Root User security management policies and practices in Linux, Part 1: permission security and password management

Part 1:Http://www.bkjia.com/Article/201208/151763.html
RootPermission Security
ConfigurationSudo
Sudo is secure and reliable only after careful configuration. The sudo configuration file is/etc/sudoers. You can edit this file to grant specific users the ability to run certain commands (not any commands) with root privileges. You can also restrict these users to run commands only with certain options or parameters. You can also set sudo so that a specific user cannot use a specific option or parameter when running commands with the root privilege.
The best way to edit sudoers is to use the mongodo: su-c mongodo command or sudo mongodo command in the command. The mongodo utility locks, edits, and checks the syntax of the sudoers file. By default, mongodo calls the vi editor. You can set SUDO_EDITOR, VISUAL, or EDITOR environment variables to enable javasdo to call different editors. Run the following command to make movie do call the nano Editor (nano package ):

$ Export EDITOR = $ (which nano)

 
Replace nano with the selected text editor. Place this command in the startup file to automatically set this variable each time you log on. It is worth noting that you always need to use mongodo to edit the sudoers file.
If a syntax error occurs in the sudoers file, sudo cannot be used to obtain the root privilege. If you directly edit this file (without the mongodo command), you will not be able to see the syntax error until you find that sudo cannot be used. The visudo utility checks the syntax of sudoers before exiting. If it finds an error, it selects the option to fix the error, does not save the changes to the file and exits, or saves the changes to the file and exits. The last option is usually poor, so mongodo (DANGER !) Mark it.
In the sudoers file, the Comment starts with # and can appear anywhere in a row. In addition to annotations, this file contains three types of entries: User Privilege specification, alias, and default value. Each of these entries occupies one row. You can use the backslash (\) to continue a row.
The row format of the specified user privilege is as follows (the blank space on both sides of the equal sign is optional ):

User_list host_list = [(runas_list)] command_list

 
Here, user_list specifies the users applicable to this specification line. The list can contain the user name, group (% prefix), and user alias (next section ). You can use the built-in command alias ALL to make this row applicable to ALL users. host_list specifies the host applicable to this standard line. The list can contain one or more host names, IP addresses, or host aliases. You can use the built-in command alias ALL to apply this row to ALL systems. See the sudoers file. runas_list specifies the user who runs the command in command_list. When sudo is called with the-u option. This list can contain usernames, groups (% prefix), and runas aliases (discussed in the next section ). It must be enclosed in brackets. There is no runas_list, and sudo is assumed to be root. You can use the built-in command alias ALL to apply this row to ALL users and groups. command_list specifies the utilities applicable to this standard line. The list separated by commas can contain the utility name, the directory name of the utility, and the command alias (discussed in the next section ). All names must be absolute pathnames; directory names must end with a slash. If an exclamation point (!) is added before the command (!), This command is excluded. In addition, you can use the built-in command alias ALL to apply this row to ALL commands. Sudoedit, a string contained in command_list, grants users in user_list the permission to edit files with the root privilege. If a command in command_list is enclosed in double quotation marks (""), you cannot specify any command line parameters, including the option of this command. You can also specify parameters, including wildcards, to restrict the parameters that can be used by users for this command.
The following User Privilege specifications allow Sam to use sudo to mount and detach a file system (run mount and umount with root privileges) on ALL systems (specified by ALL ), refer to the sudoers files that contain this specification:

Sam ALL = (root)/bin/mount,/bin/umount

 
(Root) runas_list is optional. If it is omitted, sudo allows the user to run commands in command_list with the root privilege. In the following example, Sam uses these privileges. Instead of running umount directly, he must call sudo to run it.

$ Whoami Sam $ Umount/music Umount: only root can unmount/dev/sdb7 from/music $ Sudo umount/music [Sudo] password for sam: $

 
If the following line is used to replace the line in the above sudoers, Sam will not be able to uninstall/p03, although he can still Uninstall any other file system and install any file system:

Sam ALL = (root)/bin/mount,/bin/umount ,! /Bin/umount/p03

 
The result of the previous line in sudoers is then displayed. The sudo program does not prompt you to enter the password, because Sam lost his password in the last five minutes.

