|
DataMuseum.dkPresents historical artifacts from the history of: DKUUG/EUUG Conference tapes |
This is an automatic "excavation" of a thematic subset of
See our Wiki for more about DKUUG/EUUG Conference tapes Excavated with: AutoArchaeologist - Free & Open Source Software. |
top - metrics - downloadIndex: A T
Length: 12030 (0x2efe)
Types: TextFile
Names: »Article«
└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
└─⟦3da311d67⟧ »./cops/1.04/cops_104.tar.Z«
└─⟦6a2577110⟧
└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
└─⟦6a2577110⟧ »./cops/1.04/cops_104.tar«
└─⟦this⟧ »cops_104/checkacct/Article«
[The entire text of this article appeared in the Engineering Computer
Network's (ECN) "No Name Newsletter" September 1991]
Guide to Account Security
Philip R. Moyer
------ - -----
1 WHAT IS AN ACCOUNT?
- ---- -- -- -------
Accounts allow people to use the computer. When you get an
account, you are given a password and a home directory. The
home directory is a place on a disk where you can put your
files. Each account has a login associated with it. There
is one login per account. For example, my login is "prm".
Each account has unique information associated with it. One
of these data is the user id (or uid). It is a number that
identifies the login. All files created by you will have
your uid attached to them.
The operating system keeps track of who is logged on at any
given time. It also keeps track of which commands you
execute and how much time it takes to execute them. It also
keeps track of where you logged in. In some cases, the
operating system can keep track of who creates or modifies
files.
It is very important that you keep your account secure; any
user who has access to your login and password can
masquerade as you. If that person does something illegal,
you could get blamed. He or she could also remove or modify
your files.
2 LOGGING IN AND LOGGING OUT
When you want to work on the computer, you must first
identify yourself to the computer and prove you are who you
say you are. This process of identification and identity
verification is called "logging in". First, the computer
identifies itself and prompts you for a login. Here is an
example:
dynamo.ecn.purdue.edu login:
You would then type in your login and the computer would
prompt for a password:
dynamo.ecn.purdue.edu login: prm
Password:
You then type in your password. The computer won't print
the password as it is typed so other users can't see it on
the screen. After the computer checks to see that the
password matches the one associated with the given login, it
starts a shell and grants you access to the machine.
You log in differently depending on what shell you are
using. If you are using Bourne shell (your prompt is "$"),
you log out by typing the control key and the "d" key at the
same time. If you are using csh, type the word "exit" or
"logout" and you will be logged out. The computer records
the times you logged in and logged out.
3 PASSWORDS
Choosing a good password is very important, because
unauthorized users are often able to steal accounts or gain
access to a system by guessing passwords. People who try to
gain unauthorized access to a computer or a specific account
are called "crackers". If your account is compromised,
because of either a bad password or other means, the cracker
can not only remove or modify any of your files, but he/she
can also attack other users on the system, or other systems
on the network.
Good passwords are difficult to create; care and thought
should go into each one. Here are some guidelines for
choosing passwords.
Bad passwords are:
- your login in any form
(as-is, reversed, capitalized, doubled, etc)
- any first or last name, yours or someone else's
(regardless of ordering or capitalization)
- license plate numbers
- phone numbers
- social security numbers
- brands or styles of automobiles
- street, city, state or country names
- all digits or all of the same letter
- any word found in a dictionary, English or other
- passwords shorter than six characters
- famous product names (Budweiser, Ruffles, etc)
- cartoon characters
Good passwords are usually pieces of several words, with odd
capitalizations. A good password may include punctuation or
other non-alphabetic characters. Using digits in unexpected
locations can make a password better.
Use the passwd command to change your password. Just type
and you will be prompted for your old password (to verify
that you are authorized to change it) and a new password.
Then you will be prompted for the new password again, to
make sure you didn't mis-type the new password.
4 KEEPING YOUR PASSWORD SECURE
You should change your password as soon as you get an
account, and then you should change it once every one or two
months, just to be sure it isn't being used by anyone else.
Don't tell anyone what your password is, under any
circumstances. Let me emphasize that. Don't tell ANYONE.
Under ANY circumstances. There are crackers who have been
known to send mail that appears to be from the system
administrator, asking you to change your password to
something they give you. DON'T EVER DO THIS! There is *no*
legitimate reason for ANYONE to ask for your password. If
you ever get mail like this, go to your site specialist and
report the incident.
Don't write your password down. It's too easy for someone
to discover it. You should choose a password that you can
remember. If, however, you absolutely must write down your
password, don't write it anywhere obvious, like on a post-it
note stuck to your terminal, on the front of your notebook,
or on a piece of paper next to the terminal. Write it on
something in your wallet and then be tricky by changing the
written password in some way (like leaving out two key
letters); so you can still remember it, but it is harder for
a someone who sees the paper to get into the account. Don't
ever write your login and password on the same piece of
paper.
