bo@Aڭ̭nQתOAӦۤ@ӺWsunDQiJڭ̪DɡA
oӺʥ]biJDڨoƪӬy{OpHAѤFӬy{A
A~|o{G
Өtξާ@OpnI
ӧA]~|AѭnpO@ADwoIܤֻA̻@@@C
ʥ]iJDy{
b
¦`ڭ̽ͨLثe[cDnO TCP/IP DA
ӵjsuOVA𫟺SH
TCP ʥ]NC
t~Aھ Server/Client suVP TCP/IP Aڭ̷|Dإߤ@iasuݭn@
Socket Pair UA
Y諸ӷPؼФ IP P port oAHϳsuݥiHQs۹諸γnWC
Wͨ쪺odzOݩ¦Abo̧ڭ̭nͪOAno TCP ʥ]QiJ Linux DWA
Mϥ port ҹnӦstΪɮרtθ귽ɡAٱongLdOH
|ҨӻApGA Linux D} WWW port 80 AȡA port 80 OѤ@ӦW٬ httpd
{ұҰʪAoӵ{]wɬ httpd.conf A Client suniJA Linux D WWW ɡA
|gLqOHWA|gLpUϪXӶqG
![Figure 1: flow of a packet entering the host](security-2.png)
Figure 1: flow of a packet entering the host
- Packet filtering: IP Filtering or Net Filter
Every packet that wants to enter the Linux host first passes through the kernel's built-in firewall, the thing called IP Filter or Net Filter; put simply, the functionality provided by the iptables software. This default Linux firewall can analyse a packet's IP, port, MAC and connection state (SYN, ACK and so on) and drop the packets you do not want. For example, if the IP aaa.bbb.ccc.ddd is a malicious source, iptables can reject every connection coming from that IP, which gives you a first line of defence. This part is covered in depth in the next chapter.
- Second layer: TCP Wrappers
After passing IP Filter, the packet is examined by the super daemon and TCP_Wrappers. What is that? Nothing more than the functionality of the /etc/hosts.allow and /etc/hosts.deny configuration files. This mechanism again inspects the TCP header, and here too you can set rules that reject or accept certain source IPs or ports, so that the packet is dropped or allowed through;
- The service (daemon) itself:
The two steps above are built into Linux; this third step belongs to each individual service. For example, in httpd.conf you can specify that certain source IPs may not use httpd to fetch the host's data, so even if that IP got through the two filters above it still cannot reach the host's resources. Note, however, that if the httpd program itself has a flaw, the client side may be able to intrude into the host through that hole in httpd without ever needing the root password! So be careful with the software you expose on the Internet, and that is why keeping packages up to date, mentioned earlier, matters so much.
- Using the host's filesystem resources:
Think about it: what is the main purpose of connecting to a WWW host over the network? Reading the host's WWW data, of course. And what is WWW data? Files! ^_^ So the final target of the packet is a request for data in the host's filesystem. Suppose the httpd program is used to fetch the file data; httpd is started by default under a system account named httpd, so the permissions on your data must allow httpd to read them. If the first three stages are set up correctly but the final permissions are wrong, users still cannot access your data.
boǨBJ~Aڭ̪ Linux Hάn鳣iٷ|䴩nɰO\A
FOv{AHKz̦bӪ~dPJIA}nRnɪߺDO@wnإߪA
רO /var/log/messages P /var/log/secure oǭɮסI
MUjDn Linux distribution jhXAXL̦ۤvnɤRMAҦp CentOS
logwatch ALӮMäoAXҦ distributions AҥHզۤvgF@ logfile.sh
shell scriptAziHbU}Uӵ{G
nFAھڳoǬy{AAıoڭ̥iHpO@ۤvDOH
D@O@G
v]wBMsBSELinux
b
¦g̭eXڭ̽ͨܦhɮv譱`NƶA
ؿ̭nO w (igJ)vAܩɮרӻA
r (iŪ) ]OD`nIӥѫe@p`
Ϥ@ڭ̤]DAȨNOѥDɮ귽 client ݨӬd\NOFC
ھڳo˪kAAiHDApGAYǤQnQŪƦbDWܡA
NӸƪv]wQYǺAŪpA
NF̰¦O@FCҥHzɮvnڡIܭnIOܡH
vn
``bWҪɭԷ|}ApGAunUF@ӫOAAtδNonswˤFI
NOGychmod -R 777 /zAoӫOiOyצMIzIOH]tΤWӴNܦhݭnQO@ơA
Ҧp /etc/shadow H /etc/passwd AרO shadow KXɮסCMYO[KLơA
LOѤFA{b PC tbӧ֤FAӺWSӦhɤO}ѱKXnA
pGA /etc/shadow QoAKKIAKXNy}FzCU@A}YǺAȪܡA
ҦpisunJ ssh Aȩ mail AȡAHiHϥΧADӵnJA
Ϊ̬OQΧADӦADWLϥΪ̪HAIɤjFI
A̡AܦhBͦbDW``wإv drwxrwxrwx ؿӴѨϥΪ̤WǸơA
obOܦMIIpGϥΪ̪\OܡALiHbnp httpd ϥΤWA
ӫإߤ@ǦMI
script
bA drwxrwxrwx ؿApGAp߶iJӥؿA
Sp߰FӴcNϥΪ̩ҫإߪ script A߱z㤤СI
t~ApGAOǮզѮvAFPPǥvq_AA|ƱPǭ̩ҤWǪƤ|QLPǩѨC
AӦpivWdHpGªǥͳqqWǨ@ؿAåBSwSvɡA
YǦPǪƥi|QѨPƻsAGOAiƷ|QYǴcNPǩҧRI
iN·ФFIҥHAv]wuܭnաI
ӰFDzΪv~AƹWثe Linux 䴩@غ٬ ACL B~v觋A
]䴩jƦw SELinux AoӤpFڭ̷|b᭱~СC
Y檺KXnʡG
ܦhϥΪ̬FKOСAѬOtκzGyޡIڪKXiiH²@IڡH
ӳ·ЪڳOIzpGzOӥitκzAAӦp^H
pGAj}KAӥiOwLaI|ҨӻApGA mail server WYӨϥΪ̱b
alex nFAL email address N|OGy alex@your.host.name zA
oӨϥΪ̥ѩϥβߺD}ALNL mail address db Internet WAҥHܦhHDo addressC
DNDA|F_ܡHIF_ܡIpGaåALQn alex HA
LNbLHnWWADAM᰽Jb alex åBJKX alex A
pGAu alex oӨϥΪ̫إߦPWKXAIt(ХxyoA)Io alex
ûLHFI
o٦noIpGA}ݳsunJAȡAaåNiHQ alex oӱbPKXӵnJADA
pGASnvWܡAzI㳡DƳQIi@FI
ҥHAzKXnܡHڥi{I
MsnʡG
ܦhBͥѩ峹YAi|ª Linux distribution ӧ@[xA
|ҨӻAϥ Red Hat 9 Ӭ[BͷQ٬O֪CpGAuQªӶi[]A
ӥBٹ Internet }AȪܡAADN|b@ѪɶQyj[zI
OH]Mn鳣Oi|}ApGASɬ}.....
ǪBͻ{GyڪKX]wY@IAӴNnFaHzuܡHڭ@@@
Ϥ@y{A
ĤTӨBJO_ϥΨ httpd oӵ{\FAU@oӵ{DH
|ҨӻA
žǶBʹgbL|쪺Q|S@pj[Sɺ|} Linux tΡA
QΪNO httpd oӳn骺|}AӤJIL{SO@HWI
ӥBL쪺iO root voIOߪI
ӥBLSJKXAϥΪJI{hO Internet WoC
bWYoӨҤlOnӪBͪ\OAӬOnjaAMɪnʡI
no}ѵ{DbӦhFApGAb̵uɶoMsܡA
ܤָӯ}ѵ{AtδN|ͮġIAD۵MN|wǡC
ӳoӰDbҦ@~tΤWOsbI Windows tΤ]OCӤ륲nXL̪M{ɡA
_h@˷|QΤJIڡIL Linux M|}ɭn֦hFI
SELinux
Distributions built on the newest Linux 2.6 kernel now enable by default a kernel module named SELinux, which has to be loaded when the kernel boots. What is it? SELinux is short for Security Enhanced Linux. It is not a stand-alone piece of software but a module that applies much stricter rules to filesystem permissions. Traditional Linux permissions consist of three identities (owner, group, others) and three permissions (r, w, x); in practice that combination cannot adequately control the behaviour a daemon needs when it accesses data, which is why SELinux, with its finer-grained control over file permissions, was developed. Because SELinux is essentially an extra layer of permission settings on the filesystem, using it requires a clear understanding of the Linux filesystem and of basic operating-system concepts; otherwise many services will be unable to use system resources correctly and will fail to access data. For someone setting up Linux for the first time we therefore suggest leaving SELinux aside and tuning it only once you know Linux well. In other words, if you do not disable SELinux you must configure its file-permission rules in addition to everything else, or services may fail to start. To disable SELinux, do the following:
1. Edit /etc/selinux/config:

```shell
[root@linux ~]# vi /etc/selinux/config
# change the setting below to:
SELINUX=disabled
```

2. Edit the grub boot configuration:

```shell
[root@linux ~]# vi /boot/grub/menu.lst
.....(omitted).....
kernel /boot/vmlinuz-2.6.9 ro root=/dev/hda1 rhgb selinux=0
.....(omitted).....
```

3. Reboot:

```shell
[root@linux ~]# sync; reboot
```
Because SELinux is loaded at boot time, disabling it likewise requires a reboot. Also note that on a default installation of a recent distribution SELinux is almost always enabled; follow the steps above to disable it and then reboot. If you want to know what SELinux actually does, the links below are worth a look:
In the previous section we said that permissions on a Linux system are very important, but traditional permissions only know three identities and three permissions, set for users and groups with chmod, umask, chown and chgrp. When you need finer-grained settings, for example opening a directory to one specific user, the traditional owner/group/others scheme cannot do it. Fortunately we have ACL. What is it? Let's talk about it:
What is ACL?
ACL stands for Access Control List. Its purpose is to provide finer permission settings beyond the traditional read, write and execute permissions for owner, group and others. ACL can grant r, w, x permissions to a single user on a single file or directory, which is very helpful whenever special permissions are needed. Because ACL is an extension of the traditional Unix-like permission model, the filesystem has to support it. The major filesystems all do, including ReiserFS, EXT2/EXT3, JFS and XFS. SuSE enables ACL by default, whereas CentOS does not, so the first thing to do before using ACL is to enable support on your filesystem.
Which aspects can ACL control permissions for? Mainly these:
- user: set permissions for a specific user;
- group: set permissions for a specific group;
- default attribute (mask): the default permissions that apply to new files and directories created under that directory.
Now let's check that your filesystem can support ACL.
How to enable ACL
Making a filesystem support ACL is very simple. For /home, for example:

```shell
[root@linux ~]# mount -o remount,acl /home
[root@linux ~]# mount | grep /home
/dev/hda5 on /home type ext3 (rw,acl)
```
See the acl in the mount output? If that line does not show it, your filesystem cannot support ACL and you will not be able to do the exercises in the next section. To have the filesystem support ACL from boot, just edit /etc/fstab and change the line to look like this:

```shell
[root@linux ~]# vi /etc/fstab
/dev/hda5 /home ext3 defaults,acl 1 2
```

Add acl to the mount options and ACL will be supported from the next boot. Simple, isn't it? ^_^
ACL setting tools: getfacl, setfacl
Your filesystem now supports ACL; how do you set and inspect ACL entries? Two commands are all you need:
- getfacl: read the ACL entries of a file or directory;
- setfacl: set ACL rules on a directory or file.
Let's see how setfacl is used:

```shell
[root@linux ~]# setfacl [-mxdb] rule filename
```

Options:
-m: set an ACL rule;
-x: remove one ACL rule;
-b: remove all ACL rules;
-d: set default ACL rules; only meaningful for directories.
The most used option is -m, which defines one ACL rule. How is the rule written? There are three simple forms, for a user, for a group and for the default permission (mask):

1. For a specific user
   Rule format: u:[account]:[rwx]
   For example, to give the user dmtsai rx permission:

```shell
[root@linux ~]# setfacl -m u:dmtsai:rx somefilename
```

2. For a specific group
   Rule format: g:[group name]:[rwx]
   For example, to give the group users rw permission:

```shell
[root@linux ~]# setfacl -m g:users:rw somefilename
```

3. For the default permission (mask), similar in spirit to umask
   Rule format: m:[rwx]
   For example, to set the default permission to rwx:

```shell
[root@linux ~]# setfacl -m m:rwx somefilename
```
Now that you know the syntax, let's try it for real. Assume:
- you have already enabled ACL support on the separate /home partition;
- under /home there is a directory named project;
- the directory belongs to the user eric and the group users, with a default mode of 770;
- a user named jordan, whose group is also jordan, wants to work inside the project directory, i.e. jordan needs w permission there;
- a user named tip, the students' teacher, whose group is also tip, wants to enter the directory to read all the files but must not be able to delete or create anything, i.e. tip must not have w permission.
With traditional Linux permissions, to achieve this you would have to add both jordan and tip to the users group, but jordan needs w permission to work in the directory while tip may only read, so tip must not have w. Done that way, the goal cannot be met. With ACL we simply set permissions for the two users tip and jordan individually. The procedure can go like this:
1. Create the directory and set the basic permissions:

```shell
[root@linux ~]# mkdir /home/project
[root@linux ~]# chown eric:users /home/project
[root@linux ~]# chmod 770 /home/project
[root@linux ~]# ls -ld /home/project
drwxrwx--- 2 eric users 4096 Sep 5 15:54 /home/project/
# The directory now exists with the required owner, group and mode.
```

2. Give jordan permission to use it (he needs w):

```shell
[root@linux ~]# cd /home
[root@linux home]# setfacl -m u:jordan:rwx project
[root@linux home]# getfacl project
# file: project <== the first three lines are the traditional Linux attributes of this file
# owner: eric
# group: users
user::rwx <== note: this is the permission of the "default user" (the owner)
user:jordan:rwx <== this is the entry for jordan
group::rwx <== this is the permission of the "default group"
mask::rwx <== this is the default attribute (mask)
other::---
# The eight lines of output above are explained in detail below.
[root@linux home]# ls -ld project
drwxrwx---+ 2 eric users 4096 Sep 5 15:54 project
# Look: an extra "+" mark at the end of the permission string!
```
getfacl displays the ACL entries of a file name. The eight lines of output are read as follows:
- Lines 1-3: the file's traditional Linux attributes, i.e. owner, group and file name, each line prefixed with #;
- Every following line has the format:
  [target type (user, group, ...)]:[account]:[rwx]
  where the target type is one of:
  user: a user
  group: a group
  mask: the default permission
  other: users other than the owner and the group
  If the account field is empty, as in user::rwx, the entry refers to the default user (the owner).

The three fields are separated by ":".
- Line 4, user::rwx: there is nothing between the two colons, so this entry is for the default user, i.e. the owner of this directory, eric, whose permission is rwx;
- Line 5, user:jordan:rwx: the user jordan has rwx permission on this directory;
- Line 6, group::rwx: no group name, so this is the default group, users, whose permission is rwx;
- Line 7, mask::rwx: the default mask is rwx; what the mask is for is explained below;
- Line 8, other::---: the permission for everyone not named above.
Now, as soon as jordan enters /home/project he has rwx permission there, without having to join the users group. Nice, isn't it? And how can you tell that a file name carries extra ACL entries? Look at the last output above: the permission field of /home/project shows "drwxrwx---+", and that extra "+" means the file name has additional ACL entries. Next, tip is handled the same way, with ACL:
3. Set the permissions for the user tip:

```shell
[root@linux home]# setfacl -m u:tip:rx project
[root@linux home]# getfacl project
# file: project
# owner: eric
# group: users
user::rwx
user:tip:r-x <== one more line appears
user:jordan:rwx
group::rwx
mask::rwx
other::---
```
With that, tip can only enter the directory and read; no write operations are possible. Convenient, isn't it? Once you understand ACL, you can apply it to any directory on your system that needs special permission settings, which gives you far more flexibility.
ACL mask
That is how an ACL entry is set, but you still need to understand what the mask in an ACL means. In the small example above we never set the mask. The mask is ANDed with the user's permission, and only the result is the effective permission. For example, if you want everyone to be temporarily limited to reading your directory, with no writing, you can set the ACL mask to rx and nothing else has to be changed for the other users. Look at this example:
```shell
[root@linux ~]# cd /home
[root@linux home]# setfacl -m m:rx project
[root@linux home]# getfacl project
# file: project
# owner: eric
# group: users
user::rwx
user:tip:r-x
user:jordan:rwx #effective:r-x
group::rwx #effective:r-x
mask::r-x
other::---
```
The output above is exactly what getfacl prints, nothing has been edited. ^_^ jordan originally had "rwx", but the mask is only "r-x", so only the intersection of the two takes effect; that is what is called the effective permission. jordan therefore ends up with only rx. Now do you see what the mask is for?
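The effective-permission rule just described (a named user's or the group's entry is ANDed with the mask, while the owner and other entries are not) as an added shell example; this is not code from the original page. It feeds a constructed getfacl listing that mirrors the /home/project case after "setfacl -m m:rx project" through a small function that reproduces the #effective: annotation, so you can see the computation rather than just the result.

```shell
#!/bin/sh
# Added example (not from the original page): compute ACL effective permissions.
# getfacl prints "#effective:" when a named-user or group entry is narrowed by the
# mask; this reproduces that computation (bitwise AND of two rwx triplets) in sh.

# and_perm PERM MASK -> prints the effective triplet, e.g. and_perm rwx r-x -> r-x
and_perm() {
  p=$1; m=$2; out=""
  i=1
  while [ "$i" -le 3 ]; do
    pc=$(printf '%s' "$p" | cut -c"$i")
    mc=$(printf '%s' "$m" | cut -c"$i")
    if [ "$pc" != "-" ] && [ "$pc" = "$mc" ]; then out="$out$pc"; else out="$out-"; fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# acl_mask ACL_TEXT -> prints the mask triplet (rwx if the listing has no mask entry)
acl_mask() {
  m=$(printf '%s\n' "$1" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
  printf '%s\n' "${m:-rwx}"
}

# annotate_acl ACL_TEXT -> re-emits the listing, appending "#effective:XXX" to each
# entry the mask narrows. The mask applies to named users (user:NAME:), the owning
# group (group::) and named groups; user:: (owner) and other:: are never masked.
annotate_acl() {
  mask=$(acl_mask "$1")
  printf '%s\n' "$1" | while IFS= read -r line; do
    case $line in
      user:?*:*|group:*)
        perm=${line##*:}
        eff=$(and_perm "$perm" "$mask")
        if [ "$eff" != "$perm" ]; then
          printf '%s #effective:%s\n' "$line" "$eff"
        else
          printf '%s\n' "$line"
        fi ;;
      *) printf '%s\n' "$line" ;;
    esac
  done
}

# Constructed sample: the page's /home/project after "setfacl -m m:rx project"
SAMPLE_ACL='# file: project
# owner: eric
# group: users
user::rwx
user:tip:r-x
user:jordan:rwx
group::rwx
mask::r-x
other::---'

annotate_acl "$SAMPLE_ACL"
```

Running it prints the listing with "#effective:r-x" on the jordan and group lines and nothing on the tip line, which already fits inside the mask. To check a real directory, replace SAMPLE_ACL with the output of getfacl on that path.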
pGADQJIܡAӧA]ѩAѨDʱݭnAҥHb̵uɶo{@ƥA
ӦpwoӳQJIDӭ״_HpGAn״_ܡAAoӺޤHٻݭnB~ޯH
Uڭ̴Nӽͤ@͡C
ޤHB~ޥP
qe@p`RAz|o{ٯuO֪ALݭn@~tΦ@w{תxA
{ǪB@ (process) PvAhݭnAѡI_hN·ФFIF@~tΪ~A
̺ٻݭnԣSޥOHMݭnڡI
@Ḏ`oͰDpA
Oѡy~ΩҲͪzAҥHڡAAuަnDӤwOySkDzաI
UNӽͽͧAٻݭnԣޥOH
AѤOݭnO@eG
ڪѧoA٭nDOݭnO@rHISANOpIѭڭ̪DDJIkA
AѡAunHbzDeAƳi|o͡I]ApGzD۷nA
СynHaIzziHѦҤ@UiJ|byiȡz̭nѨ@qƪxסI ^_^""
w«( Black hats )JIG
oiO}AO«ȧrIoO]쥻b赓qvAaHO¦UlA
ҥHeH̴Nٺ̬ Black hats աIbwo譱̮ɡAFYިnJ~A
ٻݭnSO쥻zDHINڭ̤pӻAnHnBʹNHKLաI
LnwKXOLbۦPnOAzNLIHaΥLKXnJzDAï}azDA
iNovFIpGOj~ܡAuϥκɡA]nŪOI ^_^
DҦwơG
SnAFhߡA٬OhߡIJӪRnɡA``Wݬݳ̷swqiAoO̰¦I
٥]tFḨ֪tקsDMI]AV֧szMANV֥iH«ȪJII
WhqwG
o·Ф@ǰաI]zݭn_մզAաIHǫΤƪw]wI
OHnoOApGzWhqwoӦhɭԡA
@Ӹƫʥ]NngLVhd~৹㪺qLAHiJDIKKI
oiO۷OɶI|yDįणISOdNo@IOI
Yɺ@zDG
N軡AzݭnHɺ@zDA]A𤣬O@g]wNΦbALFI
]AAYKA]||}IoǺ|}]AWh]w}BQθsJINB
Qαz³n骺AȺ|}IҥHAݭnYɺ@zDrIo譱FR log files
~A]iHǥѧYɰӶioӤu@IҦp PortSentry NOZ@MnOI
}nШ|Vmҵ{G
OҦHOqAרM{bTzOMܦh||JqèrI
oӮɭԡAnoOAڭ̹q`SӦhWdApGLΤqhaƫH
ɭ٬OLߪҥHAݭnSOШ|Vmҵ{rIo]OqݭnުD]@I
ƥpeG
ѦAHi֧rIHDɭԷ|ja_Bڭ̤]DɭԷ|Mwбh
ҥHAƥpeO۷nI~AjSH|LDO 100% waI
pGAtγQJIAyƪlɡAAnp_ADڡHI@Ө}nzHA
LɵL卖|i歫nƪƥIܭnڡI
o@аѦҤ@U
¦Dz߽g
Linux DƥeaI
ѫݳsuA SSH `]|@ӫܴΪ rsync uAziH@@I
JI_u@
ҿסyʱK@zڡAHOA`|Ҽ{gpAU@zDN]oy@zɭPQJIFA
ӫHѤWAڭ̪Dy차zOYA]L|bztΤU}ӫ(Back
door)̥iHnJzDAӥBٷ|«z Linux W{Az䤣Ӥ차{IH
ܦhBͳߺDy
ϥunN root KX^ӴNnFz
o˪[IAƹWAˤ@D٬OQ~MIڡIҥHA
U@zDQJIFA̦nk٬OyswLinux z|bI
Ӧpsw˩OHܦhBͤ@AawˡAo@AaQJI㬰OH]LSyOаVzڡII
Uڭ̴Nӽͤ@͡A@QJIDӦp״_nH
- ߧYްuG
JMo{QJIFAĤ@ƱNO\I\²檺@k۵MNOޱuFI
ƹWAu̥Dn\ణFO@ۤv~A٥iHO@P쪺LDCOH|ӳ̪
(2003/08) ofefrnFAL|PVP줧LDIҥHAްuA
ݪ̥ߧYNLkiJz
Linux DAӥBz٥iHO@줺LDڡI
- RnɸTAjMiJI~|G
QJIAMOunsw˴NnAٻݭnB~R
yڪDo@|QJIAOpJIHzA
pGzXDIAz Linux \OߨWjFAD]|VӶVwI
ӦpGzDpXQJIi~|Asw˫AU٬OiQHP˪kJIڡI
·ЪաInFAӦpXJI~|OH
- Analyse the log files: a cracker usually gets in by exploiting a hole reachable over the network, so analysing the main log files can reveal the attacker's IP and the likely vulnerability. Look at /var/log/messages and /var/log/secure, and use the last command to find out who logged in recently.
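As an added example of the log analysis this step calls for (not code from the original page), the functions below pull the failing source addresses, the accounts that were tried, and the successful logins out of sshd lines in /var/log/secure format. The log lines are constructed for the example and use documentation IP ranges; real syslog lines have the same shape, so the functions can be pointed at the real file with "$(cat /var/log/secure)".

```shell
#!/bin/sh
# Added example (not from the original page): summarise sshd login attempts from
# /var/log/secure-style lines so the host owner can see which IPs were hammering
# the box, which accounts they tried, and which logins actually succeeded.
# The sample below is constructed; the addresses are documentation ranges.

SAMPLE_SECURE='Sep  5 15:54:01 linux sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Sep  5 15:54:03 linux sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Sep  5 15:54:09 linux sshd[2103]: Failed password for root from 203.0.113.45 port 51040 ssh2
Sep  5 15:55:12 linux sshd[2110]: Failed password for eric from 198.51.100.7 port 40110 ssh2
Sep  5 15:56:30 linux sshd[2115]: Accepted password for eric from 192.0.2.10 port 40222 ssh2
Sep  5 15:57:02 linux sshd[2120]: Failed password for invalid user oracle from 198.51.100.7 port 40130 ssh2'

# failed_login_ips LOGTEXT -> "count ip" per source address, most failures first
failed_login_ips() {
  printf '%s\n' "$1" \
    | sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# failed_login_users LOGTEXT -> "count user"; accounts that do not exist on the
# host are reported as "invalid:NAME", which is the usual sign of a password guesser
failed_login_users() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\1\2/p' \
    | sed 's/^invalid user /invalid:/' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# accepted_logins LOGTEXT -> "user ip" for every successful login; these are the
# entries to cross-check against the output of last
accepted_logins() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Accepted [a-z]* for \([^ ]*\) from \([0-9.]*\) port .*/\1 \2/p'
}

echo "Failed logins per source IP:";   failed_login_ips "$SAMPLE_SECURE"
echo "Failed logins per account:";     failed_login_users "$SAMPLE_SECURE"
echo "Accepted logins (user ip):";     accepted_logins "$SAMPLE_SECURE"
```

A source that fails repeatedly against accounts that do not exist is the classic brute-force signature; a successful login from an address that also appears in the failure list deserves the closest look.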
- ˬdD}AGܦh Linux
ϥΪ̱``oۤvtΤW}Fh֪AȡHڭ̻LA
CӪAȳ|}Ϊ̬OӱҥΪWjΪ̬Oի\AҥHAXztΤWAȡA
åBˬd@UCӪAȬO_|}AΪ̬Ob]wWFʥAM@Ӥ@ӪzaI
- d Internet WwqG
zLwqAѤ@U̷s|}TAwzDNbWI
- nƳƥG
DQJIAoD۷YAOH]DW۷nưڡI
pGDWSnơAsw˴NnFIҥHAQJIAˬdFJI~|A
AӴNOnƥnƤFCnFAݭӰDAOynzH
who, ps, ls OOnƶܡH٬O httpd.conf ]wɬOnơHSΪ̬O
/etc/passwd, /etc/shadow ~OnơH
IWAnӬOyD
Linux tΤW즳zAҦp /etc/passwd, /etc/shadow, WWW ,
/home ̭ϥΪ̭nɮAܩ /etc/*, /usr/, /var ؿUơANoݭnƥFC
`NGnƥ@ binary ɡA] Linux tΦw˧ӴNoɮסA~A
oɮפ]ܦiywgQ«LFzAƥoǸơAϦӳyUt٬ObI
- sswˡG
ƥFơAAӴNOsw Linux tΤFCӦbowˤA
z̦nܾAXzۤvwˮMYiAnMLwˤWhڡIMII
- M|}ɡG
OoڡAsw˧AХߧYsztήMA_h٬O|QJIաIwbLbҤUN
Internet W|}ɮMUUӡAMN_ӡAM᮳ۤvw˧tΤWAmount
CD LsAsAåB]wFAPɶiU@BJy
βݭnAzAڤ~NuWDdWI
]Twbw˧AsW Internet hsMoqɶA||SJI....
- βݭnAȡG
oӭnʤݭnAFaHIҥζV֪AȡAtηMiHQJIiʴNCC
- Ʀ^_P_Aȳ]wG
ƥƭnƻs^ӨtΡAPɱNtΪAȦAs}AЪ`NA
oǪAȪ]w̦nAT{@UAקK@Ǥ]wѼƦbYI
- sW InternetG
Ҧu@i檺thFA~N讳uWӧaI_DB@FI
gLo@sꪺʧ@AzDӷ|_bҡA٤౼HߡA
̦n٬OѦҨ𪺳]wAåBh譱Ѧ
Internet W@ǦѤ⪺gAnzDiHw@ǡI
- ڦѬOo{ڪtΩǩǪAGIyҼˡAhåiO CPU
tӤjAҥHnhˬd@UtάTCаݡAڸӥHOhˬdڪtάTH
You can use top, sar, free, ps -aux, uptime, last and many other commands to query the system's state, and then remove a rogue process with kill.
- I have heard that too many SUID files on my system let an ordinary user obtain root privileges at will. How do I find the files that carry the SUID bit?
  Because SUID is the 4000 permission bit, you can do: find / -perm +4000 (current GNU findutils no longer accepts the "+" form; use find / -perm /4000, or the POSIX form find / -perm -4000).
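An added shell example, not code from the original page, that turns the SUID search above and the earlier warning about drwxrwxrwx upload directories into a small permission audit. It builds a throwaway sample tree (a constructed layout, not a real system path) so it can be run safely; pointing the audit functions at / or /home runs the real check.

```shell
#!/bin/sh
# Added example (not from the original page): a small permission audit for the two
# things this chapter warns about, SUID executables and world-writable directories.
# A throwaway sample tree is built so the audit can run without touching the real
# system; call find_suid / and find_world_writable / for a real check.

# find_suid DIR -> paths of regular files with the set-user-ID bit, sorted.
# -perm -4000 ("all of these bits set") is the POSIX form; GNU find also takes -perm /4000.
find_suid() {
  find "$1" -type f -perm -4000 2>/dev/null | sort
}

# find_world_writable DIR -> directories anyone can write to, sorted. Directories with
# the sticky bit (like /tmp) are skipped: there users cannot delete each other's files,
# which is the failure mode the chapter describes for a plain 777 upload directory.
find_world_writable() {
  find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# make_sample_tree -> prints the path of a constructed tree holding one SUID file,
# one normal executable, one 777 directory and one 1777 (sticky) directory
make_sample_tree() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/bin" "$root/upload" "$root/tmp" "$root/home"
  printf '#!/bin/sh\necho hi\n' > "$root/bin/setuid-tool"
  chmod 4755 "$root/bin/setuid-tool"
  printf '#!/bin/sh\necho hi\n' > "$root/bin/normal-tool"
  chmod 755 "$root/bin/normal-tool"
  chmod 777 "$root/upload"      # the drwxrwxrwx upload directory the chapter warns about
  chmod 1777 "$root/tmp"        # world-writable but sticky, as /tmp is
  chmod 755 "$root/home"
  printf '%s\n' "$root"
}

# Count helpers so a caller gets a number instead of having to parse the listing
count_suid() { find_suid "$1" | wc -l | tr -d ' '; }
count_world_writable() { find_world_writable "$1" | wc -l | tr -d ' '; }

tree=$(make_sample_tree)
echo "SUID files under $tree:";                         find_suid "$tree"
echo "World-writable, non-sticky directories under $tree:"; find_world_writable "$tree"
rm -rf "$tree"
```

On a real host, compare the SUID list against what the distribution installed (e.g. a fresh copy of the package list) rather than judging each name by eye; an unexpected SUID binary in a user-writable location is exactly the kind of leftover the recovery section tells you to look for.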
- I downloaded Red Hat's update packages from a local ftp mirror and want to install them, but I worry that the package files may have been modified. How can I confirm the packages are safe to use?
  Use a simple MD5 checksum to test, e.g. "md5sum packagename", and compare the result with the MD5 value published on the original site.
- When I run "setfacl -m u:dmtsai:rwx /path/to/file" the system replies "setfacl: Operation not supported". What is the most likely cause?
  Your filesystem has not enabled ACL support, or the kernel does not support ACL. Try "mount -o remount,acl /mount_point" to see whether the filesystem can support ACL; if it still cannot, the kernel is probably too old.
- I want dmtsai to be able to use the /home/project directory (assuming /home already supports ACL) with full permissions there. How should the directory be set up?
  Besides "setfacl -m u:dmtsai:rwx /home/project" you also need "setfacl -m m:rwx /home/project", because on a directory a user's ACL permission only takes effect after being ANDed with the mask.
- Is SELinux a firewall?
  SELinux is not a firewall; it is a kernel module used to make fine-grained permission settings.
- A good password is the host's first line of defence. On a Linux system, which files hold the password file and the password rules?
  The password rules are in /etc/login.defs, and the password file is /etc/shadow.
- Briefly, how should a host that has been intruded be handled?
  Find the problem, reinstall, patch, restore. Please refer to the last section of this chapter.