System and Network Administration

lecture in color

First, a true life story

How to set up a 'secure CGI script' or
Lessons in file protection, security, and arrogance.

The problem: your group definition script

Wanted to execute a CGI program.
CGI program modifies files.
Wanted to be able to store sensitive information.

Extenuating circumstances

CGI programs run as user web, group web.
Data files have to be writeable to user web or group web.
Scripts have to be readable to user web or group web.
Students shouldn't have direct access to scripts or data.
Want to use password authentication.
The only user who can see passwords is root.

Solution

Web server conbrio is closed to students (by use of /etc/csh.people).
Files live only on the server (in unshared space).
I'm in group web.
```
web:*:615:couch,web
```

All directories have group web, group inheritance bit set, unreadable to other.

conbrio{couch}105: cd /var/local/g/150NET
conbrio{couch}106: ls -l
total 140
drwxrws---   2 couch    web          512 Feb 10 13:30 DB
-rw-r--r--   1 couch    web          250 Feb  3 10:56 NOTES
drwx------   2 couch    web          512 Feb 10 13:29 OLD
drwxrws---   3 couch    web         1024 Feb  3 09:15 Provide
-rwxr-x---   1 couch    web         8375 Feb  9 08:57 annex.cgi
drwxr-s---   2 couch    web          512 Feb  7 18:25 bin
drwxrwsrwx   2 couch    web          512 Feb 10 13:03 locks
-rwxr-x---   1 couch    web         4552 Feb  3 09:15 register.cgi
-rw-rw----   1 couch    web        50198 Feb 10 00:25 register.txt
conbrio{couch}107: ls -l DB
total 22
-rw-rw----   1 couch    web        10576 Feb 10 13:03 students.db
conbrio{couch}108: ls -l bin
total 2
-rwsr-xr-x   1 root     faculty      515 Feb  7 18:42 getpass

So the CGI can modify files but you can't see them!
Most difficult challenge: password authentication.

Sometimes only root will do: execute a setuid program getpass:

-rwsr-xr-x   1 root     faculty      515 Feb  7 18:42 getpass

that does this:

contents of net-old/getpass...
#! /local/bin/perl 

# this setuid root script gives out passwords to processes 
# with real uid root, couch, or web and dies silently otherwise. 

exit 0 if $< != 0 and $< != 30 and $< != 13141; 
$ENV{'PATH'} = "/usr/sbin:/usr/bin"; # protect against hackers
$uid = $ARGV[0]; &untaint($uid);     # get user id to check

# run nismatch as ROOT to get password. 
open(FILE,"/usr/bin/nismatch uid=$uid passwd.org_dir|") or exit 0; 
$line = <FILE>; close FILE; chomp $line; 

# extract password
($name,$passwd,$uid,$gid,$comment,$dir,$shell) = split(/:/,$line);

# return to calling program
print "$passwd\n"; 

sub untaint { $_[0] =~ /^(.*)$/; $_[0] = $1; }
...end of net-old/getpass

So if you type

getpass 30

it prints my encrypted password.

Finally, write code that calls that setuid program:

contents of net-old/validate.pl...
# start with $login: login name
#            $password: plaintext password

# get user id for user

($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell)=getpwnam($login);
if (! defined $uid) { 
    print "You did not give a valid username.\n";
} else {
    $uid = $pw[2]; #user id is third field in /etc/password

    # get password from setuid program
    open(FILE,"/var/local/g/150NET/bin/getpass $uid|") 
        or die "can't get password: $!"; 
    my $encrypted = <FILE>; close FILE; chomp $encrypted; 

    # validate password with 'crypt' function
    # if the plaintext encrypted with the FIRST TWO 
    # characters of the encrypted password is the
    # encrypted password, we're golden!
    $salt = substr($encrypted, 0, 2);
    if (crypt($password, $salt) eq $encrypted) {
       print "Your password is correct.\n";
    } else { 
       print "Your password is incorrect.\n";
    }
}
...end of net-old/validate.pl

and knows whether you've typed your real password or not!

