Problem Set 2 Due: 11:59pm, Monday October 4

Transcription

1 CS342 Computer Security Handout # 3 Prof. Lyn Turbak September 26, 2010 Wellesley College Important notes: Problem Set 2 Due: 11:59pm, Monday October 4 You can do Problem 1 on your own or together with your teammate from Problems 2 4. Problems 2 4 are team problems that you need to complete on your team Linux machine in the Security Lab (E125) by working in two-person teams. The Linux teammate you choose for this assignment will remain your teammate for the rest of the semester. Students with a strong systems background should not work with each other, but should choose partners with less systems background. In most cases, you are expected to work side-by-side on team problems, so choose teammates who have similar schedules to maximize potential meeting times. Form a team and pick your machine in E125 ASAP. If at all possible, you should complete Problems 2a d before this week s lab, so that you can use your team s machine in lab. Although E125 should be open 24/7, custodians sometime lock the room. Please inform me anytime you want to access the room but find it locked. Start Problem 3 on password cracking soon so that you have as many days as possible to run the cracker. PS3 (the treasure hunt ) will be posted on Fri Oct 1. and due on Fri. Oct. 8. Submission: Please submit a header sheet (indicating the amount of time you/your team spent on the problems) along with the following: 1. For Problem 1, each student/team should submit a written report. 2. For Problem 2, there is nothing to turn in. I will check to see that the accounts and web pages on your machine have been configured properly. 3. For Problem 3, turn in a brief report describing which passwords John was able to crack and which ones it wasn t able to crack. However, under no circumstances should you divulge your root password! If you did any experiments beyond the default cracking mode, describe them. 4. For Problem 4, in addition to the scripts and testing transcripts mentioned in the problem, you should submit a written explanation detailing the design of your solution to the problem, with particular emphasis on how you approached the parts that you found difficult. You should also describe any implementation details that are interesting, and your scripts should be commented to explain how they work. Also, please let me know anything that I could have told you or configured for you in advance that would have saved you time on this assignment. (Your feedback will help future CS342 students!) 1

2 Problem 1 [20]: Tanner Photo Contest Revisited (Do not begin this problem until Mon. Sep. 27) The official Tanner Photo Contest site is at tanner-photos/ cgi-bin/tanner-photos.cgi. I believe I have fixed most (but maybe not all) the security holes and usability issues students reported for the test site in PS1. In this problem, attempt as many exploits you can think of against the official site, including all you tried for PS1 and perhaps some more. Write a report summarizing your attacks and the extent to which they succeeded. (If you discover a serious vulnerability, please let me know ASAP!) Problem 2 [20]: Linux System Administration In this problem, you will choose a teammate and a Linux machine in the Security Lab (SCI E125) and become system administrators (sysadmins) of that machine. You and your teammate will own this Linux machine for the rest of the semester. There are six machines along the back wall of E125 that we will use in this class. jaguar.wellesley.edu ballroom.wellesley.edu bass.wellesley.edu gandhi.wellesley.edu sole.wellesley.edu salmon.wellesley.edu We will refer to this network of machines as the security lab network (SLN). We will use the SLN machines for most computer-based exercises in the course. For these exercises, the SLN machines have weaker security settings than our regular department machines. Currently, the SLN machines are connected to the campus network. So you can access the rest of the Internet from them and can access them remotely via ssh. However, later in the semester, we may experiment with some malware and network exploits on the SLN machines. In order to protect our department and campus machines at that time, we may isolate the SLN machines so that they can communicate with each other but not the outside world. During the semester, you will learn certain hacking techniques, such as packet sniffing, buffer overflows, faking headers, how to break into accounts, and so on. The SLN machines are a playground for experimenting with these techniques. However, you should not use these techniques on any machines other than those in the SLN network; the consequences of doing so could be severe. a: Choose a Teammate and Machine (complete this part ASAP) Choose a teammate and then choose one of the SLN machines listed above to be your machine for the semester. (There are 13 students and 6 machines, so there will need to be one 3-person team.) You should attach a note to the machine claiming it for your team, and post a note to CS F10 announcing your team members and the machine you own. b: Log into Your Machine You can log into your machine with username guest and password guest (or using another account you create in Part d). When you need superuser privileges, you can su to root using the password secs342curity. Note: as a default, logging directly into your machine as user root is disabled. You can enable it by following the instructions at com/2010/04/23/login-as-a-root-from-gui-fedora-13/ c: Change the Root Password You wouldn t want anyone else to log into your machine with superuser privileges, would you? The first thing you should do is change the root password using the passwd program. 1 1 Although Fedora 13 provides a GUI for changing user information and passwords, you should avoid this GUI in this assignment and become facile at accomplishing these tasks via commands in the shell. 2

