file access right list - Security

This is a discussion on file access right list - Security ; Hi The quick questions first: - Is there s program that parses the filesystem to write which files and directories a user or group have access to and what access he has? - Is there a list of the currently ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: file access right list

  1. file access right list

    Hi

    The quick questions first:

    - Is there s program that parses the filesystem to write which files and
    directories a user or group have access to and what access he has?
    - Is there a list of the currently most security sensitive directories
    and files on a system, i.e. which are being mostly used for attacks to
    get in. Some obvious ones are
    - a users home directory
    - tmp directories
    - directories with system executables


    Then, my thoughts about it.

    I am working on setting up a secure server and the way I see it is that
    one of the many crucial elements of securing the os on the server, is
    file access rights. My view is that one of the most usual ways of
    getting access to the system from the network is by manipulating the
    service to either

    - write/modify files on the files system, either its own
    files/executables or system files and executables.
    - manipulate the services rights, elevate it etc

    The second part I can only do so much with, unless I intend to do a
    security audit of the code my self. One thing is securing the service
    from attacks from the network, another thing is securing the operating
    system from attacks from the service. So for the first issue I have
    greater flexibility, due to the number of tools at hand, inclydiung file
    system rights.

    So I would like to to a audit of who has access to which files or to put
    it another way which files do a specific user have access to, such as
    the accounts dovecot and postfix and its groups. By limiting which files
    and directories they have access to and what access they have I can
    reduce the security problems. So I have two questions:

  2. Re: file access right list

    Tom Forsmo wrote:
    > - Is there s program that parses the filesystem to write which files and
    > directories a user or group have access to and what access he has?


    ls -lR


    > - Is there a list of the currently most security sensitive directories
    > and files on a system, i.e. which are being mostly used for attacks to
    > get in.


    A problem with that approach is it sounds like you're trying to ensure
    that you've stopped existing trojans (good) but not considered unknown
    trojans (bad).

    > Some obvious ones are
    > - a users home directory
    > - tmp directories
    > - directories with system executables


    That sounds like you've covered pretty much the entire filesystem,
    but omitted network services completely.


    > I am working on setting up a secure server and the way I see it is that
    > one of the many crucial elements of securing the os on the server, is
    > file access rights.


    Correct. Have you considered the SELinux extensions?


    > So I would like to to a audit of who has access to which files or to put
    > it another way which files do a specific user have access to, such as
    > the accounts dovecot and postfix and its groups. By limiting which files
    > and directories they have access to and what access they have I can
    > reduce the security problems.


    Sounds like you really haven't looked at SELinux.
    Chris

  3. Re: file access right list

    Tom Forsmo wrote:

    > Hi
    >
    > The quick questions first:
    >
    > - Is there s program that parses the filesystem to write which files
    > and directories a user or group have access to and what access he has?
    > - Is there a list of the currently most security sensitive directories
    > and files on a system, i.e. which are being mostly used for attacks to
    > get in. Some obvious ones are
    > - a users home directory
    > - tmp directories
    > - directories with system executables
    >
    >
    > Then, my thoughts about it.
    >
    > I am working on setting up a secure server and the way I see it is
    > that one of the many crucial elements of securing the os on the
    > server, is file access rights. My view is that one of the most usual
    > ways of getting access to the system from the network is by
    > manipulating the service to either
    >
    > - write/modify files on the files system, either its own
    > files/executables or system files and executables.
    > - manipulate the services rights, elevate it etc
    >
    > The second part I can only do so much with, unless I intend to do a
    > security audit of the code my self. One thing is securing the service
    > from attacks from the network, another thing is securing the operating
    > system from attacks from the service. So for the first issue I have
    > greater flexibility, due to the number of tools at hand, inclydiung
    > file system rights.
    >
    > So I would like to to a audit of who has access to which files or to
    > put it another way which files do a specific user have access to, such
    > as the accounts dovecot and postfix and its groups. By limiting which
    > files and directories they have access to and what access they have I
    > can reduce the security problems. So I have two questions:


    You should do a search for any files that are world writable as well as
    any that are suid/sgid (especially for a privileged user such as root,
    wheel, etc.) and disable any sticky bit suid settings on one's that
    don't need it (be sure you know for sure before removing that setting).
    That is a good first step (permissions, ownerships and suid, etc.) out
    of about 200 things you should do.
    --
    Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
    Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
    and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
    Industry's most experienced staff! -- Web Hosting With Muscle!

  4. Re: file access right list

    On Mon, 20 Oct 2008, in the Usenet newsgroup comp.os.linux.security, in article
    <48fc4034$1@news.broadpark.no>, Tom Forsmo wrote:

    >The quick questions first:


    Yes - _which_ operating system are you using? If Linux, which
    distribution? The answer strongly influences what will work best.

