Linux's Security Capabilities

Denis Ducamp / Hervé Schauer Consultants - English translation: Frédéric Lavecot

1. Introduction

In this talk, two different aspects will be presented:

• The linux 2.2 kernel's most important security functions

• Authentication with PAM (Pluggable Authentication Modules)

1.1 What is Linux ?

• Linux is Unix

• The kernel is the core of the system

• It can be compared to a big program, loaded in the memory at boot time. It's main tasks are:
  • to manage the input/output devices and the processes and memory allocation

  • to share the cpu time and the memory between the processes

• Programs can "reach" the kernel's functions via system calls

1.2 The main security functions of Linux 2.2

• Capabilities

• Hazard of modules

• Accounting

• Filesystem encryption

• Misc.: security patches, secure distributions and "subterfuge"

2. Capabilities

• What is a capability ?

• Linux's capabilities

• Processes' capabilities

• Process management

• Examples of processes

• Capabilities of files with execute permission

• "References"

2.1 What is a capability ?

• On a classical Unix system the user root (UID 0) has all the permissions
  • Hence root can read all files and kill every process

• If a program needs a special permission it must have the identity root.

• For example a backup program only need read access to all files
  • By running as root he gains total control of the system and can kill every process.

• Capabilities are the partitionning of the root permissions/privilege into a set of distinct privileges: ex: CAP_SYS_TIME: capability to set time.
  Capabilities are listed in /usr/src/linux/include/linux/capability.h.

2.2 Linux's Capabilities

• The capability system used is definied by the POSIX draft 1003.1e "POSIX capabilities" wich is now obsolete

• At this time only the processes are associated with capabilities
  • Two projects are actually in progress to manage the capabilities of executable files.

• There are three set of bits for each capability that can be associated with executable files:
  • permitted(P): the capabilities that can be used by the process
  • effective(E): the capabilities effectively in use at a certain time (the process can choose to use or not the capability)
  • inheritable(I): the capabilities a process launched with exec will be masked with. (fork and clone processes have exactly the same capabilities as the parent)

2.3 Processes Capabilities

• In the kernel 2.2, no reference is made to the process's UID. In order to know what permission the process has only the effective (E) capabilities are checked.

• On a classical Unix system, processes owned by root have all the permissions and the other processes have none.

• The CAP_SETPCAP capability allows to change the capabilities of other processes.
  • In linux 2.2 this capability is not given to any process.

  • To have a system using capabilities you have to change two lines in the kernel sources(see CAPFAQ). Processes owned by root will then have this capability.

• Since kernel 2.2.11, the list of all capabilities is viewable from the file /proc/sys/kernel/cap-bound

• lcap, which can be found at <http://pweb.netcom.com/~spoon/lcap/>, makes it easy to remove system capabilities (those obsolete and those you don't want)

2.4 Setting capabilities to processes

• Use the execcap utility to start a process with a limited set of capabilities:
  • execcap <caps> <command-path> command-args...
    • Will execute a tamagoshi server on priviliged port 999.

    • Process runs as root but can only use priviliged ports

    • If a vulnerability appears in the server, it could be used to gain access to files owned by root.

• Use the sucap utility to start a process with a limited set of capabilities and to specify the user and group ID the program should execute as:
  • sucap <user> <group> <caps> <command-path> command-args...
    • Will execute a tamagoshi server as user tama of group tama but has capability to open priviliges port

    • If a vulnerability appears in the server, it will only enable access to files owned by tama

    • Caution: In some cases the file will start executing itself without having it's capabilities granted. This will disapear as soon as capabilities will be managed at the file level.

2.5 Setting capabilities to executable file

• Two tools are actualy in developement:
  • fcaps: VFS layer patchs for capabilities
    • enables to grant capabilities to executable files
    • the capabilities granted are recorded in the file system
    • Ex. with ping wich needs the CAP_NET_RAW capacity:
      • ping doesn't need to be SUID anymore
      • Ping will have the ID of the person who uses it

  • elfcap: Elf capabilities hack
    • enables to suppress capabilities to any executable file in elf format
    • all the capabilities are stored in the elf header.
    • Ex. with ping wich needs the CAP_NET_RAW capacity:
      • ping must be suid root
      • If the administrator uses the correct options while defining the capabilities granted, then the program takes the ID of the person who executes it.
        • Else it will use the root ID

2.6 CREDITS

• Linux Capabilities FAQ 0.2
  <ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txt>
  or <ftp://ftp.guardian.no/pub/free/linux/capabilities/capfaq.txt>

• libcap <ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/>
  fcaps <ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2-fcap/>
  by Andrew Morgan <morgan@transmeta.com>:
  library (libcap), tools et kernel patches.

