| author | Holger Dengler <dengler@linutronix.de> | 2016-05-08 19:23:53 +0200 |
|---|---|---|
| committer | Holger Dengler <dengler@linutronix.de> | 2016-05-08 19:46:22 +0200 |
| commit | 90d6ef0ad3278ee5e0eef2a57f03af891e03760f (patch) | |
| tree | 829470ac797337c62d721f422c50bd0d656ad139 /security | |
| parent | 84ad8c9f3a481aa433cdbef7d10487bd665a5c07 (diff) | |
sec: Add User/Multiuser slides
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security')
| -rw-r--r-- | security/advanced/Makefile | 1 | ||||
| -rw-r--r-- | security/advanced/frm_multiuser_dac.tex | 363 | ||||
| -rw-r--r-- | security/advanced/pres_multiuser_dac.tex | 20 |
3 files changed, 384 insertions, 0 deletions
diff --git a/security/advanced/Makefile b/security/advanced/Makefile
index cae6550..d785f51 100644
--- a/security/advanced/Makefile
+++ b/security/advanced/Makefile
@@ -2,3 +2,4 @@ obj-$(CONFIG_SECURITY_ADV) += pres_advanced_sec.pdf
 obj-$(CONFIG_SECURITY_ADV) += pres_capability.pdf
 obj-$(CONFIG_SECURITY_ADV) += pres_exploit.pdf
 obj-$(CONFIG_SECURITY_ADV) += pres_process_thread.pdf
+obj-$(CONFIG_SECURITY_ADV) += pres_multiuser_dac.pdf
diff --git a/security/advanced/frm_multiuser_dac.tex b/security/advanced/frm_multiuser_dac.tex
new file mode 100644
index 0000000..8085466
--- /dev/null
+++ b/security/advanced/frm_multiuser_dac.tex
@@ -0,0 +1,363 @@
+% ----------------------------
+\subsubsection{Users and Groups}
+
+\begin{frame}[fragile]
+\frametitle{Users}
+\begin{itemize}
+\item Multiple Users per System
+\item Login spawn shell with user privileges
+\item Process(es) inherit user privileges
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Tools:}
+\begin{tiny}
+\begin{verbatim}
+# Add new user (interactive)
+adduser <new_user>
+# Remove existing user
+deluser <user_name>
+
+# Change password
+passwd [<user_name>]
+
+# Switch user ID
+su <user_name>
+# Run command as superuser (root)
+sudo <command>
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Groups}
+\begin{itemize}
+\item Group contain 0..n users (static)
+\item Default group for each user
+\item 0..n supplementary groups for each user
+\item User can change group dynamically (password required)
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Tools:}
+\begin{tiny}
+\begin{verbatim}
+# Add new group
+addgroup <new_group>
+# Remove existing group
+delgroup <group_name>
+
+# Add user to group
+usermod <user_name> [-g <primary_gid>] [-G <list_of_supp_group_ids>]
+
+# Show current user and group ID
+id
+# Switch group ID
+newgrp <group_name>
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Local Authentication Databases}
+\begin{itemize}
+\item User Database: /etc/passwd
+\item Group Database: /etc/group
+\item Password Database: /etc/shadow
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Pluggable Authentication Modules (PAM)}
+\begin{frame}[fragile]
+\frametitle{Pluggable Authentication Modules (PAM)}
+\begin{itemize}
+\item Pluggable shared libraries
+\item System-wide Authentication
+\item Plugins available for:
+\begin{itemize}
+\item UserID and Password (local)
+\item LDAP
+\item Kerberos (e.g. NIS, Windows Domain Controller)
+\item Hardware-based Authentication (e.g. SmartCard)
+\end{itemize}
+\item Extendable with own PAM modules
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{File Access Control}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{File Access Control}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/file_access_control.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Basic File Permissions}
+\begin{itemize}
+\item for each File or Directory
+\item checked by Virtual Filesystem Layer
+\item Access Mode: \\
+ read, write, execute (entry)
+\item Access Role: \\
+ user, group, other
+\item Special: \\
+ set UID, set GID, sticky
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Basic File Permissions: Example}
+\begin{beamerboxesrounded}[shadow=true]{Example}
+\begin{tiny}
+\begin{verbatim}
+$ ls -l /dev/ttyS?
+crw-rw---- 1 root dialout 4, 64 Nov 5 08:14 /dev/ttyS0
+crw-rw---- 1 root dialout 4, 65 Nov 5 08:14 /dev/ttyS1
+crw-rw---- 1 root dialout 4, 66 Nov 5 08:14 /dev/ttyS2
+crw-rw---- 1 root dialout 4, 67 Nov 5 08:14 /dev/ttyS3
+
+# Change ownership
+chown service /dev/ttyS1
+chgrp test /dev/ttyS1
+
+# Change permissions
+chmod u=rw g=r o= /dev/ttyS1
+
+$ ls -l /dev/ttyS?
+crw-rw---- 1 root dialout 4, 64 Nov 5 08:14 /dev/ttyS0
+crw-r----- 1 service test 4, 65 Nov 5 08:14 /dev/ttyS1
+crw-rw---- 1 root dialout 4, 66 Nov 5 08:14 /dev/ttyS2
+crw-rw---- 1 root dialout 4, 67 Nov 5 08:14 /dev/ttyS3
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Access Control Lists}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Access Control List (ACL)}
+\begin{itemize}
+\item More Users and Groups
+\item Round up Groups
+\item Tools: \\
+ setfacl, getfacl
+\item Requires: \\
+ mount \dots -o acl
+\item Pitfalls: \\
+ Not all tools like tar support ACLs
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{ACL: Example}
+\begin{itemize}
+\item Sue, Bob and Henry working together on ProjectX. Sue and Henry are
+members of group \emph{dept\_a}, and Bob is member of group \emph{dept\_b}.
+\item Q: Do we really need another group \emph{project\_x} with members Sue, Bob
+and Henry?
+\item A: Not mandatory.
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Alternative Solution:}
+\begin{tiny}
+\begin{verbatim}
+mkdir /data/shared/project_x
+chown pm_admin:pm_admin /data/shared/project_x
+setfacl -m user:sue:rwx /data/shared/project_x
+setfacl -m user:bob:rwx /data/shared/project_x
+setfacl -m user:henry:rwx /data/shared/project_x
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{ACL: Example (2)}
+\begin{beamerboxesrounded}[shadow=true]{Result:}
+\begin{tiny}
+\begin{verbatim}
+getfacl /data/shared/project_x
+# file: data/shared/project_x/
+# owner: pm_admin
+# group: pm_admin
+user::rwx
+user:sue:rwx
+user:bob:rwx
+user:henry:rwx
+group::r-x
+mask::rwx
+other::r-x
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Extended File Attributes}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Extended File Attributes}
+\begin{itemize}
+\item More File Attributes
+ \begin{itemize}
+ \item a - append only
+ \item i - immutable
+ \item s - Override with zeros on delete
+ \end{itemize}
+\item Tools: \\
+ lsattr, chattr
+\item Requires: \\
+ root or mount \dots -o user\_xattr
+\item Pitfalls: \\
+ Not all tools like tar support xattr
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{xattr: Example}
+\begin{itemize}
+\item Q: You want to check what user Franz is typing on commandline?
+\item A: Look at /home/franz/.bash\_history
+\item But Franz is clever and deletes /home/franz/.bash\_history
+\item Q: How can you prevent that?
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{tiny}
+\begin{verbatim}
+sudo chattr +a /home/franz/.bash_history
+lsattr /home/franz/.bash_history
+-----a-------e-- /home/franz/.bash_history
+rm /home/franz/.bash_history
+rm: cannot remove `/home/franz/.bash_history': Operation not permitted
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Multi-user Programming}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{UserIDs and GroupIDs of a Process}
+\begin{itemize}
+\item Real
+ \begin{itemize}
+ \item privileged: \\
+ set to any value
+ \item unprivileged: \\
+ set to real or effective
+ \end{itemize}
+\item Effective
+ \begin{itemize}
+ \item privileged: \\
+ set to any value
+ \item unprivileged: \\
+ set to real, effective, saved
+ \end{itemize}
+\item Saved
+ \begin{itemize}
+ \item normal: \\
+ set to real UID/GID
+ \item s-Bit: \\
+ set to file UID/GID
+ \item privileged: \\
+ set to any value
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{UID/GID: change}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/proc_uidgid.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{UID/GID: Programming I}
+\begin{beamerboxesrounded}[shadow=true]{temporary change of Effective:}
+\begin{tiny}
+\begin{verbatim}
+printf("\nChange effective UID/GID back...\n");
+if(setegid(real_gid))
+ /* error handling */;
+if(seteuid(real_uid))
+ /* error handling */;
+print_resugid();
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\begin{beamerboxesrounded}[shadow=true]{and back again:}
+\begin{tiny}
+\begin{verbatim}
+printf("...and forth\n");
+if(seteuid(saved_uid))
+ /* error handling */;
+if(setegid(saved_gid))
+ /* error handling */;
+print_resugid();
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\begin{beamerboxesrounded}[shadow=true]{Drop finally:}
+\begin{tiny}
+\begin{verbatim}
+printf("\nChange finally to stored UID/GID“);
+printf(" (there is no way back)\n");
+if(setregid(saved_gid, saved_gid))
+ /* error handling */;
+if(setreuid(saved_uid, saved_uid))
+ /* error handling */;
+print_resugid();
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{UID/GID: Programming II}
+\begin{beamerboxesrounded}[shadow=true]{Result:}
+\begin{tiny}
+\begin{verbatim}
+$ ls -l
+-rwsr-sr-x 1 dengler dengler 8480 Aug 19 17:22 ugid_to_stored
+
+$ ./ugid_to_stored
+Backup all UID/GID
+UIDs/GIDs after start
+eUID 1000 (rUID 1002, sUID 1000)
+eGID 1000 (rGID 1002, sGID 1000)
+
+Change effective UID/GID back...
+eUID 1002 (rUID 1002, sUID 1000)
+eGID 1002 (rGID 1002, sGID 1000)
+...and forth
+eUID 1000 (rUID 1002, sUID 1000)
+eGID 1000 (rGID 1002, sGID 1000)
+
+Change finally to stored UID/GID (there is no way back)
+eUID 1000 (rUID 1000, sUID 1000)
+eGID 1000 (rGID 1000, sGID 1000)
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
diff --git a/security/advanced/pres_multiuser_dac.tex b/security/advanced/pres_multiuser_dac.tex
new file mode 100644
index 0000000..c45b009
--- /dev/null
+++ b/security/advanced/pres_multiuser_dac.tex
@@ -0,0 +1,20 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Linux Multi User}
+
+\title{Linux Multi User}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\input{security/advanced/frm_multiuser_dac.tex}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres} |
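Review bot: The chmod example in the Basic File Permissions frame, `chmod u=rw g=r o= /dev/ttyS1`, passes the mode as three separate arguments, so chmod applies only `u=rw` and then fails on `g=r` and `o=` as non-existent files; the clauses have to be comma-separated, `chmod u=rw,g=r,o= /dev/ttyS1`, to yield the `crw-r-----` line shown afterwards. In the Programming I frame the string in `printf("\nChange finally to stored UID/GID“);` is terminated by a typographic quote, which does not compile; it should be `printf("\nChange finally to stored UID/GID");`. The Extended File Attributes frame conflates two mechanisms: lsattr/chattr set inode attribute flags, while `mount -o user_xattr` only enables the user.* extended-attribute namespace used by getfattr/setfattr, so the Requires bullet does not apply to chattr and I would retitle the frame "File Attributes (chattr)" and move xattr to its own frame. The `s` flag listed there is documented in chattr(1) as not honoured by ext2/3/4, so presenting it as zero-on-delete without that caveat is misleading in a security course. The PAM frame lists NIS under Kerberos, but NIS is a separate directory service rather than a Kerberos deployment and belongs in its own bullet.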
