Traenk's Top 10 Recommendations
Consider switching to more modern UNIX versions. Linux does a super job providing group access that also provides security. Linux also ignores most scripts with setuid/setgid bits. Mac OS X allows you to encrypt your home directory files, preventing alteration by others. Some traditional UNIX versions provide a separate UMASK setting for home directories. But sadly, some traditional UNIX versions have problems with large default groups, generous home directory permissions, and setuid/setgid bits.
Review the details behind your vendor's implementation of the /home filesystem. Does it come with permissions that allow anyone with a connection to read all files and traverse all directories? Work with your vendor to get a definitive answer why their system comes this way by default. Work to secure /home.
Now, not tomorrow, but today, learn all the services that allow access to the /home filesystem. Got FTP running? How about NFS? Do you provide WebDAV access to home directories? Is your SAMBA safe? You won't know your true directory permissions until you know all the access paths to your filesystem. See if your services open secret access.
Control any use of the /home directory for workgroups. If you must allow workgroups, have one person be the sole owner/writer of the .profile and other autoexecute files. This prevents one group member from setting a trap for other group members. Make sure that all group members are placed in a specific group and that all files are owned by this distinct group. Put the group's work in a separate filesystem, or monitor filesystem capacity. (You don't want the PC backup to fill all space and stop production work, right?)
Some application vendors put binaries and other program files into the /home filesystem. Why? What's wrong with using directories such as /usr/local/ for your application's binaries? Exert pressure and see whether application vendors will follow more traditional UNIX filesystem standards. By the same token, work with your own company's developers to keep /home directories free of production work.
Consider space-allotment restrictions on /home directories. This will discourage their use for production work or PC backup archives.
Insist on correct permissions and insist that users abide by those rules: Script a directory-permission check. Notify users when they're not in compliance with your security policies. Make sure that the script checks all access paths, including FTP, NFS, Samba shares, etc.
Know how your login process works. Know which files applications consult when starting. Applications such as ssh, Telnet, vi, and many others can store their settings in hidden files. In many cases, these become startup scripts that execute at login or every time an application starts.
Spend more time reading about UNIX security. Yes, you love UNIX for its versatility. Read more about its security to see how many ways security can be unraveled by defaults and by minor configuration mistakes, the mistakes users insist on. Do you control PATH? Are you a root user who puts a dot (.) into root's PATH? Confused why this is bad? Need an article? Respond to this article, and this and other tips will be included in future articles.
Read all you can about UNIX, especially when the writer is one of the great masters. Who are the masters? Read UNIX history and note the names. UNIX has a long history. Most problems were discovered years ago. Some vendors are slow to adopt better standards. You shouldn't be.
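One way to script the directory-permission check and the startup-file review recommended above, as an added example that is not from the original article: it flags home directories that are group- or world-writable, ones that any account can read or traverse, and startup files that someone other than the owner can write. The `STARTUP_FILES` list, the finding codes and the function names are assumptions, and the script inspects local mode bits only, not what FTP, NFS or Samba expose.

```shell
#!/bin/sh
# Added example: audit local mode bits on home directories and startup files.
# STARTUP_FILES is an assumed list; extend it for the shells and tools you run.
STARTUP_FILES=".profile .bash_profile .bashrc .login .cshrc .exrc .rhosts .ssh/authorized_keys"

# has_perm PATH BITS... -> true if PATH has any of the given permission bits set.
# Uses POSIX find -perm (no GNU/BSD stat needed); -L checks a symlink's target.
has_perm() {
    p=$1; shift
    for bits in "$@"; do
        [ -n "$(find -L "$p" -prune -perm "-$bits" 2>/dev/null)" ] && return 0
    done
    return 1
}

# audit_homes BASE -> prints one finding per line as "<CODE> <path>".
audit_homes() {
    base=${1:-/home}
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        # Group- or world-writable home: someone else can plant a startup file.
        if has_perm "$home" 020 002; then
            echo "WRITABLE_HOME $home"
        # World read/search: any account can list and traverse the directory.
        elif has_perm "$home" 004 001; then
            echo "OPEN_HOME $home"
        fi
        for f in $STARTUP_FILES; do
            [ -e "$home/$f" ] || continue
            # Files run at login or application start: owner-writable only.
            if has_perm "$home/$f" 020 002; then
                echo "WRITABLE_STARTUP $home/$f"
            fi
        done
    done
    return 0
}

# Run against the directory given on the command line, e.g. ./audit.sh /home
if [ "$#" -gt 0 ]; then audit_homes "$1"; fi
```

Run it from cron and mail each finding to the directory's owner to cover the notification step.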
Today, fewer administrators are expected to manage more machines. Customers are expected to do more as well. With all the pressure, we're all a little less likely to see the problems created by something as unimportant as home directories. With a little work and discipline, we can all work with greater results once home directories are secured. Without this effort, everyone may lose time to cleaning up a nasty hack (they're lucky if that's all the cleanup they'll have to do).
It's amazing how often information winds up in the wrong hands. Make intruders work for your precious information. Secure your home directories today!