3 Executing passwd username as root will prompt you for a new password for the account with name username. (Executing passwd without any arguments changes the password for root.) The passwd program will warn you about vulnerable passwords, such as those that are too short or are based on dictionary words. You may override such warnings to use a password anyway, but you do so at your peril! d: Create User Accounts Now you should create some user accounts for your machine. Every machine already has a guest account with password guest. You should not change this account or password. Throughout the semester, you will be able to log into any SLN machine using this account. You should create some additional accounts for your machine: create personal accounts for each teammate with your usual Wellesley account names. create the six accounts needed for Problem 4: fbar, bquux, stud1, stud2, cs1ta, and cs1. (As part of doing Problem 4, you will also want to create some new groups, but you should do that later.) To create these accounts you should use the useradd and passwd commands. 2 The useradd and other user management commands are described at 06/manage-users-from-the-command-line. For the purpose of the password-cracking exercise in Problem 3, you will want some of your accounts to have weak passwords (easily crackable ones, such as short ones and/or ones based on dictionary words), some to have strong passwords, and some to fall in between. e: Create Some Web Pages All the SLN machines are configured to run an HTTP server (httpd), which means that they can serve web pages that are viewable via web browsers running on the other SLN machines. Because some later exercises will involve web pages, you should get some experience early with creating (and protecting) some simple web pages. The focus here is not on HTML, CSS, or JavaScript (though you re welcome to use these if you want to), so your pages can be mostly plain text with a few links. Each machine already has (an extremely simple) home page for the guest user in/home/guest/public_html/ind You should create the following pages: For each team member and the cs1 account, create a world-viewable home page named index.html in a public_html folder for that user. (You ll need to create this folder). For each team member and the cs1 account, create an http-password-protected page private.html in a protected subfolder of public_html. For the team accounts, use the username team and the password private. For the cs1 account, use the username cs1 and the password cs1isfun!. Also, add a link to the protected page from the home page. Create a world-readable home page for your machine in /var/www/html/index.html that includes links to the home pages of your team members, the guest home page, and the cs1 home page. Create an http-password-protected page in /var/www/html/protected/index.html that includes links to the other protected pages you created above. This page should be unlockable by HTTP users team and cs1 (with the passwords given above) as well as by HTTP user guest with HTTP password guest. 2 Again, there is a GUI available from the menu path System>Administration>Users and Groups that you can use later in the semester for user management, but for now use shell commands. 3

