May the source be with you,
but remember the KISS principle ;-)
Key Softpanorama Topics
|About||Contents||Top Updates||Top Visited|
|Bulletin||Selected Papers||Softpanorama Bookshelf||History|
|News||Root Account||Recommended Links||Wheel Group||Solaris RBAC|
|Sudo||PAM||Unix permissions model||Humor||Etc|
There are half-dozen classic ways to improve security of root account
PATHenvironment variable . Root's search path should also be restricted to directories owned by root, such as
/usr/bin:/sbin:/usr/sbin, and you should generally use a fully justified filename when executing applications.
When this is done, all files or directories created by root will have
rwx------ (077) or
rwxr-x--- (027) permissions.
In large corporate environment that main danger is the problem of shared root access: the situation when there are multiple administrators who can became root. Often such groups as database group and other application groups insist on being able to switch to root to perform specific tasks. Sometimes you can use sudo to provide the ability to execute a selected program as root (for example Oracle installer), but generally this is difficult and almost unsolvable problem that creates many real SNAFUs with downtime and sometimes damage to data.
Some people are addicted to power and in IT environment this addiction demonstrates itself as a quest to obtain root access to as many systems as one can. It is very difficult to stop those people until a major incident occurs.
One important difference between external hackers and regular users is the set of IP addresses used. While this is not always true (zombie PC are pretty common those days) this is true enough to warrant some actions complicating break-ins from IP-space distinct from IP-space in which regular users of this system operate.
One solution is to disable direct access to your root ID for telnet, rsh and other client with non-encrypted clients and to limit ability to log-in to root using SSH to "trusted IPs" (static IPs on internal network which have records in DNS).
Please note that there is nothing wrong with using telnet by regular corporate users despite it being a less secure protocol then SSH (actually the number of successful break-ins via Open SSH exploits probably exceeds number of exploits using telnet; at one point OpenSSH exploits were the most popular way to break-in into ISPs ;-). This is connected with the fact that in a typical large corporate usage telnet is used either on the local network with dedicated IP space (usually 10.x.x.x network) or via VPN connection. In both situation attacks are possible but pretty difficult to execute:
That's why I suspect that all this cheap talk about telnet insecurity that is so popular in shallow security books and articles has somewhat weak connection to reality.
As ssh most often is compiled with TCP wrappers they can be used to limit IP space for the daemon.
The other method is that you can periodically reset root password using random password generator and to communicate it only when there is explicit need to use it (for example Tivoli client installations). In this case system administrators need to use sudo to obtain root privileges which limits the set of person eligible to the wheel group. Using sudo also allows you to monitor which users gained root access, as well as the time of their action. Su also has some logging capabilities and you can view su log /var/logs/sulog on Linux and /var/adm/sulog on Solaris. Another alternative is to enable system auditing, which will report detailed activity for each account.
To disable remote login access for your root user, edit the /etc/security/user file. Specify false as the rlogin value on the entry for root.
Before you disable the remote root login, examine and plan for situations that would prevent a system administrator from logging in under a non-root user ID. For example, if a user's home file system is full, the user would not be able to log in. If the remote root login were disabled and the user who could use the su - command to change to root had a full home file system, root could never take control of the system. This issue can be bypassed by system administrators creating home file systems for themselves that are larger than the average user's file system.
For more information about controlling root login, see System Configuration for a CAPP/EAL4+ System.
Root account should be protected from remote exploits as much as possible (no direct remote login other then ssh with certificate, etc).
Most versions of Unix allow you to configure certain terminals so that users can't log in as the superuser from the login : prompt. Anyone who wishes to have superuser privileges must first log in as himself and then use su to root. This feature makes tracking who is using the root account easier Network virtual terminals should not be listed as secure to prevent users from logging into the root account remotely using telnet . The Secure Shell server ignores the terminal security attribute, but it has its own directive (PermitRootLogin in sshd_config ) that controls whether users may log in as root remotely.
