home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The World of Computer Software
/
World_Of_Computer_Software-02-385-Vol-1of3.iso
/
c
/
cops_104.zip
/
cops_104
/
kuang.pl.shar
/
README.perl
< prev
next >
Wrap
Text File
|
1992-03-10
|
10KB
|
196 lines
This is a perl version of Dan's version of Bob Baldwin's Kuang program
(originally written as some shell scripts and C programs).
The original intent was to improve the speed of kuang, which is
especially important for installations like ours with several thousand
accounts and NFS things and all that. The shell version of Kuang used
C programs to add rules, get a groups members, determine the writers
of a file, and so on, which really slowed things down.
"no" problems /etc staff writeable
------------- --------------------
shell kuang 2:14 (14) 12:26 (98) 0.1 p/s
perl kuang 1:10 (18) 2:34 (588) 3.8 p/s
The "no" problems column indicates the time taken (and number of plans
considered) for the shell and Perl versions of Kuang on a system with
no known security problems. The "/etc staff writeable" column gives
timing and # of plans for a system with a /etc directory that is
writeable by group staff, which contains several dozen users.
As you can see, the Perl version is a bit faster. Turns out there are
all sorts of details that need to be considered in real
implementations of Kuang type programs, some of which are discussed
below.
--- Steve Romig, CIS, Ohio State, October 1990
------------------------------------------------------------------------------
Some Features of the Perl Version
Caches passwd/group file entries in an associative array for faster
lookups. This is particularly helpful on insecure systems using YP
where password and group lookups are slow and you have to do a lot of
them...:-)
Can specify target (uid or gid) on command line.
Can use -l option to generate PAT for a goal.
Can use -f to preload file owner, group and mode info, which is
helpful in speeding things up and in avoiding file system
'shadows'... See the man page for details.
Future plans, things to fix:
- An earlier version scanned the password file looking for generally
accessible accounts (no password), which would be added to the
uids.known list (in addition to -1, "other"). I had planned on also
adding a password checker which would allow us to also add accounts
with easily guessed passwords. Eventually I nuked the code that
scanned the password file to speed things up, and further reflection
reveals that it isn't wise to add the password scanning to Kuang
itself (since there are many other things that might be considered
in determining whether an account is accessible or not, and you
probably don't want to add them all to Kuang).
At some point we should add a command line option that allows us to
add additional uid's (or gid's?) to the uids.known list. That way
the user could run some other tool to scan the password file and
generate a list of accessible accounts, which could then be fed to
kuang. Makes it faster on clients using YP since most of the
password file is the same for all N clients, why scan it N times.
This would make it easier for the Kuang user to do smarter things
to/with the password file checks (list all accounts with no password
or easily guessed password, filter out "ok" entries (eg, sync) and
etc.)
- This version doesn't deal with uid's and gid's correctly. If there
are several entries that list the same UID, but with different
names, directories and shells, we'll only check plans for becoming
one of them, rather than any of them, so some possible plans aren't
even examined.
Hmmm...this is easier than I thought - when we evaluate some plan
for granting a particular uid, we need to evaluate plans for all
usernames that can become that uid. Just stick a loop in there
somewhere...get CF's for each of username's in turn.
Bah, harder than I thought, since it'd have to scan the whole
password file to figure which username/home directories can become
which uid's. Similarly with groups.
Current plan: by default, kuang will have to scan the whole password
and group files so it can be sure to get all possible ways to become
some uid or gid. Internally, really need several lists:
mapping from uid to list of usernames that have that uid
mapping from a username to home directory, shell
mapping from gid to list of uids that have access to that
gid when they login (either member of group with that gid or
given as login group in passwd file)
mapping from gid to list of group names for that gid
Course, this means that we have to read the whole password and group
file, most of which will be common to many machines (like in a YP
environment). We could preload the tables above from files created
once, containing the brunt of the YP info, and then augment that
with the local passwd and group info on each host when kuang is
invoked, but then we need to correctly interpret funky YP things
like +@netgroup:::*:..., which means that the uid has a name but no
password here...and similarly with shell substitutions and so on.
