Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
"Secure Linux" Primer
Search
Toshiharu Harada / 原田 季栄
November 21, 2008
Technology
0
68
"Secure Linux" Primer
Toshiharu Harada / 原田 季栄
November 21, 2008
Tweet
Share
More Decks by Toshiharu Harada / 原田 季栄
See All by Toshiharu Harada / 原田 季栄
ジョブズは言う、「愛するものを見つけるんだ」と
haradats
0
97
メインライン化のご報告
haradats
0
110
2009年の「今」、セキュリティについて考える
haradats
0
66
Kernel Development: Drawing Lessons from Mistakes
haradats
0
320
What Does It Mean Being an Open Source Project Manager in Enterprise (Enterprise Edition)
haradats
0
160
What Does It Mean Being an Open Source Project Manager in Enterprise (Open Source Spirit Edition)
haradats
0
44
僕より少し遅く生まれてきた君たちへ
haradats
0
45
Realities of Mainlining - case of the TOMOYO Linux project -
haradats
0
55
TOMOYO Linux for Secure Embedded
haradats
0
53
Other Decks in Technology
See All in Technology
What’s new in Android development tools
yanzm
0
320
Core Audio tapを使ったリアルタイム音声処理のお話
yuta0306
0
190
使いたいMCPサーバーはWeb APIをラップして自分で作る #QiitaBash
bengo4com
0
2k
Geminiとv0による高速プロトタイピング
shinya337
1
270
KubeCon + CloudNativeCon Japan 2025 Recap Opening & Choose Your Own Adventureシリーズまとめ
mmmatsuda
0
280
American airlines ®️ USA Contact Numbers: Complete 2025 Support Guide
airhelpsupport
0
390
Operating Operator
shhnjk
1
590
Should Our Project Join the CNCF? (Japanese Recap)
whywaita
PRO
0
340
整頓のジレンマとの戦い〜Tidy First?で振り返る事業とキャリアの歩み〜/Fighting the tidiness dilemma〜Business and Career Milestones Reflected on in Tidy First?〜
bitkey
3
17k
改めてAWS WAFを振り返る~業務で使うためのポイント~
masakiokuda
2
270
20250707-AI活用の個人差を埋めるチームづくり
shnjtk
6
3.9k
開発生産性を測る前にやるべきこと - 組織改善の実践 / Before Measuring Dev Productivity
kaonavi
12
5.3k
Featured
See All Featured
Designing Experiences People Love
moore
142
24k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
107
19k
Optimizing for Happiness
mojombo
379
70k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.5k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.7k
Git: the NoSQL Database
bkeepers
PRO
430
65k
Designing for humans not robots
tammielis
253
25k
Mobile First: as difficult as doing things right
swwweet
223
9.7k
Optimising Largest Contentful Paint
csswizardry
37
3.3k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