A study in arrogance

This worked well for me, so
I wrote a memo to all CompSci faculty explaining how to write CGI's, but
left out the part about being in group web (for 'simplicity').
This forced faculty to make their scripts world readable and their databases world writeable in order for CGI's to work.
Result: students can ftp to conbrio, and if they know where things are, can read scripts and modify databases!
Oops.......back to the old drawing board.
A solution is only as secure as its weakest link.

Basic networking concepts

Networking:

Reference: Chapter 1 of TCP/IP Network Administration

OSI Reference Model:

 +---------------------+
 | Application Layer   |  how devices agree on the meaning of data
 +---------------------+     mayor
 | Presentation Layer  |  how devices agree on the format of data
 +---------------------+     town meetings
 | Session Layer       |  how neighboring devices establish channels of info
 +---------------------+     community cable
 | Transport Layer     |  how to avoid communication errors between devices
 +---------------------+     libel suits/lawyers
 | Network Layer       |  how non-neighboring devices communicate 
 +---------------------+     gossip
 | Data Link Layer     |  how neighboring devices communicate
 +---------------------+     talking over the fence
 | Physical Layer      |  how devices are physically connected 
 +---------------------+     back fences

The _9_ layers of the OSI reference model:

 +---------------------+
 | Political Layer     |  how devices agree on what to spend. 
 +---------------------+
 | Financial Layer     |  how devices agree on what to buy. 
 +---------------------+
 | Application Layer   |  how devices agree on the meaning of data
 +---------------------+     
 | Presentation Layer  |  how devices agree on the format of data
 +---------------------+     
 | Session Layer       |  how neighboring devices establish channels of info
 +---------------------+    
 | Transport Layer     |  how to avoid communication errors between devices
 +---------------------+   
 | Network Layer       |  how non-neighboring devices communicate 
 +---------------------+  
 | Data Link Layer     |  how neighboring devices communicate
 +---------------------+
 | Physical Layer      |  how devices are physically connected 
 +---------------------+

General comments:

network devices understand layers from the BOTTOM UP.
the more levels a device understands, the more sophisticated it is and the more involved to configure.

we roughly name devices according to the level of information they can interpret.

 +---------------------+
 | Application Layer   | 
 +---------------------+ 
 | Presentation Layer  |  gateways
 +---------------------+ 
 | Session Layer       |  
 +---------------------+
 | Transport Layer     |  
 +---------------------+  routers (first to know about global address)
 | Network Layer       |  
 +---------------------+  switches (MAC (local) address layer) 
 | Data Link Layer     |  hubs, repeaters
 +---------------------+         
 | Physical Layer      |  transceivers
 +---------------------+

This set of layers acts like a STACK (protocol stack).
Each layer uses the one beneath it to communicate.
Information to be sent starts at a particular level and gets sent downward in the stack until it is sent on the physical level.

The receiver interprets the info by allowing it to propogate upward to the appropriate level.

 +---------------------+                         +---------------------+
 | Application Layer   | v                     ^ | Application Layer   |  
 +---------------------+ |                     | +---------------------+ 
 | Presentation Layer  | |                     | | Presentation Layer  |  
 +---------------------+ |                     | +---------------------+ 
 | Session Layer       | |                     | | Session Layer       |  
 +---------------------+ |                     | +---------------------+
 | Transport Layer     | |                     | | Transport Layer     |  
 +---------------------+ |                     | +---------------------+
 | Network Layer       | |                     | | Network Layer       | 
 +---------------------+ |                     | +---------------------+
 | Data Link Layer     | |                     | | Data Link Layer     | 
 +---------------------+ |                     | +---------------------+ 
 | Physical Layer      | +---------------------+ | Physical Layer      |
 +---------------------+                         +---------------------+