4 Problem 3 [15]: Password Cracking Note: installing and running the password cracker takes time (measured in days for running the cracker), so start this problem early. In this problem you will test how good your account passwords are by running a password cracker on them. You will use the John the Ripper password cracker, also known as John. Install this program from Read doc/install for how to install John (use the linux-x86-any target) and doc/examples for how to run John on the passwords on your machine. You should download the large all wordlist from and configure John to use this wordlist. (You can test that it s working by choosing one of your passwords to be a work in the all wordlist that s not in the smaller default wordlist.) John can do some very fancy things, but for this problem you should just use the default mode with the all word list. This can take a very long time. Even if you start this problem right away, it may not finish before your pset is due! Fortunately, it is easy to find the passwords that John has cracked so far. If you stop John, it s also easy to resume it from where it stopped, so you don t needlessly repeat any work. See doc/examples for details. If interested, you are encouraged to experiment with more sophisticated features in an attempt to crack passwords that weren t cracked by the default mode. You can find more information on password cracking at and in Chapter 9 of Hacking Linux Exposed. Please let Lyn know if you need help installing, configuring, or running John. Problem 4 [45]: Access Control The goal of this problem is to give you practical experience with Linux permissions and shell scripts. Professors Foo Bar and Baz Quux are co-teaching introductory course CS1. They and all of their students will be using your (one!) computer in E125 for all of their work. They have asked you to administer all of the accounts for their course on your CS342 machine (which you should assume they can all access). This includes the accounts of the two professors (fbar and bquux), as well as a course account (cs1), the accounts of all the students, and the accounts of the teaching assistants (TAs) for the course. For simplicity, assume that there are only two students (stud1 and stud2) and one TA (cs1ta). However, your approach should scale to an arbitrary number of students and TAs. Professors Bar and Quux have asked you to create a cs1 account with a home directory in /home/cs1. This home directory should have four subdirectories: download: this directory should be visible to everyone in the class (the course account, professors, TAs, and students) but not to any users outside of the class. private: this directory should be visible only to the course staff (i.e., the two professors, the TAs, and anyone logged into the cs1 account). drop: all the contents of this directory should be readable (but not writable) by the course staff. As we shall see below, individual students will own certain subdirectories within the drop directory, but no student should be able to examine the contents of the directories of any other student. public_html: the contents of this directory should be world-readable, except for a protected subdirectory that should readable only by the course staff and apache (the HTTP server). In addition to configuring the above directories, Professors Bar and Quux have asked you to implement the following Linux commands for their course. In all of the commands, you may assume that dir is a directory name (possibly containing slashes) not ending in a slash, and the name psname does not contain any slashes. Your commands should verify that dir is a valid directory (and give a meaningful error message if it isn t). But for simplicity, you are not required 4

5 to verify the assumptions about slashes. The behavior of these commands is unspecified when the slash assumptions aren t met. publish dir psname: The professors use this command to publish directories of code and instructions for their problem sets. Only the two professors (not even the TAs or someone logged into the cs1 account) should be able to execute this command. It copies the contents of the directory dir to the directory /home/cs1/download/psname, creating the latter if it does not already exist. It also creates the directory /home/cs1/drop/psname if it does not already exist. The whole class should be able to read each file within the directory /home/cs1/download, but no one (not even the course staff) should be able to edit such files. No one who is not associated with the course should be able to read or even list any of the files in /home/cs1/download. If the directory dir contains a subdirectory named public_html, the contents of this directory is copied to a world-readable subdirectory of the public_html directory of cs1 named psname. Only course staff should have write access to these files. The public_html subdirectory of dir should not appear in /home/cs1/download/psname. Calling publish with a psname that already exists as a directory name in /home/cs1/download or in /home/cs1/public_html should replace all the existing contents of these directories with the new contents. privish dir psname: The professors use this command to share directories of problem set solutions with each other. Only the two professors (not even the TAs or someone logged into the cs1 account) should be able to execute these commands. It copies the contents of the directory dir to the directory/home/cs1/private/psname, creating the latter if it does not already exist. Only the professors should be able to read and modify the files within /home/cs1/private that have been added by calling privish. If the directory dir contains a subdirectory named public_html, the contents of this directory is copied to the protected subdirectory of the public_html directory of cs1 named psname. Only the course staff (and web browser) should have read/write access to these files. (These files can also be accessed via a web browser by anyone knowing the HTTP password for this directory.) The public_html subdirectory of dir should not appear in /home/cs1/private/psname. Calling privish with a psname that already exists as a directory name in /home/cs1/download or in /home/cs1/public_html/protected should replace all the existing contents of these directories with the new contents. drop dir psname : This is a command that can be executed by any CS1 student, but by no one else (not even course staff). It makes a copy of the directory dir and stores it in the directory whose name is /home/cs1/drop/psname/username, where username is the name of the user executing the command. The command creates /home/cs1/drop/psname/username if it does not already exist. (It is an error if /home/cs1/drop/psname does not already exist.) If /home/cs1/drop/psname/username already exists, any existing files with the same names as in dir should be overwritten with new versions, but any other existing files should be left unchanged. A student should be able to read and write any directories/files that they have submitted via drop, but they should not have read or write access (or the ability to delete) any drop directory (or contents thereof) that they have not submitted. However, the course staff should have read (but not write) access to all subdirectories of the drop directory. All course members might be able to list the contents of /home/cs1/drop/psname, but only the owner of this directory and course staff members should be able to list the contents of any subdirectory of this directory. In Problem 2, you already created accounts for the professors, students, TA, and course. In this problem you should create any groups that you need and then should write bash shell scripts for the above three commands. You will need to think carefully about ownership, groups, permissions, and paths in order to implement the commands. Where should the commands live? What should 5

