authorHolger Dengler <dengler@linutronix.de>2014-05-28 13:34:35 +0200
committerHolger Dengler <dengler@linutronix.de>2015-02-20 16:32:50 +0100
commit386304e330a59a1281502d12321f92598455827a (patch)
treed9f625cd6b588d4194f0dc7d9a33e5e0dd8ec5ce /security
parent2c1e41ae2491fad5cdf700cbdaefa5b27b7ff863 (diff)
security: Add user and container to Linux Security Feature slides
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security')
-rw-r--r--security/advanced/pres_advanced_sec.tex188
1 files changed, 185 insertions, 3 deletions
diff --git a/security/advanced/pres_advanced_sec.tex b/security/advanced/pres_advanced_sec.tex
index abdc749..5eb44c0 100644
--- a/security/advanced/pres_advanced_sec.tex
+++ b/security/advanced/pres_advanced_sec.tex
@@ -2,19 +2,109 @@
\input{configpres}
-\subsection{Extended Security Features}
-
-\title{Extended Security Features}
+\title{Linux Security Features}
\maketitle
\def\lximg{none}
+\subsection{}
\begin{frame}
\frametitle{Contents}
\tableofcontents
\end{frame}
% ----------------------------
+\subsection{Basic Security Features}
+% ----------------------------
+\subsubsection{Users and Groups}
+
+\begin{frame}[fragile]
+\frametitle{Users}
+\begin{itemize}
+\item Multiple Users per System
+\item Login spawn shell with user privileges
+\item Process(es) inherit user privileges
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Tools:}
+\begin{tiny}
+\begin{verbatim}
+# Add new user (interactive)
+$ adduser <new_user>
+# Remove existing user
+$ deluser <user_name>
+
+# Change password
+$ passwd [<user_name>]
+
+# Switch user ID
+$ su <user_name>
+# Run command as superuser (root)
+$ sudo <command>
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Groups}
+\begin{itemize}
+\item Group contain 0..n users (static)
+\item Default group for each user
+\item 0..n supplementary groups for each user
+\item User can change group dynamically (password required)
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Tools:}
+\begin{tiny}
+\begin{verbatim}
+# Add new group
+$ addgroup <new_group>
+# Remove existing group
+$ delgroup <group_name>
+
+# Add user to group
+$ usermod <user_name> [-g <primary_gid>] [-G <list_of_supp_group_ids>]
+
+# Show current user and group ID
+$ id
+# Switch group ID
+$ newgrp <group_name>
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Local Authentication Databases}
+\begin{itemize}
+\item User Database: /etc/passwd
+\item Group Database: /etc/group
+\item Password Database: /etc/shadow
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Pluggable Authentication Modules (PAM)}
+\begin{frame}[fragile]
+\frametitle{Users}
+\begin{itemize}
+\item Pluggable shared libraries
+\item System-wide Authentication
+\item Plugins available for:
+\begin{itemize}
+\item UserID and Password (local)
+\item LDAP
+\item Kerberos (e.g. NIS, Windows Domain Controller)
+\item Hardware-based Authentication (e.g. SmartCard)
+\end{itemize}
+\item Extendable with own PAM modules
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsection{Extended Security Features}
+% ----------------------------
\subsubsection{File Access}
\begin{frame}[fragile]
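Review bot: The `usermod` line in the Groups frame is labelled "Add user to group", but `-G` without `-a` replaces the user's whole supplementary group list, so anyone following the slide as written can silently drop existing memberships (for example an administrative group). I would show the append form instead, `$ usermod -a -G <list_of_supp_groups> <user_name>`, and move `-g` to a separate "change primary group" line. Two smaller points in the same hunk: the frame under the PAM subsubsection still carries `\frametitle{Users}`, and the Kerberos bullet lists NIS as an example although NIS is a separate directory service that does not use Kerberos.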
@@ -143,6 +233,98 @@ rm: cannot remove `/home/franz/.bash_history': Operation not permitted
\end{frame}
% ----------------------------
+\subsubsection{Namespaces}
+
+\begin{frame}[fragile]
+\frametitle{Namespaces}
+\begin{itemize}
+\item Mount: \\
+ Provide different filesystem
+\item IPC: \\
+ Provide isolated inter process communication entities
+\item Network: \\
+ Provide isolated networking environment
+\item User: \\
+ Provide different User/UID mapping
+\item UTS: \\
+ Provide different hostname
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Containers}
+\begin{itemize}
+\item Application Isolation
+\item Lightweight Vitalization
+\item Easy namespace configuration and management
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Containers (LXC)}
+\begin{beamerboxesrounded}[shadow=true]{Start/Stop container:}
+\begin{tiny}
+\begin{verbatim}
+# Start: Better for single commands
+$ lxc-execute -n cont_name [-f config] /bin/bash
+# Start: Better for container systems
+$ lxc-start -n cont_name [-f config]
+
+# Stop container
+$ lxc-stop -n foo
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+
+\begin{beamerboxesrounded}[shadow=true]{Control container:}
+\begin{tiny}
+\begin{verbatim}
+# Pause/resume container (controlling group of processes)
+$ lxc-freeze -n cont_name
+$ lxc-unfreeze -n cont_name
+
+# Monitor container states
+$ lxc-monitor -n cont_name
+
+# Attach to container console
+$ lxc-console -n cont_name
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Container (LXC): Configuration}
+\begin{beamerboxesrounded}[shadow=true]{Networking example:}
+\begin{tiny}
+\begin{verbatim}
+lxc.utsname = myhostname
+lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.link = br0
+lxc.network.name = eth0
+lxc.network.hwaddr = 4a:49:43:49:79:bf
+lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+
+\begin{beamerboxesrounded}[shadow=true]{Controlgroup example:}
+\begin{tiny}
+\begin{verbatim}
+lxc.cgroup.cpuset.cpus = 0,1
+lxc.cgroup.devices.deny = a
+lxc.cgroup.devices.allow = c 1:3 rw
+lxc.cgroup.devices.allow = b 8:0 rw
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
\subsubsection{Advanced Resource Access Control}
\begin{frame}[fragile]
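Review bot: In the Controlgroup example, `lxc.cgroup.devices.allow = b 8:0 rw` grants the container raw read/write access to block device 8:0, which on a typical host is the first SCSI/SATA disk, so the example gives back most of what `lxc.cgroup.devices.deny = a` takes away. For a security deck I would use a harmless node and name it, e.g. `lxc.cgroup.devices.allow = c 1:9 rw` preceded by a comment line `# /dev/urandom`, and annotate `c 1:3` as `/dev/null`. The Namespaces frame also omits the PID namespace, and neither container frame says that without a user-namespace UID mapping, root inside the container is root on the host. "Lightweight Vitalization" in the Containers frame is presumably meant to read "Virtualization", and the stop example uses `-n foo` where every other command uses `cont_name`.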