
IT Security - 2 Exercise 4 (Access Controls, Firewalls)

The document discusses access controls and permissions on Linux file servers and Android systems. For the Linux file server: Access controls and permissions are set up to restrict different users' access to specific files. Groups and permissions are used to allow the appropriate access for each user. For Android: The Android security model is based on the Linux kernel and user permissions. Apps are sandboxed and must explicitly request permissions to access protected features. Permissions are granted at install time. A potential security threat is identified from a file on a Linux system that is writable by all users but runs with elevated (setuid root) permissions. This could allow escalation of privileges if the file contains vulnerabilities.

Uploaded by

tanmaya1991
Copyright
© Attribution Non-Commercial (BY-NC)

IT Security - 2 Exercise 4 (Access Controls, Firewalls)

Tanmaya Mahapatra, Matriculation Number: 340959
Bharath Rangaraj, Matriculation Number: 340909
Mohibullah Kamal, Matriculation Number: 341323

November 7, 2013

Task - 1 : Access Control

You are the administrator of a new Linux file server at a small company. You have just set it up and you are now about to set up access rights (without ACL extensions) to a directory with the following files for the users Bianca, Claus, Dora and Frieda:

    auskunft.doc
    billing.xls
    codefile.cpp
    excursion.jpg
    index.html

Question 1
Find a way to set up the following access pattern:

    File            Frieda  Claus  Bianca  Dora
    auskunft.doc    -       -      rw      rw
    billing.xls     rw      rw     r       rw
    codefile.cpp    r       r      r       rw
    excursion.jpg   r       rw     -       r
    index.html      r       rw     r       r

You have root access. You may create groups, add users to groups and do chown, chgrp, chmod. Your solution should look roughly like a ls -l output, plus a list of the groups and their members.

Solution: The named files have been created in a separate directory named work. This directory has the sticky bit set on it, so the different users have read or write access to the files but in general cannot delete any files. The files can be deleted or renamed only by the admin of the server.

1. The files have been created.
2. The users have been added to the system.
3. The following groups have been added: info, finance, code, photo & web.
4. The owner of every file is tanmaya, who is the admin of the server. However, the owner of the file excursion.jpg is claus.
5. The files have been placed under different groups and with different permission values:
       auskunft.doc  = info (group name), 660 (permission value)
       billing.xls   = finance, 664
       codefile.cpp  = code, 664
       excursion.jpg = photo, 640
       index.html    = web, 664
6. The members of the different groups are shown in the shell output listing.

Executing the following code in bash

    ls -l
    groups frieda
    groups claus
    groups bianca
    groups dora
    groups emil

yields the following output:

    total 640
    -rw-rw---- 1 tanmaya info 125414 Nov 7 11:42 auskunft.doc
    -rw-rw-r-- 1 tanmaya finance 125414 Nov 7 11:56 billing.xls
    -rw-rw-r-- 1 tanmaya code 125412 Nov 7 11:46 codefile.cpp
    -rw-r----- 1 claus photo 125414 Nov 7 11:40 excursion.jpg
    -rw-rw-r-- 1 tanmaya web 125415 Nov 7 11:40 index.html
    frieda : frieda finance photo
    claus : claus finance web
    bianca : bianca info
    dora : dora info finance code photo
    emil : emil finance photo
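The listing above can be checked against the access pattern of Question 1 mechanically. The following Python sketch is an added example, not part of the original solution; it applies the owner, then group, then other rule to the ls -l and groups output shown above, and the names REQUIRED, effective_matrix and mismatches are introduced here for illustration.

```python
# Added example: evaluate classic owner/group/other bits for each user.
LISTING = """\
-rw-rw---- 1 tanmaya info 125414 Nov 7 11:42 auskunft.doc
-rw-rw-r-- 1 tanmaya finance 125414 Nov 7 11:56 billing.xls
-rw-rw-r-- 1 tanmaya code 125412 Nov 7 11:46 codefile.cpp
-rw-r----- 1 claus photo 125414 Nov 7 11:40 excursion.jpg
-rw-rw-r-- 1 tanmaya web 125415 Nov 7 11:40 index.html"""
GROUPS = """\
frieda : frieda finance photo
claus : claus finance web
bianca : bianca info
dora : dora info finance code photo
emil : emil finance photo"""
USERS = ("frieda", "claus", "bianca", "dora")
# Required access per file from Question 1, in USERS order ("" = no access).
REQUIRED = {
    "auskunft.doc":  ("", "", "rw", "rw"),
    "billing.xls":   ("rw", "rw", "r", "rw"),
    "codefile.cpp":  ("r", "r", "r", "rw"),
    "excursion.jpg": ("r", "rw", "", "r"),
    "index.html":    ("r", "rw", "r", "r"),
}

def parse_groups(text):
    """Map user -> set of groups from `groups <user>` output lines."""
    pairs = (line.split(":") for line in text.splitlines())
    return {user.strip(): set(groups.split()) for user, groups in pairs}

def access(mode, owner, group, user, user_groups):
    """Exactly one class applies: owner first, then group, then other."""
    cls = 1 if user == owner else 4 if group in user_groups else 7
    return mode[cls:cls + 2].replace("-", "")   # keep only the r and w bits

def effective_matrix(listing=LISTING, groups=GROUPS):
    members = parse_groups(groups)
    matrix = {}
    for line in listing.splitlines():
        f = line.split()
        mode, owner, group, name = f[0], f[2], f[3], f[-1]
        matrix[name] = {u: access(mode, owner, group, u, g)
                        for u, g in members.items()}
    return matrix

def mismatches(matrix):
    # (file, user) pairs whose effective access differs from REQUIRED
    return [(f, u) for f, row in REQUIRED.items()
            for u, want in zip(USERS, row) if matrix[f][u] != want]
```

An empty result from mismatches(effective_matrix()) means the groups and modes reproduce the table exactly; passing a modified GROUPS string shows the effect of a membership change before it is made on the server.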

Question 2
A new employee is hired. His name is Emil and he may access the same files as Frieda. What changes do you have to make to the existing configuration?

Solution: The new employee has the same level of access as Frieda, so the changes needed in the configuration are:

1. Add the user:
       useradd -m emil
2. Make emil a member of the groups of which Frieda is currently a member:
       usermod -a -G finance,photo emil

Question 3
A new employee is hired. Her name is Ruth and she is a new administrator in charge of the server. What changes do you have to make to the existing configuration?

Solution: Ruth can be made administrator in the following ways:

1. By adding an entry for the user ruth in the /etc/sudoers file:
       ruth ALL=(ALL) ALL
2. Or she can be made a member of a group called admin, which in turn has an entry in sudoers:
       %admin ALL=(ALL) ALL
3. Or, if ruth is a partial administrator, i.e. admin for specific tasks to be carried out on the server, then instead of granting access to all commands we can use a command alias to specify exactly which commands she is allowed to execute.

The second approach is more elegant than creating individual entries for individual users in the sudoers file and cluttering it up.

Question 4
Frieda is to be fired. There is some concern that she might retaliate by deleting data on the server. What changes do you have to make to the existing configuration?

Solution: Frieda can cause data damage in 2 ways:

1. She can delete the files: not possible, as the parent directory work has the sticky bit on it.
2. She can truncate the files. A possible solution is: move user frieda out of the finance group. Now she has only read-only access to the files on the server.

Task - 2 : Access Control on Android

Question 1 Describe how classic Unix-like access control is used within the security concept of Android.

Solution: The foundation of the Android platform is the Linux kernel. The Linux kernel itself has been in widespread use for years, and is used in millions of security-sensitive environments. Through its history of constantly being researched, attacked, and fixed by thousands of developers, Linux has become a stable and secure kernel trusted by many corporations and security professionals. As the base for a mobile computing environment, the Linux kernel provides Android with several key security features, including:

- A user-based permissions model.
- Process isolation.
- Extensible mechanism for secure IPC.
- The ability to remove unnecessary and potentially insecure parts of the kernel.

All Android applications are run in sandboxes. They do not have any permission to affect the user data or OS. If they need to perform some specialised task, the applications declare the permissions they need for additional capabilities not provided by the basic sandbox. Applications statically declare the permissions they require, and the Android system prompts the user for consent at the time the application is installed. Android has no mechanism for granting permissions dynamically (at run-time) because it complicates the user experience to the detriment of security.

At install time, Android gives each package a distinct Linux user ID. The identity remains constant for the duration of the package's life on that device. Because security enforcement happens at the process level, the code of any two packages cannot normally run in the same process, since they need to run as different Linux users. Only two applications signed with the same signature (and requesting the same sharedUserId) will be given the same user ID. Any data stored by an application will be assigned that application's user ID, and is not normally accessible to other packages.

A basic Android application has no permissions associated with it by default, meaning it cannot do anything that would adversely impact the user experience or any data on the device. To make use of protected features of the device, the developer must include in the AndroidManifest.xml one or more uses-permission tags declaring the permissions that the application needs. At application install time, permissions requested by the application are granted to it by the package installer, based on checks against the signatures of the applications declaring those permissions and/or interaction with the user.

No checks with the user are done while an application is running: it either was granted a particular permission when installed, and can use that feature as desired, or the permission was not granted and any attempt to use the feature will fail without prompting the user. A particular permission may be enforced at a number of places during the program's operation:

1. At the time of a call into the system, to prevent an application from executing certain functions.
2. When starting an activity, to prevent applications from launching activities of other applications.
3. Both sending and receiving broadcasts, to control who can receive the broadcast or who can send a broadcast to the application.
4. When accessing and operating on a content provider.
5. Binding to or starting a service.

Task - 3 : Process and user IDs

Question 1
Describe in your own words what real uid, effective uid, and saved uid are best used for.


Solution:

The Real UID
The real UID (ruid) and real GID (rgid) identify the real owner of the process and affect the permissions for sending signals. A process without superuser privilege can signal another process only if the sender's real or effective UID matches the real or saved UID of the receiver. Since child processes inherit the credentials from the parent, they can signal each other.

The Effective UID
The effective UID (euid) of a process is the ownership assigned to files created by that process. The effective GID (egid) of a process may also affect file creation, depending on the semantics of the specific kernel implementation being used and possibly also on the mount options used.

The Saved User ID
The saved user ID (suid) is used when a program running with elevated privileges needs to temporarily do some unprivileged work: it changes its effective user ID from a privileged value (typically root) to some unprivileged one, and this triggers a copy of the privileged user ID to the saved user ID slot.

Question 2
When a process drops privileges permanently to reduce the impact of e.g. a buffer overflow vulnerability, what is the saved uid set to?

Solution: The saved uid is set to the real user id to drop the privileges permanently. An example program for doing so is given below:

    #define _GNU_SOURCE   /* needed for setresuid() on glibc */
    #include <unistd.h>

    /* perform a restricted operation */
    setup_secret();

    /* Drop privileges permanently. Assumes RUID is unprivileged */
    if (setresuid(getuid(), getuid(), getuid()) < 0) {
        /* handle error */
    }

    /* continue with general processing */
    some_other_loop();
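The difference between a temporary and a permanent drop in Questions 1 and 2 can be followed on the (real, effective, saved) triple itself. This Python sketch is an added example, not part of the original solution; it is a simplified model of the Linux rules rather than a call into the kernel, and the class Creds, the UID 1000 and the function names are assumptions made for illustration.

```python
# Added example: model of how an unprivileged process may change its UIDs.
import errno

class Creds:
    """(real, effective, saved) UID triple of one process."""
    def __init__(self, ruid, euid, suid):
        self.ruid, self.euid, self.suid = ruid, euid, suid

    @classmethod
    def exec_setuid(cls, caller_uid, file_owner_uid):
        # Executing a setuid file: the effective UID becomes the file
        # owner and the saved UID is copied from the new effective UID.
        return cls(caller_uid, file_owner_uid, file_owner_uid)

    def _allowed(self, uid):
        # Without privilege (modelled as euid 0) a process may only
        # choose among its current real, effective and saved UIDs.
        return self.euid == 0 or uid in (self.ruid, self.euid, self.suid)

    def seteuid(self, uid):
        if not self._allowed(uid):
            raise PermissionError(errno.EPERM, "seteuid not permitted")
        self.euid = uid

    def setresuid(self, ruid, euid, suid):
        if not all(self._allowed(u) for u in (ruid, euid, suid)):
            raise PermissionError(errno.EPERM, "setresuid not permitted")
        self.ruid, self.euid, self.suid = ruid, euid, suid

    def triple(self):
        return (self.ruid, self.euid, self.suid)

def temporary_drop(uid=1000):
    p = Creds.exec_setuid(uid, 0)
    p.seteuid(p.ruid)            # euid 0 -> uid, saved UID is still 0
    dropped = p.triple()
    p.seteuid(0)                 # allowed: 0 is still the saved UID
    return dropped, p.triple()

def permanent_drop(uid=1000):
    p = Creds.exec_setuid(uid, 0)
    p.setresuid(p.ruid, p.ruid, p.ruid)   # the call used in the C fragment
    try:
        p.seteuid(0)             # no slot holds 0 any more
        regained = True
    except PermissionError:
        regained = False
    return p.triple(), regained
```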

Question 3
You have found the following file on a remote Linux system where you have a non-privileged account:

    -rwsrwxrwx 1 root root 39 2006-12-05 03:44 test1

Obviously, the file belongs to root and has the setuid bit set. You (and everybody else) are allowed to execute, read, and write it. What is the security threat associated with this file?

Solution: Since the setuid bit for the file is set (it is denoted by s in place of x in the first part of the user permission), the effective uid and the saved uid of the incoming process will be set to root, since root is the owner of the file and the set-user-ID bit is set for the file. This allows the process to learn the identity of the user who invoked it (which is root in this case), and to continue to access files with the privilege of the invoking user.

Task - 4 : Firewalls

Question 1
Why does FTP often cause issues in conjunction with firewalls and NATs?

Solution:
1. Additional TCP/IP connections are used for data transfers.
2. Data connections may be sent to random port numbers.
3. Data connections may originate from the server to the client, as well as originating from the client to the server.
4. Data connections' destination addresses are negotiated on the fly between the client and server over the channel used for the control connection.
5. The control connection is idle while the data transfer takes place on the data connection.

Question 2
Which measures is Skype taking to avoid being blocked by firewalls? Name the evasion techniques and the firewall techniques they bypass.

Solution:
1. Skype can use both UDP and TCP. The preferred protocol for best performance is UDP.
2. Skype probes the firewall for open ports and can auto-detect a local web proxy.
3. It can try first with UDP; if it fails it can switch to TCP and use the common web access TCP ports 80 (HTTP) and 443 (HTTPS) for connectivity.
4. Skype automatically traverses most firewalls and NATs using UDP hole punching, a common technique favoured by Internet Engineering Task Force (IETF) standards, such as RFC 5389 (Session Traversal Utilities for NAT (STUN)).

Question 3
Give some examples for which tasks modern firewalls are used besides protecting against threats from the public Internet.

Solution:
1. They can disable certain protocols and content types. Just as a user can disable a Web browser's Java and JavaScript support, a firewall can screen incoming content and disable Java applets, JavaScript code, cookies, etc.
2. They allow us to define rules to thwart attacks by specifying their signatures.
3. They are used for web caching.
4. Centralised management and reporting.
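For Question 1 of this task, the address negotiation on the control connection can be made visible by decoding PORT commands and 227 (passive mode) replies, which carry the data endpoint as six decimal numbers. This Python sketch is an added example, not part of the original solution; the sample control-channel lines are constructed, and the function names are introduced here.

```python
# Added example: what a firewall or NAT has to read out of the FTP
# control channel before it can handle the matching data connection.
import ipaddress
import re

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def data_endpoint(control_line):
    """Return (kind, ip, port) for a PORT command or 227 reply, else None."""
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        kind = "active"      # the server will connect to the client
    elif line.startswith("227"):
        kind = "passive"     # the client will connect to the server
    else:
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    # Four address octets, then the port as high byte and low byte.
    return kind, ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def firewall_view(control_lines):
    findings = []
    for line in control_lines:
        ep = data_endpoint(line)
        if ep is None:
            continue
        kind, ip, port = ep
        private = any(ipaddress.ip_address(ip) in net for net in _RFC1918)
        findings.append({"kind": kind, "ip": ip, "port": port,
                         "inbound_to_client": kind == "active",
                         "needs_nat_rewrite": private})
    return findings

# Constructed sample of control-channel traffic.
SAMPLE = ["USER anonymous",
          "PORT 192,168,1,20,195,80",
          "227 Entering Passive Mode (203,0,113,5,78,52)."]
```

The first finding shows an RFC 1918 address embedded in the payload, which a NAT that only rewrites IP headers leaves untouched; both findings name a port that no static rule for port 21 would cover.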

Task - 5 : Linux Firewalling with iptables

Question 1
Block all TCP traffic for the IP address 137.226.107.63 on the eth0 interface.

Solution: I did not understand the above question. If we are blocking all TCP traffic from our system to the foreign host 137.226.107.63, it would be

    iptables -A OUTPUT -p TCP -d 137.226.107.63 -o eth0 -j DROP

If we are blocking all TCP traffic from 137.226.107.63 to our system, it would be

    iptables -A INPUT -p TCP -s 137.226.107.63 -i eth0 -j DROP

Question 2
Allow all incoming SSH connections on the eth0 interface.

Solution:

    iptables -A INPUT -i eth0 -p TCP --dport 22 -j ACCEPT

Question 3
Allow outside users to be able to ping your local hosts.

Solution: Accept ping requests in the INPUT chain:

    iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d 192.168.1.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Allow the system to send ping responses in the OUTPUT chain:

    iptables -A OUTPUT -p icmp --icmp-type 0 -s 192.168.1.0/24 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

where 192.168.1.0/24 is the range of local host IPs.

Question 4
A rule that provides basic protection from SYN floods.

Solution:

    iptables -A INPUT -p tcp -s 0/0 --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
