Another Home Page Blog - findhttps://blog.anotherhomepage.org/2010-12-30T11:11:00+01:00Vérifications de permissions2010-12-30T11:11:00+01:002010-12-30T11:11:00+01:00Nils Ratuszniktag:blog.anotherhomepage.org,2010-12-30:/post/2010/12/30/Vérifications-de-permissions/<p><em>Introduction</em> : les astuces de ce billet sont extraites du document “Guide to the Secure Configuration of Red Hat Enterprise Linux 5” édité par la <a href="https://secure.wikimedia.org/wikipedia/fr/wiki/NSA">NSA</a>. Vous pouvez télécharger le document au format PDF dans son intégralité <a href="http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#linux2">sur leur site</a>. Cette introduction me permet d'être en conformité avec leur <a href="http://www.nsa.gov/terms_of_use.shtml#copyright">notice de …</a></p><p><em>Introduction</em> : les astuces de ce billet sont extraites du document “Guide to the Secure Configuration of Red Hat Enterprise Linux 5” édité par la <a href="https://secure.wikimedia.org/wikipedia/fr/wiki/NSA">NSA</a>. Vous pouvez télécharger le document au format PDF dans son intégralité <a href="http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#linux2">sur leur site</a>. Cette introduction me permet d'être en conformité avec leur <a href="http://www.nsa.gov/terms_of_use.shtml#copyright">notice de Copyright</a>.</p>
<p>Je vous propose de vérifier les permissions de certains de vos fichiers sur votre serveur ou poste fonctionnant sur un système Linux. Le but est de limiter les possibilités de tentatives d'intrusion en recherchant les moyens d'entrée possibles. Commençons par vérifier notre environnement :</p>
<div class="highlight"><pre><span></span><code>root@orgrimmar:~#<span class="w"> </span>whoami
root
root@orgrimmar:~#<span class="w"> </span>cat<span class="w"> </span>/etc/redhat-release<span class="w"> </span>
CentOS<span class="w"> </span>release<span class="w"> </span><span class="m">5</span>.5<span class="w"> </span><span class="o">(</span>Final<span class="o">)</span>
</code></pre></div>
<p>Recherchons maintenant tous les répertoires dont les droits permettent à n'importe quel utilisateur d'écrire dedans, et dont le <em>sticky bit</em> n'est pas positionné :</p>
<div class="highlight"><pre><span></span><code>root@orgrimmar:~#<span class="w"> </span>find<span class="w"> </span>/<span class="w"> </span>-type<span class="w"> </span>d<span class="w"> </span><span class="se">\\</span><span class="o">(</span><span class="w"> </span>-perm<span class="w"> </span>-0002<span class="w"> </span>-a<span class="w"> </span>!<span class="w"> </span>-perm<span class="w"> </span>-1000<span class="w"> </span><span class="se">\\</span><span class="o">)</span><span class="w"> </span>-print
</code></pre></div>
<p>Si jamais votre machine possède de nombreuses partitions, et qu'elles sont du genre bien remplies, il est possible de limiter la recherche de <em>find</em> à une partition à la fois :</p>
<div class="highlight"><pre><span></span><code>root@orgrimmar:~#<span class="w"> </span>find<span class="w"> </span>/<span class="w"> </span>-xdev<span class="w"> </span>-type<span class="w"> </span>d<span class="w"> </span><span class="se">\\</span><span class="o">(</span><span class="w"> </span>-perm<span class="w"> </span>-0002<span class="w"> </span>-a<span class="w"> </span>!<span class="w"> </span>-perm<span class="w"> </span>-1000<span class="w"> </span><span class="se">\\</span><span class="o">)</span><span class="w"> </span>-print
