UNIX Key Security
No one would order a new home security system and leave a key under the welcome mat. That just doesn't seem right. Why spend thousands of dollars, only to let an intruder in by providing access in expected ways?
Maybe you're one of those with the fake rock that hides your keyyou know, the hunk of plastic that in no way announces itself? The home security sticker warns that the alarm is ready, but the fake rock says something as well.
UNIX security is a lot like this. You have an expensive housea very costly server with all that good information on it. Okay, so far the analogy seems to work. What's as bad as leaving a key under a welcome mat? What's as obvious as those shiny key "hiding" rocks many people put out? Would you believe UNIX home directories? A lot of highly secured servers get betrayed by their user home directories.
What makes home directories so attractive to attackers? What are some things you should consider when putting the locks on your server?
Kicking users off the machine isn't an option. Helping them manage their workspaces is.
Why Secure the Home Directories?
Let's begin by remembering what home directories are and what their purpose is. Years ago, home directories were "drop-off" points. You logged in via Telnet, and the first directory accessed was yours, your home directory. Here you could configure your shell to start in set ways. You could use the storage for minor backups. You could even store a few small scripts you might need for housekeeping.
Home directories were great! The automation features made your experience convenient and predictable.
From these early beginnings, home directory use has expanded to abuse in many organizations. Home directories are used as backup media for PCs. They become shared directories for workgroups, with permissions loosened to allow users to run scriptssometimes even to modify scripts without the owner's intervention. This arrangement begins to impact our security operations.
One enterprising person at an anonymous company realized that home directory disk space was unlimited AND FREE!! He coded major portions of the company's web site in his home directory to evade internal charges. He left the company, and when his home directory was removed along with his user ID, well...
What's the consequence of this abuse? How might this extension of the home directory impact security's integrity, confidentiality, and availability?
When asked this question, many administrators automatically assume that the only reason to secure the /home filesystem is information confidentiality. The home directories have valuable information, right? You only secure them to protect the information in them. By extension, if the home directory has no information worth protecting, then it's acceptable to let those directories go whatever direction the users take them. Right?
What if there's a way to use the directory as a stepping-stone in a privilege-escalation attack? Can the attacker use one open home directory as a key to further explore the "house"?