Unix for Security Professionals


6 - 1
Unix Security - SANS
©2001
1
Unix for Security Professionals
Security Essentials
The SANS Institute
All material in this course Copyright © Hal Pomeranz and Deer Run Associates, 2000-2001. All
rights reserved.
Hal Pomeranz * Founder/CEO *
Deer Run Associates * PO Box 20370 * Oakland, CA 94620-0370
+1 510-339-7740 (voice) * +1 510-339-3941 (fax)
Agenda
• A Brief History of Unix
• Booting Unix
• The Unix File System
• Manipulating Files and Directories
• Unix Privileges
This page intentionally left blank.
Agenda (cont.)
• Unix Processes
• Networking
• System Services
• Unix Backups
• Wrap Up
This page intentionally left blank.
Unix Backups
This section covers the basic utilities for backing up Unix systems: enough to help you make an
emergency backup (and restore the data later), or to make a backup of a compromised system for
later forensic analysis.
A great deal of time, energy, and thought has been put towards the subject of enterprise-wide
backups for large organizations, but these issues are beyond the scope of this presentation. For a
good introduction to the larger world of Unix backups, see:
Nemeth et al., Unix System Administration Handbook, Prentice Hall, ISBN 0-13-151051-7
Three Options
• tar – Portable archive format, easy to
use, good for quick backups
• dump/restore – standard full-featured
Unix backup utilities
• dd – Copies raw file system information,
can capture "deleted" data
There are several different commands available under Unix for archiving and later restoring files.
Which one you choose depends a lot on your situation and your reason for making the archive.
• The tar (tape archive) command takes a list of files and/or directories and gathers them
together into a single file, which can be written to tape or disk. The tar archive file (usually we
just say "tar file") preserves the file owner, group owner, permission bits, and modification time of
all files and directories in the archive. The tar archive format is portable, so for example a tar file
written on a Linux Intel (little-endian) workstation can be read on a Solaris Sparc (big-endian)
system.
•The dump command creates a backup of a Unix partition which can later be recovered using the
restore program. dump and restore have all of the features you would want in a normal
backup regimen– the ability to do "incremental" backups (back up only the files that have
changed since the last backup), split backups across multiple tapes, easily restore both individual
files as well as entire partitions, etc. However, the format of the archive file written by dump is
dependent on the OS (Linux and Solaris machines write different dump formats), the processor
architecture (big-endian vs. little-endian), and the underlying file system type (Solaris UFS vs.
BSD FFS, for example)– generally, it's a good bet that you will be able to read back your dumps
only on another system of the same type.
•The dd command is used to copy raw data from one place to another. dd has many uses (some
of which we'll cover shortly), but one common use is to dump an image from a raw disk device to
tape (or some other location) for forensic analysis. Because dd is blindly copying the raw bits off
the disk drive, it will pick up even the currently "unused" data blocks in the file system– which
might contain data from files or directories which have been deleted by the attacker.
tar
Pro
– Can be used on "active" file systems
– Byte-order independent format
Con
– Can't span multiple volumes
– Various versions have some limitations

tar is the portable archive format for Unix systems. Tar files made on one machine can be read
almost anywhere (including by some Windows-based utilities). This is why so much of the
software and source code, which is available on the Internet, is made into tar archives for easy
downloading.
tar operates by simply working its way through the list of files and directories that the user
specifies on the command line. If one of the targets for the archive file is a directory, tar simply
recursively descends through the directory and gathers up all files and subdirectories into the
archive. Because tar gathers files/directories "one-by-one" as it were, you can use tar to
archive file systems which are currently "active"– that is, which have one or more users
adding/deleting/modifying files while the archive is happening (this turns out not to be true for
dump).
One downside to tar is that most implementations don't handle splitting an archive across multiple
tapes (GNU tar has a multi-volume mode, -M, but other implementations often lack it or don't get it
right). This used to be more of an issue in the old days when tapes didn't hold much information.
Of course, it's always possible to make several separate archives which back up all of your data
into archives which will fit on your available media.
Different versions of tar have also had various odd (mostly historical) limitations. For example,
some versions of tar can't handle pathnames longer than some fixed limit (the original format
allowed only 100 characters), some won't back up device files or other special sorts of files, etc.
However, GNU tar has none of these limitations and is portable across a wide variety of systems.
If you will be making heavy use of tar, it's a good idea to download (from the GNU project) and
install GNU tar on all of your systems (if it's not there already).
dump/restore
Pro
– Supports multiple volumes
– Supports "incremental" backups
– "Interactive" mode for restore
Con
– Format is byte-order dependent
– Can get confused if file system is active
– Can only back up one partition at a time
dump and restore are the common utilities for doing normal Unix backups. If a file system
is so large that the backup doesn't fit on a single tape, dump will split the backup across multiple
tapes automatically.
dump supports the notion of "dump levels"– level 0 through level 9. Level 0 means dump
everything. Higher dump levels will only dump files that have been modified since the last dump
with a lower dump number. For example, if you start off with a level 0 dump and then do a level
5 dump, the level 5 dump only captures the changes since the level 0 dump. If you later do a
level 9 dump, then you only get the changes since the level 5 dump. If you follow that with a
level 4 dump, you get everything that's changed since the original level 0 dump (and you can
throw away or re-use the level 5 and level 9 tapes).
restore can be used to bring back an entire dump, or selectively restore individual files.
restore has a very nice "interactive" mode which allows the administrator to view the files in
the dump archive as if they were actually in the Unix file system and selectively mark files which
they want to restore (more on this later). Note that a full restore of a lost file system generally
means restoring your last level 0 dump, and then "overlaying" all active incremental dumps
you've made since that time (again, more on this a bit later).
As we mentioned earlier, however, the format of the dump archive is incredibly system-dependent
and not at all portable. Also, dump only works on a single partition at a time, so backing up a
complete Unix system generally involves several successive dumps, one per file system. The big
problem with dump, though, is that it actually dumps the file system using several "passes". The
first pass maps the file system, the next pass dumps the directory structure to tape, and the final
pass backs up the actual file information. If the file system changes while the dump is being
performed, your backup may actually get corrupted and be useless. This is why dumps should be
performed late at night when nobody is using the system, in "single-user" mode by an admin on
the console of the system, or (where the volume manager or file system supports it) from a
read-only snapshot of the partition rather than the live file system.
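The dump-level rule from the previous page (a level N dump captures everything changed since the most recent earlier dump with a level lower than N, and a full restore replays the last level 0 plus the chain of incrementals after it) worked through as shell functions, so a schedule can be checked before you trust it. This is an added example, not code from the SANS notes: the dump history is passed as a list of levels in the order the dumps were taken, and "tape positions" (0-based) stand in for real /etc/dumpdates entries.

```shell
# Added example (not from the SANS notes): check a dump schedule.
# Arguments are dump levels in the order the dumps were taken, e.g.
#   dump_bases 0 5 9 4
# Tape positions are 0-based and stand in for real /etc/dumpdates entries.
set -e

# For each dump, print "position:level<-base" where base is the position of
# the most recent earlier dump with a strictly lower level, or "-" for a
# dump that has no base (a level 0, or a first dump at any level, which
# dump treats as a full backup).
dump_bases() {
    i=0
    for lvl in "$@"; do
        base=-
        j=0
        for prev in "$@"; do
            [ "$j" -lt "$i" ] || break
            [ "$prev" -lt "$lvl" ] && base=$j
            j=$((j + 1))
        done
        printf '%s:%s<-%s\n' "$i" "$lvl" "$base"
        i=$((i + 1))
    done
}

# Positions of the tapes a full restore must replay, oldest first: start from
# the latest dump and follow the base links back to the full dump.
restore_chain() {
    [ "$#" -gt 0 ] || return 1
    cur=$(($# - 1))
    chain=
    while [ "$cur" != "-" ]; do
        chain="$cur${chain:+ $chain}"
        cur=$(dump_bases "$@" | sed -n "$((cur + 1))p" | sed 's/.*<-//')
    done
    printf '%s\n' "$chain"
}

# Tapes not on the restore chain: the slide's "throw away or re-use the
# level 5 and level 9 tapes" case once the level 4 dump has been taken.
reusable_tapes() {
    keep=" $(restore_chain "$@") "
    i=0
    out=
    for lvl in "$@"; do
        case "$keep" in
            *" $i "*) ;;
            *) out="${out:+$out }$i" ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}
```

For the schedule on the slide, `restore_chain 0 5 9 4` prints `0 3` (the level 0 tape and the level 4 tape) and `reusable_tapes 0 5 9 4` prints `1 2`; `restore_chain 0 5 9` prints `0 1 2`, because the level 9 dump only holds changes since the level 5.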
dd
Pro
– May capture data that other tools miss
– Can perform data conversions as well
Con
– Must usually be used with other tools
– Odd command line syntax
dd is not an archiving utility per se, rather a means of copying raw data from one place to another
(disk-to-tape, disk-to-disk, tape-to-tape, etc.). This generally means that you will need to use dd in
combination with some other utility (like tar or dump/restore) in order to actually read and
interpret the data. The plus side is that dd captures everything– even data that other archiving
programs might miss. This makes dd a useful tool when performing forensic analysis on
compromised systems.
Also, as we'll see shortly, dd does have some nice data conversion features which make it possible to
migrate data from one type of system (even old mainframe systems) to another.
dd is one of the oldest Unix utilities, and its command line syntax (if=, of=, bs=, conv=) was
borrowed from the DD statement of IBM mainframe JCL, which is why it looks so "non-Unix".
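A forensic-style dd image, verified by hash and then read without mounting, as an added example (not from the SANS notes). A regular file stands in for the raw device such as /dev/sdX; the 1 MiB size, the block size and the marker string planted in an "unallocated" sector are all constructed here.

```shell
# Added example (not from the SANS notes): take a dd image of a "disk" the way
# a forensic copy is made, verify it by hash, and pull a block out of the image
# without mounting it. A regular file stands in for the raw device (/dev/sdX);
# the block size, the 1 MiB size and the marker string are all made up here.
set -e

sha256_of() {
    # GNU coreutils spelling first, then the BSD/macOS one.
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# 2048 sectors of random bytes, with a recognisable payload written into
# sector 1000 to model "deleted" file contents sitting in an unallocated block.
make_fake_disk() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
    printf 'DELETED-BUT-STILL-ON-DISK' |
        dd of="$1" bs=512 seek=1000 conv=notrunc 2>/dev/null
}

# The imaging command. conv=noerror keeps going past unreadable sectors and
# conv=sync pads a short read with zeros so the image stays block-aligned;
# together they are what you want on a failing drive. The price is that the
# image is rounded up to a multiple of bs, so keep that in mind when comparing
# hashes (a real disk is already a multiple of 512 bytes).
image_disk() {
    dd if="$1" of="$2" bs=64k conv=noerror,sync 2>/dev/null
}

# 0 if source and image hash identically; record both hashes in your notes.
verify_image() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# 0 if the marker is still findable in the image: carve sector 1000 with
# skip=/count= instead of mounting (mounting would risk changing the image).
marker_survives() {
    dd if="$1" bs=512 skip=1000 count=1 2>/dev/null |
        grep -a -q 'DELETED-BUT-STILL-ON-DISK'
}

# Size of the image in bytes, to confirm nothing was truncated or over-padded.
image_bytes() {
    wc -c < "$1" | tr -d ' '
}
```

Against a real drive you would point `make_fake_disk`'s stand-in at `/dev/sdX` (read-only, ideally behind a write blocker) and write the image to removable media or a second disk; the hash comparison and the `skip=`/`count=` carve work the same way on the image file.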
Digression: Tape Devices
Examples:
/dev/nrst0    First tape device, raw, no rewind
/dev/rst1     Second tape device, raw mode
/dev/st0      First tape device, "blocked" mode
Anatomy of /dev/nrst0: "n" = "no rewind", "rst" = "raw" SCSI tape, "0" = device instance
Before we get into examples of how to use tar, dump, dd, etc., it's useful to know how to
locate and name the tape device(s) under Unix.
These days, tape devices are usually found at /dev/st? on most Unix systems. The "st"
means SCSI-attached tape device (older tape devices may have a non-SCSI interface, and these
are generally accessed via /dev/mt?, "mt" for "magnetic tape"). The number after the "st"
specifies a particular tape device. The first tape drive is /dev/st0, the second tape drive
/dev/st1, and so on.
The letters before the "st?" specify tape handling options. An "r" means the raw (character)
device, where the utility's reads and writes go straight to the drive in whatever record size it
asks for, rather than through the block device and its buffer cache. The standard Unix backup
utilities all use raw mode when accessing tapes. Some utilities (BSD dump, for one) will translate a
block device name into the raw device for you if you forget, but don't count on it. Note that Linux
has no "r" variants at all: its SCSI tape devices are /dev/st0 (rewind on close) and /dev/nst0
(no rewind), and both are character devices.
The "n" specifies "no rewind" mode. By default, any time you access a tape on a Unix
system, the tape will rewind to the beginning before your command is executed and again once
the operation you're performing is completed. However, let's suppose you wanted to dump
several partitions onto a single large tape. If the tape rewound after each dump, then each dump
would overwrite the one before it (and, trust me, plenty of sites have been burned by this
throughout the history of Unix)! It's generally a good practice to always specify the no rewind
tape device unless you're absolutely certain of what you're doing. We'll talk about commands for
rewinding and repositioning tapes at the end of this section.
Note that SYSV machines (notably Solaris) use a different device naming scheme for tapes.
Raw tape devices are found under /dev/rmt/? (even if the tape is a SCSI tape), and the no
rewind option appears after the tape instance number, e.g., /dev/rmt/0n.
The Tao of tar
tar has three main mode options:
-c    Create a new archive
-x    Extract files from archive
-t    Show archive table of contents
Other useful options:
-f    Specify an archive file or tape dev
-v    Verbose mode
-p    Preserve permissions (modes) with -x
tar generally operates in one of three major modes: You're either creating an archive (-c),
extracting files from an archive (-x), or testing/looking at the table of contents of an archive (-t).
These modes are mutually exclusive, so you'll only ever specify one of -c/-t/-x per command line.
tar has other options as well (for complete information, consult the on-line manual page for the
version of tar you are using). The most important of these is -f for specifying where the archive
should be written. The argument to the -f option is the name of a tape device or just a file name
where you want the archive created.
-v turns on verbose mode. When writing or extracting files from an archive, -v causes the name of
each file to be printed. Note that printing each file name can noticeably slow down the process of
reading or writing the archive. When used with the -t option, verbose mode causes a detailed
listing of the archive contents, similar to the output of ls -l.
tar always stores the owner, group, permission bits and modification time of each file in the
archive. When an ordinary user extracts from the archive, the extracted files are owned by that
user and tar subtracts the user's umask from the stored permission bits. The -p option tells tar to
apply the stored permissions exactly as recorded. Ownership is a separate matter: only the
superuser can give files away to other users, so the original owners come back only when tar runs
as root (GNU tar restores ownership by default for root, and -p is also the default for root).
Modification times are restored in either case.
Using tar
Dump entire file system to tape:
tar -cf /dev/rst0 /          # Danger!
Extract that same archive:
tar -xpf /dev/rst0
Get a verbose listing of tape contents:
tar -tvf /dev/rst0
Dump a directory to a file on disk:
tar -cf hal.tar /home/hal    # Danger!
The first example shows how to use tar to make an archive of an entire Unix file system. We're
using -c to create a new archive and the archive is going to be written to the tape device
/dev/rst0 (-f /dev/rst0). The list of files to be archived is '/', the root of the directory tree
(and therefore all files and subdirectories below that point). This command is dangerous in a couple
of respects. First, tar will happily traverse NFS mounts, so you may end up capturing file systems
that are mounted from other servers (GNU tar's --one-file-system option stops it at mount points,
which also keeps /proc and similar pseudo-file systems out of the archive; you then run one tar
per local file system). We'll discuss the other reason this command is dangerous in the next
couple of slides.
If you later wanted to extract all of the files from that archive, you would use -x to specify extract
and -f to specify the tape drive again. In this case, we want to bring the files back with their
original permissions (and, since we're running as root, their original owners), so we also use -p.
We can get a detailed (-v for verbose) listing of the contents of the archive file with -t.
These days, it's actually more common to write tar files to disk rather than to tape. So, instead of
specifying a tape device with the -f option, we just specify a file name, as in our last example. Note
that this last example shares a problem with our first example...
Warning! Absolute Paths!
tar –cf hal.tar /home/hal
• Standard versions of tar will preserve
full path names
• When this archive is extracted,
/home/hal directory gets overwritten!
• Note that GNU tar automatically strips
off the leading '/'
The problem is that tar preserves complete pathname information from the point in the file system
that you specify. This means that if you create an archive starting at /home/hal, all of the file
names in the archive will start /home/hal/... If you later extract files from that archive, they will
be extracted to /home/hal/..., usually overwriting the current version of the file at that location!
When retrieving files from an archive (whether that archive is made with tar, dump, or some other
utility), you almost always want to extract the files into some temporary directory and then copy the
files into a place where the users on the system can get at them. If you simply overwrite the user's
files, you run the risk of destroying new information that the user may have created since the archive
was made. However, if the pathnames in the archive file are absolute (that is, are rooted from the top
of the file system), then the files you extract from the archive will automatically overwrite the
original file in the appropriate directory.
The moral of this story is that you want to make sure never to create archives with a leading '/' on
path names: cd to the parent directory (or use tar's -C option) and name the directory relatively, so
the archive contains home/hal/... rather than /home/hal/... In fact, GNU tar is smart enough to
automatically strip off leading '/'s when creating an archive file (though this behavior can be disabled
with the -P command line option if you're sure you know what you're doing). The same caution
applies to archives you didn't make yourself: list the contents with -t before extracting, and treat
member names that begin with '/' or contain '..' components as hostile, since they are designed to
write outside the directory you are extracting into.
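The behaviour described on the last two slides ("Using tar" and "Warning! Absolute Paths!") exercised on a throwaway tree: an absolute path on the command line, the relative-path idiom with -C, and what -p does to modes on extraction. This is an added example, not code from the SANS notes; it assumes a GNU or BSD tar and a POSIX shell, and the directory under $WORK (standing in for /home/hal) is constructed here.

```shell
# Added example (not from the SANS notes): exercise the tar behaviour from the
# "Using tar" and "Warning! Absolute Paths!" slides on a throwaway tree.
# Assumes GNU or BSD tar and a POSIX shell; the tree under $WORK stands in for
# /home/hal and is constructed here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Octal mode of a file (GNU stat first, then the BSD spelling).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# A stand-in for /home/hal with one file whose mode is not what a 077 umask
# would produce, so we can see whether -p makes a difference.
setup_tree() {
    mkdir -p "$WORK/home/hal/notes"
    printf 'secret\n' > "$WORK/home/hal/notes/passwd.txt"
    chmod 640 "$WORK/home/hal/notes/passwd.txt"
}

# The slide's "tar -cf hal.tar /home/hal": an absolute path on the command
# line. Returns 0 if the tar in use stripped the leading '/' from member
# names (GNU tar does, with a warning on stderr; BSD tar does too), so the
# archive no longer extracts straight over the live directory.
absolute_path_is_stripped() {
    setup_tree
    tar -cf "$WORK/abs.tar" "$WORK/home/hal" 2>/dev/null
    first=$(tar -tf "$WORK/abs.tar" | head -n 1)
    case "$first" in
        /*) return 1 ;;
        *)  return 0 ;;
    esac
}

# The safe idiom: -C moves into the parent directory first, so member names
# are relative ("home/hal/...") on every tar, not just the ones that strip
# the slash for you. Prints the first member name.
make_relative_archive() {
    setup_tree
    tar -C "$WORK" -cf "$WORK/rel.tar" home/hal
    tar -tf "$WORK/rel.tar" | head -n 1
}

# Extract into two scratch directories under a 077 umask, the way you would
# before copying files back to the user. Prints "<mode without -p> <mode with -p>":
# an ordinary user sees "600 640" (umask applied, then -p overriding it);
# the superuser gets -p behaviour by default and sees "640 640".
extract_modes() {
    make_relative_archive >/dev/null
    mkdir -p "$WORK/noP" "$WORK/withP"
    ( umask 077 && tar -C "$WORK/noP"   -xf  "$WORK/rel.tar" )
    ( umask 077 && tar -C "$WORK/withP" -xpf "$WORK/rel.tar" )
    printf '%s %s\n' "$(mode_of "$WORK/noP/home/hal/notes/passwd.txt")" \
                     "$(mode_of "$WORK/withP/home/hal/notes/passwd.txt")"
}
```

Listing `abs.tar` with `tar -tf` shows the member names without their leading '/', which is what makes the slide's command survivable on GNU and BSD tar; with `-P` (or an older tar) the names would start with '/' and extraction would land on the live /home/hal. The `-C` form needs no such favour from the tar in use.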
