Old 09-21-2008, 05:22 AM   #1
Robhogg
Member
 
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653

Rep: Reputation: 97
Thoughts on the Eee PC and its security


I've just taken delivery of a brand new Eee PC 901 (Linux, of course). Hardware-wise, it's a very neat bit of kit. The keyboard is cramped but usable, and the display is very nice. There are nice aspects of the default distro, as well. As well as a very speedy boot, it recognised my USB HSDPA modem automatically. I did have to tweak some things, of course, such as using update-alternatives to change the default terminal to konsole, so that I could set the font size to something readable on a 9" screen, and hacking the simpleui.rc xml file that defines the default tabbed user interface.

Where I have serious concerns, though, is over security, for the following reasons:
  • sudo is set to allow the user to run any command without a password. Removing the NOPASSWD directive from the relevant line in /etc/sudoers, and setting passwd_timeout, leaves you without a user interface on boot.
  • There is no support for iptables in the default kernel, and so no firewall.
  • samba and portmap are enabled by default (for some reason, services are launched from a script - /usr/sbin/services.sh and the standard rc*.d directories appear to be ignored)
  • The Antivirus package - ESET - (not normally needed in Linux, but I think necessary, given the above) doesn't seem to have a setting for scheduled scans, and is set by default to scan only the user's "My Documents" folder (so ignoring any possibly compromised system folders).
I feel that this version of Linux is actually less secure than Windows XP. So, what to do? Install one of the major distros, modified so that it won't thrash the SSD drive? Install XP (since there's so much non-free software here anyway that there's not much moral high ground in sight)? Or continue trying to mod the Eee's distro?

If I could just find a list of the specific programs that have to run with sudo but no password, I'd be quite content. I have contacted Asus asking them to address the concerns, but I'm not sure how they will respond.
 
Old 09-21-2008, 06:30 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Robhogg View Post
sudo is set to allow the user to run any command without a password. Removing the NOPASSWD directive from the relevant line in /etc/sudoers, and setting passwd_timeout, leaves you without a user interface on boot. (..) If I could just find a list of the specific programs that have to run with sudo but no password
Commands should be logged?


Quote:
Originally Posted by Robhogg View Post
There is no support for iptables in the default kernel, and so no firewall.
Auch. What kernel does it run anyway?


Quote:
Originally Posted by Robhogg View Post
samba and portmap are enabled by default (for some reason, services are launched from a script - /usr/sbin/services.sh and the standard rc*.d directories appear to be ignored)
Comment out services in /usr/sbin/services.sh plus TCP wrappers for those daemons that adhere to it? Not having a firewall sounds kinda odd though. Could you post an nmap scan of the machine?


Quote:
Originally Posted by Robhogg View Post
The Antivirus package - ESET - (not normally needed in Linux, but I think necessary, given the above) doesn't seem to have a setting for scheduled scans, and is set by default to scan only the user's "My Documents" folder (so ignoring any possibly compromised system folders).
Not that necessary, but it could be changed, though I think on-access scanning is a performance hit (more than having a kernel with firewalling IMHO) plus it lowers the MTBF.


Quote:
Originally Posted by Robhogg View Post
Or continue trying to mod the Eee's distro?
I'd go for that. Modding it sounds interesting plus you'll be helping others. You can always install another distro later on, right?
 
Old 09-21-2008, 08:58 AM   #3
Robhogg
Member
 
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653

Original Poster
Rep: Reputation: 97
Quote:
Originally Posted by unSpawn View Post
Commands should be logged?
When I first checked, logging seemed to be very sparse and syslogd was not running. I'd added a line to the services.sh to start it, but just checked and found that it had stopped again. Seems like an update I installed earlier today replaced this script. I've added it again, so I'll see what I can see there.

Quote:
Auch. What kernel does it run anyway?
uname -r shows it as 2.6.21.4-eeepc, so custom but not that old.

Quote:
Comment out services in /usr/sbin/services.sh plus TCP wrappers for those daemons that adhere to it? Not having a firewall sounds kinda odd though. Could you post an nmap scan of th machine?
I'd already commented them out, though they were uncommented by the aforementioned update. Not done anything before with TCP wrappers, but I'm not sure I need any of these services running (at the moment, anyway). I'll look at getting a scan of it - netstat shows the following (with the services running):

Code:
/home/user> sudo netstat -A inet -p --listening
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:netbios-ssn           *:*                     LISTEN     1947/smbd
tcp        0      0 *:sunrpc                *:*                     LISTEN     1564/portmap
tcp        0      0 localhost.localdoma:ipp *:*                     LISTEN     1517/cupsd
tcp        0      0 *:microsoft-ds          *:*                     LISTEN     1947/smbd
udp        0      0 *:netbios-ns            *:*                                1944/nmbd
udp        0      0 *:netbios-dgm           *:*                                1944/nmbd
udp        0      0 *:bootpc                *:*                                1800/dhclient3
udp        0      0 *:sunrpc                *:*                                1564/portmap
udp        0      0 *:ipp                   *:*                                1517/cupsd
/home/user>
Quote:
Not that necessary, but could be changed but I think on-access scanning is a performance hit (more than having a kernel with firewalling IMHO) plus lowers the MTBF.
I have also been considering trying to install tripwire, to monitor the important folders (for suspicious activity, or for updates changing things annoyingly).

Quote:
Modding it sounds interesting plus you'll be helping others. You can always install another distro later on, right?
That's what I was thinking. However, I'm trying to work out how to get started. At the very least, I need a USB CD-ROM drive so that I can boot it after a failure, to see what is being logged. Also, my skills at the moment are not up to any really ambitious modding - it would be more a case of seeing which programs are refusing to run with sudo secured, then creating specific exceptions for them (and perhaps a modified kernel with iptables enabled).

Cheers,
Rob
 
Old 09-21-2008, 10:10 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Wrt logging, if you have another machine available on your LAN you could let the other machine serve as syslog server (but if you intend to carry your Eee around a lot you should script some simple logic to make it not log to remote outside of your own LAN).

Wrt your kernel, maybe rebuilding the Eee kernel on the eeePC could help enable slash disable some stuff to make it faster slash safer? And if you don't need those services I'd kill them (even though there's not that much, on a public hotspot you probably wouldn't want to advertise any of those to the world).

Wrt tripwire and booting after SNAFUs, if you have another machine you could use webjob to make the remote handle the tripwire binary and logs (the Rootkit Hunter tarball has an example if you want a quick 'n dirty HOWTO).

Finally, while making backups would be first priority, if the machine has a PXE boot capable NIC then you might want to look into that if you're short on peripherals slash slots.
 
Old 09-23-2008, 01:52 PM   #5
Robhogg
Member
 
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653

Original Poster
Rep: Reputation: 97
A little update - after a bit of use, /var/log/auth/auth.notice shows the following commands as having been run with sudo (excluding some that I have sudo'd myself, that I can't see have any particular system purpose):

Quote:
/bin/fuser
/bin/rm
/bin/sh
/opt/3gmpt/delpin.sh
/opt/3gmpt/delpppd.sh
/opt/3gmpt/delroute.sh
/opt/3gmpt/pin
/opt/3gmpt/reset_huawei.sh
/opt/3gmpt/route.sh
/opt/3gmpt/ui
/opt/3gmpt/warn
/opt/xandros/bin/xandrosncs-servicedb
/sbin/fastreboot.sh
/sbin/fastshutdown.sh
/usr/bin/eject
/usr/bin/pkill
/usr/bin/sessreg
/usr/bin/xandrosncs-proxy
/usr/sbin/dmidecode
/usr/sbin/pppd
I'll try setting the system to only allow sudo to run these programs NOPASSWD, when I have a moment to backup everything and then restore from "brick" mode.

The entry for /bin/sh is problematic, though. The full command-line in this case is:

/bin/sh -c DEFAULTUSER=user USER=user DEFAULTWORKGROUP=%notset% DEFAULTPASSWORD=secret GID=1000 HOME=/home/user netserv

Is it possible in /etc/sudoers to specify a program to be run only with certain parameters?

Edited to add:
BTW, thanks for the link on recompiling the kernel on the Eee. I'll check it out.

Last edited by Robhogg; 09-23-2008 at 04:03 PM.
 
Old 09-23-2008, 04:11 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Robhogg View Post
Is it possible to specify a program to be run in /etc/sudoers only with certain parameters?
Thanks for the update. Sure can: 'man sudoers' shows you some examples. Wildcarding, exclusions, it's all there.
 
Old 09-25-2008, 06:22 AM   #7
Robhogg
Member
 
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653

Original Poster
Rep: Reputation: 97
Just a brief note: I have now modified sudoers, and I can still boot and shutdown successfully. I have added the following to the "Cmnd alias specification" section:
Code:
Cmnd_Alias THREEG = /opt/3gmpt/*
Cmnd_Alias DMIDED = /usr/sbin/dmidecode -s baseboard-product-name
Cmnd_Alias EJECT = /usr/bin/eject
Cmnd_Alias FSHUTDOWN = /sbin/fastshutdown.sh
Cmnd_Alias FUSER = /bin/fuser -s /dev/ttyUSB*
Cmnd_Alias IFCONFIG = /sbin/ifconfig
Cmnd_Alias PKILL = /usr/bin/pkill -9 HWActivator
Cmnd_Alias PPPD = /usr/sbin/pppd call huawei-e220
Cmnd_Alias REBOOT = /sbin/fastreboot.sh
Cmnd_Alias RMDEV = /bin/rm -f /dev/tty*
Cmnd_Alias RMNOLOG = /bin/rm /tmp/nologin
Cmnd_Alias RMOPT = /bin/rm -f /opt/3gmpt/*
Cmnd_Alias SESSREG = /usr/bin/sessreg -a -l \:0.0 -u /var/run/utmp user
Cmnd_Alias SHELARGS = /bin/sh -c DEFAULTUSER\=user USER\=user \
DEFAULTWORKGROUP\=%notset% DEFAULTPASSWORD\=secret GID=1000 HOME\=/home/user netserv
Cmnd_Alias SHELECH = /bin/sh -c echo "ucview" >"/var/lock/xandros-rclock/webcam.owner"
Cmnd_Alias SHELLOCK = /bin/sh -c /usr/bin/lockfile-create
Cmnd_Alias SHRM = /bin/sh -c rm -f "/var/lock/xandros-rclock/webcam.owner"
Cmnd_Alias SHUTDOWN = /sbin/shutdown -h now
Cmnd_Alias TOUCH = /usr/bin/touch /etc/devices/detect.sync
Cmnd_Alias UMOUNT = /bin/umount
Cmnd_Alias XANDROS1 = /opt/xandros/bin/xandrosncs-servicedb
Cmnd_Alias XANDROS2 = /usr/bin/xandrosncs-proxy
Cmnd_Alias NOPASSCMDS = THREEG, DMIDED, EJECT, FUSER, FSHUTDOWN, IFCONFIG, PPPD, PKILL,\
REBOOT, RMDEV, RMNOLOG, RMOPT, SESSREG, SHELARGS, SHELECH,\
SHELLOCK, SHRM, SHUTDOWN, TOUCH, UMOUNT, XANDROS1, XANDROS2
I also modified the rule for user to read:

user ALL=(ALL) ALL, NOPASSWD: NOPASSCMDS

And added a directive to the Defaults line:

Defaults env_reset, always_set_home, env_keep = "XIM_PROGRAM GTK_IM_MODULE XMODIFIERS", \
passwd_timeout = 5



I'm not pretending that this work is complete. The programs I have created NOPASSWD exceptions for are those that show up on my machine. For instance, the THREEG Cmnd_Alias is for the Asus "Mobile Phone Tools" which enable my Huawei 3G modem. I suspect that additional exceptions would be needed for Wireless networking, and wired setup using DHCP. I also haven't been using any desktop tools that would need Sudo'ing.

If you have an Eee, and want to check what has been running on your machine using sudo, first enable the syslogd daemon by adding the following line near the top of the /usr/sbin/services.sh script:

/etc/init.d/sysklogd start

Reboot your Eee, then use it for a bit (possibly restarting several times). Then execute:

sudo grep 'sudo' /var/log/auth/auth.notice | grep -o 'COMMAND=.*' | sed 's/COMMAND=//' | sort -u

Please weed out any commands that you have run with sudo (so that the list only contains those run by the system).

Also, if you spot any flaws in how I've set up the command aliases, please point them out.

Cheers,
Rob

Last edited by Robhogg; 09-25-2008 at 06:26 AM.
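Two things in this thread can be checked mechanically: the question in post #5 of whether a sudoers rule can be limited to particular arguments, and the procedure in post #7 of collecting the COMMAND= entries sudo logged and then writing Cmnd_Alias lines to cover them. The script below is an added example, not code from the thread, from Asus or from Xandros. It assumes sudo's syslog line format, the matching rules described in sudoers(5) (a pattern with no arguments accepts any arguments; a wildcard in the argument part is compared against all arguments joined into one string), a constructed log sample, and a constructed sudoers fragment that reuses a few of the aliases posted above. Keeping only TTY=unknown entries to separate script-launched sudo calls from ones typed at a terminal is an assumption about this image, not something the thread states.

```python
"""Audit sudoers Cmnd_Alias patterns against the commands sudo has logged.

Added example, not from the thread. Assumes sudo's syslog line format
("user : TTY=... ; PWD=... ; USER=... ; COMMAND=...") and the matching rules
in sudoers(5): a pattern without arguments accepts any arguments, and a
wildcard in the argument part is matched against all arguments joined as
one string, so '*' can span several arguments."""
import fnmatch
import re

# Constructed sample log lines in sudo's syslog format (not from the Eee).
SAMPLE_LOG = """\
Sep 25 06:01:12 eeepc sudo:     user : TTY=unknown ; PWD=/home/user ; USER=root ; COMMAND=/usr/sbin/pppd call huawei-e220
Sep 25 06:01:13 eeepc sudo:     user : TTY=unknown ; PWD=/home/user ; USER=root ; COMMAND=/bin/rm -f /dev/ttyUSB0
Sep 25 06:02:40 eeepc sudo:     user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/bin/netstat -A inet -p --listening
Sep 25 06:03:05 eeepc sudo:     user : TTY=unknown ; PWD=/home/user ; USER=root ; COMMAND=/sbin/ifconfig ath0 up
Sep 25 06:03:09 eeepc sudo:     user : TTY=unknown ; PWD=/home/user ; USER=root ; COMMAND=/usr/sbin/dhclient3 ath0
"""

# Constructed sudoers fragment: a few of the thread's aliases plus a nested list.
SAMPLE_SUDOERS = r"""
Cmnd_Alias THREEG = /opt/3gmpt/*
Cmnd_Alias IFCONFIG = /sbin/ifconfig
Cmnd_Alias PPPD = /usr/sbin/pppd call huawei-e220
Cmnd_Alias RMDEV = /bin/rm -f /dev/tty*
Cmnd_Alias SESSREG = /usr/bin/sessreg -a -l \:0.0 -u /var/run/utmp user
Cmnd_Alias NOPASSCMDS = THREEG, IFCONFIG, \
    PPPD, RMDEV, SESSREG
"""

LOG_RE = re.compile(r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ;.*?COMMAND=(?P<cmd>.*)$")
ALIAS_RE = re.compile(r"^\s*Cmnd_Alias\s+(\w+)\s*=\s*(.*)$")

def extract_commands(log_text, system_only=True):
    """Sorted distinct COMMAND= strings. With system_only, keep only entries
    logged with TTY=unknown, i.e. sudo run from a script rather than a terminal
    (assumption: the image's helper scripts run sudo without a tty)."""
    cmds = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and (not system_only or m.group("tty") == "unknown"):
            cmds.add(m.group("cmd").strip())
    return sorted(cmds)

def parse_cmnd_aliases(text):
    """{alias: [pattern, ...]}: joins backslash continuations, expands nested
    aliases and strips sudoers backslash escapes such as \\= and \\:."""
    joined = re.sub(r"\\\n\s*", " ", text)          # line continuation
    aliases = {}
    for m in (ALIAS_RE.match(l) for l in joined.splitlines()):
        if not m:
            continue
        name, patterns = m.group(1), []
        for item in (i.strip() for i in m.group(2).split(",")):
            if item in aliases:
                patterns.extend(aliases[item])       # nested alias
            elif item:
                patterns.append(re.sub(r"\\(.)", r"\1", item))
        aliases[name] = patterns
    return aliases

def _split(cmdline):
    path, _, args = cmdline.strip().partition(" ")
    return path, args.strip()

def command_matches(cmdline, pattern):
    """Does one logged command line satisfy one sudoers command pattern?"""
    cpath, cargs = _split(cmdline)
    ppath, pargs = _split(pattern)
    if any(ch in ppath for ch in "*?["):
        # sudo globs the path, so a wildcard there never crosses a '/'
        if not fnmatch.fnmatchcase(cpath, ppath) or cpath.count("/") != ppath.count("/"):
            return False
    elif cpath != ppath:
        return False
    if pargs == "":
        return True                    # no args in the rule: any args allowed
    if pargs == '""':
        return cargs == ""             # "" in the rule: no args allowed
    return fnmatch.fnmatchcase(cargs, pargs)   # all args compared as one string

def audit(log_text, sudoers_text, alias="NOPASSCMDS"):
    """Return (uncovered commands, {command: matching patterns}, overbroad
    patterns). A pattern is flagged overbroad when its argument part holds a
    wildcard, since that wildcard also swallows any extra trailing arguments."""
    patterns = parse_cmnd_aliases(sudoers_text)[alias]
    uncovered, covered = [], {}
    for cmd in extract_commands(log_text):
        hits = [p for p in patterns if command_matches(cmd, p)]
        if hits:
            covered[cmd] = hits
        else:
            uncovered.append(cmd)
    overbroad = [p for p in patterns if any(ch in _split(p)[1] for ch in "*?")]
    return uncovered, covered, overbroad

if __name__ == "__main__":
    for label, part in zip(("uncovered", "covered", "overbroad"), audit(SAMPLE_LOG, SAMPLE_SUDOERS)):
        print(label, part)
```

On the constructed sample, the audit reports /usr/sbin/dhclient3 as uncovered (the wired DHCP case the post above suspects will need its own exception) and flags RMDEV as overbroad: because sudo compares the argument part of `/bin/rm -f /dev/tty*` against the whole argument string, a command with further arguments after the device name still matches. Listing the exact device names, or pointing the alias at a small root-owned wrapper script that takes no arguments, keeps such a rule tight. A path-only pattern such as THREEG accepts any arguments to any program under that directory, which is only as safe as the directory's ownership and permissions.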