Lab 10: O.S. Security
IMPORTANT!!! Must be ssh'ed into
This lab will only work when you are ssh'ed into midn.cs.usna.edu. It will
not work locally on your VM because of the way the permissions are set up.
Run the following command
Change into the lab directory
All the material you need to complete the lab can be found in the lab directory. All material you will submit, you should place within the lab directory. Throughout this lab, we refer to the lab directory, which you should interpret as the above path.
For this lab, all submissions should be placed in the following folder:
In the top level of the lab directory, you will find a
file. You must fill out the README file with your name and alpha.
Please include a short summary of each of the tasks and any other
information you want to provide to the instructor.
You are provided a test script which prints pass/fail information
for a set of tests for your programs. Note that passing all the
tests does not mean you will receive a perfect score: other tests
will be performed on your submission. To run the test script, execute
test.sh from the lab directory.
You can comment out individual tests while working on different parts of the lab. Open up the test script and place comments at the bottom where appropriate.
PART 1: Logger (70 points)
In this part of the lab you will be required to complete two programs that implement a simple logging utility that is set-user-id. The concept is that any user can run this utility and write to a log file in your home directory, and anyone can also read the last n entries in the log file. But only you have direct access to read or write the log file. To do this, you will set the set-user-id bit on the programs. You will also need to be able to properly seek within the log file.
File seeking is the process of moving the read/write head of the file to different positions, for example to the end of the file or somewhere in the middle. There are two primary functions used for file streams (note this is not :
long ftell(FILE * stream): return how far into the file the read/write head is currently
int fseek(FILE *stream, long offset, int whence): shift the stream to the given
There are also three values for
SEEK_SET: the start of the file
SEEK_CUR: the current read head
SEEK_END: the end of the file
For example, to set the read head 4 bytes from the start of the file, we would use the following seek:
FILE * stream = fopen("somefile.txt", "r");
fseek(stream, 4, SEEK_SET); //move the read head forward 4 bytes from
                            //the start of the file
A positive offset moves the read head forward in the file, while a negative offset moves the read head towards the beginning of the file. For example, to set a stream 4 bytes from the end of the file, we can seek negative from the end:
FILE * stream = fopen("somefile.txt", "r");
fseek(stream, -4, SEEK_END); //move the read head 4 bytes from the end
                             //of the file
Change into the
logger directory where you will find two programs
you must complete,
read-log.c. These programs
will manipulate a log file to be located in your home directory
Your first task is to complete the
write-log.c program which will
log a message to the log file and record which user wrote the
message. The log file can also be cleared, a protected function. To
clear the logfile, the effective and real user id must be your user
id. You are required to:
- Complete the program and set the user id appropriately so other users can log to your file
- Only you, i.e., your user id, can execute CLEAR
- Only you, i.e., your user id, can read the log file without have
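The real-versus-effective user id check described above, as an added example that is not the lab's own write-log.c. The function names, the 1024-byte entry limit, the refusal of embedded newlines and the path example.log are assumptions made for illustration; the error text matches the sample output on this page.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

/* Under set-user-id, the effective uid is the program owner's and the real
 * uid is the invoking user's; they match only when the owner runs it. */
int may_clear(uid_t real, uid_t effective) { return real == effective; }

/* Append "[timestamp] (real uid) message" to path, or truncate the log when
 * message is "CLEAR" and the caller is the owner. Returns 0, or -1 on
 * error or refusal. (Hypothetical helper, not from the lab.) */
int log_message(const char *path, const char *message, uid_t real, uid_t effective) {
    int flags = O_WRONLY | O_CREAT | O_APPEND;
    if (strcmp(message, "CLEAR") == 0) {
        if (!may_clear(real, effective)) {
            fprintf(stderr, "ERROR: Unauthorized user attempting to clear the log file\n");
            return -1;
        }
        flags = O_WRONLY | O_CREAT | O_TRUNC;
    } else if (strchr(message, '\n') != NULL) {
        return -1;              /* one entry per line: refuse embedded newlines */
    }
    /* 0600: only the owner can open the file directly; everyone else has
     * to go through the set-user-id programs. */
    int fd = open(path, flags, 0600);
    if (fd < 0) return -1;
    int rc = 0;
    if (flags & O_APPEND) {
        char stamp[32], entry[1024];
        time_t now = time(NULL);
        strftime(stamp, sizeof stamp, "%a %b %e %H:%M:%S %Y", localtime(&now));
        int len = snprintf(entry, sizeof entry, "[%s] (%ld) %s\n", stamp, (long)real, message);
        if (len < 0 || (size_t)len >= sizeof entry) rc = -1;   /* too long to log whole */
        else if (write(fd, entry, (size_t)len) != len) rc = -1;
    }
    if (close(fd) != 0) rc = -1;
    return rc;
}

int main(int argc, char *argv[]) {
    if (argc != 2) { fprintf(stderr, "usage: %s MESSAGE|CLEAR\n", argv[0]); return 1; }
    /* "example.log" is a placeholder path, not the lab's log file. */
    return log_message("example.log", argv[1], getuid(), geteuid()) == 0 ? 0 : 1;
}
```

The entry records the real uid, so the log shows who invoked the program rather than who owns it.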
The second task is to complete the
read-log.c program which will
report the last n log entries. To do this, the program again must
be set-user-id, and you must also be able to seek backwards in the
file searching for newlines.
- Complete the program and set the user id appropriately so other users can read the last log entries
To test your program, I have created a special user account and two programs that will simulate running your program as a different user id.
~m999999/lab-10-test/test-write-log: executes your version of write-log as the m999999 user
~m999999/lab-10-test/test-read-log: executes your version of read-log as the m999999 user
Here is some sample output simulated using the m179998 user and the m159998 user test program:
aviv@csmidn: logger $ ./write-log "I can write to my own log file (as aviv)"
aviv@csmidn: logger $ ~m999999/lab-10-test/test-write-log "user m999999 can also write to my log b/c it's set-user-bit"
aviv@csmidn: logger $ ./read-log 1
[Mon Apr 2 13:49:34 2018] (999999) user m999999 can also write to my log b/c it's set-user-bit
aviv@csmidn: logger $ ./read-log 2
[Mon Apr 2 13:49:23 2018] (35001) I can write to my own log file (as aviv)
[Mon Apr 2 13:49:34 2018] (999999) user m999999 can also write to my log b/c it's set-user-bit
aviv@csmidn: logger $ ./read-log 3
[Mon Apr 2 13:49:23 2018] (35001) I can write to my own log file (as aviv)
[Mon Apr 2 13:49:34 2018] (999999) user m999999 can also write to my log b/c it's set-user-bit
aviv@csmidn: logger $ ~m999999/lab-10-test/test-read-log 1
[Mon Apr 2 13:49:34 2018] (999999) user m999999 can also write to my log b/c it's set-user-bit
aviv@csmidn: logger $ ~m999999/lab-10-test/test-read-log 2
[Mon Apr 2 13:49:23 2018] (35001) I can write to my own log file (as aviv)
[Mon Apr 2 13:49:34 2018] (999999) user m999999 can also write to my log b/c it's set-user-bit
aviv@csmidn: logger $ ~m999999/lab-10-test/test-read-log 3
[Mon Apr 2 13:49:23 2018] (35001) I can write to my own log file (as aviv)
[Mon Apr 2 13:49:34 2018] (999999) user m999999 can also write to my log b/c it's set-user-bit
aviv@csmidn: logger $ ~m999999/lab-10-test/test-write-log CLEAR
ERROR: Unauthorized user attempting to clear the log file
aviv@csmidn: logger $ ./write-log CLEAR
aviv@csmidn: logger $ ./read-log
aviv@csmidn: logger $
Here are some edge cases you might want to consider testing for and handling cleanly:
- If the argument for the number of lines is more than the number of lines in the file, print the entire log file.
- If the argument for the number of lines is negative, that indicates invalid input, which you could test for and report an error about.
- If the argument for the number of lines is not a number, you should test for that and report an error.
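The backwards seek for newlines and the three edge cases above, as an added example that is not the lab's own read-log.c. The function names parse_count and last_lines_offset and the sample entries are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse the line-count argument. Returns -1 for not-a-number,
 * trailing junk, negative values, or overflow. */
long parse_count(const char *arg) {
    char *end;
    errno = 0;
    long n = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0' || n < 0) return -1;
    return n;
}

/* Return the byte offset at which the last n lines of stream begin,
 * 0 if the file holds n lines or fewer, or -1 on an I/O error. */
long last_lines_offset(FILE *stream, long n) {
    if (fseek(stream, 0, SEEK_END) != 0) return -1;
    long pos = ftell(stream);                 /* file size in bytes */
    if (pos <= 0 || n == 0) return pos;       /* error, empty file, or nothing asked */
    /* The newline ending the final entry does not start a new line: skip it. */
    if (fseek(stream, -1, SEEK_END) != 0) return -1;
    if (fgetc(stream) == '\n') pos--;
    for (long seen = 0; pos > 0; pos--) {
        if (fseek(stream, pos - 1, SEEK_SET) != 0) return -1;
        if (fgetc(stream) == '\n' && ++seen == n) return pos;
    }
    return 0;                                 /* fewer than n newlines: whole file */
}

int main(void) {
    /* Constructed sample log, written to an anonymous temporary file. */
    FILE *f = tmpfile();
    if (f == NULL) return 1;
    fputs("[t1] (35001) first\n[t2] (999999) second\n[t3] (35001) third\n", f);
    long off = last_lines_offset(f, parse_count("2"));
    if (off < 0 || fseek(f, off, SEEK_SET) != 0) return 1;
    for (int c; (c = fgetc(f)) != EOF; ) putchar(c);   /* prints the last two entries */
    fclose(f);
    return 0;
}
```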
PART 2: hackme (30+ points)
In this part of the lab you will work to hack four programs that have the set-group bit set. Once you hack them, you can potentially reveal a secret message. You earn 10 points for each secret message you reveal, up to 40 points, a 10 point bonus!
There are three tools that will greatly benefit your investigation:
strings: will print all strings found in an executable file, useful for determining what commands might be run
strace: will print all system calls made by an executable and their arguments.
ltrace: will print out all the library functions used (such as
I will leave it to you to figure this out, but to ease some of the work, the source code for the programs has been provided.
Change into the secret directory which contains a single file called
secret. You will find four sub-directories:
hackme-4. In those directories, there is a source file
(or two) and a file called
secret. Your task is to fill the
files with the secret message associated with each of the hacks.
A compiled version of each of the vulnerable programs, with the set-group bit set, is installed at the following locations:
In each of the
hackme directories in those locations, there is a
Your task is to hack the program with the right attack to reveal its
associated secret file. Once you've identified the secret message,
save it to the right sub-directory under
secret in your ic221
For example, if done right, you can perform some hack such that
~aviv/lab-10-secret/hackme-1/uwc hackinputsomewhere > ~/ic221/lab/10/hackme-1/secret
BONUS There may be more than one attack per program. Identify additional attacks in your README for a 2 point bonus per attack per program that it attacks.