
Network Security tutorial CT037-3-2

Linux Security
1. What type of access control model is Linux based on?

Ans: Discretionary Access Controls (DAC)

2. What are two different types of subjects in this model?

Ans: Users and processes (aka programs and applications)

3. What are the three different types of objects in this model?

Ans: Some possible answers: files, directories, named pipes, special files, symbolic
links, hard links, device files.

4. On Linux systems, what does the sticky bit do?

Ans: The sticky bit limits users' ability to delete things in a directory by only allowing
an object’s user-owner or its parent directory’s user-owner to delete that object,
regardless of the directory or object’s group ownerships.

5. What effect does the “setuid” have on files? On directories?

Ans: A file with setuid on/set will, if executed, run with the privileges of its user-owner.
Setuid has no effect on directories.

6. What effect does “setgid” have on directories? On files?

Ans: A file with setgid on/set will, if executed, run with the privileges of its group-owner.
If a directory's setgid bit is enabled, each object created in that directory
will have the same group-owner as the directory, regardless of who creates the
object.
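Questions 4 to 6 above describe the three special permission bits; the script below is an added example (not part of the tutorial) that decodes them from a raw `st_mode` value, states their effect for a file versus a directory as the answers above describe, and walks a tree with `lstat` to list every object carrying one of them, which is the usual defender's audit for stray setuid binaries. The `find_special` and `demo` names are the example's own.

```python
import os
import stat
import tempfile


def special_bits(mode: int) -> dict:
    """Decode the setuid, setgid and sticky bits from a raw st_mode value."""
    return {
        "is_dir": stat.S_ISDIR(mode),
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
        "sticky": bool(mode & stat.S_ISVTX),
    }


def describe(mode: int) -> list:
    """Explain what each set bit means for this object type (file vs directory)."""
    bits = special_bits(mode)
    notes = []
    if bits["setuid"]:
        notes.append("setuid: no effect on a directory" if bits["is_dir"]
                     else "setuid: runs with the privileges of its user-owner")
    if bits["setgid"]:
        notes.append("setgid: new objects inherit the directory's group-owner" if bits["is_dir"]
                     else "setgid: runs with the privileges of its group-owner")
    if bits["sticky"]:
        notes.append("sticky: only the object's or directory's user-owner may delete entries"
                     if bits["is_dir"] else "sticky: ignored on regular files by Linux")
    return notes


def find_special(root: str) -> list:
    """Walk root with lstat (never following symlinks) and return (path, notes)
    for every object that carries at least one special bit."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable entry: skip, do not abort the audit
            if mode & (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX):
                found.append((path, describe(mode)))
    return sorted(found)


def demo() -> list:
    """Constructed sample tree: one sticky directory and one setuid file."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "shared"))
    os.chmod(os.path.join(root, "shared"), 0o1777)   # like /tmp
    open(os.path.join(root, "tool"), "w").close()
    os.chmod(os.path.join(root, "tool"), 0o4755)     # setuid executable
    return [notes for _, notes in find_special(root)]
```

Running `find_special("/usr")` on a real system lists the setuid and setgid programs an attacker would look to abuse, so the output is worth comparing against a known-good baseline after every package update.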

7. A software vulnerability for which there is no patch is called what?

Ans: Zero-day (0day).

8. What is a rootkit? Why are they hard to detect?

Ans: Either a set of standard system utilities (ls, ps, top, lsof, etc.) that behave
normally except for deliberately omitting information about an attacker's files
and processes; or a loadable kernel module (or modules) that intercepts the results
of system calls and purges them of information about an attacker's files and
processes (making the attacker's files and processes hidden to all local
applications). They are hard to detect because either type of rootkit hides itself in
addition to the attacker's other files and processes.

9. On Linux systems, what is antivirus software most commonly used for?

Ans: Linux antivirus servers most typically provide services to non-Linux clients.

10. What is dangerous about a process running as root? Your answer should describe more
than one threat scenario.

Ans: If a process running as root is compromised, then any child-processes the
attacker spawns (such as a remote shell) will also run as root. If such a process
can be used to read data, it will be able to read any local file. If such a process
spawns a process that listens on UDP or TCP ports, that process can be bound to
privileged ports (TCP 22, TCP 80, and all other TCP/UDP ports lower than 1024).
If such a process is merely sloppily coded, the impact of bug behavior may be
much greater than if the process didn’t run as root (overwriting important files,
interfering with other processes, etc.).