How STYLIGHT went responsive
nonsquared
100
5.6k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
281
13k
Transcript
'SFFEPN)&$5BJQFJ ༑ف೦తߨԋ l4FDVSF-JOVYz1SJNFS 5IFNPTUVOEFSTUBOEBCMFJOUSPEVDUJPOUPlTFDVSF-JOVYz /PWFNCFS ݪాقӫ 5PTIJIBSV)BSBEB /55%"5"$03103"5*0/
*BNQSPKFDUNBOHFSPG50.0:0-JOVY 50.0:0-JOVYJTPOFPGUIFBDUJWJUJFTUPlNBLF -JOVYNPSFTFDVSFz 4FDVSJUZJTOPUFBTZUPVOEFSTUBOEOPSVTFS GSJFOEMZ CVUJU`TJOEJTQFOTBCMF *XBOUFEUPIFMQZPVTUBSUZPVSKPVSOFZCZUIJT QSFTFOUBUJPO "CPVU
USJFTUPHJWFZPVUIFWFSZCBTJT GVOEBNFOUBM JOGPSNBUJPOPO-JOVYTFDVSJUZ *USJFEUPFYQMBJOCZJNBHFTJOTUFBEPGXPSET 1MFBTFSFMBY GFFMBOEFOKPZ 5IJTQSFTFOUBUJPO
l4FDVSF-JOVYzEPFTOPUFYJTU *U`TUIFVMUJNBUFHPBMUIBUXFDBOOFWFSSFBDI 4UJMMXFDBOUSZ UIBOL-JOVTGPSNBLJOH-JOVY PQFOTPVSDF 5IFSFBSFOVNCFSPGQSPKFDUTUSZJOHUP lFOIBODF-JOVYTFDVSJUZz l4FDVSF-JOVYz
4&-JOVY 4FDVSJUZ&OIBODFE-JOVY EFWFMPQFE CZ/4"JTEJTUJOHVJTIFEBOESFTQFDUFEGSPN PUIFSBUUFNQUTUPXBSETUIFHPBM 8IBUNBLFT4&-JOVYTQFDJBM *U`TlJOUSFFz QBSUPGUIFTUBOEBSE-JOVY TPVSDFDPEF *U`TGVMMZGVODUJPOBMBOENPTUQPXFSGVM
4&-JOVY
:FT5IFSFBSFNBOZ5PNBLFUIFXPSLlJOUSFFz JTBESFBNGPSEFWFMPQFST "QQ"SNPSCZ/07&--BOE50.0:0-JOVYCZ /55%"5"$03103"5*0/BSFSFMBUJWFMZOFX -,.- -JOVY,FSOFM.BJMJOH-JTU JTUIFQMBDFUP QSPQPTFBOEEJTDVTT-JOVYQSPHSBN )PXBCPVUlPVUPGUSFFz
4NBDL 4JNQMJpFE.BOEBUPSZ"DDFTT$POUSPM ,FSOFM EFWFMPQFECZ$BTFZ4DIBVqFSJTUIF PUIFSlJOUSFFzJNQMFNFOUBUJPO :PVDBO`UVTF4&-JOVYBOE4NBDLBUUIFTBNF UJNF5IJTJTEVFUPUIFMJNJUBUJPOPG-4. -JOVY 4FDVSJUZ.PEVMFT UIFTFDVSJUZGSBNFXPSLPG
-JOVY "OZPUIFSlJOUSFFz
8IZEPXFOFFEUPlFOIBODFz -JOVYTFDVSJUZ )PXDBOUIBUCFEPOF $IBQUFS
Prologue Why do we need to enhance Linux security?
None
None
ແ
ແ
උ
DAC The owner can set the access attributes for his/her
resource. This is called DAC (Discretionary Access Control). example: % chmod 600 my_diary
ڻ
None
None
• Unfortunately, DAC can be overridden • You should set
DAC carefully, but should not trust it • When is DAC broken?
જ
None
None
root user root user is not affected by DAC. root
user is the God (if your Linux is not “security enhanced” Linux)
જ
જ
None
ዼ
setuid a process invoked by a program with setuid attribute
will be given root privilege. that’s why you can change your password stored in /etc/ shadow which is posessed by “root”.
Why he lost his bonzes?