• Elf capabilities hack <http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html>
  by Pavel Machek <pavel@bug.ucw.cz>:
  tools an kernel patches.

3. Linux Kernel Modules

• What is a Kernel Module

• Hazards

• Advantages for administrators

• Advantages for crackers

3.1 What is a Kernel Module

• A module is a piece of code that adds functionality to the kernel
  • device drivers
  • network protocols
  • ...

• Modules can be dynamically loaded in memory without the need to recompile the kernel or reboot

• Modules are executed in the kernel space of the memory:
  • they have full access on the computer

  • they can create or intercept system calls

3.2 Hazards

• modules are not directly related to security

• modules have total control of the computer
  • they can help an administrator to improve the security

  • they can help a cracker to lower the security

3.3 Advantages for the administrator

• Update drivers without rebooting the system or recompiling the kernel

• Divert system calls to improve security:
  • log access to certain files

  • log adding or suppression of modules
    • functions that may be subject to prior authentication

3.4 Advantages for crackers

• Divert System call thus taking full control of the computer:
  • Change the configuration: promiscuous mode

  • Hide files:
    files beginning by a key-word become invisible

  • Filter log contents:
    remove IP adress of the cracker in logs

  • divert ID changing commands:
    a normal account can become administrator

  • Hide a process:
    processes beginning by a key-word become invisible

  • break out of a chroot environment

  • redirect execution of a program:
    instal backdoor without modification of programs files

3.5 Références

• "(nearly) Complete Linux Loadable Kernel Modules"
  <http://www.infowar.co.uk/thc/files/thc/LKM_HACKING.html>
  or <http://thc.pimmel.com/files/thc/LKM_HACKING.html>
  by pragmatic / THC: descriptions of various ways of using modules (with Linux 2.0.3x sources).
  The same document exists for FreeBSD (by pragmatic) and for Solaris (by plasmoid)

• "lcamtuf::pliki" <http://dione.ids.pl/~lcamtuf/pliki.html>
  by Michal Zalewski <lcamtuf@ids.pl>: sources for modules and patches for Linux 2.0.3x or 2.2.x (mostly polish)

• Phrack Magazine <http://www.phrack.com/>:
  • "Weakening the Linux Kernel" (Issue 52 article 18)
    by plaguez <dube0866@eurobretagne.fr>: description and sources of a backdoor initialised by a module.
  • "btrom" (Issue 54 article 03)
    by riq: description and sources of a program of detection and deactivation of backdoors.

4. Accounting

• Automatic logging by the kernel of the status of the processes when they terminate:
  • creation date

  • owner ID

  • name of the command

  • use of memory

  • controlled terminal

  • used cpu-time

  • number of input/output operations

4.1 Utilities

• The accounting utilities are edited by GNU <http://www.gnu.org/>: acct-6.3.2.tar.gz . Look at <ftp://ftp.gnu.org/gnu/acct/>:
  • accton: activate/deactivate acounting

  • lastcomm: display data about the last commandes

  • sa: summary of the accounting data

4.2 Requirements

• What is necessary ?
  • "BSD Process Accounting" option in "General Setup" of the kernel configuration

• Accounting is activated by the command: accton /var/account/pacct

• Logfile must exist and should have limited permissions
  • Accounting functionnalities can be modified via /proc/sys/kernel/acct:
    • lower limit: space limit for accounting to be in use

    • upper limite: space limit for accounting to re-activate

    • frequency: time period (in seconds) between two checks of available space

4.3 Statistics

• sa: for each command launched
  • sort by: input/output operations, cpu time, number of calls
  • give the cpu-time used by each user

• lastcomm: show the last commands launched
  • limit the output to any combination of: command name, user name or terminal name éléments.
• La commande dump-acct /var/account/pacct export in a text format the accounting data
  • It is then possible to do your own statistics with awk et perl.

5. Filesystem ciphering

• How does it work ?

• Notes

• Algorithms

• Example

• References

5.1 How does the filesystem ciphering work ?

• losetup associates a loopback to a partition.
  • If a ciphering algorithm was chosen then you are prompted for a password.

• The mounting operation is done by associating a loopback to the desired partition.

• All the data sent to the loopback is ciphered and then written on the partition.

• All the data read from the loopback is deciphered and stored in memory.

5.2 Notes

• Because of the laws on the exportation of cryptographic material, ciphering capabilities are not part of standard distributions.
  • Official patches are available to add ciphering capabilities to the kernel
  • Patchs are available at <http://www.kerneli.org/> (Norway).
  • A first version has been ported to linux 2.4.0-test2.
    Look at <http://www.kernel.org/pub/linux/kernel/people/astor/v2.4/>

• losetup, mount and umount must be patched to support ciphering capabilities.
  • Patchs for these commandes are given with the kernel patchs.