On System V-derived systems, terminal security is specified in the file /etc/securetty . In general, most Unix systems today are configured so that the superuser can log in with the root account on the system console, but not on other terminals. Even if your system allows users to log directly into the root account, we recommend that you institute rules that require users to first log into their own accounts and then use the
Because every UNIX system has an account named root , this account is often a starting point for people who try to break into a system by guessing passwords. One way to decrease the chance of this is to restrict logins from all but physically guarded terminals. If a terminal is marked as restricted, the superuser cannot log into that terminal from the login: prompt. (However, a legitimate user who knows the superuser password can still use the su command on that terminal after first logging in.)
On a SVR4 machine, you can restrict the ability of users to log in to the root account from any terminal other than the console. You accomplish this by editing the file /etc/default/loginand inserting the line:
This line prevents anyone from logging in as root on any terminal other than the console. If the console is not safe, you may set this to the pathname of a nonexistent terminal.
Some older Berkeley-derived versions of UNIX allow you to declare terminal lines and network ports as either secure or not secure . You declare a terminal secure by appending the word "secure" to the terminal's definition in the file /etc/ttys
In this example taken from a /etc/ttys file, terminal tty01 is secure and terminal tty02 is not. This means that root can log into terminal tty01 but not tty02 .
Note that after changing the /etc/ttys file, you may need to send out a signal to initialize before the changes will take effect. On a BSD-derived system, run:
# kill -1 1
Other systems vary, so check your own system's documentation.
You should carefully consider which terminals are declared secure. Terminals in public areas should also not be declared secure. Being "not secure" does not prevent a person from executing commands as the superuser: it simply forces users to log in as themselves and then use the su command to become root . This method adds an extra layer of protection and accounting.
On the other hand, if your computer has a terminal in a special machine room, you may wish to make this terminal secure so you can quickly use it to log into the superuser account without having first to log into your own account.
NOTE: Many versions of UNIX require that you type the superuser password when booting in single-user mode if the console is not listed as "secure" in the /etc/ttys file. Obviously, if you do not mark your console "secure," you enhance your system's security.
Consider the case where we approach a terminal in multi-terminal environment (like used to be common at universities) and wish to login to the system. What if someone has left a spoof login running in his terminal session. If the spoof is carefully programmed you will not be able to tell the difference until the damage is done. Such problem with the programs that mimic the login program behavior are common to all operating systems. In Windows environment where login are typically performed in GUI environment vendors produce complex animated pictures that make it more difficult to write a spoof.
In any case if you are not using one-time passwords or tokens, this way you can give an intruder access to your account.
AIX can be configured to recognize a special signal from real terminals (including workstation consoles) for this purpose. When the signal (usually a BREAK, or some sequence of control characters) is received by the low-level terminal driver, the driver sends an unstoppable signal to all processes still connected to the terminal, that terminates them. Thereafter, a new session is started and the user can be assured that the next prompt for a login is from the real system software.
For this mechanism to work, you should access real terminal: networked connection can still be intercepted and spoofed.
Here is a long quote from Red Hat document Administrative Controlswhich explains issues more or less well:
Allowing Root Access
If the users within an organization are a trusted, computer-savvy group, then allowing them root access may not be an issue. Allowing root access by users means that minor activities, like adding devices or configuring network interfaces, can be handled by the individual users, leaving system administrators free to deal with network security and other important issues.
On the other hand, giving root access to individual users can lead to the following issues:
4.4.2. Disallowing Root Access
- Machine Misconfiguration— Users with root access can misconfigure their machines and require assistance or worse, open up security holes without knowing it.
- Running Insecure Services— Users with root access may run insecure servers on their machine, such as FTP or Telnet, potentially putting usernames and passwords at risk as they pass over the network in the clear.
- Running Email Attachments As Root— Although rare, email viruses that affect Linux do exist. The only time they are a threat, however, is when they are run by the root user.