Typical example of layering in action:

 host        repeater    router      host
 [ App ]>    [ App ]     [ App ]    >[ App ] 
 [ Pre ]|    [ Pre ]     [ Pre ]    |[ Pre ]
 [ Ses ]|    [ Ses ]     [ Ses ]    |[ Ses ]
 [ Trn ]|    [ Trn ]    +[ Trn ]+   |[ Trn ]
 [ Net ]|    [ Net ]    |[ Net ]|   |[ Net ]
 [ Lnk ]|   +[ Lnk ]+   |[ Lnk ]|   |[ Lnk ]
 [ Phy ]+-->+[ Phy ]+-->|[ Phy ]+-->+[ Phy ]

Encapsulation:

A device can initiate transfer of information at almost any level.
A device introduces information in the form of PACKETS that it forwards to lower levels.

Each level adds its own HEADER and TRAILER and forwards the packet to the next level down.

 [ App ]                           DATA
 [ Pre ]                      PreH DATA PreT
 [ Ses ]                 SesH PreH DATA PreT SesT
 [ Trn ]            TrnH SesH PreH DATA PreT SesT TrnT
 [ Net ]       NetH TrnH SesH PreH DATA PreT SesT TrnT NetT
 [ Lnk ]  LnkH NetH TrnH SesH PreH DATA PreT SesT TrnT NetT LnkT
 [ Phy ]

The receiving device UNWRAPS the packet in the same way it was wrapped, removing info upper layers SHOULDN'T KNOW!

TCP/IP: Transmission Control Protocol/Internet Protocol

A PROTOCOL is a mechanism by which two devices communicate.

 [  ?  ]                                 Data
 [ Net ]                  [IP Addresses] Data [no IP trailer]
 [ Lnk ]  [MAC Addresses] [IP Addresses] Data [no IP trailer] [no MAC trailer]
 [ Phy ]

 OSI                     TCP/IP          TCP             UDP
 Application             Application     stream          message
 Session/Transport       Transport       segment         packet
 Network                 Internet        datagram        datagram
 Network                 Network         frame           frame

TCP: Transmission Control Protocol

stream based; handles stream dissassembly and reassembly.
connection: stateful:
- negotiation: two machines start talking
- session: continuous talking.
- closure: stop talking.
- EX: telnet.
reliable: you're assured that your data is sent.
character of ISO Session layer, though book claims ISO Application.

UDP: User Datagram Protocol

packet based.
unreliable: you have no guarantee that the packet you sent got there.
character of ISO Transport layer, though book claims ISO Application.

Let's build ourselves a network:

Physical: Thinnet, Thicknet, Twisted-Pair (10/T)
All 'Ethernet'.
Transcievers, repeaters, hubs translate between media types.

Example: our room:

 mach. room   10/T
 switch ----------- [hub] -----------------[hub]-------tcp (master server)
                   /  |  \                /  |  \
                 e11 e12 e13 ..         e01 e02 e03

Brief Practical Discussion:

thicknet(AUI):

original 'ethernet'
bulky (multi-conductor)
fragile
limited runlength
segments must be multiples of fixed length

thinnet:

coax (two conductor cable)
thin
long run-length,
vampire-taps,
segments must be on multiples of .5 meters.
BNC connectors (like video)
failure takes down network.

twisted pair:

telco-like cable (not telco),
RJ-45 connectors (like two line phones).
six conductors in cable.
robust
point-to-point
multiple failure points, isolated.
wiring cost MUCH higher.
must buy LOTS of hubs!

The link layer: ethernet.

thicknet, thinnet: 'bussed' communication (IEEE 802.3).
IEEE 802.3: standard for
- wiring
- protocol for machine-machine communication.

all machines communicate on the SAME WIRE.

