Thursday, October 20, 2016

Sticky bit, setuid and setgid

The sticky bit, setuid and setgid are among the most powerful concepts of UNIX-based operating systems. Although they are widely used, they are not widely understood. This article explains them based on Ubuntu. Other Linux flavours may vary slightly in how they implement them.

Sticky Bit

Linux is a multi-user operating system, so occasionally there will be a need for a folder that can be used by everyone using the system. This means everyone should have read+write access to this folder. The easiest way to achieve this would be:

mkdir /some/folder/for/everyone
chmod o+rwx /some/folder/for/everyone

Sure enough, this solves the problem in hand. Everyone has permission to create files in this folder. The files will be created with the default group and permission according to the umask. But there is one major flaw. Anyone can delete any file under this folder irrespective of the file permission. This is because everyone has write access at the folder level. The sticky bit is here to solve precisely this problem. When the sticky bit is set on the folder, only the owner of the folder or those with the right permission (such as the owner of the file itself) can delete the files under it. Typically root should be the owner of the folder so no one else can delete the files of others. To set the sticky bit on a folder, use one of the following commands:

chmod +t /some/folder/for/everyone
chmod 1777 /some/folder/for/everyone

Now, if you look at the permission of this folder you can see a t at the end. That means the sticky bit is on.
Applying the sticky bit to a file doesn't make any difference. Also, the sticky bit is only shown in the "other" portion of the permission.

setuid and setgid

These bits can be applied to individual files or directories, and the behavior is entirely different in each case.

setuid and setgid on files

When the setuid bit is set on an executable file, any other user who has executable permission for the file can execute it with a temporarily elevated privilege as the original user (the owner of the file). Most Linux flavours, including Ubuntu, don't enable setuid on shell scripts as a security measure. This means the setuid bit can be set on a shell script but it won't be effective.

setuid can be set on a file using the command

chmod u+s file

The file's permission will be like -rwSrw-r--. The S indicates the setuid bit is set but the file is not executable. Give executable permission to the file using chmod u+x file and the permission will be -rwsrw-r--. The small s indicates the file is executable and the setuid bit is set.

The best example is /usr/bin/passwd

-rwsr-xr-x 1 root root 54256 Mar 29  2016 /usr/bin/passwd

The passwords of individual users are stored in a file that is owned by root. But individual users should be able to update their own password. Thanks to the setuid bit in the command "passwd" the executing user is temporarily elevated as root so he can update his own password.

The setgid bit on a file works the same as setuid, the only difference being that it is applied at group level. It can be set using

chmod g+s file

If both setuid and setgid are set on a file then it will be executed with the privileges of the original user and the original group.


setuid and setgid on directory

The setuid bit on a directory has no meaning.
When the setgid bit is set on a directory, any files or directories created under that folder will have their group set to that of the parent directory instead of the user's default group.

In the following example a folder called my_folder is created with its group set to adm.
 
$ ls -l
drwxrwxr-x 2 user adm 4096 Oct 21 02:25 my_folder

When a file is created under this folder, its group is set to the user's default group "user":

$ id -gn
user
$ touch my_folder/file1
$ ls -l my_folder/
-rw-rw-r-- 1 user user 0 Oct 21 02:30 file1


Now the setgid bit is set on the folder and a file is created:

$ chmod g+s my_folder/
$ ls -lt
drwxrwsr-x 2 user adm 4096 Oct 21 02:40 my_folder
$ touch my_folder/file2
$ ls -lt my_folder/
-rw-rw-r-- 1 user adm  0 Oct 21 02:40 file2
-rw-rw-r-- 1 user user 0 Oct 21 02:30 file1
$


As can be seen in the above example, the new file file2 is created with the group adm, the parent folder's group, after the setgid bit is set.
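
The bits described in this post are worth checking when reviewing a system. The following Python code is an added example, not part of the original post: it walks a directory tree and reports world-writable directories without the sticky bit, setuid/setgid files (telling the s and S cases apart) and setgid directories. The function names and the sample tree are made up for the demonstration.

```python
import os
import stat
import tempfile

def audit_special_bits(root):
    """Return sorted (finding, relative path, ls-style mode) tuples under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode        # lstat: do not follow symlinks
            rel = os.path.relpath(path, root)
            text = stat.filemode(mode)           # e.g. '-rwsr-xr-x' or 'drwxrwxrwt'
            if stat.S_ISDIR(mode):
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings.append(("world-writable-no-sticky", rel, text))
                if mode & stat.S_ISGID:
                    findings.append(("setgid-dir", rel, text))
            elif stat.S_ISREG(mode):
                if mode & stat.S_ISUID:          # 's' if owner-executable, otherwise 'S'
                    kind = "setuid" if mode & stat.S_IXUSR else "setuid-not-executable"
                    findings.append((kind, rel, text))
                if mode & stat.S_ISGID:
                    kind = "setgid" if mode & stat.S_IXGRP else "setgid-not-executable"
                    findings.append((kind, rel, text))
    return sorted(findings)

def build_demo_tree(root):
    """Constructed sample tree; every name and mode is made up for this demo."""
    layout = {
        "shared_ok": (True, 0o1777),     # sticky bit set, like /tmp
        "shared_bad": (True, 0o0777),    # world-writable, no sticky bit
        "team": (True, 0o2775),          # setgid directory
        "tool": (False, 0o4755),         # -rwsr-xr-x
        "data": (False, 0o4664),         # -rwSrw-r--
    }
    for name, (is_dir, mode) in layout.items():
        path = os.path.join(root, name)
        if is_dir:
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)             # explicit chmod, so the umask does not matter

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for finding in audit_special_bits(tmp):
            print(*finding, sep="\t")
```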

Thursday, June 28, 2012

Password Encryption and salt

Encrypting Passwords

It is quite obvious that passwords need to be stored in an encrypted format. One of the following methods could be used to encrypt the passwords:
  1. Password based encryption or two-way technique
  2. Digests or one-way technique
In the first approach, passwords are encrypted using a pass phrase and then stored. This uses a symmetric algorithm, i.e. the password can be decrypted using the same pass phrase. This is generally considered to be a bad practice because you never really have to decrypt any password. In a good system a user's password shouldn't be readable by anyone, including the system administrator. It is a violation of the user's privacy. Above all, in a worst case scenario, if an attacker gains access to the encrypted password database and the pass phrase, it is relatively easy to read all the passwords.

In the second approach, we "hash" the password to create a message digest and store the digest. It is impossible to derive the input password from the digest, i.e. it is a one-way conversion only. When the user enters the password, we apply the same hashing algorithm to obtain the message digest and then compare the digests to verify the password. There are many hashing algorithms, and they are designed to generate different digests for different input strings, i.e. for 2 different input strings/passwords they will not generate the same message digest, and to generate the same digest every time the same input is hashed. This makes the life of the attacker a bit more difficult when cracking the passwords after gaining access to the password database. But it is still not impossible. Attackers can use brute force, or if they already have the digests of a dictionary for various hashing algorithms, they might be able to crack the simple passwords first, which will reveal the algorithm. After that it is a matter of time before they can crack the rest of the passwords.

The concepts "salt" and "iteration" come into the picture here. These techniques make it even more difficult, if not impossible, for an attacker to crack the passwords.

The salt

A salt is nothing but a sequence of bytes (typically 6 to 16 bytes) of random data. This data is added to the password and the two are hashed together into a digest. There are 2 types of salts:
  1. Fixed salt --> The same sequence of bytes is used for encrypting all passwords
  2. Variable salt --> A random sequence of bytes is generated for each password. In this case the salt will usually be stored along with the digest in plain format (i.e. un-encrypted). The attacker can easily find the salt. But he will have to attack each password separately. We are making his life more difficult, and the next technique will deliver the ultimate punch.

Iteration

Iteration refers to the number of times the hashing is applied to the password. The input password is hashed, the resultant digest is hashed again, that digest is hashed again, and this cycle continues. An iteration count of 1000 is a good level. When verifying the user password, 1000 iterations might take a few milliseconds. But imagine the case of an attacker who has managed to access the password database. Even if he knows the algorithm and has found the salt, each guess will take a few milliseconds, and it will take an eternity to crack a few passwords.
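
Variable salt and iteration combined, as an added example that is not part of the original post. It uses PBKDF2-HMAC-SHA256 from the Python standard library, a standard construction for salted, iterated hashing, rather than a hand-rolled loop; the record format (iterations$salt$digest) and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000    # the iteration count suggested in the text; the work factor
SALT_BYTES = 16      # upper end of the 6 to 16 byte range given in the text


def make_record(password, salt=None, iterations=ITERATIONS):
    """Return the string to store: iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)      # variable salt: fresh random bytes per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Recompute the digest with the stored salt and count, then compare."""
    iterations, salt_hex, _digest_hex = record.split("$")
    candidate = make_record(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, record)   # constant-time comparison


def needs_rehash(record, policy_iterations=ITERATIONS):
    """True when a record was made with fewer iterations than the current policy."""
    return int(record.split("$")[0]) < policy_iterations


if __name__ == "__main__":
    # Constructed sample data: two users who happen to pick the same password.
    alice = make_record("correct horse")
    bob = make_record("correct horse")
    fixed = b"\x00" * SALT_BYTES           # a fixed salt, for contrast
    print("variable salt, records differ:", alice != bob)
    print("fixed salt, records identical:",
          make_record("correct horse", fixed) == make_record("correct horse", fixed))
    print("verify:", verify("correct horse", alice), verify("wrong guess", alice))
    print("old record needs rehash:", needs_rehash(make_record("pw", iterations=100)))
```

Storing the iteration count inside each record is what lets the count be raised later: records made under an older count still verify, and needs_rehash marks them for an upgrade at the next successful login.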

Friday, June 8, 2012

iptables Basics


iptables is a Linux utility for packet filtering. In a nutshell, it examines each network packet against the rules defined in a table and then decides the action to be taken on that packet.
There are multiple levels in iptables to deal with different scenarios. The highest level is tables, followed by chains and then rules. There are some predefined tables and the user can also setup their own tables. But for basic usage, the predefined tables are more than enough. Following are the tables:
  1. filter ( the default table ), as the name suggests used to filter out packets
  2. nat
  3. mangle
  4. raw
  5. security
As can be seen from the names, different tables are needed for different purposes. In this tutorial we are only going to learn about the filter table.
The next level is chains. Each of the above tables contains multiple chains. There are some built-in chains and there can also be user-defined chains. The filter table contains the following built-in chains:
  1. INPUT --> Rules under this chain will be applied to the incoming packets
  2. OUTPUT --> Rules under this chain will be applied to the outgoing packets
  3. FORWARD --> For packets being routed through this box
Each of these chains contains a set of rules, and each rule specifies a "target", which is the action to be performed on each packet that matches the given rule. The target can be a user-defined chain or one of the following pre-defined values:
  1. ACCEPT
  2. QUEUE
  3. DROP
  4. RETURN
When a packet is received, the kernel determines the appropriate table and chain. Then the kernel checks the packet against each rule in the chain. If a match is found then the target is executed and the check stops there, unless the target is another chain.
Now, let's look at some example commands.

  •  sudo /sbin/iptables --line-number --list
Lists the currently defined tables, their chains and rules under them
  •  sudo /sbin/iptables -A INPUT -j REJECT
Adds a rule to the chain INPUT on the default table filter, to reject all incoming packets. The -j option stands for jump to target. Print the list using the previous command and note down the rule number.

  • sudo /sbin/iptables -D INPUT  1
Deletes the above rule number 1 on INPUT chain on default table filter.

  • sudo /sbin/iptables -I OUTPUT 1 -p tcp --dport 80 -j ACCEPT
Above command inserts a rule on chain OUTPUT, table filter on position 1, to allow all outgoing http connection requests.
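
Because the check stops at the first matching rule, the position of a rule decides whether it is ever reached, which is the practical difference between -A (append) and -I (insert). The following Python code is an added example, not part of the original post and not iptables code: a simplified model of chain traversal in which rules match only on the fields they name. The ruleset and the packets (port 22 inbound) are constructed for the illustration.

```python
TERMINAL = {"ACCEPT", "DROP", "REJECT", "QUEUE"}   # targets that end traversal


def traverse(chains, name, packet):
    """Return the first deciding target in chain `name`, or None if nothing decides."""
    for rule in chains[name]:
        # A rule matches when every criterion it names equals the packet's field.
        if any(packet.get(k) != v for k, v in rule["match"].items()):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target                      # the check stops at the first match
        if target == "RETURN":
            return None                        # hand control back to the calling chain
        result = traverse(chains, target, packet)   # jump into a user-defined chain
        if result is not None:
            return result
    return None


def verdict(chains, policy, chain, packet):
    """A built-in chain falls back to its policy when no rule decides."""
    return traverse(chains, chain, packet) or policy[chain]


def add_rule(chains, chain, match, target, position=None):
    """position=None models `iptables -A`; a 1-based position models `iptables -I`."""
    rule = {"match": match, "target": target}
    index = len(chains[chain]) if position is None else position - 1
    chains[chain].insert(index, rule)


def demo():
    """Constructed ruleset: reject everything inbound except TCP port 22."""
    policy = {"INPUT": "ACCEPT"}
    allow = {"proto": "tcp", "dport": 22}
    appended, inserted = {"INPUT": []}, {"INPUT": []}
    for chains, position in ((appended, None), (inserted, 1)):
        add_rule(chains, "INPUT", {}, "REJECT")            # -A INPUT -j REJECT
        add_rule(chains, "INPUT", allow, "ACCEPT", position)
    ssh, http = dict(allow), {"proto": "tcp", "dport": 80}   # sample packets
    return (verdict(appended, policy, "INPUT", ssh),     # ACCEPT sits behind REJECT
            verdict(inserted, policy, "INPUT", ssh),     # ACCEPT is rule 1
            verdict(inserted, policy, "INPUT", http))


if __name__ == "__main__":
    print(demo())
```

In the appended ruleset the ACCEPT rule is listed but never evaluated, so reviewing a ruleset means reading it in order with --line-number rather than checking that a rule exists.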


Following table summarises some of the frequently used options



iptables command switch --> Description
-t <table> --> If you don't specify a table, then the filter table is assumed. As discussed before, the possible built-in tables include: filter, nat, mangle
-j <target> --> Jump to the specified target chain when the packet matches the current rule.
-A --> Append rule to end of a chain
-F --> Flush. Deletes all the rules in the selected table
-p <protocol-type> --> Match protocol. Types include icmp, tcp, udp, and all
-s <ip-address> --> Match source IP address
-d <ip-address> --> Match destination IP address
-i <interface-name> --> Match "input" interface on which the packet enters.
-o <interface-name> --> Match "output" interface on which the packet exits



Common TCP and UDP Match Criteria

Switch --> Description
-p tcp --sport <port> --> TCP source port. Can be a single value or a range in the format: start-port-number:end-port-number
-p tcp --dport <port> --> TCP destination port. Can be a single value or a range in the format: starting-port:ending-port
-p tcp --syn --> Used to identify a new TCP connection request. ! --syn means not a new connection request
-p udp --sport <port> --> UDP source port. Can be a single value or a range in the format: starting-port:ending-port
-p udp --dport <port> --> UDP destination port. Can be a single value or a range in the format: starting-port:ending-port

Friday, June 1, 2012

Security and Encryption Buzz words

Encryption systems generally belong to one of the below 2 categories.

Symmetric-key encryption

The same key is used for encryption and decryption.

Public-key encryption

Also called asymmetric-key encryption. Public and private key pairs are used for encryption and decryption. As the name implies, the public key is shared and the private key is kept secret.

Data Encryption Standard (DES)

The first major/popular symmetric-key algorithm. It uses a 56 bit key. This is too weak for modern computer systems, so it is no longer considered secure.

Advanced Encryption Standard (AES)

The replacement for DES, as it uses up to 256 bit keys. It is generally believed that this is a secure enough system for the near future.

Pretty Good Privacy (PGP)

A very popular encryption program that implements public-key encryption.

GNU Privacy Guard (GPG)

Another popular encryption program that implements public-key encryption. PGP and GPG are interchangeable, i.e. text that is encrypted in PGP can be decrypted using GPG with the correct key and vice versa. Only the licensing terms seem to differ between PGP and GPG.

Secured Socket Layer (SSL)

A cryptographic protocol that provides secure communication between computers, typically a client and a server.

Secure Shell (SSH)

A standard for connecting to a remote computer over a network in a secure way. There are multiple implementations, with openssh being the most popular one.

Transport Layer Security (TLS)

The successor of SSL.

Wired Equivalent Privacy (WEP)

A security algorithm for wireless networks. This is now considered to be weak and has since been replaced by WPA.

Wi-Fi Protected Access (WPA)

WPA and WPA2 are two security protocols developed to secure wireless computer networks. They are considered to be strong and are recommended for personal/home networks.

Saturday, August 13, 2011

Secure remote connection without password

If you use ssh, scp and/or rsync very often and are annoyed at entering the password every time, then this information is for you.
Execute the following command from your host machine as the usual user. This will generate a public-private key pair for this user on that host.
ssh-keygen
The keys will by default be created under ~/.ssh and are usually named id_rsa (private key) and id_rsa.pub (public key).
Now the public key can be copied to any number of remote computers, and all further secure log-ins to those hosts will not prompt for the password.
ssh-copy-id user@machine

Friday, May 27, 2011

Perl command line execution

The following parameters are very important when executing perl commands from the command line. The general format is:

perl <options> -e '<perl commands>' <input file>

The following options are very important.

-i.bak ==> Reads the input file and backs it up (as <filename>.bak), and all the output will be written to the input file. The backup extension can be customised. However, this option is useful only when used with the options below.

-n ==> Each line of the input file is passed to the expression as $_.

-p ==> Same as -n. Each line of the input file is passed as $_ to the expression, and an implicit print $_ is added at the end of the expression. If the expression modified $_ (search & replace, for e.g.) then the modified string will be written.

Ideally, -p or -n will be used along with -i.
For e.g. I have my input file
>cat temp.txt
1
2
3
4
5
>perl -n -e 'print "My $_"' temp.txt
My 1
My 2
My 3
My 4
My 5
>perl -p -e 'print "My $_"' temp.txt
My 1
1
My 2
2
My 3
3
My 4
4
My 5
5
>perl -pi.bak -e 's/1/ONE/' temp.txt
>cat temp.txt
ONE
2
3
4
5
>cat temp.txt.bak
1
2
3
4
5


Saturday, April 16, 2011

Effectively using history command

    1) To display timestamp with commands  
    # export HISTTIMEFORMAT='%F %T '
    # history
    2) To search the command line history, press Ctrl + R and start typing the command. The closest match from the history will be displayed. When the expected command appears press enter to execute. Press the right arrow to select the command and start editing. 
    3) To execute a particular command from history, find out the command number. The command number can be found in the leftmost column when the history command is executed. Then type !<command number>. For e.g. !5 to execute the command with number 5.
    4) To execute a previous command from history that starts with a particular word, type !<starting few letters of the command>. Then the most recent command that starts with those letters will be executed.
    5) By default the history file is stored in ~/.bash_history
    6)  To avoid duplicates in the command history
    export HISTCONTROL=ignoredups