$ Sudo umount/p03 Sorry, user sam is not allowed to execute '/bin/umount/p03' as root on localhost. | ------- Begin | | -------- XML error: The previous line is longer than the max of 90 characters --------- |

 
The following lines restrict Sam from mounting and detaching file systems mounted on/p01,/p02,/p03, And/p04:

Sam ALL =/bin/mount/p0 [1-4],/bin/umount/p0 [1-4]

 
The following command shows the result:

$ Sudo umount/music Sorry, user sam is not allowed to execute '/bin/umount/music' $ Sudo umount/p03 $

 
The following lines in sudoers allow users of the wheel group to use sudo for root privileges:

# Allows people in group wheel to run all commands % Wheel ALL = (ALL) ALL   # Members of the admin group may gain root privileges % Admin ALL = (ALL) ALL

 
This user privilege specification applies to ALL systems (represented by ALL on the left of the equal sign ). As stated in the comment, this row allows the members of the wheel group (a percent sign is added before the group name to specify: % wheel) as any user (ALL in parentheses) run any command (ALL on the rightmost side ). When the sudo utility is called without the-u option, sudo uses sudo most of the time to run the specified command with the root privilege.
If you modify the rows in the previous sudoers as follows, it allows the members of the wheel group to run any command as any user, with one exception: they are not allowed to run passwd to change the root password (although they can get the root privilege and be able to manually edit it ).

% Wheel ALL = (ALL) ALL ,! /Usr/bin/passwd root

 
Aliases allow renaming and/or grouping users, hosts, or commands. The following is the alias format. Alias_type is the alias type (including User_Alias, Runas_Alias, Host_Alias, Cmnd_Alias), and alias_name is the alias name (all uppercase letters are agreed ), alias_list is a comma-separated list of one or more elements that constitute an alias. The exclamation point before the alias element (!) Is a denial of it.

Alias_type alias_name = alias_list

 
The following are some common options.
User_Alias
The alias_list of the user alias is the same as the user_list of the User Privilege specification (discussed in the previous section. The following lines from the sudoers file define three user aliases: OFFICE, ADMIN, and admin2. The alias_list defined by the alias in the first line includes the username zach, sam, and sls. The second row includes two usernames and members of the admin group. The third row includes all members of the admin group except Max.

User_Alias OFFICE = zach, sam, sls User_Alias ADMIN = max, zach, % admin User_Alias ADMIN2 = % admin ,! Max

 
Runas_Alias
The alias_list of the unas alias is the same as the runas_list of the User Privilege specification (discussed in the previous section. The following SM runas aliases include sam and sls user names:

Runas_Alias SM = sam, sls

 
Host_Alias
The host alias is valid only when the sudoers file is referenced by sudo of multiple running systems. The alias_list of the host alias is the same as the host_list of the User Privilege specification (discussed in the previous section. The LCL alias defined in the following line includes a system named guava and plum:

Host_Alias LCL = guava, plum

 
To use a fully qualified Host Name (hosta.example.com, not just hosta) in this list, you must set the fqdn flag. However, this may reduce the performance of sudo.
Cmnd_Alias
The alias_list of the command alias is the same as the command_list of the User Privilege specification. The following command alias contains three files in the/directory at the end, which contains all such files:

Cmnd_Alias BASIC =/bin/cat,/usr/bin/vi,/bin/df,/usr/local/safe/

 
Defaults (Options)
You can use the Defaults keyword to change the default value of the configuration option. Most values in this list are signs of an implicit Boolean (on or off) or string type. Name a flag on a default line to open it, and add a sign before it! To close it. The following sudoers file will close the lecture and fqdn flags and open tty_tickets:

