The ECN No Name Newsletter is no longer being published. This is an archived issue.
[previous article] [next article]There has been much attention on the subject of computer security since the Internet Worm worked its way through a network of more than 3000 computers, which included UNIX hosts at Purdue. This "worm" exploited bugs in the sendmail (which delivers the mail you send to other users), and fingered (which services your finger requests) programs. It also used a routine to guess passwords to gain additional access to hosts that it infested. System administrators and software vendors have corrected system software and made these programs more secure. There are avenues for restricting passwords (see "passwd(1) Program Changing Soon"), but this does not solve the problem.
Users need to be more aware of security and practice measures that improve system security (such as choosing good passwords and checking modes on files).
This concept, which has been explained by many a coach, can also be applied to computer security. If a user chooses a bad password, then his or her account becomes a doorway that a hacker may use to enter the system. Once there, he is able to obtain a wealth of information which can be used to gain further access to the system. The system as a whole can only be as secure as the weakest account.
Some users think that system security is of no concern to them. However, they are the only people who are able to choose passwords for their accounts and keep an eye on files that they own. System administrators cannot choose good passwords for everyone. They also cannot watch the permissions on all files on the system (there are literally millions of files on each machine). Unfortunately, insecure accounts are not found until it is too late, after they have been compromised.
This may be true in some cases, but not in all cases. This is why UNIX allows you to change permissions on files. You may want people to be able to read your plan or project via finger(1), but you most likely do not want people to see your homework or class project files. If you have a poor password that can be broken or have incorrect permissions set for files, you may be letting people see your homework files and getting credit for your work!
---------
Passwords
---------
You need to change your password often (every 30 days is ideal), and pick an intelligent one. Passwords that are easily guessed and are not recommended are:
The list could go on forever. Good passwords, on the other hand, have the following features:
You should "never" write your password down anywhere! When you change your password, commit it to memory. Also, you should not give your password out to anyone, regardless of who they are (boy/girlfriend, best friend, wife, husband, etc...).
If you work in a terminal room where there are lots of people, be sure no one is looking over your shoulder when you type your password. Some people can figure out what you are typing just by watching your fingers, and later use the password they saw you type to log into your account. If you need to, ask anyone who is watching to look away.
----------------
File Permissions
----------------
You also need to check the permissions on all of your files once in a while. You can see the permissions that are set on files by typing the command "ls -lagsF" . This will show you something like:
3 drwxr-xr-x@32 blm@other@ 2560 Oct 25 23:24 ./ 1 drwxr-xr-x@22 root@root@ 512 Sep 17 14:05 ../ 2 -rw-r--r--@ 1 blm@other@ 1885 Oct 14 22:16 .cshrc 1 -rw-r--r--@ 1 blm@other@ 594 Sep 30 14:38 .login 1 -rw-------@ 1 blm@other@ 62 Mar 29 19:90 .logout 1 drwx------@ 4 blm@other@ 512 Sep 22 16:09 .macintosh/ 1 -rw-------@ 1 blm@other@ 51 Mar 27 19:90 .mailrc 1 drwx------@ 2 blm@other@ 1024 Oct 25 23:06 .nn/ 24 -rwx------@ 1 blm@other@24576 Oct 25 23:16 a.out* 1 -rw-------@ 1 blm@other@ 108 Oct 6 14:42 afpvols 1 -rw-------@ 1 blm@other@ 105 Sep 5 23:16 prog1.c 1 -rw-------@ 1 blm@other@ 512 Sep 25 14:53 prog2.c 1 -rw-------@ 1 blm@other@ 1024 Oct 10 13:30 prog3.c 1 -rw-------@ 1 blm@other@ 2048 Oct 30 19:47 prog4.c 1 -rw-------@ 1 blm@other@ 408 Nov 20 9:40 test 1 -rw-------@ 1 blm@other@ 2048 Aug 30 19:17 zero
The part of the output you need to be concerned with is the second field from the left, that looks like "-rw-r--r--". These represent the permissions on each individual file. The information they represent are:
The positions within each owner, group, and world permissions: See the chmod(1) man page for more details.
First of all, you need to be concerned with the modes on your home directory (the first file listed when "ls -lagsF" is called in your home directory, shown as "./"). Permissions for your home directory (and all other directories for that matter) should be one of:
drwx------ only you may go into your directory,
see what's there write files (mode 700)
drwxr-x--- only members of the same group
may go into your directory
and see what's there (mode 750)
drwxr-xr-x anyone may go into your directory
and see what's there.
Only you may write to them (mode 755)
You DO NOT want any of the following:
drwxrwx--- group members may write (or erase) files
in your directory (mode 770)
drwxrwxrwx anyone may write (or erase) files
in your directory (mode 777)
The same permissions are true for individual files. Permissions that are normal for files are:
-rw------- only you may go read from and write
to the file (mode 600)
-rw-r----- you may read and write the file
group members may read the file (mode 640)
rw-r--r-- everyone may read the file
but only you may write it (mode 644)
You DO NOT want the following:
-rw-rw---- You as well as group members
may read and write the file (mode 660)
-rw-rw-rw- Anyone may read or write the file (mode 666)
To change the modes on directories and files, use the chmod(1) command. This is done by:
% chmod
-or-
% chmod
where
UNIX allows you to specify other accounts that may log into your
account without a password. This mechanism is controlled with
the .rhosts file in your home directory. As a general rule this
mechanism should not be used. However, it has a few legitimate
used which include:
Other entries in the .rhosts file should be avoided, including
account sharing. ECN policy states:
Only persons properly authorized may access
the ECN facilities. Proper authorization is
provided by ECN staff or their designate in
the form of an account issued in the name of
the authorized person. Users may not permit
other persons to access ECN via their
account. Users who violate ECN policies may
lose their access authorization for a period
of time commensurate with the infraction.
Repeat offenders may be denied access
indefinitely.
UNIX system security is of utmost concern to system
administrators to ensure the smooth operation of machines at all
times. When users leave their accounts vulnerable to break-ins,
this smooth operation is put in jeopardy. System administrators
cannot look out for every user on the system, which is why users
need to be properly and adequately educated about keeping their
accounts secure.
If you have any questions about UNIX system security or measures
for keeping your account safe, see your site specialist.
----------------
The .rhosts File
----------------
---------------
Summary
---------------
webmaster@ecn.purdue.edu
Last modified: Thursday, 23-Oct-97 20:35:10 EST
HTML