Jul 11 2002


                    LINUX NEWS
        Resources & Links From CramSession.com
             Thursday, July 11, 2002


TABLE OF CONTENTS

1) Sean’s Notes

2) Linux News

Lessons Learned From Tolkien
LSB Certification
Lindows PC Reviewed
Countdown to Y2Pay

3) Linux Resources

Hooking Up Linux with AD
Use BIND With AD
Advanced Bash Scripting Guide
C-shell Cookbook
How to Switch to Dvorak

4) App o’ the Week

~~~~~~~~~~~~~~~~~~~~~~ ADVERTISEMENT ~~~~~~~~~~~~~~~~~~~~~~~

Serebra Learning Corporation knows that it’s true, you get paid more if you have the skills. Learn at your own pace with our dynamic training programs for the skills needed to succeed in today’s IT market. The Best Way to Learn Anything, Anywhere, Anytime. Check out this month’s specials!

http://ad.brainbuzz.com/?RC06&AIT65

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For information on how to advertise in this newsletter please contact mailto:adsales@CramSession.com or visit http://cramsession.com/marketing/default.asp


1) Sean’s Notes

For the past couple of weeks we’ve been learning about Unix file permissions. Two weeks ago, it was the basics of file permissions, and last week, it was applied to directories.

http://newsletters.cramsession.com/Newsletters/NewsletterArchive/LinuxNews/july-4-2002linux.txt

A file or a directory can have the read, write, and execute flags applied to its owner, group, or everyone, for a total of 9 different permission bits. Hold on to your shirt, though: there are some that I didn’t tell you about earlier.

The ‘t’ bit is usually reserved for directories (it has a meaning for files, but one that is not really used). Last week, I said that you could give read/write/execute access to everyone on a directory (octal permissions 777), except that people could then delete each other’s files. Well, +t is what you want. On a directory, it ensures that only the owner of a file can delete it. /tmp is like that, a global place where you can dump temporary files:

drwxrwxrwt 25 root root 5120 Jul 10 21:31 /tmp

To set or clear it, you can use the long format:

$ chmod +t /tmp #set
$ chmod -t /tmp #clear

It’s got an octal equivalent of 1, but to use it we’ll have to go to four digits instead of three.

$ chmod 1777 /tmp

(Note that you have to resupply the normal permission bits, one reason I prefer to use the long approach.)

Or, to clear all the special bits:

$ chmod 0777 /tmp

When applied to a file, it means that you want the program image saved to swap, in the hopes that the next time it’s run, it’ll start up faster. I’ve never tried it, nor used it, so I can’t say how well it works.

The next special permission is the ‘s’ bit. It’s both dangerous and confusing, but incredibly helpful, so be careful when you use it! This bit is always applied specifically to a user or group (or both). In octal, 4 applies to the user, and 2 applies to the group. Thus, 4555 sets +s on the user, and read/execute to all classes. In the long form, specify group or user:

chmod u+s foo
chmod g-s foo

On an executable program, the file runs as the owner when the bit is applied to the owner, or as the group when it is applied to the group. Thus, they’re usually referred to as the setuid and setgid bits respectively, because they cause the program’s UID or GID to be set.

This needs some more explanation. Take for example a program that needs to run as root such as tcpdump. If you want a normal user to be able to run it, but don’t want to give them the root password, then setting the setuid bit will cause tcpdump to run as the owner (presumably root), no matter who executes it.

NOTE: THIS IS A BIG SECURITY RISK. USE IT WITH CAUTION.

Two things can go wrong here. One is that something like a buffer overflow can cause the program to give up a shell. It’s running as root, even though an unprivileged user started it, so guess what kind of shell that’s going to give you? Yup, a root shell.

The second is that the program itself is nice enough to run programs for you. Take vi, for example. With a few keystrokes, vi can run other programs… as root, if it were running setuid.

Scary stuff aside, there are many cases where this is needed. In order to edit your crontab, you have to be able to edit files in protected areas. /usr/bin/crontab has the setuid bit set; the program itself does any necessary security checks.

-rwsr-xr-x 1 root root 21280 Jun 24 2001 /usr/bin/crontab

Here, you can see a lowercase ‘s’ where the ‘x’ usually goes, which tells you it runs setuid. Had it been setgid, the ‘s’ would have been in the group execute position:

-r-xr-s--x 1 root games 233356 Sep 16 2001 /usr/games/gtali

Most of the games are setgid to “games” so that they can write to a system wide high score file. This prevents normal users from overwriting the scores.

When using the setuid or setgid bits on your own, it’s often best to restrict access to the binary itself through the use of groups. Say you wanted your network admins to be able to use tcpdump without root access.

  • create a group, netadmins
  • change the group ownership of tcpdump to netadmins
  • change the permissions of tcpdump to 4550 (setuid; owner and group can read/execute; no one else can execute)
  • put the network admins in the netadmins group (/etc/group)

Last note on the setuid/setgid bits – don’t use ‘em on shell scripts. Modern shells will give up the permissions anyway, but there are just too many ways for an attacker to exploit a script running with elevated permissions.

On a directory, the setgid bit has special meaning (the setuid bit does nothing). Assuming the user in the directory is a member of the same group that the directory is, then all newly created files will be owned by that group. (Remember that a user can belong to several groups). By giving group write access to the directory and setting the setgid bit, you can ensure that everyone in the group can share files properly.

Remember this:

1 - t (must be owner to delete file, for a directory)
2 - setgid (process assumes gid on files, forces group ownership on directories)
4 - setuid (process assumes uid on files)

In practice, I never use octal values when dealing with special permissions, instead always preferring to set it explicitly with the +/- operators. You don’t want to accidentally give setuid permissions (4) when you meant to do a setgid (2).
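As an added example (my own script, not from the column): a small POSIX sh script that decodes the mode strings ls -l prints, like the ones shown above, into four-digit octal with the special bits in front, and lists the setuid/setgid files under a directory with find so you can review what you have granted. It also handles the uppercase ‘S’/‘T’ that ls shows when a special bit is set but the matching execute bit is not; the function names and the find-based audit are my own assumptions.

```sh
#!/bin/sh
# Added example (not from the newsletter). Assumes POSIX sh with cut(1) and find(1).

# Value of one rwx triad such as "rws" or "rwt". A lowercase s or t in the
# execute slot means the special bit AND execute are set; an uppercase S or T
# means the special bit is set but execute is not, so no 1 is added.
triad_value() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# Prints 1 if the execute slot of the triad carries a special bit (s, S, t or T).
special_set() {
    case $1 in ??[sStT]) echo 1 ;; *) echo 0 ;; esac
}

# "-rwsr-xr-x" -> 4755, "drwxrwxrwt" -> 1777, "-r-xr-s--x" -> 2551
mode_to_octal() {
    u=$(printf '%s' "$1" | cut -c2-4)
    g=$(printf '%s' "$1" | cut -c5-7)
    o=$(printf '%s' "$1" | cut -c8-10)
    sp=$(( 4 * $(special_set "$u") + 2 * $(special_set "$g") + $(special_set "$o") ))
    printf '%d%d%d%d\n' "$sp" "$(triad_value "$u")" "$(triad_value "$g")" "$(triad_value "$o")"
}

# Every regular file under $1 with setuid (-perm -4000) or setgid (-perm -2000)
# set, staying on one filesystem. This is the inventory worth reviewing after
# handing out the bits by hand, as in the tcpdump/netadmins recipe above.
list_special() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Demo on the mode strings from the column plus one uppercase-S case.
for m in -rwsr-xr-x drwxrwxrwt -r-xr-s--x -rwSr--r--; do
    printf '%s  %s\n' "$m" "$(mode_to_octal "$m")"
done
```

Run list_special / to see which binaries on a box carry the bits; the crontab and games entries discussed above should be among them.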

The permissions I showed you today are both very powerful, but they require a great deal of thought before use. It’s tempting to simply setuid any binary that is causing you trouble, but often a more elegant solution is available (for example, rather than setuid’ing CD writing utilities, relax the permissions on the CD device itself). Use them with care!

Long live the Penguin,

Sean swalberg@cramsession.com


2) Linux News


Lessons Learned From Tolkien

Linux is playing a big role in the making of The Two Towers, the next movie in the Lord of the Rings series. The CTO of a company doing work on the project speaks a bit about the making of the movie, and the challenges they’ve encountered.

http://www.digitalanimators.com/2002/07_jul/features/lessons.htm


LSB Certification

A while ago the Linux Standards Base was announced as ready to be used. The Open Group has now created a program to certify and brand LSB certified distributions and applications. Fees are quite reasonable, and unlike the so-called “United Linux”, likely won’t result in fees being passed on to consumers.

http://www.opengroup.org/lsb/cert/


Lindows PC Reviewed

NewsForge reviewed the Lindows PC offering from WalMart, and the results were disappointing. Poor documentation, a subscription fee for the software service, and a general lack of polish are the marks against it. Still, it’s progress.

http://newsforge.com/article.pl?sid/07/02/1247234&mode=thread&tid#


Countdown to Y2Pay

Afraid of the new licencing scheme coming down the pipe from Microsoft? Ximian might make it worth your while, as they’re offering some discounts on their Linux desktop solutions.

http://www.ximian.com/solutions/y2pay.html


3) Linux Resources


Hooking Up Linux with AD

Microsoft guru QCumber dug up this little gem on how to get your Linux box to authenticate to an Active Directory server. It’s even able to use SSL to protect the data in transit.

http://jaxen.ratisle.net/~jj/nss_ldap-AD_Integration_how-to.html


Use BIND With AD

Windows 2000 makes heavy use of DNS. Linux is good with DNS. Hey! A match made in heaven. You’ve got Q to thank for this one, too.

http://ibiblio.org/gferg/ldp/BIND+AD-HOWTO/BIND+AD-HOWTO.html


Advanced Bash Scripting Guide

Here is a very complete shell scripting guide. The subtitle, “An in-depth exploration of the gentle art of shell scripting” doesn’t do it justice. Hell, it implements the “Game of Life” in the examples. Bookmark this one.

http://tldp.org/LDP/abs/html/index.html


C-shell Cookbook

“This cookbook describes the fundamentals of writing scripts using the UNIX C shell. It shows how to combine Starlink and private applications with shell commands and constructs to create powerful and time-saving tools for performing repetitive jobs, creating data-processing pipelines, and encapsulating useful recipes.”

http://www.starlink.rl.ac.uk/star/docs/sc4.htx/sc4.html


How to Switch to Dvorak

The Dvorak keyboard layout is supposed to be more efficient, and also less prone to cause injury. Switching your keyboard layout is pretty easy, though learning it is a pain (yes, I gave up soon after starting this week’s edition).

http://www.mwbrooks.com/dvorak/


4) App o’ the Week

Microsoft Proxy Server has a setting where all clients have to provide NTLM authentication before going out on the Internet, effectively limiting your choice of browsers to Internet Explorer. Here’s a proxy that will let any browser emulate IE; the proxy server will be none the wiser, and you can use your favorite browser.

http://www.geocities.com/rozmanov/ntlm/


(C) 2002 BrainBuzz.com, Inc. All Rights Reserved.

