bit set execute with the privileges of the owning
user or group rather than those of the user running the file. Normally these
bits are used on files that must run as root in order to do their job. Such
files can lead to local root compromises if they contain security holes. This
is dangerous, and files with the SUID or SGID bit set should be avoided wherever
possible. If you do not use these files, run chmod 0 on them or unmerge the
package they came from (check which package they belong to by using equery; if
you do not already have it installed, simply run emerge gentoolkit). Otherwise
just turn the SUID bit off with chmod -s.





Finding setuid files

# find / -type f \( -perm -004000 -o -perm -002000 \) -exec ls -lg {} \; 2>/dev/null >suidfiles.txt



This will create a file containing a list of all the SUID/SGID files on the system.






List of setuid binaries

/bin/su
/bin/ping
/bin/mount
/bin/umount
/var/qmail/bin/qmail-queue
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/chage
/usr/bin/expiry
/usr/bin/sperl5.6.1
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/suidperl
/usr/lib/misc/pt_chown
/usr/sbin/unix_chkpwd
/usr/sbin/traceroute
/usr/sbin/pwdb_chkpwd




By default Gentoo Linux does not have a lot of SUID files (though this depends
on what you installed), but you might get a list like the one above. Most of
these commands should only be used by root, not by normal users. Switch off the
SUID bit on ping, mount, umount, chfn, chsh, newgrp, suidperl, pt_chown and
traceroute by executing chmod -s on each file. Don't remove the bit on su,
qmail-queue or unix_chkpwd; removing setuid from those files will prevent you
from su'ing and receiving mail. By removing the bit (where it is safe to do so)
you remove the possibility of a normal user (or an attacker) gaining root access
through any of these files.




The only SUID files that I have on my system are su, passwd,
gpasswd, qmail-queue, unix_chkpwd and pwdb_chkpwd.
But if you are running X, you might have some more, since X needs the elevated
access afforded by SUID.

SUID/SGID binaries and Hard links


A file is only considered deleted when there are no more links pointing to it.
This might sound like a strange concept, but consider that a filename like
/usr/bin/perl is actually a link to the inode where the data is
stored. Any number of links can point to the file, and until all of them are
gone, the file still exists.




If your users have access to a partition that isn't mounted with nosuid
or noexec (for example, if /tmp, /home, or /var/tmp are not separate
partitions) you should take care to ensure your users don't create hard links
to SUID or SGID binaries, which would leave them with access to the old
versions after Portage updates.

To check how many links a file has, you can use the stat command.





Stat command

$ stat /bin/su

File: `/bin/su'

Size: 29350 Blocks: 64 IO Block: 131072 regular file

Device: 900h/2304d Inode: 2057419 Links: 1

Access: (4711/-rws--x--x) Uid: ( 0/ root) Gid: ( 0/ root)

Access: 2005-02-07 01:59:35.000000000 +0000

Modify: 2004-11-04 01:46:17.000000000 +0000

Change: 2004-11-04 01:46:17.000000000 +0000




To find the SUID and SGID files with multiple links, you can use find.





Finding multiply linked suid/sgid binaries

$ find / -type f \( -perm -004000 -o -perm -002000 \) -links +1 -ls
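The three checks in this post (group/world-writable files, SUID/SGID files that should lose the bit, and SUID/SGID files with extra hard links) combined into one audit script, as an added example rather than the original page's commands; the KEEP_SUID allowlist and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit a directory tree for
# group/world-writable files, SUID/SGID files that should lose the bit, and
# SUID/SGID files with more than one hard link. Takes the directory to scan
# as an argument so it can be tried on a test tree before running on /.
# KEEP_SUID is an assumed allowlist built from the binaries the text keeps.
KEEP_SUID="su passwd gpasswd qmail-queue unix_chkpwd pwdb_chkpwd"

# Files writable by their group or by everybody, one "ls -l" line each.
writable_files() {
    find "$1" -type f \( -perm -2 -o -perm -20 \) -exec ls -l {} \; 2>/dev/null
}

# SUID/SGID files whose basename is not on the allowlist: chmod -s candidates.
suid_to_strip() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        b=$(basename "$f")
        case " $KEEP_SUID " in
            *" $b "*) ;;                 # allowlisted, keep the bit
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# SUID/SGID files with more than one hard link, printed as "<links> <path>";
# an old copy linked from a user-writable directory survives a package update.
suid_multilinked() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -links +1 2>/dev/null |
    while IFS= read -r f; do
        printf '%s %s\n' "$(ls -ld "$f" | awk '{print $2}')" "$f"
    done
}

# Usage: audit DIR   (run as root over / for a real audit)
audit() {
    echo "== group/world writable files";            writable_files "$1"
    echo "== SUID/SGID files to consider for chmod -s"; suid_to_strip "$1"
    echo "== SUID/SGID files with extra hard links";   suid_multilinked "$1"
}
```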







Configure a Physical Interface After System Installation

* Determine the IPv4 addresses that you want to use for the additional interfaces.

* Ensure that the physical interface to be configured has been physically installed onto the system.

* If you have just installed the interface, perform a reconfiguration boot before proceeding with the next task.

Determine which interfaces are currently configured on the system:
# dladm show-link

Configure and plumb each interface:
# ifconfig interface plumb up

For example, for the interface pcn0, type:
# ifconfig pcn0 plumb up

Assign an IP address and netmask:
# ifconfig interface IPv4-address netmask + netmask

For example:
# ifconfig pcn0 192.168.84.3 netmask + 255.255.255.0

Verify that the newly configured interfaces are plumbed and configured, or "UP":
# ifconfig -a

Check the status line for each interface that is displayed. Ensure that the output contains an UP flag on the status line, for example:
pcn0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2


To make the interface configuration persist across reboots, perform the following steps:

1. Create an /etc/hostname.interface file for each interface to be configured. For example, to add a pcn0 interface, you would create the following file:
# vi /etc/hostname.pcn0

2. Edit the /etc/hostname.interface file.
At a minimum, add the IPv4 address of the interface to the file.

3. Add entries for the new interfaces into the /etc/inet/ipnodes file.

4. Add entries for the new interfaces into the /etc/inet/hosts file.

5. Perform a reconfiguration boot.
# reboot -- -r

6. Verify that the interface you created in the /etc/hostname.interface file has been configured.
# ifconfig -a
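Steps 1 to 4 above, scripted so they can be re-run safely, as an added example that is not part of the original post: ROOT is an assumed staging prefix (use / on the real system), the address is validated before anything is written, and the hosts/ipnodes entries are only appended once.

```shell
#!/bin/sh
# Added example (not from the original post): persist one interface's IPv4
# configuration by writing the files the steps above describe. ROOT is an
# assumed staging prefix so this can be exercised without touching a live
# Solaris system; the reconfiguration boot (step 5) is left to the operator.

# Return 0 only for a dotted quad with every octet in the range 0-255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Append "addr<TAB>name" to a hosts-style file unless that name is already there.
add_host_entry() {   # file addr name
    if [ -f "$1" ] && grep -q "[[:space:]]$3\$" "$1"; then
        return 0
    fi
    printf '%s\t%s\n' "$2" "$3" >> "$1"
}

# persist_iface ROOT IFACE ADDR NAME
persist_iface() {
    root=$1 iface=$2 addr=$3 name=$4
    valid_ipv4 "$addr" || { echo "bad IPv4 address: $addr" >&2; return 1; }
    mkdir -p "$root/etc/inet"
    # Steps 1 and 2: /etc/hostname.<iface> holding (at minimum) the IPv4 address.
    printf '%s\n' "$addr" > "$root/etc/hostname.$iface"
    # Steps 3 and 4: one entry each in ipnodes and hosts, idempotent on re-run.
    add_host_entry "$root/etc/inet/ipnodes" "$addr" "$name"
    add_host_entry "$root/etc/inet/hosts"   "$addr" "$name"
}

# Example call for the pcn0 interface from the steps above (hostname assumed):
# persist_iface / pcn0 192.168.84.3 myhost
```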






Ethernet Bonding

The first thing to know is that this stuff is in the kernel, and there is a good document in your kernel source tree under Documentation/networking/bonding.txt; it has a lot more detail than I am going to provide here.

A virtual network interface gets created (bond0 in my case); this is done in /etc/modules.conf:

alias bond0 bonding
options bond0 miimon=100 mode=balance-rr

The above creates the bond0 interface and sets some options: the driver will check the MII link state of each card every 100 milliseconds for state changes, and it will use the round-robin balancing policy. More on these and the many other options is in bonding.txt.

RedHat's RC scripts support this bonding configuration without much modification, though there isn't any GUI tool to configure it. RedHat network configuration is stored in /etc/sysconfig/network-scripts/ifcfg-int, one file per interface.

You need to create a config file for the bond0 interface, ifcfg-bond0:

DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.70.101
NETMASK=255.255.255.0
NETWORK=192.168.70.0
BROADCAST=192.168.70.255
GATEWAY=192.168.70.1

And for each network card that belongs to this group you need to modify the existing files to look more or less like this:

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet
MASTER=bond0
SLAVE=yes

Once you have created these for each of your ethernet cards, you can reboot or restart your networking with service network restart, and you should see something like this:

bond0     Link encap:Ethernet  HWaddr 00:0D:60:9D:24:68
inet addr:192.168.70.101 Bcast:192.168.70.255 Mask:255.255.255.0
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:58071 errors:0 dropped:0 overruns:0 frame:0
TX packets:1465 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4315472 (4.1 Mb) TX bytes:120360 (117.5 Kb)

eth0 Link encap:Ethernet HWaddr 00:0D:60:9D:24:68
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:26447 errors:0 dropped:0 overruns:0 frame:0
TX packets:1262 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1992430 (1.9 Mb) TX bytes:95078 (92.8 Kb)
Interrupt:16

eth1 Link encap:Ethernet HWaddr 00:0D:60:9D:24:68
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:31624 errors:0 dropped:0 overruns:0 frame:0
TX packets:203 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2323042 (2.2 Mb) TX bytes:25282 (24.6 Kb)
Interrupt:17

You can tcpdump the individual interfaces to confirm that traffic is shared between them. Weirdly though, on my machine tcpdump on eth0 and eth1 does not show incoming traffic, just outgoing; dumping bond0 works a charm though.

To test it I just turned the power off to one of my switch modules; the networking dies for a couple of seconds but soon resumes without a problem. I am sure I could tweak the times a bit, but for now this is all I need.
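A way to watch for the failure condition that switch test produces, as an added example that is not part of the original post: the bonding driver reports each slave's MII state in /proc/net/bonding/bond0, and the report below is a constructed sample in that file's format (the driver version, counters and MAC addresses are made up) so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): parse the bonding driver's
# /proc/net/bonding/<bond> report and flag slaves whose MII status is not
# "up". SAMPLE is a constructed report in that file's format, used here
# instead of the live file; point the functions at /proc/net/bonding/bond0
# on a real system.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:0d:60:9d:24:68

Slave Interface: eth1
MII Status: down
Link Failure Count: 1
Permanent HW addr: 00:0d:60:9d:24:69
EOF

# The polling interval the kernel is actually using (should match miimon=100).
bond_miimon() {
    awk -F': ' '/^MII Polling Interval/ { print $2 }' "$1"
}

# One line per slave: "<iface> <mii status> <link failure count>", sorted.
# The bond-level "MII Status" line comes before any slave, so it is skipped.
bond_slaves() {
    awk -F': ' '
        /^Slave Interface/        { s = $2 }
        s && /^MII Status/        { st[s] = $2 }
        s && /^Link Failure Count/ { lf[s] = $2 }
        END { for (i in st) print i, st[i], lf[i] }
    ' "$1" | sort
}

# Exit 1 if any slave is down, so this can drive a cron job or a monitor.
bond_degraded() {
    bond_slaves "$1" | awk '$2 != "up" { bad = 1 } END { exit (bad ? 1 : 0) }'
}

bond_slaves "$SAMPLE"
bond_degraded "$SAMPLE" || echo "bond degraded: at least one slave is down"
```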
