Access Control Lists , advanced permisions in linux

Udgivet den juli 9, 2004 af mike 
Most of the time, the traditional Unix file permission system fits the bill just fine. But in a highly collaborative environment with multiple people needing access to files, this scheme can become unwieldy. Access control lists, otherwise known as ACLs (pronounced to rhyme with "hackles"), are a feature that is relatively new to the Linux operating system, but has been available in FreeBSD and Solaris for some time. While ACLs do not inherently add "more security" to a system, they do reduce the complexity of managing permissions. ACLs provide new ways to apply file and directory permissions without resorting to the creation of unnecessary groups.

ACLs are stored as extended attributes within the filesystem metadata. As the name implies, they allow you to define lists that either grant or deny access to a given file based on the criteria you provide. However, ACLs do not abandon the traditional permission system completely. ACLs may be specified for both users and groups and are still separated into the realms of read, write, and execute access. In addition, a control list may be defined for any user or group that does not correspond to any of the user or group ACLs, much like the "other" mode bits of a file. Access control lists also have what is called an ACL mask, which acts as a permission mask for all ACLs that specifically mention a user and a group. This is similar to a umask, but not quite the same. For instance, if you set the ACL mask to r--, any ACLs that pertain to a specific user or group and are looser in permissions (e.g., rw-) will effectively become r--. Directories also may contain a default ACL, which specifies the initial ACLs of files and subdirectories created within them.

To modify or remove ACLs, use the setfacl command. To modify an ACL, the -m option is used, followed by an ACL specification and a filename or list of filenames. You can delete an ACL by using the -x option and specifying an ACL or list of ACLs.

There are three general forms of an ACL: one for users, another for groups, and one for others. Let's look at them here:

# User ACL

u:[user]:<mode>

# Group ACL

g:[group]:<mode>

# Other ACL

o:<mode>

Notice that in the user and group ACLs, the actual user and group names that the ACL applies to are optional. If these are omitted, it means that the ACL will apply to the base ACL, which is derived from the file's mode bits. Thus, if you modify these, the mode bits will be modified and vice versa.

See for yourself by creating a file and then modifying its base ACL:

$ touch myfile

$ ls -l myfile

-rw-rw-r--    1 andrew   andrew          0 Oct 13 15:57 myfile

$ setfacl -m u::---,g::---,o:--- myfile

$ ls -l myfile

----------    1 andrew   andrew          0 Oct 13 15:57 myfile

From this example, you can also see that multiple ACLs can be listed by separating them with commas.

You can also specify ACLs for an arbitrary number of groups or users:

$ touch foo

$ setfacl -m u:jlope:rwx,g:wine:rwx ,o:--- foo

$ getfacl foo

# file: foo

# owner: andrew

# group: andrew

user::rw-

user:jlope:rwx

group::---

group:wine:rwx

mask::rwx

other::---

Now if you changed the mask to r--, the ACLs for jlope and wine would effectively become r-- as well:

$ setfacl -m m:r-- foo

$ getfacl foo

# file: foo

# owner: andrew

# group: andrew

user::rw-

user:jlope:rwx                  #effective:r--

group::---

group:wine:rwx                  #effective:r--

mask::r--

other::---

As mentioned earlier, directories can have default ACLs that will automatically be applied to files that are created within the directory. Default ACLs are set by prepending a d: to the ACL that you want to set:

$ mkdir mydir

$ setfacl -m d:u:jlope:rwx mydir

$ getfacl mydir

# file: mydir

# owner: andrew

# group: andrew

user::rwx

group::---

other::---

default:user::rwx

default:user:jlope:rwx

default:group::---

default:mask::rwx

default:other::---



$ touch mydir/bar

$ getfacl mydir/bar

# file: mydir/bar

# owner: andrew

# group: andrew

user::rw-

user:jlope:rwx                  #effective:rw-

group::---

mask::rw-

other::---

As you may have noticed from the previous examples, you can list ACLs by using the getfacl command. This command is pretty straightforward and has only a few options. The most useful is the -R option, which allows you to list ACLs recursively and works very much like ls -R.
Udgivet i Knowledge Base, Old Base | Skriv en kommentar

Loosy dir permisions and sticky bit

Udgivet den juli 9, 2004 af mike 
# find / -type d \( -perm -g+w -o -perm -o+w \) -exec ls -lad {} \;

Any directories that are listed in the output should have the sticky bit set, which is denoted by a t in the directory's permission bits. A world-writable directory with the sticky bit set ensures that even though anyone may create files in the directory, they may not delete or modify another user's files. If you see a directory in the output that does not contain a sticky bit, consider whether it really needs to be world-writable or whether the use of groups or ACLs [Hack #4] will work better for your situation. If you really do need the directory to be world-writable, set the sticky bit on it using chmod +t.