Defaults! Lecture, tty_tickets ,! Fqdn

 
Env_reset
Make sudo to reset the environment variable so that it only contains the LOGNAME, SHELL, USER, USERNAME, MAIL, and SUDO _ * variables. The default value is on. For more information, see the sudoers manual page.
Fqdn
(Fully qualified domain name: fully qualified domain name) perform DNS lookup on the FQDN In the sudoers file. If this flag is set, the FQDN can be used in the sudoers file, but this may have a negative impact on the performance of sudo, especially if DNS cannot work normally. When this flag is set, the official DNS name of the local host must be used, and the alias cannot be used. If hostname returns an FQDN, you do not need to set this flag. The default value is on.
Insults
A gentle and humorous insults is displayed when you enter an incorrect password. The default value is off. For more information, see passwd_tries.
Lecture = freq
Control the frequency of the reminder message displayed by sudo before the password prompt. The possible values of freq are never, once, and always. Specified! Lecture is the same as freq specified as never. The default value is once.
Mail_always
Send an email to the mailto user whenever the user runs sudo. The default value is off.
Mail_badpass
When you enter an incorrect password when running sudo, send an email to the mailto user. The default value is off.
Mail_no_perms
When the user name is in the sudoers file but has no permission to run the requested command (run sudo), send an email to the mailto user. The default value is off.
Mail_no_host
Send an email to the mailto user when the user name is in the sudoers file but does not run commands on the local host. The default value is off.
Mail_no_user
If the user whose user name is not in the sudoers file runs sudo, send an email to the mailto user. The default value is on.
Mailsub = subj
(Mail subject) change the default Email subject used for warning and error messages from the default *** SECURITY information for % h *** to subj. The sudo utility extends % h to the Host Name of the local system in subj. If subj contains special shell characters, place it between quotation marks.
Mailto = eadd
Send sudo warning and error messages to eadd (the default email address is root. If eadd contains a special shell character, place it between quotation marks.
Passwd_timeout = mins
Mins is the number of minutes when the sudo password times out. If the value is 0 (0), the password does not time out. The default value is 5.
Passwd_tries = num
Num is the number of times that the user can enter the wrong password before responding to the sudo password prompt and exiting sudo. The default value is 3. For more information, see insults and lecture.
Rootpw
Make sudo accept only the root password in response to its prompt. Because sudo publishes the same prompt for both the required password and root password, enabling this flag may confuse users. The default value is off, so that sudo prompts the user running sudo to enter the password.
Shell_noargs
Without any parameter calls, sudo will derive a root shell without changing the environment. The default value is off. This option is the same as the-s option of sudo.
Timestamp_timeout = mins
Mins is the number of minutes in which the sudo timestamp is valid. Setting mins to-1 will always make the timestamp valid; setting to 0 (zero) will always prompt sudo to enter the password. The default value is 5.
Tty_tickets
Make sudo authenticate the user based on each tty, instead of based on each user. The default value is on.
Umask = val
Val is the umask value that sudo uses to run the user-specified command. Set val to 0777 to retain the user's umask value. The default value is 0022.
Lock Root Account (delete Root Password)
If you decide to lock the root account, run the su-c 'passwd-l root' command. Add two exclamation marks (!) to the front of the exclamation point (!!), This command sets the encryption password in/etc/shadow to invalid. You can delete an exclamation point to unlock the account or execute the commands shown in the following example.
Unlock Root Account
If you decide to unlock the locked root account, execute the following command. This command assumes that you can use sudo to obtain the root privilege and assign it a password to unlock the root account:

$ Sudo passwd root [Sudo] password for sam: Changing password for user root. New password: Retype new password: Passwd: all authentication tokens updated successfully.

 
Allows common users to run privileged commands
The consolehelper utility makes it easier for common users to run system programs that can only run by root-privileged users. PAM authenticates the user. You can set to trust all console users. You must enter the user password (non-root password) or enter the root password before granting the trust. The basic concept of eaglehelper is that anyone who has access to the console may be considered trustworthy. For example, Sam can log on to the console as his identity and run reboot without having to know the root password.
To learn how consolehelper works, refer to the two halt files:

$ File/sbin/halt/usr/bin/halt /Sbin/halt: symbolic link to '../bin/systemctl' /Usr/bin/halt: symbolic link to 'lelehelper'

 
In Fedora, the file in/sbin is linked to/bin/systemctl; in RHEL, it is linked to/sbin/reboot. On both systems, the files in/usr/bin are links to/usr/bin/consolehelper. These linked files are all executable files:

$ File/bin/systemctl/usr/bin/consolehelper /Bin/systemctl: ELF 32-bit LSB executable, Intel 80386... /Usr/bin/consolehelper: ELF 32-bit LSB executable, Intel 80386...