root@orgrimmar:~#<span class="w"> </span>find<span class="w"> </span>/home<span class="w"> </span>-xdev<span class="w"> </span>-type<span class="w"> </span>d<span class="w"> </span><span class="se">\\</span><span class="o">(</span><span class="w"> </span>-perm<span class="w"> </span>-0002<span class="w"> </span>-a<span class="w"> </span>!<span class="w"> </span>-perm<span class="w"> </span>-1000<span class="w"> </span><span class="se">\\</span><span class="o">)</span><span class="w"> </span>-print
root@orgrimmar:~#<span class="w"> </span>find<span class="w"> </span>/var<span class="w"> </span>-xdev<span class="w"> </span>-type<span class="w"> </span>d<span class="w"> </span><span class="se">\\</span><span class="o">(</span><span class="w"> </span>-perm<span class="w"> </span>-0002<span class="w"> </span>-a<span class="w"> </span>!<span class="w"> </span>-perm<span class="w"> </span>-1000<span class="w"> </span><span class="se">\\</span><span class="o">)</span><span class="w"> </span>-print
</code></pre></div>
<p>Idéalement (et c'est le cas sur ma machine, ouf !), cette commande ne devrait occasionner aucun affichage. Maintenant, amusons-nous un peu :</p>
<div class="highlight"><pre><span></span><code>root@orgrimmar:/tmp#<span class="w"> </span>mkdir<span class="w"> </span>insecure
root@orgrimmar:/tmp#<span class="w"> </span>chmod<span class="w"> </span>-v<span class="w"> </span><span class="m">777</span><span class="w"> </span>insecure
Le<span class="w"> </span>mode<span class="w"> </span>d<span class="s1">'accès de `insecure'</span><span class="w"> </span>a<span class="w"> </span>été<span class="w"> </span>modifié<span class="w"> </span>à<span class="w"> </span><span class="m">0777</span><span class="w"> </span><span class="o">(</span>rwxrwxrwx<span class="o">)</span>.
root@orgrimmar:/tmp#<span class="w"> </span>find<span class="w"> </span>/tmp/<span class="w"> </span>-type<span class="w"> </span>d<span class="w"> </span><span class="se">\\</span><span class="o">(</span><span class="w"> </span>-perm<span class="w"> </span>-0002<span class="w"> </span>-a<span class="w"> </span>!<span class="w"> </span>-perm<span class="w"> </span>-1000<span class="w"> </span><span class="se">\\</span><span class="o">)</span><span class="w"> </span>-print
/tmp/insecure
</code></pre></div>
<p>Positionnons maintenant le sticky bit :</p>
<div class="highlight"><pre><span></span><code>root@orgrimmar:/tmp#<span class="w"> </span>ls<span class="w"> </span>-hl<span class="w"> </span>/tmp/<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>insecure
drwxrwxrwx<span class="w"> </span><span class="m">2</span><span class="w"> </span>root<span class="w"> </span>root<span class="w"> </span><span class="m">4</span>,0K<span class="w"> </span>déc<span class="w"> </span><span class="m">30</span><span class="w"> </span><span class="m">23</span>:54<span class="w"> </span>insecure/
root@orgrimmar:/tmp#<span class="w"> </span>chmod<span class="w"> </span>-v<span class="w"> </span>+t<span class="w"> </span>/tmp/insecure/
Le<span class="w"> </span>mode<span class="w"> </span>d<span class="s1">'accès de `/tmp/insecure/'</span><span class="w"> </span>a<span class="w"> </span>été<span class="w"> </span>modifié<span class="w"> </span>à<span class="w"> </span><span class="m">1777</span><span class="w"> </span><span class="o">(</span>rwxrwxrwt<span class="o">)</span>.