To get a list of the directories that don't have their sticky bit set, run this:

# find / -type d \( -perm -g+w -o -perm -o+w \) \

  -not -perm -a+t -exec ls -lad {} \;

If you're using a system that creates a unique group for each user (e.g., you create a user andrew, which in turn creates a group andrew as the primary group), you may want to modify the commands to not scan for group-writable directories. (Otherwise, you will get a lot of output that really isn't pertinent.) To do this, run the command without the -perm -g+w portion.
Udgivet i Knowledge Base, Linux, Old Base | Skriv en kommentar

Scan for SUID and SGID programs

Udgivet den juli 9, 2004 af mike 
Unfortunately, a poorly written SUID or SGID binary can be used to quickly and easily escalate a user's privileges. Also, an attacker who has already gained root access may hide SUID binaries throughout your system in order to leave a backdoor for future access. This leads us to the need for scanning systems for SUID and SGID binaries. This is a simple process and can be done with the following command:

# find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -la {} \;

One important thing to consider is whether an SUID program is in fact a shell script rather than an executable, since it's trivial for someone to change an otherwise innocuous script into a backdoor. Most operating systems will ignore any SUID or SGID bits on a shell script, but if you want to find all SUID or SGID scripts on a system, change the argument to the -exec option in the last command and add a pipe so that the command reads:

# find / \( -perm -4000 -o -perm -2000 \) \

  -type f -exec file {} \; | grep -v ELF

Now every time an SUID or SGID file is encountered, the file command will run and determine what type of file is being examined. If it's an executable, grep will filter it out; otherwise, it will be printed to the screen with some information about what kind of file it is. Most operating systems use ELF-format executables, but if you're running an operating system that doesn't (older versions of Linux used a.out, and AIX uses XCOFF), you'll need to replace the ELF in the previous grep command with the binary format used by your operating system and architecture. If you're unsure of what to look for, run the file command on any binary executable, and it will report the string you're looking for.
Udgivet i Knowledge Base, Old Base | Skriv en kommentar

Secure mount points

Udgivet den juli 9, 2004 af mike 
A mount option is a flag that controls how the filesystem may be accessed. It is passed to the operating system kernel's code when the filesystem is brought online. Mount options can be used to prevent files from being interpreted as device nodes, to disallow  binaries from being executed, and to disallow the SUID bit from taking affect (by using the nodev, noexec, and nosuid flags). Filesystems can also be mounted read-only with the ro option.

These options are specified from the command line by running mount with the -o flag. For example, if you have a separate partition for /tmp that is on the third partition of your first IDE hard disk, you can mount with the nodev, noexec, and nosuid flags, which are enabled by running the following command:

# mount -o nodev,noexec,nosuid /dev/hda3 /tmp

An equivalent entry in your /etc/fstab would look something like this:

/dev/hda3    /tmp    ext3    defaults,nodev,noexec,nosuid    1 2
Udgivet i Knowledge Base, Linux, Old Base | Skriv en kommentar

Using Vim Editor

Udgivet den juli 9, 2004 af Brian Lund Klint 
Coding in Vim: Vim is a great coder interface, remember cmd's can be added to ~/.vimrc
:syntax on       : enable syntax highlighting on many types og source
:set autoindent  : Autoindent 
:set cindent     : Automatic indent for c source
:set smartindent : Things should be smarter, dunno how/why or when

auto indenting code : 
Visual block code, go to top type a, press page dow to select all code and press "="


Multi Windowing: Very powerfull feature of this briliant editor.

CTRL-W s , splitter vinduet
:split /etc/passwd , editere /etc/passwd i nyt vindue
CTRL-W n , eller :new , nyt vindue
CTRL-W c , eller :cl[ose] , skjul og luk vindue
CTRL-W o , eller :on[ly] , kun vis aktuel vindue
CTRL-W j , flyt til vindue nedenunder
CTRL-W k , flyt til vindue ovenover
CTRL-W CTRL-W , eller CTRL-W w , skift vindue
CTRL-W r , byt om med nedre vindue
CTRL-W R , byt om med oevre vindue
CTRL-W = , alle vinduer lige hoeje
CTRL-W + , goer aktuel vindue stoerer
CTRL-W - , goer akutel vindue mindre

Code folding (thanks to BT)

first hilite the code you're going to fold. use 'zf' and a movement descriptor
eg: to make a folding block of 10 lines, type 'zf 9 down'

now the fold is created and is folded, to unfold go to the folded line, and type 'zo' to open it

the fold stays in memory, to refold it, type 'zc'
Udgivet i Knowledge Base, Vim | Skriv en kommentar

sparc console cable and other cables

Udgivet den juli 8, 2004 af black 
ethernet kabler:
http://www.ertyu.org/~steven_nikkel/ethernetcables.html

diverse console kabler
http://www.pitt.edu/~bdgregg/Cable_Wireing.html

sparc console kabel:
fra PC til sparc
fra lille 9 pins hun til stort 25 pins han
fra	til
1	8
2	2
3	3
4	20
5	7
6	6
7	4
8	5
9	22

