COMPUTER AND NETWORK
SYSTEM ADMINISTRATION
CIS 5406-01
Summer 1999 - Lesson 7
Rootly Powers, Process Management
UNIX Rootly Powers
A. Taking on root identity confers certain powers
1. Mount and unmount file systems
2. Root can set "virtual root" via chroot()
3. Creating device files (/dev, mknod)
4. Setting system clock
5. Can access any local file (one way or another)
6. Change file ownership
7. Raise resource limits (datasize, stacksize)
8. Lowering nice values (raising priority)
9. Changing system's hostname
10. Running halt, shutdown
11. Managing print subsystem
12. etc...
B. What limitations are there on root powers?
0. UNIX suffers from "one account has all powers", so the
root account is the focus of security break-ins.
1. Usually root on another machine won't/shouldn't trust you
2. Should be careful that when "root" you know your $PATH!
Beware ordering of file paths in $PATH, esp. current
directory (".").
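A check for the $PATH hazard in B.2, written for this lesson as an added example (not part of the original notes): it walks a PATH value field by field and flags current-directory entries ("." or an empty field, including a trailing ":"), relative entries, and world-writable directories. The sample PATH values at the bottom are constructed.

```shell
#!/bin/sh
# Audit a PATH value before working as root. Flags entries that search the
# current directory ("." or an empty field, including a trailing ":"),
# relative entries, and directories that any user can write to (where a
# trojan "ls" or "su" could be planted). Returns 0 when clean, 1 otherwise.
check_path() {
  rest="$1:"              # trailing ":" so the last field is split like the others
  bad=0
  while [ -n "$rest" ]; do
    entry=${rest%%:*}     # text before the first ":"
    rest=${rest#*:}       # everything after it
    case $entry in
      ""|.)
        echo "unsafe: '$entry' searches the current directory"
        bad=1 ;;
      /*)
        # Absolute entry: world-writable if the "others" write bit is set.
        # -L follows a symlinked directory; missing directories are ignored.
        if [ -d "$entry" ] && [ "$(ls -ldL "$entry" | cut -c9)" = "w" ]; then
          echo "unsafe: $entry is world-writable"
          bad=1
        fi ;;
      *)
        echo "unsafe: relative entry '$entry' depends on the current directory"
        bad=1 ;;
    esac
  done
  return $bad
}

# Constructed sample values for this example (not taken from a real host):
for p in "/usr/bin:/bin:/usr/sbin" "/usr/bin:.:/bin" "/usr/bin::/bin" "/usr/bin:/bin:"; do
  if check_path "$p"; then echo "clean: $p"; fi
done
```

Run it as `check_path "$PATH"` right after "su - root"; a non-zero exit status means the search path should be cleaned up before any command is typed.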
C. How to become root?
1. Login as "root", if allowed in /etc/ttytab (BSD):
#
# @(#)ttytab 1.7 92/06/23 SMI
#
# name getty type status
#
console "/usr/etc/getty cons8" sun on local secure
ttya "/usr/etc/getty std.9600" unknown off local secure
ttyb "/usr/etc/getty std.9600" unknown off local secure
ttyp0 none network off secure
ttyp1 none network off secure
Field 1: "/dev" device name (e.g., "/dev/ttya")
Field 2: program to monitor that line ("getty", "xdm")
Field 3: Type of terminal (in "/etc/termcap")
Field 4 and up: List of attributes for that line
"on" == start up process in field 2
"local" == use local connection line discipline (or lack thereof)
"secure" == "root" allowed to log on
Chapter 11 in ESA contains more information about hard-wired
terminals and ttytab/gettytab.
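To review which lines accept a direct root login, here is an added example (not from the lecture or from SunOS) that reads a ttytab in the format above and prints every line carrying the "secure" attribute, with whether its getty is "on" or "off". The ttytab content is a constructed sample modelled on the listing.

```shell
#!/bin/sh
# List the ttytab lines marked "secure", i.e. lines on which root may log in
# directly, together with whether init starts the field-2 program on them
# ("on"/"off"). Field 2 may be a quoted command containing spaces, so it is
# collapsed to one token before awk splits the line on whitespace.
ttytab_secure_lines() {
  sed 's/"[^"]*"/PROG/' | awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
      status = "off"; secure = 0
      for (i = 4; i <= NF; i++) {            # attributes begin at field 4
        if ($i == "on")     status = "on"
        if ($i == "secure") secure = 1
      }
      prog = ($2 == "none") ? "none" : "getty"
      if (secure) print $1, prog, status
    }'
}

# Constructed sample in the SunOS ttytab format shown above (not a real host):
SAMPLE_TTYTAB='#
# name getty type status
#
console "/usr/etc/getty cons8" sun on local secure
ttya "/usr/etc/getty std.9600" unknown off local secure
ttyb "/usr/etc/getty std.9600" unknown off local
ttyp0 none network off secure
ttyp1 none network off'

printf '%s\n' "$SAMPLE_TTYTAB" | ttytab_secure_lines
```

Lines like ttyp0 have no getty (program "none"), so for remote logins on them only the "secure" flag decides whether root is accepted; on a real host run `ttytab_secure_lines < /etc/ttytab`.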
2. su
- Substitute user
- "su" with minus flag ("su - jtbauer") invokes a login session
- Good idea to "su - root"
3. sudo
- NOT usually a part of a vendor-supplied UNIX
- Allows a class of users to execute a set of commands
with root privileges
- Logs use
- Does raise some vulnerabilities (yet another setuid program),
but you can compartmentalize the damage (hopefully)
System Load Average
0. "load average" == average size of ready queue over sample period
1. Shows the 1, 5, and 15 minute load averages
2. Can see with "w", "uptime", "xsysstats" (xi), "xsysinfo" (Linux) or "top"
3. What's a reasonable load average?
--> depends on the machine and the type of jobs running
Idle Time
1. Percentage of time the system is idle
2. Can see with "iostat -c 1", "top", or "vmstat 1" (my fave)
3. What do you want this number to be (depends on machine's raison d'etre :)
Process Monitoring
A. ps - process status
- Window into process table
- Extremely rich command; different options
depending on whether the OS is BSD or System V based.
The BSD "ps" has these columns, which is generally true for the
other "ps" commands:
1. process state
- First letter indicates the runnability of the process:
R - Runnable processes.
T - Stopped processes.
P - Processes in page wait.
D - Processes in non-interruptible waits.
S - Processes sleeping < about 20 seconds.
I - Processes sleeping > 20 seconds
Z - zombie (process with NO resources other than a proc slot)
2. Swapped?
- Second letter indicates whether a process is swapped out;
blank - loaded in memory
W - Process is swapped out.
'>' - Process has specified a soft limit on memory
(imposed by the "limit" command)
3. Niced?
- Third letter indicates whether a process is running with
altered CPU scheduling priority (nice, renice)
blank - normal
N - The process priority is reduced,
< - The process priority has been raised artificially.
# renice +19 PID <- lowest priority (nice)
# renice -19 PID <- highest priority (not nice)
Example "ps" output:
USER PID %CPU %MEM SZ RSS TT STAT START TIME COMMAND
-----------------------------------------------------------------------
kuncick 7467 40.1 1.3 124 364 pc D < 09:32 0:15 find / -name foo
kuncick 7419 16.6 1.3 124 364 pc D N 09:28 0:11 find ...
kuncick 7529 39.4 1.2 100 320 pc R 09:35 0:01 find / -name foo
kuncick 7528 35.8 1.2 112 324 pc R 09:35 0:15 find / -name foo
root 1 0.0 0.0 52 0 ? IW Dec 18 0:24 /sbin/init -
root 2 0.0 0.0 0 0 ? D Dec 18 0:08 pagedaemon
root 75 0.0 0.4 48 108 ? S Dec 18 12:09 in.routed
bynum 7328 0.0 0.1 48 24 pb S 09:24 0:00 rlogin -8 sed
tajdari 7041 0.0 0.0 68 0 p6 IW 08:59 0:00 -pclab-csh (csh)
leggett 19429 0.0 0.0 80 0 ? TW Jan 21 0:00 pico +7
kohout 7036 0.0 0.0 24 0 p3 TW 08:59 0:00 /bin/sh ltxview
kohout 7008 0.0 0.0 84 0 p3 IW 08:58 0:00 -reg-csh (csh)
root 24818 0.0 0.0 32 0 ? IW 20:46 0:07 in.telnetd
johnson 7297 0.0 0.7 80 192 p8 S 09:22 0:00 pico proj1b.f
root 6842 0.0 0.0 32 0 ? IW 08:52 0:02 in.telnetd
evans 6843 0.0 0.0 76 0 p9 IW 08:52 0:00 -reg-csh (csh)
bynum 7321 0.0 0.0 404 0 pb IW 09:24 0:01 -reg-tcsh (tcsh)
root 6695 0.0 0.2 32 44 ? S 08:47 0:04 in.telnetd
root 7007 0.0 0.0 24 0 ? IW 08:58 0:00 in.rlogind
kuncick 7422 0.0 1.9 264 512 pc R 09:29 0:00 ps -aux
naus 7167 0.0 1.4 1216 384 p4 S 09:10 0:03 tin
healy 7814 0.0 3.4 184 924 ? S 09:47 0:00 xclock -rv -update 1
4. Many more features to "ps"
- Note that "ps" demonstrates the Heisenberg principle
(observing the process table affects the process table :)
- Some of my favorite "ps" variations:
ps -ef (System V)
ps -elf (System V)
ps -lu username (System V)
ps axuw | grep username (BSD)
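An added example (not part of the lecture) that scans BSD-style "ps aux" output and decodes the STAT column by position as described above, then flags zombies, non-root processes at raised priority, and the number of runnable processes. The listing it reads is a constructed sample in the same layout as the one above, with invented users and PIDs.

```shell
#!/bin/sh
# Scan BSD-style "ps aux" output and decode the STAT column by position:
# letter 1 = runnability, 2 = swapped? (W or >), 3 = niced? (N or <).
# When a flag is printed as its own whitespace-separated token ("D <", "D N")
# it is reattached to the right position before any test is made.
# Reports zombies, non-root processes at raised priority (only root can
# lower a nice value, so that is worth a look), and the ready-queue size.
ps_flags() {
  awk '
    NR <= 2 { next }                   # header and dashed rule, as in the listing
    {
      user = $1; pid = $2
      state = substr($8, 1, 1); swap = substr($8, 2, 1); nice = substr($8, 3, 1)
      i = 9
      if ($i ~ /^[NW<>]$/) {           # lone flag token
        if ($i == "N" || $i == "<") nice = $i; else swap = $i
        i++
      }
      if ($i ~ /^[A-Z][a-z][a-z]$/) i += 2; else i += 1   # START: "Mon DD" or "HH:MM"
      i++                              # skip TIME; the rest is COMMAND
      cmd = $i; for (j = i + 1; j <= NF; j++) cmd = cmd " " $j
      if (state == "R") run++
      if (state == "Z")
        printf "zombie: pid %s (%s) %s\n", pid, user, cmd
      if (nice == "<" && user != "root")
        printf "raised priority: pid %s owned by %s: %s\n", pid, user, cmd
    }
    END { printf "runnable now: %d of %d processes\n", run, NR - 2 }'
}

# Constructed sample in the format of the listing above (users and PIDs invented):
SAMPLE_PS='USER PID %CPU %MEM SZ RSS TT STAT START TIME COMMAND
-----------------------------------------------------------------------
alice 7467 40.1 1.3 124 364 pc D < 09:32 0:15 find / -name foo
alice 7419 16.6 1.3 124 364 pc D N 09:28 0:11 find / -name bar
root 1 0.0 0.0 52 0 ? IW Dec 18 0:24 /sbin/init -
root 75 0.0 0.4 48 108 ? S Dec 18 12:09 in.routed
bob 7328 0.0 0.1 48 24 pb Z 09:24 0:00 (sh)
carol 7529 39.4 1.2 100 320 pc R 09:35 0:01 find / -name foo'

printf '%s\n' "$SAMPLE_PS" | ps_flags
```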
B. top - NOT part of vendor's UNIX, typically (it is bundled with Linux)
- Dynamically shows processes, idle time, memory usage,
and load averages
C. monitor - beautiful one-page system display (AIX ONLY)
D. "pstree" - nice PD filter that shows family hierarchy of processes
Quick Remedies for sluggish system
1. System clogged by many identical jobs
2. One process has been running for a long time
Long-term Remedies
1. Involve more performance analysis
2. May need faster CPU, more memory or faster I/O
Windows NT Administrator Powers
The NT administrator also suffers somewhat from the UNIX "one account
has all powers" model. Access is limited to the current domain, as
well as any other domains that trust this domain.
NT has default groups, one of which is the Administrators group. Adding
a user to the Administrators group (via "User Manager for Domains")
gives them the same user rights policies that the Administrators
group has (check via "UMFD", "Policies", "User Rights").
NT "powers" are defined as a set of user rights policies, assigned
either individually to an account or via group memberships. The
rights are (page 310, EWNTSA):
Access this computer from network
Add workstations to domain
Back up files and directories
Change the system time
Force shutdown from a remote system
Load and unload device drivers
Log on locally
Manage auditing and security log
Restore files and directories
Shut down the system
Take ownership of files or other objects
NT also provides a set of advanced user rights, mostly for software
developers. Click the "Show Advanced User Rights" checkbox in the
"User Rights Policy" dialog box to access them. Some of the more
interesting ones:
Bypass traverse checking (ignore directory perms)
Act as part of the operating system (system-level access)
Increase scheduling priorities
Lock pages in memory
Log on as a batch job
Log on as a service
Profile system performance
Windows NT Process Management
We already took a look at the Task Manager tool, which presents a
variety of options for displaying applications and processes. It
allows you to change a process's priority, kill a process, etc.
Windows NT Auditing
You can get good control over a variety of security-related
auditing events (go to User Manager for Domains/Policies/Audit)
The auditing events can be seen in the "Security" log via the
Event viewer. An interesting example is the security log event
auditing the changing of the auditing:
Audit Policy Change:
New Policy:
Success Failure
+ + System
+ + Logon/Logoff
+ + Object Access
+ + Privilege Use
+ + Detailed Tracking
+ + Policy Change
+ + Account Management
Changed By:
User Name: Administrator
Domain Name: JBDOMAIN
Logon ID: (0x0,0x1A11)