6 be the permissions on the commands? What should be the permissions on the directories and files created by these commands? In addition to submitting a written description of your solution, you should turn in copies of your shell scripts (along with their permissions) and testing transcripts that show your commands work as specified. I.e.: the commands have the right behavior; all relevant parties can execute only the commands and read/write only the files to which they should have access. This is a challenging problem, and requires careful thought. Here are some notes you may find helpful (see Linux documentation for more details): You may want to make some of the commands setuid and/or setgid. As explained in lecture, Linux does not permit plain scripts to be executed setuid/setgid, but this restriction can be circumvented by creating a C program that invokes the script. For example, to make the publish command setuid, write the script in a file named publish_script (beginning with #!/bin/bash -p) and then write the following C program: int main (int argc, char* argv) { execv("publish_script", argv); } Within a shell script, any text delimited by single backquotes indicates a command that should be executed and replaced by its result. For example, if stud1 executes a script containing the filename /home/ whoami /stuff, this filename expands to /home/stud1/stuff. But be careful: if the program is setuid, then whoami will return the name of the effective user, not the real user. To get the real user name, see the next note. Within a script that is running setuid, you may want to distinguish the real user id (or name) from the effective user id (or name). The bash id command (and the bash variables UID and EUID) can be used for this purpose, as illustrated in the following script: #!/bin/bash -p REALUSERID= id -ur REALUSERNAME= id -urn EFFECTIVEUSERID= id -u EFFECTIVEUSERNAME= id -un EFFECTIVEGROUPID= id -g EFFECTIVEGROUPNAME= id -gn echo "Real user id = $UID ($REALUSERID)" echo "Real user name = $REALUSERNAME" echo "Effective user id = $EUID ($EFFECTIVEUSERID)" echo "Effective user name = $EFFECTIVEUSERNAME" echo "Effective group id = $EFFECTIVEGROUPID" echo "Effective group name = $EFFECTIVEGROUPNAME" echo -n "All id info: " id #prints all id info The -e (resp. -d) tests can be used in a conditional to determine if a file (resp. directory) exists. E.g. if [[ -e $FILENAME ]]; then... else... fi # IF $FILENAME exists... if [[!(-d $DIRNAME) ]]; then... else... fi # IF $DIRNAME doesn t exist... Many other tests for files and directories are listed in the bash shell documentation. 6

7 You may find a for loop helpful for iterating through the contents of a directory. By default, expansion of filenames including * does not include filenames beginning with a dot (. ). For example, cp -R foo/* bar will copy all files in foo to bar except those whose name begins with a dot. This default can be overridden in a shell script with the magical incantation shopt -s dotglob. To enable the printing of debugging information for a script, supply the options -vx to the script (i.e., begin the script with #!/bin/bash -vx). Changes made to group membership aren t noticed in an already-logged-in user. To see the changes, log out and log back in again. You can view HTTP server errors in /etc/httpd/logs/error_log. Be proactive about consulting Lyn with any questions you have about the problem specification. 7

8 Group Problem Header Page Please make this the first page of your hardcopy submission for group problems. CS342 Problem Set 1 Group Problems Due 11:59pm Monday, October 4 Names of Team Members: Date & Time Submitted: Collaborators (anyone you or your team collaborated with): By signing below, I/we attest that I/we have followed the collaboration policy as specified in the Course Information handout. Signature(s): In the Time column, please estimate the time you or your team spent on the parts of this problem set. Team members should be working closely together, so it will be assumed that the time reported is the time for each team member. Please try to be as accurate as possible; this information will help me design future problem sets. I will fill out the Score column when grading you problem set. Part Time Score General Reading Problem 1 [20] Problem 2 [20] Problem 3 [15] Problem 4 [45] Total 8