  ---------+------------+----------+-----------+----------
           |            |
          machine 1   machine 2

messages on the wire are expressed as binary voltage differences between ground and a reference voltage.
each message is called an `ethernet packet'.
messages are binary streams of 1's and 0's.
each 1 or 0 is expressed by a TRANSITION in voltage (manchester encoding)
one bit 'bus'. anyone can transmit or receive on it.
to communicate, machines listen on the wire for activity. A machine starts sending a message when it THINKS the wire is free of communication between other machines.
there can be COLLISIONS due to the delay between a machine's inference that the line is free and the machine's transmission of a packet.
Messages from all machines are wire-or'd into one data stream. 0 = -V, 1 = 0v. +----------+ gnd differ by V in voltage. => no transitions +----------+ -V => nothing on wire. 0 0 +----------+ shorts V to ground, makes WHOLE bus ground.. +----------+ 0 V between wires on bus. 1 0
```
    [[[[[[[[[ is a packet. 
    -----------[[[[[[[[[------------------[[[[[[[[------------------ M1
  + -----------------------[[[[[[[[[[[------------------------------ M2
  + ---------------------------------------------------[[[[[[[[----- M3
  = -----------[[[[[[[[[---[[[[[[[[[[[----[[[[[[[[-----[[[[[[[[----- result
```
logical 'or' of packets can result in clean packet or COLLISION.

Packet structure

Each packet starts with a preamble that determines source and destination MAC addresses.
Each machine reads and writes two kinds of packets:
- BROADCASTS intended for all machines (special MAC address)
- DIRECTED PACKETS intended for one and only one machine.
Each machine reads all broadcasts and only those directed packets that are intended for that one machine. (unless you configure it differently).
EXCEPT in promiscuous mode': read EVERY packet whether or not it's for you. nice for stealing passwords.

Modern ethernet: 10/T, 100/T:

10/T: 10 MegaBits/second transmit rate
100/T: 100 MegaBit/second transmit rate
point to point.
hubs replace busses, contain complex electronics ($).
`twisted pair'

Wiring 10/T:

4 conductor phone wires, RJ-11 8 conductor jack, using only pins:

   DTE mapping: on the back of a workstation
   1  TX+             [  Transmit pair
   2  TX-             [
   3  RX+             [  Receive pair
   4  UNUSED
   5  UNUSED
   6  RX-             [
   7  UNUSED
   8  UNUSED
 
   DCE mapping: on the back of a hub or concentrator
   1  RX+             [  Receive pair
   2  RX-             [
   3  TX+             [  Transmit pair
   4  UNUSED
   5  UNUSED
   6  TX-             [
   7  UNUSED
   8  UNUSED

DTE: Data Terminal Equipment: End-user node, server node.
DCE: Data Communications Equipment: hub, router, switch, modem, etc.

Crossover:

you can always connect DTE DIRECTLY to DCE by means of a CROSSOVER cable (NULL cable) :

   1 ----- 3   (transmit to receive, receive to transmit) 
   2 ----- 6
   3 ----- 1
   6 ----- 2

Comments on all ethernet link layers:

collisions: packets get lost
protocol: complex requirements for avoiding collisions and for packet recovery when lost.
- half hardware, half software,
- usually contained on the 'ethernet board'. older: software.
lies, damn lies, and bandwidth estimates.

Collisions:

MACHINES TRY to avoid sending messages at the same time.
- look at wire
- if someone talking, desist.
- if no one talking, you can send a packet.
- if this process fails, COLLISIONS occur.
- happens when two machines find a free wire at roughly the same time.
```
    -----------[[[[[[[[[------------------[[[[[[[[------------------ M1
  + ------------[[[[[[[[[------------------------------------------- M2
  = -----------[XXXXXXXX[-----------------[[[[[[[[------------------ result
                ^^^^^^^^ collision between two packets. both packets lost
```
- collisions are DETECTED via use of CHECKSUMS:
- sum up words in message, and append sum to end of message.
- if the words you get don't sum up to the sum you get, oops!
- The result of a collision is a garbled message.
- 802.3: After a collision, BOTH MACHINES TRY AGAIN with increasing delays between tries (exponential backoff).
- This guarantees that eventually, one machine will send its message before the other can mistake the channel for blank:
- distance between packets in time is shorter than time it takes to set up communication after seeing a clear line. DETERMINES line length limits!
```
    -----[[[[[[[[---------[[[[[[[[----------------------------------
    ------[[[[[[[[------------........------------------------------
         ^^^^^^^^ sends too close for collision avoidance: oops!
                          ^^^^^^^^^ here machine 1 gets the wire 
                              ^^^^^^^^ machine 2 checks the wire, loses the race
```