If an administrator is uncomfortable allowing users to log in as root for these or other reasons, the root password should be kept secret and access to runlevel one or single user mode should be disallowed through boot loader password protection (refer to Section 4.2.2 Boot Loader Passwordsfor more on this topic.)
Table 4-1shows ways an administrator can further ensure that root logins are disallowed:
Method Description Effects Does Not Affect Changing the root shell. Edit the /etc/passwd file and change the shell from /bin/bash to /sbin/nologin .
Prevents access to the root shell and logs the attempt. The following programs are prevented from accessing the root account: login gdm kdm xdm su ssh scp sftp
Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs. The following programs are notprevented from accessing the root account: sudo FTP clients Email clients
Disabling root access via any console device (tty). An empty /etc/securetty file prevents root login on any devices attached to the computer.
Prevents access to the root account via the console or the network. The following programs are prevented from accessing the root account: login gdm kdm xdm Other network services that open a tty
Programs that do not log in as root, but perform administrative tasks through through setuid or other mechanisms. The following programs are notprevented from accessing the root account: su sudo ssh scp sftp
Disabling root SSH logins. Edit the /etc/ssh/sshd_config file and set the PermitRootLogin parameter to no .
Prevents root access via the OpenSSH suite of tools. The following programs are prevented from accessing the root account: ssh scp sftp
This only prevents root access to the OpenSSH suite of tools.
Use PAM to limit root access to services. Edit the file for the target service in the /etc/pam.d/ directory. Make sure the pam_listfile.so is required for authentication.[a]
Prevents root access to network services that are PAM aware. The following services are prevented from accessing the root account: FTP clients Email clients login gdm kdm xdm ssh scp sftp Any PAM aware services
Programs and services that are not PAM aware.
a. Refer to Section 18.104.22.168 Disabling Root Using PAMfor details.
Table 4-1. Methods of Disabling the Root Account22.214.171.124. Disabling the Root Shell
To prevent users from logging in directly as root, the system administrator can set the root account's shell to /sbin/nologin in the /etc/passwd file. This prevents access to the root account through commands that require a shell, such as the su and the ssh commands.
Important Programs that do not require access to the shell, such as email clients or the sudo command, can still access the root account.
126.96.36.199. Disabling Root Logins
To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface. This is dangerous as a user can login into his machine as root via Telnet, which sends his password in plain text over the network. By default, Red Hat Enterprise Linux's /etc/securetty file only allows the root user to login at the console physically attached to the machine. To prevent root from logging in, remove the contents of this file by typing the following command:
echo > /etc/securetty
Warning A blank /etc/securetty file does notprevent the root user from logging in remotely using the OpenSSH suite of tools because the console is not opened until after authentication. 188.8.131.52. Disabling Root SSH Logins
To prevent root logins via the SSH protocol, edit the SSH daemon's configuration file (/etc/ssh/sshd_config ). Change the line that reads:
# PermitRootLogin yes
to read as follows:
184.108.40.206. Disabling Root Using PAM
PAM, through the /lib/security/pam_listfile.so module, allows great flexibility in denying specific accounts. This allows the administrator to point the module at a list of users who are not allowed to log in. Below is an example of how the module is used for the vsftpd FTP server in the /etc/pam.d/vsftpd PAM configuration file (the \character at the end of the first line in the following example is notnecessary if the directive is on one line):
auth required /lib/security/pam_listfile.so item=user \ sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
This tells PAM to consult the file /etc/vsftpd.ftpusers and deny access to the service for any user listed. The administrator is free to change the name of this file, and can keep separate lists for each service or use one central list to deny access to multiple services.
If the administrator wants to deny access to multiple services, a similar line can be added to the PAM configuration services, such as /etc/pam.d/pop and /etc/pam.d/imap for mail clients or /etc/pam.d/ssh for SSH clients.