root@orgrimmar:/tmp#<span class="w"> </span>ls<span class="w"> </span>-hl<span class="w"> </span>/tmp/<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>insecure
drwxrwxrwt<span class="w"> </span><span class="m">2</span><span class="w"> </span>root<span class="w"> </span>root<span class="w"> </span><span class="m">4</span>,0K<span class="w"> </span>déc<span class="w"> </span><span class="m">30</span><span class="w"> </span><span class="m">23</span>:54<span class="w"> </span>insecure/
root@orgrimmar:/tmp#<span class="w"> </span>find<span class="w"> </span>/tmp/<span class="w"> </span>-type<span class="w"> </span>d<span class="w"> </span><span class="se">\\</span><span class="o">(</span><span class="w"> </span>-perm<span class="w"> </span>-0002<span class="w"> </span>-a<span class="w"> </span>!<span class="w"> </span>-perm<span class="w"> </span>-1000<span class="w"> </span><span class="se">\\</span><span class="o">)</span><span class="w"> </span>-print
root@orgrimmar:/tmp#<span class="w"> </span>
</code></pre></div>
<p>Qu'est-ce que le <em>sticky bit</em> ? Extrait de la page de manuel de <em>chmod</em> (man chmod) :</p>
<blockquote>
<p>t (sticky-bit) conserver le code du programme sur le périphérique de swap après exécution. Il s’agit du comportement original, mais de nos jours il sert uniquement pour les répertoires. Il indique que seuls le propriétaire du répertoire, et le propriétaire d’un fichier qui s’y trouve ont le droit de supprimer ce fichier. C’est typiquement utilisé pour les répertoires comme /tmp ayant une autorisation d’écriture générale.</p>
</blockquote>
<p>Vérifions cela :</p>
<div class="highlight"><pre><span></span><code>root@orgrimmar:/tmp#<span class="w"> </span><span class="nb">cd</span><span class="w"> </span>/
root@orgrimmar:/#<span class="w"> </span>ls<span class="w"> </span>-hl<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>tmp
drwxrwxrwt<span class="w"> </span><span class="m">5</span><span class="w"> </span>root<span class="w"> </span>root<span class="w"> </span><span class="m">4</span>,0K<span class="w"> </span>déc<span class="w"> </span><span class="m">30</span><span class="w"> </span><span class="m">23</span>:59<span class="w"> </span>tmp/
</code></pre></div>
<p>Le sticky bit est positionné. Je suis rassuré. Néanmoins, il ne fait pas tout. Regardons donc quels répertoires sont accessibles à tous les utilisateurs, sans chercher à savoir si le sticky bit est positionné :</p>
<div class="highlight"><pre><span></span><code>root@orgrimmar:/#<span class="w"> </span>find<span class="w"> </span>/<span class="w"> </span>-type<span class="w"> </span>d<span class="w"> </span><span class="se">\\</span><span class="o">(</span><span class="w"> </span>-perm<span class="w"> </span>-0002<span class="w"> </span><span class="se">\\</span><span class="o">)</span><span class="w"> </span>-print
/var/tmp
/var/lib/xenstored
/dev/shm
/tmp
/tmp/insecure
/tmp/.ICE-unix
</code></pre></div>
<p>Cela fait déjà un peu plus de monde... pas très rassurant mais à part notre répertoire <em>insecure</em>, pas de quoi s'affoler : <em>/var/tmp</em> et <em>/tmp</em> sont des répertoires destinés aux fichiers temporaires des programmes en fonctionnement, <em>/var/shm</em> désigne <a href="https://secure.wikimedia.org/wikipedia/fr/wiki/M%C3%A9moire_partag%C3%A9e">la mémoire partagée</a> et le xenstored sert <a href="http://books.google.com/books?id=XS-Jj7s2nhYC&pg=PA68&lpg=PA68&dq=/var/lib/xenstored&source=bl&ots=UUPHrW9az-&sig=NvdqPm8-x3cC6UOPlGEpRGOXKQY&hl=fr&ei=sw4dTcycMouo8QPnsrm9BQ&sa=X&oi=book_result&ct=result&resnum=4&ved=0CC8Q6AEwAw#v=onepage&q=%2Fvar%2Flib%2Fxenstored&f=false">au bon fonctionnement de l'hyperviseur Xen</a>.</p>
<p>Pour finir, nous pouvons nettoyer notre petite expérience :</p>
<div class="highlight"><pre><span></span><code>root@orgrimmar:/#<span class="w"> </span>rmdir<span class="w"> </span>-v<span class="w"> </span>/tmp/insecure/
rmdir:<span class="w"> </span>destruction<span class="w"> </span>du<span class="w"> </span>répertoire<span class="w"> </span>/tmp/insecure/
root@orgrimmar:/#<span class="w"> </span>ls<span class="w"> </span>-hal<span class="w"> </span>/tmp/<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>secu
</code></pre></div>
<h2>Commentaires</h2>
<h3>Le 06/01/2011 19:09 par <a href="http://www.sakana.fr/blog/">stephane</a></h3>
<p>Hello,</p>
<p>Juste un petit commentaire en passant, vu que ça fait longtemps :-)</p>
<p>Un flag de ls a connaître : -d, pour éviter le ls .... | grep .... , tu peux faire un ls -ld /tmp par exemple. Ça te sort le ls du répertoire et non de son contenu.</p>
<p>A+</p>
<p>Stéphane</p>