lies, damn lies, and bandwidth calculations

ethernet's ADVERTISED bandwidth is 10 megabits/second.
BUT collision resolution gets completely out of hand when a wire exceeds 3 megabits/second. (30% overhead).
At 50% overhead, almost no information gets through.
Only exception: two machines connected together by an otherwise unfettered wire.
- Point-to-point CAN run at advertised bandwidth.
- HALF DUPLEX: one machine can talk at a time.
- FULL DUPLEX: both machines on a p-to-p link can talk simultaneously.
10 mbit half to 100 mbit full = x30.

RS232 (modem-to-computer) connections: also called SERIAL

DB25 connector (25 pins) or DB9 connector (PC, 9 pins)

Meant to connect a computer and a remote one through a modem:

 computer <------> modem <-------> modem <-------> computer
        DTE      DCE       phone       DCE       DTE
                           line 
 
 DCE pin map: (most common signals)               direction of signal
 1       chassis ground (shield for cable).                 ..
 2       TXD     transmit data                              -> 
 3       RXD     receive data                               <-
 4       RTS     request to send                            ->
                 (1 when terminal ready to send data)
 5       CTS      clear to send                             <-
                 (1 when ok to send it)
                 'hardware flow control' 
 7       signal ground
 8       DCD     data carrier detect                        ->
                 (1 when modem connected to another) 
 20      DTR     data terminal ready                        <-
                 (1 when terminal ready)
 
 DTE pin map: (most common signals)               direction of signal
 1       chassis ground (shield for cable).                 ..
 2       RXD     receive data                               <-
 3       TXD     transmit data                              -> 
 5       RTS     request to send                            ->
 4       CTS     clear to send                              <-
 7       signal ground
 8       DTR     data terminal ready                        <-
 20      DCD     data carrier detect                        ->

Null modems:

connect two serial devices without the modem

utilize _CROSSOVER_ cables between devices.

       1  --------  1
 TXD   2  --------  3  RXD
 RXD   3  --------  2  TXD
 RTS   4  --------  5  CTS
 CTS   5  --------  4  RTS
       7  --------  7
 DCD   8  -------- 20  DTR
 DTR  20  --------  8  DCD

RS232 speeds:

Standard bank of speeds.
300,600,1200,2400,4800,9600,19200,38400,57600,112000 bits per second (baud).
baud/10 =~ characters per second (raw rate)
each character
- starts with a start bit (1)
- has some number of data bits.
- ends with stop bit.
- possible checksum (parity) bit.
```
 101101101
         ^ stop bit
  ^^^^^^^ data bits
 ^ start bit
```
compression technologies allow one to send more.

Point-to-point protocol:

IP over RS232.
one host connected to another through serial link and optional modem.
software unwraps IP packets, sends through interface, re-wraps as IP packets on other end.
two phases in a ppp connection:
- negotiation: two computers talk to one another, figure out what to agree upon for ip addresses, compression methods, etc. Ppp uses a SYMMETRIC NEGOTIATION: either host can specify the appropriate parameters.
- link: use these agreed upon parameters and establish a link.
typical use: home internet access (to be obsoleted by Cable Modems).

Illusions:

If your modem and your computer both compress data, they work _AGAINST_ each other.
compression reduces the length of data, not content.
- compress once -> get to minimal length.
- compress again -> no gain.
This means a slowdown of compression, and decompression!