Chapter 12: System Security


Overview

The UNIX System was designed so that users could easily access their resources and share information with other users. Security was an important, but secondary, concern. Nevertheless, UNIX has always included features to protect it from unauthorized users and to protect users’ resources, without impeding authorized users. These security capabilities have provided a degree of protection. However, intruders have managed to access many computers because of careless system administration or unplugged security holes.

In recent releases, UNIX has included security enhancements that make it more difficult for unauthorized users to gain access. Security holes that have been identified have been corrected.

Chapters 2 and 3 discussed how UNIX authenticates users when they log in via login names and passwords and described how file permissions restrict access to particular resources. This chapter describes additional security features relating to users.

The first topic addressed in this chapter involves permissions granted to executable files. In particular, we discuss the setuid bit associated with a program. When the setuid bit is set on a file, the executable file takes on the privileges of the owner of the file when it is executed. Improper use of setuid can lead to serious security problems.

Next, we briefly discuss two more sophisticated types of access control that build on the basic read-write-execute permissions discussed earlier in the book. The first method, access control lists, can be used to grant file permissions to arbitrary sets of users. The second method, role-based access control, allows privileges to be granted to users only when they need to carry out particular sets of tasks. Both access control lists and role-based access control can considerably enhance the security of a system.

Additional topics discussed in this chapter are the /etc/passwd and /etc/shadow files used by the login program to authenticate users, and file encryption via the crypt command. Pretty Good Privacy (PGP) and the related GNU Privacy Guard, used for encrypting files to be sent over a network such as the Internet, are also covered. Moreover, this chapter describes some common security gaps and different types of attacks, including viruses, worms, and Trojan horses. Some guidelines will be provided for user security. Following these guidelines will lessen your security risks.

You will also learn about the restricted shell, a version of the standard shell with restrictions that can be used to limit the capabilities of certain users. The main use of the restricted shell is to provide an environment for unskilled users. It is important to realize that the restricted shell does not provide a high degree of security.

Finally, you will see how UNIX fits in with the security levels specified by the U.S. Department of Defense.

Today, networked computing is the norm, making network security extremely important as more and more systems are linked into networks that allow users to access resources on remote machines. UNIX System network security is addressed in Chapters 9, 15, and 17. Although this chapter does not address security from a system administrator’s point of view, Chapter 13 does.




UNIX: The Complete Reference, Second Edition (Complete Reference Series)
ISBN: 0072263369
EAN: 2147483647
Year: 2006
Pages: 316