Std modem kabel:
fra pc til modem
fra lille 9 pins hun til stort 25 pins han
fra	til
1	8
2	3
3	2
4	20
5	7
6	6
7	4
8	5
9	22
Udgivet i Knowledge Base, Old Base, Sparc | Skriv en kommentar

how to make hotplug on slackware not plug in pci

Udgivet den juli 6, 2004 af black 
just remove the file /etc/hotplug/pci.rc
  mv /etc/hotplug/pci.rc /etc/hotplug/pci.rc.old
(the script only looks for *.rc)

should also work with pcmcia =D
Udgivet i Knowledge Base, Linux, Old Base | Skriv en kommentar

bt keder sig meget

Udgivet den juli 6, 2004 af black 
eject /mnt/cdrom/ && sleep 5 && mount /mnt/cdrom/ && installpkg /mnt/cdrom/slackware/n/tcpdump-3.8.3-i486-2.tgz && eject /mnt/cdrom
Udgivet i Humor, Knowledge Base, Old Base, Shellscript | Skriv en kommentar

Set up IPSEC in openbsd

Udgivet den juli 4, 2004 af mike

Use IPsec the OpenBSD way.

Setting up IPsec in OpenBSD is fairly easy since it’s compiled into the kernel that ships with each release and is enabled by default. All that is left to do is to create the appropriate /etc/isakmpd/isakmpd.conf and /etc/isakmpd/isakmpd.policy files and start isakmpd (the IPsec key-management daemon). This may sound daunting, but OpenBSD’s outstanding documentation and example configuration files make it easier.

First of all, you’ll need to put something similar to this in your /etc/isakmpd/isakmpd.policy:

KeyNote-Version: 2

Authorizer: “POLICY”

Licensees: “passphrase:mypassword”

Conditions: app_domain == “IPsec policy” &&

esp_present == “yes” &&

esp_enc_alg == “aes” &&

esp_auth_alg == “hmac-sha” -> “true”;

This sets a password to use for the IPsec connection.

Now you’ll need to edit your /etc/isakmpd/isakmpd.conf to contain the following:

[General]

Listen-on= 192.168.1.1

Shared-SADB= Defined

[Phase 1]

Default= ISAKMP-peer-remote

#Default= ISAKMP-peer-remote-aggressive

[Phase 2]

Passive-Connections=IPsec-local-remote

[ISAKMP-peer-remote]

Phase= 1

Transport= udp

Local-address= 192.168.1.1

Configuration= Default-main-mode

Authentication= mypassword

[ISAKMP-peer-remote-aggressive]

Phase= 1

Transport= udp

Local-address= 192.168.1.1

Configuration= Default-aggressive-mode

Authentication= mypassword

[IPsec-local-remote]

Phase= 2

ISAKMP-peer= ISAKMP-peer-remote

Configuration= Default-quick-mode

Local-ID= Net-local

Remote-ID= Net-remote

[Net-remote]

ID-type= IPV4_ADDR

Address= 0.0.0.0

[Net-local]

ID-type= IPV4_ADDR

Address= 0.0.0.0

[Default-main-mode]

DOI= IPSEC

EXCHANGE_TYPE= ID_PROT

Transforms= 3DES-SHA

[Default-aggressive-mode]

DOI= IPSEC

EXCHANGE_TYPE= AGGRESSIVE

Transforms= 3DES-SHA-RSA

[Default-quick-mode]

DOI= IPSEC

EXCHANGE_TYPE= QUICK_MODE

Suites= QM-ESP-AES-SHA-PFS-SUITE

This configuration will allow anyone to connect with the password mypassword.

After you’ve edited the configuration files, you can start isakmpd by running this command:

# /sbin/isakmpd

To have isakmpd start up with each system boot, you should edit your /etc/rc.conf.local (or create one if it doesn’t exist) and put the following line in it:

isakmpd_flags=””

That should do it. As usual, check your system logs if your tunnel has trouble connecting.

Udgivet i Knowledge Base, Networking, Old Base, OpenBSD | Skriv en kommentar

Mod rewrite for begyndere

Udgivet den juni 30, 2004 af Brian Lund Klint 
content negotiation:

Apache sender selv filer der ender på et lands landekode efter hvad browseren helst vil have:

index.php.da til dansk
index.php.en til engelsk

brugeren skal så bare åbne index.php
Udgivet i Knowledge Base | Skriv en kommentar