Compartmentalization


Program isolation is one method of controlling program authorizations by limiting the scope of access. It is an important step in keeping programs secure.

UNIX Protected Subsystem

The UNIX protected subsystem is a process of isolating a software system through the utilization of group permissions. A protected subsystem is a group of programs which provide a particular service or group of related services that require more authorization for access to data files and devices than those of the users who need the service. For example, the mail and printing systems on most UNIX systems are implemented as protected subsystems.

Each protected subsystem has its own user ID and group ID, used only by its programs and files. The protected files and devices allow no access except through the group permission bits, and the programs all run with their effective group ID set to the subsystem group ID. No users are allowed membership in the group used by a protected subsystem.

The following steps will create a protected subsystem.

  1. Create a user ID and a group ID for the protected subsystem.

  2. Change the ownership and group for each file that is to be protected to the user "bin" and the group ID which was created.

     chown bin:protected protected_file
     chown protect:protected protected_program
  3. Set the permission bits on the files in the protected subsystem so that they are accessible only from the protected group.

     chmod 060 protected_file 
  4. Set the set-group-ID-on-exec bit on the programs in the protected subsystem.

     chmod 2001 protected_program 

All parts of the protected subsystem need to be in directories with sufficient protection so that the files which are part of the protected subsystem cannot be altered, nor their permissions changed.
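The following script is an added example, not code from the book: it lays out a sample subsystem with the mode bits from steps 3 and 4 and then audits a directory tree for anything that breaks the subsystem's isolation (world-accessible data files, programs without the set-group-ID bit, writable directories). It assumes a Linux system with GNU stat and that the chown of step 2 (which needs root) has been done separately.

```shell
#!/bin/sh
# Build a sample protected subsystem under $1 (constructed layout, no root needed).
make_sample_subsystem() {
    mkdir -p "$1/bin" "$1/data"
    printf 'secret\n' > "$1/data/protected_file"
    printf '#!/bin/sh\ncat "$(dirname "$0")/../data/protected_file"\n' > "$1/bin/protected_program"
    chmod 060  "$1/data/protected_file"    # group rw only, no owner/other access (step 3)
    chmod 2001 "$1/bin/protected_program"  # set-group-ID on exec, others may only run it (step 4)
    chmod 750  "$1/bin" "$1/data"          # directories not writable by group or other
}

# Audit the tree under $1: print one line per violation, return 0 if clean, 1 otherwise.
audit_subsystem() {
    violations=$(find "$1" -mindepth 1 -print | while IFS= read -r path; do
        mode=$(printf '%04d' "$(stat -c '%a' "$path")")   # e.g. 0060, 2001, 0750
        special=${mode%???}                                # setuid/setgid/sticky digit
        owner=${mode#?};  owner=${owner%??}
        group=${mode#??}; group=${group%?}
        other=${mode#???}
        if [ -d "$path" ]; then
            # A writable directory lets files be replaced or their modes changed.
            [ $(( (group | other) & 2 )) -eq 0 ] || echo "dir writable: $path ($mode)"
        elif [ $(( (owner | group | other) & 1 )) -ne 0 ]; then
            # A program must run with the subsystem group and must not be modifiable.
            [ $(( special & 2 )) -ne 0 ] || echo "program lacks setgid: $path ($mode)"
            [ $(( other & 6 )) -eq 0 ]   || echo "program readable/writable by others: $path ($mode)"
        else
            # Data files must be reachable only through the group bits.
            [ "$other" -eq 0 ] || echo "data file open to others: $path ($mode)"
        fi
    done)
    [ -z "$violations" ] && return 0
    printf '%s\n' "$violations"
    return 1
}
```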

chroot Environment

The chroot environment is a method of isolating a software system by creating a separate directory tree in which each system resides. The chroot forces the process to view the sub-tree as the root file system. Software which runs in a chrooted environment has no access to the system outside the chroot directory tree.

The following steps produce a chroot environment.

  1. Create a directory for the chroot environment.

     mkdir /chroot/ProgramDir
     chmod ugo-rw /chroot/ProgramDir
  2. Load the software into the chroot environment.

  3. Create necessary directories within the chroot environment.

     mkdir /chroot/ProgramDir/{etc,bin,tmp,opt}
  4. Set appropriate permissions on the directories.

     chmod 777 /chroot/ProgramDir/tmp
     chmod +t /chroot/ProgramDir/tmp
  5. Create needed system files within the chroot environment.

     echo "chrootid:*:2000:2000:Chroot User:/home/chrootid:/bin/false" \
       >/chroot/ProgramDir/etc/passwd
  6. Set appropriate permissions on the files.

     chmod 444 /chroot/ProgramDir/etc/passwd 
  7. Create special files needed within the chroot environment.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