You should also be very careful that someone isn't watching
you when you log in. Many people can tell what you are
typing just by watching your fingers on the keyboard.
5 DIRECTORIES AND FILES
All information on the computer is stored in files. A file
is just what it sounds like, a container for data. A
directory is a special file that contains other files or
directories. You can list which files are in a directory
using the ls command. For example, here's what ls says about
-- --
the directory (/home/harbor3/prm/pub/articles) where I'm
located.
RFC1147.ps acct.sec imp.tech new.security
orange-book privacy pu.environ ritalin
s.serv s.serv.tr style wwarticle
zap
You can use ls to find out additional information about
--
files by using the "-l" option. For example, if I wanted
more information about the file acct.sec in the list above,
I would type Here is what happens when I do that:
-rw-r--r-- 1 prm 8058 Aug 19 11:22 acct.sec
- The first field shown as, "-rw-r--r--", is the file
type and permission bits. More information about
permission codes is given below.
- The second field, "1", is the number of links to the
file. In this case, the file has only one name. Other
links can be made with the "ln" command.
- The third field, "prm", is the file's owner. The login
prm owns this file.
- The fourth field, "8058", is the size of the file in
number of characters.
- The fifth field, "Aug 19 11:22", is the time the file
was last modified.
- The last field is the name of the file.
Permission Codes
The first character in the type/permission field is the file
type. If the file is a directory, the first character will
be a "d". If it is a regular file, the first character will
be "-".
The next nine characters are access permission flags. The
leftmost three are owner permissions, the middle three are
group permissions, and the rightmost three are world
permissions. The letter "r" grants read permission, the
letter "w" grants write permission, and the letter "x"
grants execute permission.
In the above example, the permissions for the owner, "prm",
are "rw-". That means the owner "prm" can read and write
the file, but not execute it. The permissions for the
file's group are "r--", as they are for the world.
If a file has modes "rw-rw----" and is owned by group other,
everyone on the computer can write to the file! You can see
group ownership on a file by using the "g" option with the "l"
option to ls.
--
For example, when I type "ls" I get the following:
-rw-r--r-- 1 prm other 8058 Aug 19 11:22 acct.sec
The "other" is the group owner of the file.
You can use the chmod command to change file permissions.
-----
The character "+" means add permission and the character "-"
means deny permission. For example, if I wanted to let
people in group "other" write on my file, I would type
Whereas if I want to deny other people permission to look at
this file, I could type and the read permission on the file
would be revoked.
There is a shorthand way of representing file modes. Each
permission category (owner, group, and world) is given a
number which represents the bits set in the permission
field. Here is a table that explains this numbering system:
_________________________________
| Owner Group World|
_________________________________
| Read 400 40 4 |
| Write 200 20 2 |
| Execute 100 10 1 |
None 0 0 0
|________________________________+
To use this table, merely add up the permissions you want.
For example, a file that is mode 644 has owner read and
write permission (400 + 200), group read permission (40),
and world read permission (4).
You can use this shorthand with chmod as well. Just use the
-----
number instead of the symbolic representation. If you want
to change the mode of your .login from 755 to 644, you can
-----
type:
/bin/chmod 0644 .login
Your home directory should be mode 700, 711, or 755. You
should not allow others write permission to your directory!
That would give them permission to create or destroy files
at will.
Important files should be mode 644 or 600. Only rarely is
it important to make a file mode 666, which is world-
writable.
6 IMPORTANT FILES
Most accounts have special files called "dot" files. These
files control the startup, environment, and execution of the
shell and some programs. It is very, very important that
these files not be writable by anyone but you! If someone
else can write those files, they can take control of your
account in a matter of minutes! Then they'll be you, which
means they can do anything you can do: read, write or modify
files; send mail; talk to other users; print documents.
Make sure that permissions on these files are set to 644,
or, better yet, 600:
.login .logout .cshrc
.bashrc .kshrc .xinitrc
.exrc .dbxinit .profile
.sunview .mwmrc .twmrc
7 PHYSICAL SECURITY
Try to be aware of physical security. When you are logged
in on a terminal or workstation, don't leave it without
locking the screen. Often, this means that you shouldn't
even go to the next room to get output without locking your
screen. It only takes two commands ("cp and chmod") for
someone to steal access to your account if they can find it
logged in and unattended, so be careful!
8 ACCOUNT SHARING
You may, at one time or another, feel you need to give
someone else access to your account. There are several ways
you could go about doing this, the most common of which are
.rhosts files, giving the person your password, and making
------
your directory mode 777. Please don't give anyone else
access to your account. It's too easy for them to do
something malicious. Don't let a friend set up a dot file
for you. Don't use programs in other people's directories.
Don't trust people to leave your account alone. If you let
someone edit your .login because you don't really understand
-----
how a .login works, you've essentially given them your
-----
account, even if you change the password.