Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007 Installation Manual page 901

Table of Contents

Advertisement

The permissions of the more than 200,000 files included in a SUSE Linux Enterprise
distribution are carefully chosen. A system administrator who installs additional software
or other files should take great care when doing so, especially when setting the permis-
sion bits. Experienced and security-conscious system administrators always use the -l
option with the command ls to get an extensive file list, which allows them to detect
any incorrect file permissions immediately. An incorrect file attribute does not only
mean that files could be changed or deleted. These modified files could be executed by
root or, in the case of configuration files, programs could use such files with the per-
missions of root. This significantly increases the possibilities of an attacker. Attacks
like this are called cuckoo eggs, because the program (the egg) is executed (hatched)
by a different user (bird), just like a cuckoo tricks other birds into hatching its eggs.
A SUSE Linux Enterprise system includes the files permissions, permissions
.easy, permissions.secure, and permissions.paranoid, all in the direc-
tory /etc. The purpose of these files is to define special permissions, such as world-
writable directories or, for files, the setuser ID bit (programs with the setuser ID bit set
do not run with the permissions of the user that has launched it, but with the permissions
of the file owner, in most cases root). An administrator can use the file /etc/
permissions.local to add his own settings.
To define which of the above files is used by SUSE Linux Enterprise's configuration
programs to set permissions accordingly, select Local Security in the Security and Users
section of YaST. To learn more about the topic, read the comments in /etc/
permissions or consult the manual page of chmod (man chmod).
49.1.5 Buffer Overflows and Format String
Bugs
Special care must be taken whenever a program is supposed to process data that can or
could be changed by a user, but this is more of an issue for the programmer of an appli-
cation than for regular users. The programmer must make sure that his application in-
terprets data in the correct way, without writing it into memory areas that are too small
to hold it. Also, the program should hand over data in a consistent manner, using the
interfaces defined for that purpose.
A buffer overflow can happen if the actual size of a memory buffer is not taken into
account when writing to that buffer. There are cases where this data (as generated by
the user) uses up some more space than what is available in the buffer. As a result, data
Security and Confidentiality
883

Advertisement

Table of Contents
loading

This manual is also suitable for:

Suse linux enterprise server 10

Table of Contents