Linux all in one desk reference for dummies, part 8

Content extracted from the document:
Book VI, Chapter 2: Securing a Linux Host

Protecting Files and Directories

A default umask of 022 is good for system security because it translates to files that have read and write permission for the owner and read permissions for everyone else. The bottom line is that you don’t want a default umask that results in files that are writable by the whole wide world.

Checking for set user ID permission

Another permission setting can be a security hazard. This permission setting, called the set user ID (or setuid for short), applies to executable files. When the setuid permission is enabled, the file executes under the user ID of the file’s owner. In other words, if an executable program is owned by root and the setuid permission is set, no matter who executes that program, it runs as if root is executing it. This permission means that the program can do a lot more (for example, read all files, create new files, and delete files) than what a normal user program can do. Another risk is that if a setuid program file has some security hole, crackers can do a lot more damage through such programs than through other vulnerabilities.

You can find all setuid programs with a simple find command:

    find / -type f -perm -4000 -print

(Older versions of find also accepted -perm +4000; current GNU find rejects that form.)

You see a list of files such as the following:

    /usr/bin/chage
    /usr/bin/gpasswd
    /usr/bin/chfn
    /usr/bin/chsh
    /usr/bin/newgrp
    /usr/bin/passwd
    /usr/bin/at
    /usr/bin/rcp
    /usr/bin/rlogin
    /usr/bin/rsh
    /usr/bin/sudo
    /usr/bin/crontab
    ... lines deleted ...

Many of the programs have the setuid permission because they need it, but check the complete list and make sure that there are no strange setuid programs (for example, setuid programs in a user’s home directory).

If you want to see how these permissions are listed by the ls command, type ls -l /usr/bin/passwd and you see the permission settings:

    -r-s--x--x 1 root root 16128 Jun 5 23:03 /usr/bin/passwd

The s in the owner’s permission setting (r-s) tells you that the setuid permission is set.
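One way to act on "check the complete list" is to compare the find output with a reviewed allowlist and flag anything else, especially setuid files in home directories. The script below is an added example, not code from the book: audit_setuid, make_demo_tree, the allowlist format, the flag names and the assumption that home directories live under /home are all illustrative, and it uses -perm -4000, the form current GNU find accepts.

```shell
#!/bin/sh
# Added example (not from the book): audit setuid files against an allowlist.
# Assumptions: home directories live under /home; the allowlist holds one
# absolute path per line; paths contain no newlines.

# audit_setuid ROOT ALLOWLIST
# Prints "<flag> <owner> <path>" (tab-separated) for every setuid file under
# ROOT that is not in ALLOWLIST. ROOT is "/" on a live system.
audit_setuid() {
    prefix=${1%/}            # "/" becomes "", so paths stay absolute
    allowlist=$2
    # -perm -4000: setuid bit set (replaces the obsolete "+4000" form)
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort |
    while IFS= read -r path; do
        rel=${path#"$prefix"}
        if grep -Fxq -- "$rel" "$allowlist"; then
            continue         # expected setuid program
        fi
        case $rel in
            /home/*) flag=IN_HOME ;;          # the "strange" case from the text
            *)       flag=NOT_ALLOWLISTED ;;
        esac
        owner=$(ls -ld -- "$path" | awk '{print $3}')
        printf '%s\t%s\t%s\n' "$flag" "$owner" "$rel"
    done
}

# Constructed sample tree standing in for a real filesystem.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin" "$d/usr/local/bin" "$d/home/alice"
    for f in usr/bin/passwd usr/bin/ls usr/local/bin/odd home/alice/helper; do
        : > "$d/$f"
    done
    chmod 0755 "$d/usr/bin/ls"
    chmod 4755 "$d/usr/bin/passwd" "$d/usr/local/bin/odd" "$d/home/alice/helper"
    printf '%s\n' /usr/bin/passwd > "$d/allowlist.txt"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
audit_setuid "$demo" "$demo/allowlist.txt"
rm -rf "$demo"
```

On a real host, run audit_setuid / with an allowlist built from a known-good installation; the owner column shows which findings are owned by root.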
Encrypting and Signing Files with GnuPG

Linux comes with the GNU Privacy Guard (GnuPG or, simply GPG) encryption and authentication utility. With GPG, you can create your public- and private-key pair, encrypt files using your key, and also digitally sign a message to authenticate that it’s really from you. If you send a digitally signed message to someone who has your public key, the recipient can verify that it was you who signed the message.

Understanding public-key encryption

The basic idea behind public-key encryption is to use a pair of keys — one private and the other public — that are related but can’t be used to guess one from the other. Anything encrypted with the private key can be decrypted only with the corresponding public key, and vice versa. The public key is for distribution to other people while you keep the private key in a safe place.

You can use public-key encryption to communicate securely with others; Figure 2-1 illustrates the basic idea. Suppose Alice wants to send secure messages to Bob. Each of them generates public key and private key pairs, after which they exchange their public keys. Then, when Alice wants to send a message to Bob, she simply encrypts the message using Bob’s public key and sends the encrypted message to him. Now the message is secure from any eavesdropping because only Bob’s private key can decrypt the message — and only Bob has that key. When Bob receives the message, he uses his private key to decrypt the message and read it.

[Figure 2-1: Alice, Bob’s public key, encrypted message (figure not reproduced)]

...