    >- Is there s program that parses the filesystem to write which files
    >and directories a user or group have access to and what access he has?


    [compton ~]$ whatis find
    find (1) - search for files in a directory hierarchy
    [compton ~]$

    Pay attention to the 'gid', 'group', 'nouser', 'nogroup', 'perm',
    'uid', and 'user' tests. In the case of group name/gid, you should
    look at the fourth (colon separated) field in /etc/passwd (which
    defines a user's primary group) and the /etc/group file, which lists
    any secondary groups the user may belong to. For example, using the
    GNU version of find, I can do

    [compton ~]$ find /bin -uid +2 -exec ls -ld {} \;
    [compton ~]$

    to find things with a user ownership of UID 2 and above in the /bin
    directory. Another idea might be

    [compton ~]$ find / \( -type f -o -type d \) -perm -002 -exec ls -ld {} \;
    drwxrwxrwt 3 root root 16384 Oct 20 07:42 /tmp
    drwxrwxrwt 2 root root 1024 Oct 11 18:17 /var/tmp
    [compton ~]$

    >- Is there a list of the currently most security sensitive directories
    >and files on a system, i.e. which are being mostly used for attacks to
    >get in. Some obvious ones are
    > - a users home directory
    > - tmp directories


    Those two are writable by the user

    > - directories with system executables


    If those are writable by ANYONE other than the "owner", you are in
    really deep weeds already.

    >Then, my thoughts about it.
    >
    >I am working on setting up a secure server and the way I see it is
    >that one of the many crucial elements of securing the os on the
    >server, is file access rights.


    Then use access control lists. In Linux, see the 'SELinux program.
    Some registered UNIX can also be set up with ACLs.

    >My view is that one of the most usual ways of getting access to the
    >system from the network is by manipulating the service to either
    >
    >- write/modify files on the files system, either its own
    >files/executables or system files and executables.
    >- manipulate the services rights, elevate it etc


    Do not allow anyone who is not trusted to run any command. In the case
    of web servers, this explicitly means not using dynamic scripting
    languages, such as (but not limited to) PHP.

    >The second part I can only do so much with, unless I intend to do a
    >security audit of the code my self. One thing is securing the service
    >from attacks from the network, another thing is securing the operating
    >system from attacks from the service. So for the first issue I have
    >greater flexibility, due to the number of tools at hand, inclydiung
    >file system rights.


    If you are that concerned, operate the entire system "READ ONLY"
    (except for such things as /var/run, /var/lock, and perhaps /var/log)
    and mount any data partitions 'noexec' and 'read-only'.

    >So I would like to to a audit of who has access to which files or to
    >put it another way which files do a specific user have access to, such
    >as the accounts dovecot and postfix and its groups.


    Assuming (because of the 'comp.os.linux.security' newsgroup) you are
    referring to Linux, start with the HOWTOs

    [compton ~]$ ls /usr/share/HOWTO | grep Secur
    -rw-rw-r-- 1 gferg ldp 37228 May 15 2007 Secure-BootCD-VPN-HOWTO
    -rw-rw-r-- 1 gferg ldp 47197 Mar 24 2003 Secure-CVS-Pserver
    -rw-rw-r-- 1 gferg ldp 11488 Apr 26 2001 Secure-POP+SSH
    -rw-rw-r-- 1 gferg ldp 642561 Mar 10 2003 Secure-Programs-HOWTO
    -rw-rw-r-- 1 gferg ldp 155096 Jan 23 2004 Security-HOWTO
    -rw-rw-r-- 1 gferg ldp 278012 Jul 23 2002 Security-Quickstart-HOWTO
    -rw-rw-r-- 1 gferg ldp 287057 Jul 23 2002
    Security-Quickstart-Redhat-HOWTO
    [compton ~]$

    then hit the Linux Documentation Project (http://tldp.org/guides.html)
    and grab a copy of "Securing & Optimizing Linux: The Ultimate Solution".
    You can also go to your favorite dead-tree book store and buy a copy of
    "Practical Unix & Internet Security" by Garfinkel, Spafford and Schwartz
    (O'Reilly, ISBN 0-596-00323-4) and perhaps "Linux Server Security" by
    Bauer (O'Reilly, ISBN 0-596-00670-5).

    >By limiting which files and directories they have access to and what
    >access they have I can reduce the security problems. So I have two
    >questions:


    and I suppose the first is how to use a news-reader so that you can
    finish writing the article before posting. The second might be how
    to use a search engine to find information on Access Control Lists, or
    ACLs for short. They are part of SELinux and the several "Trusted"
    versions of branded UNIX.

    Old guy

+ Reply to Thread