 
In the root PATH variable,/sbin is usually prior to/usr/bin. Therefore, when you run the halt command in the root logon environment with the root privilege, shell will execute/bin/systemctl reboot under Fedora or/sbin/reboot under RHEL. In a common user's PATH variable,/usr/bin is usually prior to/sbin (if PATH contains/sbin ). Therefore, when a common user executes a reboot command, shell will execute the/usr/bin/consolehelper (consolehelper utility ).
Consolehelper depends on how PAM is set. By default, lelehelper does not require the root password. Any user can run the reboot command to restart the system.
Root Account and password security management
Password Security Management Principles
Currently, most password cracking programs use dictionary attacks and brute-force attacks. improper user passwords are vulnerable to dictionary attacks. Many users prefer to use their English names, birthdays, accounts, and other information to set passwords. In this way, hackers may use dictionary attacks or social engineering techniques to crack passwords. Therefore, it is recommended that you use combinations of non-dictionary characters and password settings that combine numbers and characters, in combination with uppercase and lowercase Characters During password setting, increase the difficulty of password cracking. In addition, you can also use regular password changes and regularly invalidate the password to protect your logon password. The following table lists the reference principles for setting security passwords ):

• The password must contain at least eight characters: the longer the password, the better. If an MD5 password is used, it should contain at least 15 characters. If you use the DES password, the maximum length is 8 characters ).
• Mix uppercase and lowercase letters: Linux is case sensitive, so the mix of uppercase and lowercase letters increases the robustness of passwords.
• Mixing letters and numbers: adding numbers to a password, especially adding numbers in the middle (not just at the beginning and end) can enhance the robustness of the password.
• Special characters except letters and numbers: $, and> can greatly enhance the robustness of the password (such characters cannot be used if the DES password is used ).
• Select a password that you can remember: if you cannot remember your password, it will be useless. You can use abbreviations or other memory methods to help you remember the password.

In addition, there are some principles that need to be kept in mind (a few should not ):

• Do not use only words or numbers. Do not use only words or numbers in passwords.
• Do not use out-of-the-box words: words like names, words in dictionaries, or even words in TV series or novels. Do not use them even if you use numbers on both ends.
• Do not use words in a foreign language: Password deciphering programs often use dictionaries in multiple languages to check their word lists. Relying on foreign languages to protect Passwords usually does not work.
• Do not use hacker terminology.
• Do not use personal information: Do not use personal information. If attackers know their identities, it will become very easy to export their own passwords. The following information types should be avoided when creating passwords.
• Do not roll back existing words: A good password-breaking translator always reverses common words, so reversing weak passwords does not make it safer.
• Do not record your own password: never write it on paper. Keep it in mind to make it safer.
• Do not use the same password on all machines: it is important to use different passwords on each machine. In this way, if a system leaks, all other systems will not be immediately threatened.

Use password analysis tools for verification
John the Ripper is a tool software used to crack the plaintext password when the ciphertext is known. It mainly supports cracking the ciphertext of DES and MD5 encryption methods. It can work on multiple and different models and different operating systems. The operating systems that have been tested to run normally include: linux x86, freeBSD, x86, Solaris, iSCSI, OSF/1 Alpha, DOS, WinNT/WinXP series, etc. John the Ripper 1.7 is a good password cracking tool. During the decryption process, disks are automatically stored regularly. You can force the decryption process to be interrupted (using the Ctrl + C key combination ), you can continue from the interrupted location next time (john-restore command ). When you press the keyboard, you can see the entire decryption process. All cracked passwords will be stored in JOHN. in the POT file, all users with the same ciphertext in the SHADOW will be classified as one type, so JOHN will not perform unnecessary repetitive work. In program design, key password generation conditions are placed in JOHN. in the INI file, you can modify the settings by yourself. This file not only supports changing the word type, but also supports Writing C Programs to limit the password value.
Before using the software, we can download the latest version of john-1.7.9 for Linux from an online http://www.openwall.com/john/, which contains three directories: DOC, SRC, and RUN, under the SRC directory, run the following command on the x86 machine:

# Make # Make clean linux-x86-any

 
After installation, you can switch to the RUN directory for testing, as shown below:

# Cd ../run #./John-test

 
After the installation, you can use the following methods to test your account and password. Generally, many users use simple naming methods, such as foo, hello, world, and many others use the same password as the user name, in general, we can use a simple Decryption Method To preliminarily test the passwords in the system. If we find that the passwords can be successfully cracked, we need to strengthen the strength of these passwords, as follows:

// Use simple decryption to test the system account #./John-single/etc/shadow Loaded 3 password hashes with 3 different salts (FreeBSD MD5 [32/32]) Test (test) Guesses: 1 time: 0: 00: 00: 00 100% c/s: 6975 trying: 999991900

 
In the above command, we found that there is a test user in the system, whose username and password are both test, so we can find and use it in the simplest way, if it is a hacker, it will lead to unimaginable consequences. Therefore, our users should immediately strengthen their passwords based on this situation.
Secondly, users can use dictionary files to test and test the malicious password strength of system users. People usually use hello, superman, cooler, asdfgh, 123456, and so on as their own passwords. The-rules parameter adds some changes on this basis. For example, if the dictionary contains the word "cool", JOHN will try to decrypt it using the word changes such as cooler, CoOl, and Cool. Generally, depending on the number of users in the SHADOW, their dictionary size, and their machine speed, the decryption time ranges from several hours to several days. The following is an example of decryption using this method. Suppose we have generated a password. the lst file contains frequently used passwords based on dictionary words. Therefore, we use this method to test and crack the user password in the system. Because the dictionary retains a word such as duango, therefore, the user's test password is also tested. The Network Administrator also needs to reinforce the password, such as adding appropriate suffixes, letters, and numbers:

// Use dictionary decryption to test the system account #./John -- wordlist = password. lst/etc/shadow Loaded 3 password hashes with 3 different salts (FreeBSD MD5 [32/32]) Duango (test) Guesses: 1 time: 0: 00: 00: 01 100% c/s: 7065 trying: duango

 
Of course, the above two methods are very intuitive and simple, but if the dictionary is complete and Practical enough, you can find the vast majority of weak passwords. In practice, we can also use the following options to fully check and verify the system password strength:

• Rules: use the word rule change function during decryption. For example, we will try other possibilities of cool words, such as COOLER and Cool. The detailed Rules can be found in the [List. Rules: Wordlist] section of the JOHN. INI file.
• Incremental: In traversal mode, all possible combinations of passwords can also be found in [Incremental: *****] in the JOHN. INI file.
• External: the custom extended decryption mode allows you to define the password combination mode you need in john. ini. JOHN also provides several examples in the INI file, the automatic cracking function defined in [List. External: ******] of the INI file.
• Restore: continue the last cracking. After JOHN is interrupted, the current decryption progress is stored in the RESTORE file. You can copy the file to a new file. If the parameter does not contain a file name, JOHN uses the RESTORE file by default.

 
References
Learning

• A simple tutorial on how to use sudo: sudo in Linux-a mini tutorial helps you get started with sudo quickly.
• For more information about root password security, see root password security.
• Download the software from the John the ripper portal for installation and trial use.
• In the developerWorks Linux area, find more references for Linux developers (including new Linux beginners) and refer to our most popular articles and tutorials.
• Read all Linux tips and Linux tutorials on developerWorks.
• Stay tuned to developerWorks technical events and network broadcasts.