• A file can be associated to a loopback:
  • create small ciphered partition that can be mounted only when necessary.
  • make secured backup of partitions into ciphered files

5.3 Algorithms

• Two algorithms have been implemented to cipher partitions:
  • CAST-128 defined in RFC 2144; look at <http://www.entrust.com/>
    used in ECB mode

  • Twofish defined by Bruce Schneier, Doug Whiting, John Kelsey, Chris Hall et David Wagner; look at <http://www.counterpane.com>
    used in CBC mode

• An option permits to enable in CBC mode any of the 8 algorithms available:
  • Blowfish, DES, DFC, IDEA, MARS, RC5, RC6 et Serpent.

• Hash algorithms MD5 and SHA1 are also available.

5.4 Exemple

• Backup in a ciphered file:

  # dd if=/dev/urandom of=~/mon_fichier bs=1k count=100
  # losetup -e twofish /dev/loop0 ~/mon_fichier
  Password:
  # mkfs -t ext2 /dev/loop0
  # mount -t ext2 /dev/loop0 ~/mnt
  # cp -pr ~/prive ~/mnt 
  # umount /dev/loop0
  # losetup -d /dev/loop0
  

5.5 References

• The official patch is available on the following ftp site:
  • <ftp://ftp.kerneli.org/pub/linux/kerneli/v2.2/>
  • and the following web site: <http://www.kerneli.org/>

• Patchs are also available for 2.0.3x versions: <ftp://ftp.kerneli.org/pub/kerneli/net-source/loop/>
  • loopback-berkeley-recent: DES and IDEA
    by Ian Goldberg <ian@cypherpunks.ca>
  • loopback-device-aem: CAST and IDEA
    by Andrew E. Mileski <aem@netcom.ca>

• Transparent Cryptographic File System <http://tcfs.dia.unisa.it/>:
  • TCFS is a shared file system similar to NFS but has 3DES, IDEA or RC5 ciphering capabilities.
  • Developped at Dipartimento di Informatica ed Applicazioni of the Università di Salerno (Italy).

6. Misc.

• The functions that will be presented are part of the secure-linux patch <http://www.openwall.com/linux/>
  • developped by Solar Designer <solar@false.com>.

  • those functions are available for kernels 2.0.38 and 2.2.17 .

• Presented distributions are either in development or in study.

• subterfugue is a new functionnality intended to restrict access for kernels 2.4 .

6.1 Security patches

• restricted /proc partition:
  • each user has only access to the data concerning his processes and a special group has acces to all the data of all processes.
  • <http://underley.zakopane.top.pl/linux/restricted-procfs.html>
    or <http://www.underley.eu.org/linux/>
    by Daniel Podlejski <underley@zakopane.top.pl>
• restricted links and FIFOs in /tmp:
  • A process has access to a link or a FIFOs in /tmp only if he owns it or if it belongs to root.
  • <http://www.sekure.org/english/resources.html> (not available anymore)
    by Sekure SDI <http://www.sekure.org/> (Brazilian Info Security Team)
• Special handling of fd 0, 1, and 2 at startup of SUID/SGID binary.
  • those files have a special meaning for the C library and lots of programs.
  • they're often referenced by number.
• Non-executable user stack area:
  • the stack area is made non-executable, buffer overflow vulnerabilities become harder to exploit.
  • the biggest problem is caused by the glibc 2.x programs that use trampoline jumps.
    • Kernel must detect and emulate trampoline jumps
    • It is (theoretically) possible to deceive this functionnality and execute buffer overflows.

6.2 Distributions sécurisées

• nmrcOS <http://www.nmrc.org/nmrcOS/>: who's goal is to provide a secured and stable system
  • Based on a Slackware distribution with a 2.0.36 kernel, it includes several security patchs for the kernel: "Solar Designer's patch", "Trusted path support", "Probe Detection Patch"...
  • A script to harden acess rights to numerous sensible files.
  • Currently ported to Linux 2.2.12

• bastille-linux <http://bastille-linux.sourceforge.net/>: based on a RedHat distribution it's goal is "to "harden" or "tighten" the Linux operating system".
  • The project consists today in a script that tighten a system under Redhat 6.0 et 6.1: acess rights to sensible files and security parameters of applications.
  • The 1.1.0 version is available since june, 7 of 2000 and is extensible to other distributions.