Bah.
- In a large environment (like ours, 260+ machines, 30+ file systems
on as many servers, 2000 password file entries served by YP) it
would be nice to 'precompute' successful plans that would be common
to all systems. In particular, plans for becoming most of the users
with home directories on the NFS file systems would be useful, since
we don't really want to recheck these on each host. You wouldn't
want the plan to be too deep - probably shouldn't span more than 2
uids (1 on each end: grant u.romig grant g.staff write ~foo/.login
grant u.foo). I'm thinking that you could feed a list of these
precomputed plans to kuang and add some code that causes it to
splice in relevant plans where it can to short cut the planning
steps. For example, if one of the plans in uids.next is something
like "grant u.foo ...", and I have the precomputed plan mentioned
above, I could splice the two: "grant u.romig grant g.staff write
~foo/.login grant u.foo ..." and skip all the normal steps that
would've been taken to get there.
I'm not sure this is even feasible or useful. Food for thought.
- Hmmm...thinking about it, it seems like some of the steps are a bit
too implicit...maybe the rules should be broken out a bit more.
That will cost in processing time, though.
- Would be really, really nice to be able to deal with PATH variables
- location of ., who can write elements of path, etc. Basic rule is
"anyone who can replace anything in any of path directories or the
path directories themselves can become that PATH's user..." This
can be really messy though - in our environment, the path for a user
will depend on the architecture type of the machine that he is
logged into, and to get the path, you'd have to read and interpret
his .login (including variable assignments, source's and
conditionals). Urf. One wonders whether it might be better to have
something running as root that su's to each username in turn and
gets the path that way...:-)
- The kuang described in Baldwin's dissertation is somewhat different
in nature from this one. The original computes a Privilege Access
Table (PAT) which describes for each uid and gid which uids have
access to that uid. To assess security, we compare this against the
security policy for the site, which similarly describes which uid's
are supposed to have access to each uid and gid. A sample SP might
be that each uid should be accessible only by itself and root, and
each gid should be accessible only to the members of that group and
root. If the PAT listed additional uid's for some priv, that would
constitute a violation of the Security Policy for the site.
The current kuang is different. It registers Success (a problem was
found) if it determines that some uid in the uids.known list (-1,
"other" by default) can access the target privilege. It may find
along the way that extra uids can access some uid, but these aren't
reported as specific problems unless they are added to the
uids.known list.
We could do something similar to the kuang described in the paper by
setting uids.known to be all the uids that aren't in the security
policy table for the target uid, and running kuang against the
target. This would report success for each uid that could access
the target. You could do similar things with groups - uids.known
would be all the uids that aren't members of the group...
Alternately, we could simply have kuang record the list of uids that
can access the target priv and print the list when its done. That
way you could iterate kuang against all uids and gids and compare
the resulting PAT against your security policy and record the
differences. You'd probably want to record the plan for each uid
reported also.
On our system this would mean running kuang roughly 2500
times to check 1 host, and we have about 300 hosts...urf...assuming
that each kuang invocation has to check 50 plans, that's a total of
125,000 plans per host, or about an hour of real time...not as bad
as it could be, though.
- It would be nice to add to the list of rules. It would be especially
nice to extract the rules from the code so that we can create site
specific rule files (for example, we use X11r4 here, and many users
have a .Xinitrc that contains shell commands that get executed when
they login.)
Easiest way to do this would be to extract the rules as Perl code so
we can take advantage of conditionals and so on, and include them
within the body of kuang somehow. A sample rule in perl:
if (&shell($uid) eq "/bin/csh") {
&addto("files", &home($uid)."/.login",
"replace .login $plan");
}
which simply means "if the user's shell is csh, then try to replace
his .login file."