Granting the Root User’s Group Permissions SGID

SGID also grants temporary elevated permissions, but it grants the permissions of the file owner’s group, rather than of the file’s owner. This means that, with an SGID bit set, someone without execute permission can execute a file if the owner belongs to the group that has permission to execute that file.

The SGID bit works slightly differently when applied to a directory: when the bit is set on a directory, ownership of new files created in that directory goes to the directory creator’s group, rather than the file creator’s group. This is very useful when a directory is shared by multiple users. All users in that group can execute the file(s), not just a single user.

The SGID bit is represented as 2 before the regular permissions, so a new file with the resulting permissions 644 would be represented as 2644 when the SGID bit is set. Again, you would use the chmod command for this—for example, chmod 2644 filename.
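
The following shell script is an added example, not from the book: it applies the chmod 2644 mode described above to a constructed file, reads the special-permission digit back with stat, and shows what a new file and a new subdirectory pick up inside an SGID directory. It assumes GNU coreutils (stat -c), as found on Kali; special_bits, sgid_dir_demo, and every path under the temp directory are names made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the book). Assumes GNU coreutils (stat -c).
# Every path is constructed inside a throwaway temp directory.

# Print which special bits are set on a path: SUID, SGID, sticky, or "none".
special_bits() {
    mode=$(stat -c '%a' "$1") || return 1   # octal mode, e.g. 644 or 2644
    digit=$(( 0$mode >> 9 ))                # the digit in front of rwxrwxrwx
    out=""
    if [ $(( digit & 4 )) -ne 0 ]; then out="$out SUID"; fi
    if [ $(( digit & 2 )) -ne 0 ]; then out="$out SGID"; fi
    if [ $(( digit & 1 )) -ne 0 ]; then out="$out sticky"; fi
    out=${out# }
    echo "${out:-none}"
}

# Create a group-shared directory with the SGID bit set, then report what a
# new file and a new subdirectory created inside it end up with.
sgid_dir_demo() {
    mkdir -p "$1/shared"
    chmod 2775 "$1/shared"
    touch "$1/shared/report.txt"
    mkdir "$1/shared/sub"
    echo "directory group: $(stat -c '%G' "$1/shared")"
    echo "new file group:  $(stat -c '%G' "$1/shared/report.txt")"
    echo "new subdir bits: $(special_bits "$1/shared/sub")"
}

main() {
    tmp=$(mktemp -d)
    touch "$tmp/filename"
    chmod 644 "$tmp/filename"
    echo "644  -> $(special_bits "$tmp/filename")"
    chmod 2644 "$tmp/filename"
    echo "2644 -> $(special_bits "$tmp/filename")"
    sgid_dir_demo "$tmp"
    rm -rf "$tmp"
}
main
```

On Linux, a subdirectory created inside an SGID directory inherits the SGID bit itself, which is why the group assignment carries down a shared tree.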

The Outmoded Sticky Bit

The sticky bit is a permission bit that you can set on a directory to allow a user to delete or rename files within that directory. However, the sticky bit is a legacy of older Unix systems, and modern systems (like Linux) ignore it. As such, I will not discuss it further here, but you should be familiar with the term because you might hear it in the Linux world.

Special Permissions, Privilege Escalation, and the Hacker

As a hacker, you can use these special permissions to exploit Linux systems through privilege escalation, whereby a regular user gains root or sysadmin privileges and the associated permissions. With root privileges, you can do anything on the system.

One way to do this is to exploit the SUID bit. A system administrator or software developer might set the SUID bit on a program to allow that program access to files with root privileges. For instance, scripts that need to change passwords often have the SUID bit set. You, the hacker, can use that permission to gain temporary root privileges and do something malicious, such as get access to the passwords at /etc/shadow.

Let’s look for files with the SUID bit set on our Kali system to try this out. Back in Chapter 1, I introduced you to the find command. We’ll use its power to find files with the SUID bit set.

As you’ll remember, the find command is powerful, but the syntax is a bit more complicated than some of the other location commands, such as locate and which. Take a moment to review the find syntax in Chapter 1, if you need to.
Controlling File and Directory Permissions
In this case, we want to find files anywhere on the filesystem, for the root user or other sysadmin, with the permissions 4000. To do this, we can use the following find command:
kali >