• Stack-Guard <http://www.immunix.org/products.html#stackguard>: it's a patch to the gcc 2.7.2.3 compiler to generate auto-immune code to buffer overflows in the execution stack.
  • Has shown great efficiency on many occasions:
    • exploitation of security vulnerabilities are generally of this kind.
  • A version of RedHat 5.2 entirely recompiled with Stack-Guard is available.
  • Is a complementary approach to:
    • Using a non executable stack
    • Auditing source code
  • The 2.O version of Stack-Guard is a port to egcs 2.91.66 and an Immunix OS version 6.2 based on a Red Hat 6.2 is available.

• Nexus Linux <http://www.lemuria.org/Nexus/>: is a distribution indented for administrators who's first concern is security. It comes in standard with Openssh and ssl support for apache.
  • Still in early development stage: v0.4.4p1
  • Available on the following site: <ftp://ftp.lemuria.org/pub/Nexus/>
  • is in fact the old kha0s distribution <http://www.kha0s.org/>.

• slinux <http://www.slinux.org/>: is a distribution intended to be more complete than all the others, it should integrate privilige management, partition cipherening, ...
  • Actualy, development didn't start.
  • is in fact the old securelinux distribution <http://www.reseau.nl/securelinux/>

6.3 subterfugue

• Subterfuge can limit acess of processes and their chidren.
• http://www.subterfugue.org/ by Mike Coleman <mkc@subterfugue.org>
  is downloadable at: http://sourceforge.net/project/?group_id=1951
• Linux kernel includes subterfuge support since 2.3.99-pre1
• Subterfuge makes it possible to:
  • restrict disk access by specifying:
    • forbidden directories
    • read-only directories
    • read and write access directories
  • extend arguments to complete filenames and apply regular expressions (regexp).
  • log the number of system calls and signals.
  • forbid or limit access to the network.
  • forbid the closing of standard input / output / error.
  • forbid the sending of signals to "foreign" processes.
  • trace system calls (with the possibility of chosing the system calls).
  • restrict positionning of acces rights (forbid SUID, write for all, ...).

7. PAM (Pluggable Authentication Modules)

• Historically, authentication of Unix users relied on the input of a password wich was checked with the one stored in /etc/passwd .

• At each improvement (/etc/shadow , one-time passwords...) each program (login, ftp, ...) had to be rewritten.

• PAM is a more flexible user authentication mecanism.

• Programs supporting PAM must dynamically link themselves to the modules in charge of authentication.

• The administrator is in charge of the configuration and the attachement order of modules.

7.1 Configuration

• All applications using PAM must have a configuration file in /etc/pam.d . Each file is composed of four columns:
  • Module type:
    • auth: user authentication
    • account: user restriction (ex: hour restriction, ... )
    • session: tasks to perform at login and logout
      ex: mounting directories, ...
    • password: update of the user authentication token
  • success control:
    • required: a leat one of the required modules
    • requisite: all the requisite modules
    • sufficient: only one sufficient module
    • optional: a least one of the required modules is necessary if no other has succeeded
  • path to the module: usually /lib/security .
  • optional arguments

• the /etc/pam.d/other file provides default configuration for all modules not specified in the configuration file of the application.

7.2 Modules

• pam_cracklib: uses the cracklib library to check the "strength" of a password and to check it was not built based on the old one.

• pam_limits: this module can restrict, depending on the user and/or group, the number of simultaneous processes, CPU time, the number of files simultaneously opened, their size, the maximum number of simultaneous connexions.
  The configuration file is: /etc/security/limits.conf

• pam_rootok: enables root to access a service without using his password. To be used with chfn or chsh and not with login.

• pam_time: control the access time. The configuration file is: /etc/security/time.conf .

• pam_wheel: allow access to root only to users of the wheel group. For use with su.

• pam_cap: this module can force all privilges to a user.

7.3 References

• <ftp://ftp.kernel.org/pub/linux/libs/pam/>:
  PAM librairies and programs for Linux.
• <ftp://ftp.kernel.org/pub/linux/libs/pam/Linux-PAM-html/>:
  • The Linux-PAM System Administrators' Guide <ftp://ftp.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html>
    by Andrew G. Morgan <morgan@transmeta.com>
  • The Linux-PAM Application Developers' Guide <ftp://ftp.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl.html>
    by Andrew G. Morgan <morgan@transmeta.com>
  • The Linux-PAM Module Writers' Guide <ftp://ftp.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules.html>
    by Andrew G. Morgan <morgan@transmeta.com>
• Unified Login With Pluggable Authentication Modules <http://www.pilgrim.umass.edu/pub/osf_dce/RFC/rfc86.0.txt>:
  Open Software Foundation Request For Comments 86.0
  by V. Samar and R. Schemers (SunSoft)

® © Hervé Schauer Consultants 2000 - 4 bis, rue de la gare - 92300 Levallois-Perret
Phone : +33 141 409 700 - Fax : +33 141 409 709 - Email : <secretariat@hsc.fr>