Unix File System Security

Source: Internet
Author: User

Unix File System Overview

A Unix file system is the heart of a Unix system: it provides hierarchical directories and files. The file system divides the disk space into units of 1024 bytes called blocks (512 bytes on some systems, such as SCO Xenix). Blocks are numbered from 0 up to the last block on the disk, and the whole set of blocks is divided into four parts. Block 0 is the boot block, which the file system itself does not use. Block 1 is the superblock (the "dedicated block"); it holds a great deal of information, including the disk size and the sizes of the other two parts. The i-node table starts at block 2; it contains the i-nodes, and the number of blocks it occupies varies (i-nodes are discussed below). The i-node table is followed by the free storage blocks (data storage blocks), which hold file contents. The logical structure of a file is quite different from its physical structure. The logical structure is what you see when you run cat on the file: a byte stream representing the file's content.

The physical structure is the format in which the file is actually stored on the disk. Users think of their files as contiguous byte streams, but a file is not necessarily stored contiguously on disk: files larger than one block are usually scattered across the disk. When a user accesses a file, however, the Unix file system fetches the blocks in the correct order and presents the user with the logical structure of the file.

Of course, somewhere in the Unix system there must be a table telling the file system how to convert the physical structure into the logical one; this is the i-node. An i-node is a 64-byte table containing information about a file: its size, its owner, its access permissions, and whether it is an ordinary file, a directory or a special file. The most important part of the i-node is the disk address table, which holds 13 block numbers. The first 10 are the addresses of the file's first 10 blocks, so these 10 entries alone can describe a file up to 10 blocks long; the file occupies the blocks in the order in which their numbers appear in the disk address table.

What if a file needs more than 10 blocks? The 11th entry in the disk address table supplies a block number, and the block it names contains 256 further block numbers. With this single level of indirection a file can be up to 266 blocks long (272,384 bytes). If the file is larger than 266 blocks, the 12th entry in the disk address table supplies a block number; the block it names contains 256 block numbers, each of which points to another block that in turn holds 256 block numbers, and those are the blocks that hold the file's content. The 13th entry of the disk address table is addressed in the same way as the 12th, only with one more level of indirection.

In this way the maximum length of a file on a Unix system is 16,842,762 blocks, that is, 17,246,988,288 bytes. Fortunately, Unix systems impose more practical limits on the maximum size of a file (generally 1 to 2 M bytes), so you will not accidentally create a file that uses up every block of the disk. The file system converts a file name into an i-node as follows. A directory is actually a file containing a directory table: for each file in the directory there is an entry holding the file name and the file's i-node number. When you type cat xxx, the file system searches the current directory table for the entry named xxx to obtain the i-node number of xxx, and from that i-node it obtains the blocks holding the contents of xxx.
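As an added example (not part of the original article), the following code maps a file's logical block number to the chain of disk-address-table lookups described above; the parameters are the article's (1024-byte blocks, 13 entries, 10 direct, 256 block numbers per indirect block).

```python
# Added example, not part of the article: map a file's logical block number
# to the chain of disk-address-table lookups described above. Parameters
# follow the article: 1024-byte blocks, a 13-entry disk address table with
# 10 direct entries, and 256 block numbers per indirect block.
BLOCK_SIZE = 1024
DIRECT = 10           # entries 0..9 hold data block numbers directly
PTRS = 256            # block numbers held by one indirect block

def locate_block(logical_block):
    """Return (table_entry, levels, indices) for a logical block number.

    table_entry is the 0-based slot of the 13-entry disk address table,
    levels is 0 (direct), 1, 2 or 3 indirections, and indices lists the
    position read in each successive indirect block."""
    if logical_block < 0:
        raise ValueError("negative block index")
    if logical_block < DIRECT:
        return (logical_block, 0, [])
    rest = logical_block - DIRECT
    if rest < PTRS:                       # entry 10: single indirect
        return (10, 1, [rest])
    rest -= PTRS
    if rest < PTRS ** 2:                  # entry 11: double indirect
        return (11, 2, [rest // PTRS, rest % PTRS])
    rest -= PTRS ** 2
    if rest < PTRS ** 3:                  # entry 12: triple indirect
        return (12, 3, [rest // PTRS ** 2, (rest // PTRS) % PTRS, rest % PTRS])
    raise ValueError("block beyond what the 13-entry table can address")

def locate_offset(byte_offset):
    """Which table entry, indirection chain and byte-in-block hold an offset."""
    entry, levels, indices = locate_block(byte_offset // BLOCK_SIZE)
    return (entry, levels, indices, byte_offset % BLOCK_SIZE)

def reads_to_reach(logical_block):
    """Disk reads needed for the data block: one per indirect level, plus one."""
    return 1 + locate_block(logical_block)[1]

def single_indirect_limit_bytes():
    """Largest file reachable with the direct entries plus one indirect block."""
    return (DIRECT + PTRS) * BLOCK_SIZE   # 266 blocks = 272,384 bytes
```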

Maintain System Security

Consider some of the key weaknesses of a system:

A. Does the system have a modem? Is its telephone number public?

B. Is the system networked? Which other systems are connected to the network?

C. Does the system administrator use unknown or untrusted programs?

D. Does the system administrator keep important information on the system?

E. Are the system's users experienced with the system, or new users?

F. Do the users pay close attention to security?

G. Does the users' management department pay attention to security?

To ensure the security and integrity of the system files, check the access permissions of all system files. Any program carrying suid permission without a reason is illegitimate.

Pay special attention to the access permissions of device files.

Review any file in a user directory that has suid/sgid permission with a system user id or system group id.

Do not mount a file system before you have checked its suid/sgid programs and device files.
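The following is an added example (not the article's own code) of the pre-mount check described above: it walks a directory tree and reports suid/sgid programs and device files that are world-writable, or world-readable when their names match the memory and raw-disk devices the article lists. The fixture tree is constructed for demonstration.

```python
# Added example, not part of the article: audit a tree for what the article
# says to check before mounting: suid/sgid programs and device files that are
# world-writable, or world-readable when they expose memory or raw disks.
import os
import stat
import tempfile

# device names from the article's /dev list whose contents must stay private
SENSITIVE_DEV = ("mem", "kmem", "dsk", "rdsk", "swap")

def classify(path):
    """Findings for one path ([] if nothing stands out); lstat judges a symlink itself."""
    mode = os.lstat(path).st_mode
    findings = []
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            findings.append("suid")
        if mode & stat.S_ISGID:
            findings.append("sgid")
        if findings and mode & stat.S_IWOTH:  # privileged and anyone can overwrite it
            findings.append("world-writable")
    elif stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
        if mode & stat.S_IWOTH:
            findings.append("device world-writable")
        if os.path.basename(path).startswith(SENSITIVE_DEV) and mode & stat.S_IROTH:
            findings.append("sensitive device world-readable")
    return findings

def audit_tree(root):
    """Return {path relative to root: findings} for every flagged entry."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                found = classify(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if found:
                report[os.path.relpath(path, root)] = found
    return report

def make_demo_tree():
    """Constructed fixture (no devices, since mknod needs root): one suid,
    one sgid, one suid+world-writable and one ordinary file."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    for name, mode in (("bin/su_copy", 0o4755), ("bin/mail", 0o2755),
                       ("bin/leaky", 0o4777), ("bin/ls", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root
```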

Store backup disks in a safe place.

Set a password validity period. If you have access to the Unix source code, move the encrypted passwords and related information into a file readable only by root, and modify the system's password handling accordingly; this increases password security. Modify passwd so that it strips the digits from the beginning and end of a new password and then checks the remainder against a spelling dictionary and against the user's personal information in /etc/passwd, and checks whether it is a sub-string of the login name. If the new password is a word in the spelling dictionary, a value from the user's entry in /etc/passwd, or a sub-string of the login name, passwd refuses to let the user change to it.
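As an added example (not the article's code), here is the new-password check just described, written as a stand-alone function; the spelling dictionary and the /etc/passwd line are constructed stand-ins for the system word list and the user's real entry.

```python
# Added example, not part of the article: the new-password check the article
# describes for a modified passwd. The dictionary and the /etc/passwd line are
# constructed stand-ins; a real passwd would read the system's word list and
# the user's own entry.
import string

SPELL_DICT = {"password", "secret", "welcome", "summer", "dragon", "unix"}

def strip_edge_digits(password):
    """Drop digits at the start and end, so 'secret1' and '99secret' are
    judged on the word 'secret', as the article's passwd does."""
    return password.strip(string.digits)

def passwd_fields(passwd_line):
    """Split one /etc/passwd line into its seven colon-separated fields."""
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd entry")
    return fields

def personal_values(passwd_line):
    """Every word in the user's passwd entry (login, uid, gid, the
    comma-separated GECOS items, home directory, shell), lower-cased."""
    values = set()
    for field in passwd_fields(passwd_line):
        values.update(part.lower() for part in field.replace(",", " ").split())
    return values

def reject_reason(new_password, passwd_line, dictionary=SPELL_DICT):
    """None if passwd would accept the password, else the reason it refuses."""
    login = passwd_fields(passwd_line)[0].lower()
    core = strip_edge_digits(new_password).lower()
    if not core:
        return "password contains nothing but digits"
    if core in dictionary:
        return "word in spell dictionary"
    if core in personal_values(passwd_line):
        return "value from the user's /etc/passwd entry"
    if core in login:
        return "sub-string of login name"
    return None

# constructed passwd entry used to exercise the checks
DEMO_ENTRY = "jqp:x:1001:100:John Q Public,Room 1:/usr/jqp:/bin/sh"
```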

Keep a record of the system's users and the systems they are authorized to use.

Find login accounts that have long been unused and cancel them.

Make sure there are no login accounts without a password.

Turn on the accounting system.

Look for unusual system usage: heavy disk consumption, heavy CPU usage, large numbers of processes, many attempts to use su, many invalid logins, large volumes of network traffic to one system, strange uucp requests.

Modify the shell so that it terminates the session after a certain period of inactivity.

Modify login to print the user's last logon time. After three invalid logons, hang up the communication line so that the system administrator can check whether someone has tried to access the system illegally. Make sure login does not allow root to log on from anywhere except the console.
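The following added example (not from the article) applies two of the checks just listed to login and su records: it counts invalid logons and refused su attempts from the "unusual usage" list, flags root logons away from the console, and applies the three-failures rule. The log lines are constructed in a syslog-like shape; real formats differ between systems.

```python
# Added example, not part of the article: scan login and su records for the
# signs the article lists (repeated invalid logons, repeated su attempts, root
# logons away from the console) and apply its three-invalid-logons rule.
# The log lines are constructed; real formats differ between systems.
import re
from collections import Counter

LOGIN_FAIL = re.compile(r"login: FAILED LOGIN \d+ ON (\S+) FOR (\S+)")
SU_FAIL = re.compile(r"su: FAILED su (\S+) to (\S+)")
ROOT_LOGIN = re.compile(r"login: ROOT LOGIN ON (\S+)")
MAX_FAILURES = 3   # the article: hang up the line after three invalid logons

SAMPLE_LOG = """\
Mar  3 08:01:12 host login: FAILED LOGIN 1 ON tty03 FOR guest
Mar  3 08:01:20 host login: FAILED LOGIN 2 ON tty03 FOR guest
Mar  3 08:01:31 host login: FAILED LOGIN 3 ON tty03 FOR guest
Mar  3 08:02:02 host su: FAILED su operator to root on /dev/tty07
Mar  3 08:02:10 host su: FAILED su operator to root on /dev/tty07
Mar  3 08:05:44 host login: ROOT LOGIN ON tty12
Mar  3 08:06:00 host login: ROOT LOGIN ON console
Mar  3 08:07:13 host login: FAILED LOGIN 1 ON tty05 FOR jqp
""".splitlines()

def count_matches(lines, pattern, key):
    """Counter of pattern matches, bucketed by key(match)."""
    counts = Counter()
    for m in map(pattern.search, lines):
        if m:
            counts[key(m)] += 1
    return counts

def failed_logins(lines):
    """Invalid logons keyed by (login name, terminal line)."""
    return count_matches(lines, LOGIN_FAIL, lambda m: (m.group(2), m.group(1)))

def failed_su(lines):
    """Refused su attempts keyed by (from user, to user)."""
    return count_matches(lines, SU_FAIL, lambda m: (m.group(1), m.group(2)))

def root_logins_off_console(lines):
    """Terminal lines on which root logged on anywhere but the console."""
    return [m.group(1) for m in map(ROOT_LOGIN.search, lines)
            if m and m.group(1) != "console"]

def lines_to_suspend(lines, limit=MAX_FAILURES):
    """Terminal lines that reached the failure limit, summed over all
    login names tried on that line."""
    per_tty = Counter()
    for (_user, tty), n in failed_logins(lines).items():
        per_tty[tty] += n
    return {tty for tty, n in per_tty.items() if n >= limit}
```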

Modify su so that only root can use su to reach an account whose password has expired.

When installing software from an untrusted source, read the source code and the makefile and look for unusual sub-program calls or commands.

Even when software comes from a trusted source, check whether it contains suid (sgid) programs and confirm that those permissions are really necessary. If possible, do not let such programs run suid (sgid) as a system id (or group); instead, create a new user (or group) for the software to run as.

If the system is in an office, keep the door locked, and store important data on floppy disks or similar media and lock them away.

Set the access permissions of secure, perms and all the other shell scripts used for security checks to execute-only, and preferably keep these scripts on removable media.

Remember that as long as the system has a dial-up line that anyone can call, it cannot be truly secure. The system administrator can prevent accidental damage to the system, but someone who is patient, prepared and knows what they are doing can often succeed in a premeditated attack on it.

If the system administrator thinks the system has been compromised, he should try to find the person responsible. If the culprit is a user of the system, contact the user's management department, examine the user's files for anything suspicious, and supervise the user's logons carefully for several weeks. If the culprit is not a user of the system, the company can take legal measures; require all users to change their passwords, tell them that a security incident has occurred, and have them check whether their files have been tampered with. If the system administrator believes the system software has been altered, reinstall all system software from the original system tape (or floppy disks). Being safe is better than being sorry.

Unix System Device Files

Unix systems communicate with the various devices attached to them through special files. To a program, a disk is a file, a modem is a file, and even memory is a file. Every device connected to the system has a file in the /dev directory, and when I/O is performed on one of these files the Unix system translates the I/O operation into an action on the actual device. For example, the file /dev/mem is the system's memory: if you cat this file, the system memory is displayed on the terminal. For security reasons this file is not readable by ordinary users, because at any given moment memory may contain a user's login password or the password of a running program, the editing buffer of a file may contain text decrypted with ed -x, and there is all sorts of other information that users do not want others to see. The files in /dev are usually called device files. You can use ls /dev to view some of the devices in the system:

acu0    automatic calling unit (dial-out)

console system console

dsknn   disk partitions, block-oriented access

kmem    kernel memory

mem     memory

lp      printer

mt0     tape, block-oriented access

rdsknn  disk partitions, raw (character-oriented) access

rmt0    tape, raw (character-oriented) access

swap    swap area

syscon  system console terminal

ttynn   terminal ports

x25     network port

and so on.

Unix File System: the /etc/mknod command

mknod is used to create a device file, and only root can use it to do so. Its parameters are the file name, the letter c or b (indicating a character special file or a block special file respectively), the major device number and the minor device number. Block special files are devices whose data is accessed in blocks, such as tapes and disks. Character special files are devices that transfer one character at a time, such as terminals, printers, modems or any other device that communicates with the system, including a disk drive that emulates character access to the disk.

The major device number selects the system sub-program (device driver) that the system calls when I/O is performed on the device. When the driver is called, the minor device number is passed to it; it identifies the specific device (a particular disk drive, signal line number or disk partition). Each type of device generally has its own device driver.

The Unix file system stores the major and minor device numbers in the disk address table of the i-node, so no disk space is allocated to a device file apart from the disk occupied by the i-node itself. When a program attempts an I/O operation on a device file, the system recognises it as a special file and calls the device driver selected by the major device number, passing the minor device number as a parameter.