For more information about PAM, refer to the chapter titled Pluggable Authentication Modules (PAM)in the Red Hat Enterprise Linux Reference Guide.
4.4.3. Limiting Root Access
Rather than completely deny access to the root user, the administrator may want to allow access only via setuid programs, such as su or sudo .220.127.116.11. The su Command
Upon typing the su command, the user is prompted for the root password and, after authentication, is given a root shell prompt.
Once logged in via the su command, the user isthe root user and has absolute administrative access to the system. In addition, once a user has become root, it is possible for them to use the su command to change to any other user on the system without being prompted for a password.
Because this program is so powerful, administrators within an organization may wish to limit who has access to the command.
One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root:
usermod -G wheel <username>
In the previous command, replace <username>with the username you want to add to the wheel group.
To use the User Manager for this purpose, go to the Main Menu Button (on the Panel) => System Settings => Users & Groups or type the command system-config-users at a shell prompt. Select the Users tab, select the user from the user list, and click Properties from the button menu (or choose File => Properties from the pull-down menu).
Then select the Groups tab and click on the wheel group, as shown in Figure 4-2.
Figure 4-2. Groups Pane
Next, open the PAM configuration file for su (/etc/pam.d/su ) in a text editor and remove the comment
[#]from the following line:
auth required /lib/security/$ISA/pam_wheel.so use_uid
Doing this permits only members of the administrative group wheel to use the program.Note: The root user is part of the wheelgroup by default.
Keeping the superuser account secure should be a top priority for any system.
The most sought-after account on your machine is the superuser account. This account has authority over the entire machine, which may also include authority over other machines on the network. Remember that you should only use the root account for very short specific tasks and should mostly run as a normal user. Running as root all the time is a very very very bad idea.
Several tricks to avoid messing up your own box as root:
- When doing some complex command, try running it first in a non destructive way...especially commands that use globbing: e.g., you are going to do a rm foo*.bak, instead, first do: ls foo*.bak and make sure you are going to delete the files you think you are. Using echo in place of destructive commands also works.
- Provide your users with a default alias to the /bin/rm command to ask for confirmation for deletion of files.
- Only become root to do single specific tasks. If you find yourself trying to figure out how to do something, go back to a normal user shell until you are sure what needs to be done by root.
- The command path for the root user is very important. The command path, or the PATH environment variable, defines the location the shell searches for programs. Try and limit the command path for the root user as much as possible, and never use '.', meaning 'the current directory', in your PATH statement. Additionally, never have writable directories in your search path, as this can allow attackers to modify or place new binaries in your search path, allowing them to run as root the next time you run that command.
- Never use the rlogin/rsh/rexec (called the "r-utilities") suite of tools as root. They are subject to many sorts of attacks, and are downright dangerous run as root. Never create a .rhosts file for root.
- The /etc/securetty file contains a list of terminals that root can login from. By default (on Red Hat Linux) this is set to only the local virtual consoles (vtys). Be very careful of adding anything else to this file. You should be able to login remotely as your regular user account and then use su if you need to (hopefully over ssh or other encrypted channel), so there is no need to be able to login directly as root.
- Always be slow and deliberate running as root. Your actions could affect a lot of things. Think before you type!
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : C++ Humor : ARE YOU A BBS ADDICT? : Object oriented programmers of all nations : C Humor : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor: Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : The Most Comprehensive Collection of Editor-related Humor : Microsoft plans to buy Catholic Church : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor : Best Russian Programmer Humor : Russian Musical Humor : The Perl Purity Test : Politically Incorrect Humor : GPL-related Humor : OFM Humor : IDS Humor : Real Programmers Humor : Scripting Humor : Web Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor :
The Last but not Least
|You can use PayPal to make a contribution, supporting hosting of this site with different providers to distribute and speed up access. Currently there are two functional mirrors: softpanorama.info (the fastest) and softpanorama.net.|
The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Created: May 16, 1997; Last modified: December 16, 2011