.BOEBUPSZ"DDFTT$POUSPM l4FDVSF-JOVYzCBTJD $IBQUFS
-JOVYIBTHPPEPMETFDVSJUZDBMMFE%"$ %JTDSFUJPOBSZ"DDFTT$POUSPM #VU%"$JTOPUTV⒏DJFOU 1BSUJDVMBSMZJGTPNFPOFTUPMFSPPUQSJWJMFHFPG ZPVSTZTUFN ZPVBSFBCTPMVUFMZPVUPGMVDL l1SJWJMFHFzJTUIFLFZ -FTTPOT-FBSOFE
$PVOUFSNFBTVSFT &MJNJOBUJOHSPPUBDDPVOUBOEQSJWJMFHFTDBOOPU TPMWFUIFQSPCMFN 4PUIFJTTVFJTIPXUPMJNJUUIFQSJWJMFHFT *UIBTCFFOTUVEJFEBOEJTOPXXFMMLOPXOBT l-FBTU1SJWJMFHFzQSJODJQMF DPNNPOUPFWFSZ PQFSBUJOHTZTUFNT
."$ .BOEBUPSZ"DDFTT$POUSPM 5IFTIPSUBHFTPG%"$BOEQPUFOUJBMUISFBUT %"$DBODBVTFIBWFCFFOTUVEJFEGPSPWFS UXFOUZZFBST ."$IBTCFFOJOUSPEVDFEUPBDIJFWFUIF-FBTU 1SJWJMFHFQSJODJQMF %"$%JTDSFUJPOBSZ"DDFTT$POUSPM ."$.BOEBUPSZ"DDFTT$POUSPM
)PX."$XPSLT ."$DPOUSPMTBDDFTTSFRVFTUTJO-JOVYLFSOFM l$POUSPMzNFBOTKVEHFNFOUTUPFMJNJOBUFSFKFDU JOBEFRVBUFBDDFTTSFRVFTUT )PXDBO."$EJTUJOHVJTIJOBEFRVBUFSFRVFTUT GSPNPUIFST QMFBTFUIJOL
."$JTBUPPM ."$EPFTOPU PSDBOOPU EJTUJOHVJTI JOBEFRVBUFSFRVFTUTGSPNPUIFST *UJTBMXBZTIVNBOUPKVEHFXIFUIFSSFRVFTUT BSFBEFRVBUF OFFEFE PSOPU
l1PMJDZz "ENJOJTUSBUPSTIBWFUPUFMM."$HPPEBOECBE SFRVFTUJOUFSNTPGBDDFTTSVMFEFpOJUJPOT 5IPTFEFpOJUJPOTBSFDBMMFElQPMJDZz "QQ"SNPS DBMMTEFpOJUJPOTBTlQSPpMFTz *G."$JTBOFOHJOFPGBDBS QPMJDZJTBGVFM :PVOFFEUPNBOBHFQPMJDJFT
1PMJDZJTJNQPSUBOU ."$KVTUXPSLTBTJUXBTUPME *GZPVGPSHFUUPHJWFSFRVJSFEBDDFTT ZPVS -JOVYCPYXJMMGBJMUPTFSWF *GZPVHJWFFYDFTTJWFBDDFTT ZPVXJMMIBWFNPSF DIBODFTUPDSBDLFST
lTFDVSF-JOVYzJNQMFNFOUBUJPOTUSZUPSFKFDU JOBQQSPQSJBUFBDDFTTSFRVFTU lJOBQQSPQSJBUFzNFOT NBMJDJPVTBDDFTT DSBDLJOH NJTTPQFSBUJPO ."$JTOPUPOMZGPSTFDVSJUZ
MBCFMFETFDVSJUZBOE QBUIBONFCBTFETFDVSJUZ $IBQUFS
MBCFMWTQBUIOBNF 5IFSFBSFUXPLJOETPGJNQMFNFOUBUJPOTGPS -JOVY."$ MBCFMCBTFEBOEQBUIOBNFCBTFE
-BCFMCBTFE4FDVSJUZ EFpOFlMBCFMzpSTU TQFDJGZQPMJDZVTJOH MBCFMT lMBCFMzJTTUPSFEBTBUUSJCVUFTPGYBUUS FYUFOEFE BUUSJCVUFT "TJOPEFJTUSVTUBCMFBT%/" %FPYZSJCP /VDMFJD"DJE
MBCFMJOGPSNBUJPOTUPSFECPVOEXJUI JOPEFJTUSVTUBCMF
