Lab 3: Privilege Separation


Course homepage:
http://staff.ustc.edu.cn/~bjhua/courses/security/2014/labs/lab3/index.html

Lab Overview

Although a modern server does take some protective mechanisms into account, it will inevitably meet some very strong adversaries. If every server program runs as root, that is clearly far too dangerous: suppose an attacker gains control of a process in some way; that process can then do anything root can do, as root.

Privilege separation solves this problem well. Its core idea is that every component runs with the least privilege needed to do its job; reading a file, for instance, requires neither write nor execute permission.

A further layer of protection is the jail. The idea of a jail is to set up a fake, temporary root directory, so that even if a process tries something like "cd ../../../../" it cannot reach the contents of the physical root directory.

Part A: The Touchstone Web Server

Exercise 1. In order to gain deeper understanding of the internal architecture 
of the Touchstone web server, let's use gdb to debug the banksv service.

First, launch the server:

  $ sudo ./touchstone

now use gdb to attach to the banksv service:

  $ ps -a
  PID TTY          TIME CMD
  24356 pts/0    00:00:00 touchstone
  24357 pts/0    00:00:00 filesv
  24358 pts/0    00:00:00 banksv
  24359 pts/0    00:00:00 httpd
  $ sudo gdb 
  Password: (enter seed password)
  (gdb) attach 24358

Stepping through with gdb shows how the data flows, that is, how the architecture of the whole web server is organized.

Exercise 2. Finally, you will write some code. Extend the current sqlite3 user 
table, to add more information. For instance, you can add time and IP address to 
the user table, so that when one user has logged in, the web page can display the 
last login time, the current login address, etc. You may want to read some sqlite3 
documentation. 
Extend the existing web server's functionality according to the sample code; no further detail is needed here.

Part B: Jail and Jail Breaking

Exercise 3. Modify the code snippet in the browser.c to send a constructed HTTP 
request to the web server to visit /etc/passwd file. That is, you can read that 
file remotely, as follows.

  $ ./browser 80
  sock_client = 3
  Response = HTTP/1.1 200 OK

  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  ......


For example, construct the attack string like this:  GET ../../../../../../../../../../../  ...

Exercise 4. Add some code to the server.c to add chroot support. Change root 
directory from / to /jail . After this, you can compile and run the new web server:

  $ cd server
  $ make 
  $ sudo ./chroot-setup.sh
   + grep -qv uid=0
   + id 
   + rm -rf /jail
   + mkdir -p /jail
   + cp -p index.html /jail
   + ./chroot-copy.sh touchstone /jail
   + ./chroot-copy.sh httpd /jail
   ...
  $ cd /jail
  $ sudo ./touchstone

Now re-do exercise 3 to visit the file /etc/passwd. If your chroot protection works, 
your browser will behave like this (leaking no sensitive information):

  $ ./browser 80
  sock_client = 3
  Response = HTTP/1.1 200 OK

  File does not exist!

The benefit of a jail is security: even if a process is compromised and its control taken over, its range of activity is confined to one directory, so it cannot harm the whole physical filesystem. The precondition, however, is that the process does not hold root privileges; with root, it can still leap out of the jail and find the real filesystem.

Jail Breaking

Challenge! Perform the buffer-overflow attack, as you did in the lab 1, inject shell 
code into the server and execute. The primary task of the shell code is to break the 
jail. And then read or unlink the file /etc/passwd.

A jail can also be broken out of, provided the process holds root privileges.

Part C: Privilege Separation

Exercise 5. Modify your browser code to inject some shell code into the server. Your shell 
code attacks the httpd daemon and unlinks the file /db/users.db. Using a ret-to-libc attack 
can make this a little simpler. 
Breaking the jail also brings out the need for privilege separation, which we now study specifically. Exercise 5 demonstrates once more the harm of not separating privileges: users.db belongs to the banksv process, yet the httpd process can delete it. A file owned by one process should, in principle, not be deletable by another process.

Exercise 6. Modify the function in the file server.c , to set up the user and group IDs 
properly when services are launched. Think carefully about how your code can set the user 
and group IDs by setresuid(), setgroups(), and setresgid().

Set file and directory permissions to ensure that the static service cannot read the 
database files from the dynamic service, and vice versa. Try to modify the chroot-setup.sh 
to set the permission for different files. 

By giving files different permissions and processes different user IDs, each particular process can access only the particular files that belong to it.
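The chroot step of Exercise 4 and the ID-dropping step of Exercise 6, written here as an added example in C rather than the lab's own server.c: the order of the calls is what matters, and the function verifies the result instead of assuming it. The function names and the can_regain_root() check are my own; /jail is the lab's path.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc declares the setresuid()/getresuid() family only under _GNU_SOURCE; these
 * explicit prototypes keep the block compiling even if a system header was read
 * before the define above. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);
int setgroups(size_t, const gid_t *);

/* Exercise 4: confine the process to dir (the lab uses /jail). chdir("/") after
 * chroot() is essential; without it the cwd still points outside the new root. */
int enter_jail(const char *dir)
{
    return (chroot(dir) == 0 && chdir("/") == 0) ? 0 : -1;
}

/* Exercise 6: drop to an unprivileged uid/gid in the only order that works:
 * supplementary groups, then gid, then uid. Once the uid is no longer 0,
 * setgroups() and setresgid() fail, so they must come first. Real, effective and
 * saved ids are all set so the service can never switch back to root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    /* clearing supplementary groups needs CAP_SETGID, i.e. we must still be root */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* verify rather than assume: a partial drop is the classic privsep bug */
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid) return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid) return -1;
    return 0;
}

/* 1 if the process could still become root, 0 if the drop is irreversible */
int can_regain_root(void)
{
    return setresuid(0, 0, 0) == 0;
}
```

In touchstone the natural place for enter_jail("/jail") followed by drop_privileges() is each service's child process, with a different uid/gid for httpd and banksv, so that a compromised httpd holds neither root nor banksv's identity.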

Exercise 7. Compile the new Touchstone web server:

  $ make 
  $ sudo ./chroot-setup.sh
   + grep -qv uid=0
   + id 
   + rm -rf /jail
   + mkdir -p /jail
   + cp -p index.html /jail
   + ./chroot-copy.sh touchstone /jail
   + ./chroot-copy.sh httpd /jail
   ...
  $ cd /jail
  $ sudo ./touchstone

try to perform a buffer overflow attack against the web server. Can you trick the web server 
into misbehaving? Is it exploitable? 

Challenge! Perform buffer overflow attack on the Touchstone web server. Can you succeed? 
If yes, how? 

Once the jail is set up and permissions are controlled correctly, the problem that arises when a process is compromised should be solved.

