Old 09-26-2010, 10:01 AM   #1
Hi_This_is_Dev
Member
 
Registered: May 2009
Location: India
Distribution: On my PC I use RHEL, at office AIX, Solaris, HP-UX, RHEL.
Posts: 254

Rep: Reputation: 18
Security Concern on LINUX


Well, it is an ordinary discussion here. I ask questions which sometimes make IT Professionals or Gurus react in a way that instead of answering the questions they show their reactions about the World Security.

I often get responses from people who first say: "Are you sure? You want your network to be exposed to the outside world?" Blah! Blah!

I am not experimenting on a Production Server of NASA or any Security Concern Department.

Friends, there is no harm in experimenting on your personal computer or on a test computer which is isolated from the production environment.

Look at hackers! What do they do? If they don't know how security is breached then how would they come up with security measures?

If my question reads... "How to let any user perform Administrative Tasks on a Linux System irrespective of his/her privileges on that particular system?" then I would not get the right answers in the first place. They will say... "You are letting everyone destroy your system... are you sure you want to do that?"

My question is: Why should we restrict ourselves from experimenting even if it sounds weird to other people?

I give you an example where it is desirable to let an unprivileged user perform certain tasks.

You want to know if there are any employees in your office who are storing videos in their home directory and filling up the disk space to a great amount. You have a department called "Command Center or Data Center Operations or Help Desk" call it whatever you would, whose work is to monitor such activities, and you create an account "monitor" for them to monitor such activities but they are not able to do them:



Code:
[monitor@host-6-15 monitor]$ ls /home/Test/*.avi
ls: /home/Test/*.avi: Permission denied
Would you like to give them root password to perform it? Of course not! So, you create a script that searches all users' home directories for video files and reports it. You want the user "monitor" to be able to run that script without any problem / error such as "Permission denied".

Last edited by Hi_This_is_Dev; 09-26-2010 at 10:15 AM.
 
Old 09-26-2010, 10:52 AM   #2
fuubar2003
Member
 
Registered: May 2004
Location: Orlando, Florida
Distribution: SLES10/11, RH4/5 svrs, Fedora, Debian/Ubuntu/Mint; FreeBSD/OpenBSD
Posts: 63

Rep: Reputation: 26
Sounds like fun experimenting. While this doesn't answer your questions....my buddy did some security testing using this scenario:
- between his hardware firewall/dsl router and the dsl modem he placed:
- network hub (not a switch but a dumb hub)
- a test PC with 2 NIC cards, one NIC connected via cat5 twisted pair to the dumb hub with one exception:
- the cat5 cable from NIC to hub is custom with one pair missing, allowing only inbound traffic
- second NIC connected to the firewall/dslrouter
- test PC running snort and iptables firewall configured for routing certain traffic

And he used snort to view the kind of crazy traffic going by on the internet. His snort reports/logs were really interesting. They were an eye opener to all the shiat on the net.

The method he used protected his internal network as much as possible (theoretically).

You really need to plan and think this through however. Creating a honeypot is not easy and it could become host to any number of nefarious applications such as:
- spam relay
- part of a botnet
- anonymous tor server
- ?

....and many more. Once that happens you are essentially contributing to some quite evil stuff....it's irresponsible on your part if anything like that happens with or without your knowledge and it continues with or without your detection.

Hope my point there comes across. I'm not trying to be holier-than-thou but this is worth seriously considering and you shouldn't do anything w/o a plan.

Last edited by fuubar2003; 09-26-2010 at 10:53 AM. Reason: tweak
 
Old 09-26-2010, 11:21 AM   #3
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 15,105

Rep: Reputation: 2720
Quote:
Originally Posted by Hi_This_is_Dev View Post
Well, it is an ordinary discussion here. I ask questions which sometimes make IT Professionals or Gurus react in a way that instead of answering the questions they show their reactions about the World Security.

I often get responses from people who first say: "Are you sure? You want your network to be exposed to the outside world?" Blah! Blah!

I am not experimenting on a Production Server of NASA or any Security Concern Department.

Friends, there is no harm in experimenting on your personal computer or on a test computer which is isolated from the production environment.

Look at hackers! What do they do? If they don't know how security is breached then how would they come up with security measures?
Since you're saying you don't want the "blah blah" answers, then don't ask the question, and do what you want. If you ask for someone's opinion, you'll get it. If you're going to ignore advice and do what you want anyway, then why waste everyone's time asking the question in the first place?
Quote:
If my question reads... "How to let any user perform Administrative Tasks on a Linux System irrespective of his/her privileges on that particular system?" then I would not get the right answers in the first place. They will say... "You are letting everyone destroy your system... are you sure you want to do that?"

My question is: Why should we restrict ourselves from experimenting even if it sounds weird to other people?

I give you an example where it is desirable to let an unprivileged user perform certain tasks.

You want to know if there are any employees in your office who are storing videos in their home directory and filling up the disk space to a great amount. You have a department called "Command Center or Data Center Operations or Help Desk" call it whatever you would, whose work is to monitor such activities, and you create an account "monitor" for them to monitor such activities but they are not able to do them:

Code:
[monitor@host-6-15 monitor]$ ls /home/Test/*.avi
ls: /home/Test/*.avi: Permission denied
Would you like to give them root password to perform it? Of course not! So, you create a script that searches all users' home directories for video files and reports it. You want the user "monitor" to be able to run that script without any problem / error such as "Permission denied".
Wrong. If you have a "Command Center", that's where your systems admins will be. They'll have rights to do ANYTHING on ANY systems...that's their JOB. Monitoring scripts are a different matter, and (if you write/implement them correctly), can run as any user, as root, or whatever, and work correctly. Put them in CRON, schedule them to monitor your systems, and report the results to your admins, so THEY can make the decisions.

In your example, you're using video files as a 'bad' thing. What if that person is in advertising or marketing?? Those could be work-related commercials, productions, etc., that you'll then go delete, because they're video files. Report it, then let the admins make decisions.

You say "I ask questions which sometimes make IT Professionals or Gurus react in a way that instead of answering the questions they show their reactions about the World Security."...which goes to show a lack of concern about a very real problem. You THINK that you're safe, but you're not thinking about things well. Sure, your machines at that IP address are just 'test' boxes now...but are you going to reuse that address later? Same connection? Same provider?? All you've done is advertise the fact that there are systems on that connection, and trust me, they'll be watched. And unless you're going to totally erase/format ALL the systems on that test net afterwards, you're going to risk your production network if you plug ANY of them in later.

Why do you think professionals react that way, just for fun??? It should occur to you that it's for a reason, and that you ignore it at your own risk.
 
Old 09-26-2010, 12:25 PM   #4
Hi_This_is_Dev
Member
 
Registered: May 2009
Location: India
Distribution: On my PC I use RHEL, at office AIX, Solaris, HP-UX, RHEL.
Posts: 254

Original Poster
Rep: Reputation: 18
Important thing noted:

Quote:
Monitoring scripts are a different matter, and (if you write/implement them correctly), can run as any user, as root, or whatever, and work correctly. Put them in CRON, schedule them to monitor your systems, and report the results to your admins, so THEY can make the decisions.
Thanks!

By the way, I do not experiment crazy things at office. I do them at home on my PC and on http://linuxzoo.net/ which lets us use a UML which is safe to test (possibly) anything on it.

About the Videos example, I do not really need to delete them. That is just an example. In my current project, the Admin team sits in a different remote location. And, yes, I would love to bug them when there was something only they could do.

One thing which may look like a matter of "security concern" to somebody may look like fun to a hacker.


I tell you one example- a real example which an interviewer at a Navy Defense Project asked me:

Design a Web Interface that lets anybody change the network settings and restarts the network service when the new settings are submitted.

I did not dare to ask him: "Are you really going to do that in your Defense Project?"

There were some more questions like that one. I didn't know the exact answer so I was not selected. That is why I am doing crazy things to see what we can and cannot do on a Linux box.

The capability of knowing what you can do and what you can't plays an important role when you are going to do something really serious.

And one more thing, I am not upset when they say "Blah! Blah!" I rather expect a view that I can think over. Like how fuubar2003 has presented an example from his friend's experiment.

Have a nice time, sir!
 
Old 09-26-2010, 01:00 PM   #5
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 15,105

Rep: Reputation: 2720
Quote:
Originally Posted by Hi_This_is_Dev View Post
By the way, I do not experiment crazy things at office. I do them at home on my PC and on http://linuxzoo.net/ which lets us use a UML which is safe to test (possibly) anything on it.

About the Videos example, I do not really need to delete them. That is just an example. In my current project, the Admin team sits in a different remote location. And, yes, I would love to bug them when there was something only they could do.

One thing which may look like a matter of "security concern" to somebody may look like fun to a hacker.


I tell you one example- a real example which an interviewer at a Navy Defense Project asked me:

Design a Web Interface that lets anybody change the network settings and restarts the network service when the new settings are submitted.

I did not dare to ask him: "Are you really going to do that in your Defense Project?"

There were some more questions like that one. I didn't know the exact answer so I was not selected. That is why I am doing crazy things to see what we can and cannot do on a Linux box.
The answer they were probably looking for was "I wouldn't design or implement something that's so unsafe. It would put the organization at risk."
Quote:
The capability of knowing what you can do and what you can't plays an important role when you are going to do something really serious.

And one more thing, I am not upset when they say "Blah! Blah!" I rather expect a view that I can think over. Like how fuubar2003 has presented an example from his friend's experiment.

Have a nice time, sir!
There's nothing wrong with curiosity and experimentation, but the way you presented your original post seemed to suggest that you didn't CARE what anyone said, you were going to do what you wanted, and you couldn't understand why people reacted the way they did. You also really didn't spell out the parameters of your test environment, where you were doing it, or what your goals were, so it's hard for anyone to get any meaningful basis for an opinion from it.

And again....if you put up a 'test' network at home, you are advertising your IP address as being active, and having potential vulnerabilities. You're attracting attention to yourself, with home-grade/easily broken hardware.
 
Old 09-27-2010, 09:02 AM   #6
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: SlackwareŽ
Posts: 11,473
Blog Entries: 4

Rep: Reputation: 1525
Hi,

I'll add to this slurry!

When one is independently experimenting then safeguards should be stronger. Most good houses have security that will prevent damage by an experimenter like the OP has suggested.

By setting up things as the OP has suggested then opportunity is available and generally taken advantage of by knowledgeable people to use that same setup to do damage elsewhere. Guess who will be responsible for said damage? One guess now! Yes, that same person who wanted to experiment and learn how to do or prevent the same actions his/her system(s) have accomplished.

Nothing saying a LAN without Internet can be used to experiment but when you put that network on the Internet you had better be protected thus insulated and aware of what's going on.

Experiment responsibly!
 
Old 09-28-2010, 06:48 PM   #7
Hi_This_is_Dev
Member
 
Registered: May 2009
Location: India
Distribution: On my PC I use RHEL, at office AIX, Solaris, HP-UX, RHEL.
Posts: 254

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by onebuck View Post
Hi,

I'll add to this slurry!

When one is independently experimenting then safeguards should be stronger. Most good houses have security that will prevent damage by an experimenter like the OP has suggested.

By setting up things as the OP has suggested then opportunity is available and generally taken advantage of by knowledgeable people to use that same setup to do damage elsewhere. Guess who will be responsible for said damage? One guess now! Yes, that same person who wanted to experiment and learn how to do or prevent the same actions his/her system(s) have accomplished.

Nothing saying a LAN without Internet can be used to experiment but when you put that network on the Internet you had better be protected thus insulated and aware of what's going on.

Experiment responsibly!


Totally agreed, Guru!
 
Old 09-28-2010, 09:01 PM   #8
jefro
Guru
 
Registered: Mar 2008
Posts: 12,095

Rep: Reputation: 1521
People answer questions based on what they know and how they best feel they can help your issue. The two may be in conflict with what you believe you want to hear.

One should consider that once a worm or virus is in your system it may be much harder to get rid of than imagined. It may be on flash drives and disks and in routers and who knows where else.

At some point you may want to save your Kylie Minogue can't get you out of my head video.

Last edited by jefro; 09-28-2010 at 09:06 PM.
 
Old 09-29-2010, 06:48 AM   #9
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269
I think sudo will be able to help with the above issues.

As for experimenting, go right ahead ... but do be wary that you at least risk the test machine itself, I'm sure there are ways to cause physical harm to it from within.
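
An added example, not part of any post in this thread: one way to give the "monitor" account the video report from post #1 through the sudo approach suggested above, without sharing the root password. The script path, the sudoers file name and the extension list are assumptions.

```sh
#!/bin/sh
# Constructed example: report-only scan for video files, meant to be installed
# root-owned, mode 0755, at a hypothetical path /usr/local/sbin/report-videos
# and exposed to the "monitor" account with one sudoers rule:
#
#   # /etc/sudoers.d/monitor  (edit with: visudo -f /etc/sudoers.d/monitor)
#   monitor ALL=(root) NOPASSWD: /usr/local/sbin/report-videos ""
#
# The trailing "" allows the command only with no arguments, so "monitor"
# cannot point the root-run scan at other paths or pass extra options.

# Print one line per home directory: "<dir> <file count> <total bytes>".
# Nothing is deleted or changed; acting on the report stays with the admins.
report_videos() {
    base=${1%/}
    # -type f skips symlinks, so a link planted in a home directory cannot
    # redirect the scan; -xdev keeps it on the one filesystem.
    find "$base" -xdev -type f \
        \( -iname '*.avi' -o -iname '*.mp4' -o -iname '*.mkv' -o -iname '*.mov' \) \
        -exec sh -c '
            for f do
                rel=${f#"$0"/}
                # Emit only the top-level directory and the size, so odd
                # characters in file names never reach the report.
                printf "%s\t%s\n" "${rel%%/*}" "$(wc -c < "$f")"
            done' "$base" {} + |
    awk -F '\t' '{ n[$1]++; b[$1] += $2 }
         END { for (d in n) printf "%s %d %d\n", d, n[d], b[d] }' | sort
}

# Scan the fixed path only when run as the installed command, never with a
# caller-supplied directory.
case ${0##*/} in
    report-videos) report_videos /home ;;
esac
```

The monitor account then runs `sudo /usr/local/sbin/report-videos`; the same script can also run from root's crontab and mail its output to the admins, as post #3 suggests.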
 
  