1BUIOBNFCBTFE 4FDVSJUZ *OQBUIOBNFCBTFE."$MJLF50.0:0-JOVY BOE"QQ"SNPS QPMJDJFTBSFXSJUUFOBOETUPSFE VTJOHlQBUIOBNFz OPUlMBCFMz 5IPVHIUIFZBSFBMPUFBTJFSUPVTF lQBUIOBNFzJTTVCKFDUUPDIBOHFCZ
PQFSBUJPOTTVDIBTmountBOEchroot
8IJDIJTCFUUFS 'SPNJOGPSNBUJPOqPXDPOUSPMQPJOUPGWJFX MBCFMCBTFEBQQSPBDIJTTVQFSJPS 8IJMFMBCFMCBTFEBQQSPBDIIBTHPPEIJTUPSZ BOEBDBEFNJDBMMZQSPWFO QBUIOBNFCBTFE BQQSPBDIJTUPUBMMZBOFXDPNFS 1BUIOBNFCBTFEJNQMFNFOUBUJPOTBSFHPPE FOUSZQPJOUTUPTUVEZFYQMPSFS."$
l4FDVSF-JOVYzJOUSPEVDUJPO $IBQUFS
4FDVSJUZ&OIBODFE-JOVY 5IFpSTUlJOUSFFz."$JNQMFNFOUBUJPOPG-JOVY %FWFMPQFENBJOMZCZ/BUJPOBM4FDVSJUZ"HFODZ #BTFEPOUIF'MBTLTFDVSJUZBSDIJUFDUVSF 4&-JOVY IUUQXXXOTBHPWTFMJOVY
l4JNQMJpFE.BOEBUPSZ"DDFTT$POUSPM,FSOFMz 5IFTFDPOElJOUSFFz."$JNQMFNFOUBUJPOUP -JOVY TJODF %FWFMPQFECZBOJOEJWJEVBM $BTFZ4DIBVqFS 'VODUJPOBMJUJFTBSFESBTUJDBMMZTJNQMJpFEBTJUT OBNFTBZT 4NBDL IUUQTDIBVqFSDBDPN
1BUIOBNFCBTFE."$JNQMFNFOUBUJPOMJLF 50.0:0-JOVY /PUJOUFOEFEUPQSPUFDUUIFXIPMFTZTUFNMJLF 4&-JOVYEPTF"JNFEUPQSPUFDUTQFDJpD TFSWJDFTMJLFXFCTFSWFS "WBJMBCMFPO0QFO464& (FOUPPBOE6CVOUV "QQ"SNPS IUUQFOPQFOTVTFPSH"QQ"SNPS
1BUIOBNFCBTFE."$EFWFMPQFECZ/55%"5" $03103"5*0/ +BQBO )BTVOJRVFlMFBSOJOHNPEFz -JWF$%BWBJMBCMFGPS6CVOUVBOE$FOU04 50.0:0-JOVY IUUQFMJOVYPSH5PNPZP-JOVY IUUQUPNPZPTPVSDFGPSHFKQ
8BOUUPMFBSONPSF :PVDBOOPUDPNQBSFUIFNVOMFTTZPVQMBZXJUI UIFN BUMFBTUPOFPGUIFN *IBWFNZWFSTJPOPGBTJNQMJpFEDPNQBSJTPO DIBSU IPQFUIJTIFMQT IUUQUPNPZPTPVSDFGPSHFKQXJLJF 8IBU*T
5PPMT $IBQUFS
#SPXTJOHBOETFBSDIJOH-JOVY TPVSDFDPEFXJUIPVUEPXOMPBEJOH
Trademarks • Linux® is a registered trademark of Linus Torvalds
in the United States and other countries. • AppArmor® is a registered trademark of Novell, inc in the United States and other countries. • TOMOYO® is a registered trademark of NTT DATA CORPORATION in Japan.
Concept and story by Toshiharu Harada (NTT DATA CORPORATION) Illustration
by Yumiko Tatsumoto (NTT DATA CORPORATION) and Akira Igarashi in association with Studio Padre Special thanks to ͔͑Δ of NTT DATA CORPORATION ݟ ࠶
None