Unix security tutorial exercises

Linux security tutorial exercises


These exercises assume the student to have access to the system administrator (root) account on a Linux virtual machine, or other Linux installation. Before starting on this exercise, you should be familiar with simple Unix commands, editing files on Unix, you should be familiar with Unix pipes, filters and redirection, and you should have some knowledge of Unix shell scripts.

Learning objectives

When you have completed these exercises you will have learned how to create users and groups, how to apply permissions to files and directories, and the effects that some of these permissions have on attempts by various users to read write and execute files, and search directories. You will also have observed some of the effects of setuid program permissions.

Creating users and groups

As root, use adduser(1) and addgroup(1) to add 3 users to your system, e.g. pete, ali and mary. You might want to have 2 users of your gender and one of the other because one of the exercises will involve excluding boys or girls from reading or writing files accessible to users within a girls or boys group. You will probably want to make all the passwords the same if they are not real users, as this makes it easier to switch between these users.

Switching user shells

You can of course switch userids by logging out and in again. But normally you won't login a full session as root. Also as the exercises below require frequent switching between users, this might more conveniently be achieved by having different terminals open on the same desktop executing shells as different users. Experiment using su(1) as a shell command to switch userids for the terminal only, and passwd(1) by a user to change their password, or by root in case a user has forgotten their password. As root check that the password hash has changed in /etc/shadow. If su does not allow you to run a root shell, but sudo allows you to run only a single root command at a time, use the

sudo bash
command in order to get an interactive root shell, once you are confident to run more than one root command at a time. . Create the users so that ali and pete are in the boys group and mary is in the girls group.

If you make any errors, you can always use deluser(1) to remove a user created incorrectly, e.g. if you wanted to add a user to a group before you had created the group. When you have done this, as root look at the contents of the files: /etc/shadow, /etc/group and /etc/passwd. Try and understand what these files are for by briefly reading shadow(5), group(5) and passwd(5) man pages.

Using chmod commands and checking results

As pete, ensure that permissions and ownerships on your home directory are as follows:

pete@vm$ ls -ld ~
drwxr-xr-x 70 pete boys 4096 2006-10-20 14:37 /home/pete

The file size and date and time values don't matter. (Using the d flag with ls lists the directory permissions, and doesn't list the files within the directory.)

Create a subdirectory of your home directory, e.g. d1 . Use chmod to change the permissions on d1 so that only girls can read files within it and boys are excluded (whichever way round you prefer to include and exclude !). Test using userids mary and ali to ensure mary can read but not write files inside d1, and ali has no access. If you have time, try to use both the octal and mnemonic chmod modes (mnemonic mode involves using combinations of letters ugo for user, group and others, +=- for add, assign and remove permissions, and rwx for permissions to be granted, assigned or removed.

Experiment with the chmod command to allow boys permission to read and write some files but not others, and as ali check what can be done, trying to edit or remove or read relevant files. Carefully grant ali write access to the d1 directory, and as ali see what additional actions can now be performed on files in there, including creating files there, deleting them and renaming them.

Create a subdirectory within pete's home directory and rearrange permissions, including on pete's home directory so that this subdirectory is the only place others are able to read files there and that this is all they can do with these files.

Using chown(1) and chgrp(1)

Read the above man pages. As root, create a directory called /home/photos which mary owns and can read and write to and all boys can read from but no-one else on the system can write or reads files placed there.

Creating a setuid script

This exercise is more advanced. You will probably want to do this after the lecture covering setuid permissions.

As root create a file belonging to root which contains a couple of words. Remove all permissions from other users and group. Write a shell script which displays this file.

Copy and modify the 'C' source for wrapper.c, so that this executes your script. Compile and test the script and 'C' program to make sure only root can use it. Next add setuid permission to the compiled program and retest your version of the wrapper program using root and other userids. You have completed this exercise if the setuid applied to the wrapper executable enables a privileged file to be viewed by an ordinary user, and if this ordinary user has no other way of seeing this file.