Programs running as root in Unix System Security

Unix SystemIn, some programs use the systemRootProcess running. These programs do not always have suid permission, because many of them only run by the root, the system administrator needs to know what these programs are doing and what other programs these programs will run.

(1) Start the system

When some unix systems (such as sco unix/xenix) are started, they are run in a way called a single user. In this mode, common users cannot log on. The only process is init, swapper, and some processes run by the system administrator from the console. the single-user startup of unix system enables the system administrator to check system operations before allowing common users to log on to the system to ensure that the system is operating normally. When the system is in the single-user mode, as a Super User, the console is "#". For some unix systems, do not confirm the Super User Password. The console is "root" and a prompt is provided. this may become a security issue.

(2) init process

Unix systems always run in a certain way or called a certain level. The system has several running levels controlled by the init process. when a unix system is started, it runs as a single user, also called level 1 or level s. for other users to log on to the system, unix has a multi-user running mode, also known as Level 2 init process control system running level, which reads the file/etc/inittab, this file specifies in detail which processes are running at what level. when root clicks init n (number), the system enters n level. init reads the file to determine which processes are terminated and which processes are started.

Valid run-level values are from 0 to 6 and s.

Note: processes created by init run with uid 0 (root) and programs run from/etc/inittab as root, therefore, the system administrator should ensure that he knows what the programs in/etc/inittab do, and make sure that these programs and the directories where these programs are located are not writable until/and/etc/inittab except root.

(3) access to multiple users

When the unix system enters the multi-user mode, a series of events are destroyed, and then gettys is executed to allow other users to log on to the system. if you look at the/etc/inittab file, you will see that gettys is defined at runtime Level 2, with at least three shell processes/etc/brc,/etc/bcheckrc, /etc/rc * is also defined at the runtime Level 2. these programs run before gettys starts. these shell programs run as root, and cannot only be writable to the root, but should also check the commands that run the shell program, because these commands will also run as root.

(4) shutdown command

Use the shutdown command to shut down the system. The shutdown shell program sends a warning to notify all users to leave the system. After the "given time limit" expires, the process is terminated and the file system is detached, enter the single-user mode or shutdown status. once you enter the single-user mode, all gettys stops running and you cannot log on again.

After the instance is shut down, the system can be shut down.

Shutdown can only be run by the user logged on as the root user from the system console. Therefore, any shutdown command can only be writable to the root user.

(5) cron program of System v

Cron runs in a multi-user mode in unix systems. It runs the specified command according to the specified schedule and checks the file/usr/lib/crontab every minute to find out whether there is a program to be run?

If you find the program you want to run, run it. Otherwise, wait for one minute. the actual/usr/lib/crontab is used to run the program according to the full-day rule schedule, or to run programs that are unwilling to run during the day at night for fear of reducing the speed of other users. generally, programs run by cron are such programs as accounting and saving files. cron is generally started by/etc/rc after the system enters multiple users, and stops running when shutdown runs the killall command. the program running by cron serves as the root, so pay attention to the programs in crontab and make sure that/usr/lib/crontab and any programs listed in the table are not writable to anyone.

If the user needs to execute a program by cron, the system administrator can use the su command to create an entry in the crontab table, so that the user's program cannot obtain the root permission.

(6) cron program after System v Version 2

In System v version 2, cron is changed to allow users to create their own crontab entries, and the/usr/lib/crontab file no longer exists, replaced by files in the/usr/spool/cron/crontabs directory. these files are in the same format as crontab, but each file corresponds to a user in the system and is run by cron in the name of a user.

If you want to restrict the users who can create crontab, you can go to the/usr/lib/cron file. the allow file lists Users Allowed To run the crontab command. no user not listed in the file can run crontab. if you prefer to list users who are not allowed to run the crontab command, you can include them in/usr/lib/cron. in the deny file, other users not listed in the file are allowed to create crontab.

NOTE: If both files exist, the system uses cron. allow, ignore cron. deny. if both files do not exist, only root can run crontab. therefore, to allow all users in the system to run the crontab command, an empty cron should be created. deny file, if cron. if allow exists, the file is deleted.

The cron command of this version is more secure than the previous one, because users can only view their own crontab, and the system administrator does not have to worry about whether programs of other users will run as root, since each system login user is allowed to have their own crontab, it also simplifies the processing of the system program that must be run by cron, but does not have to be used as the root program.

Make sure that the root crontab file is only writable to the root user, and that the directory where the file is located and all parent directories are only writable to the root user.

(7)/etc/profile

When a user (including root) logs on, the shell executes the/etc/profile file and ensures that the file and the programs and commands run from this file are only writable to the root user. 5. the/etc/passwd file is one of the key unix security files. this file is used to verify the user's password during user logon. Of course, it must be writable only to the root user. the general format of each line in the file is: logname: password: uid: gid: userinfo: home: shell

The first two items in each line are the login name and the encrypted password, the second two numbers are uid and gid, and the other one is any information about the user that the system administrator wants to write, the last two items are two path names: one is the home directory allocated to the user, and the other is the shell to be executed after the user logs on (if it is a space, the default value is/bin/sh ).

1. Unix System Security Management
2. Unix File System Security
3. Continued Security of Unix System File Systems
4. Analysis of Common commands for security policies of Unix systems
5. Analysis of the inevitability of Unix host System Security Vulnerabilities