• The Outmoded Sticky Bit
  • Special Permissions, Privilege Escalation, and the Hacker
  • Granting the Root User’s Group Permissions SGID




    Download 7,3 Mb.
    Pdf ko'rish
    bet67/115
    Sana27.11.2023
    Hajmi7,3 Mb.
    #106243
    1   ...   63   64   65   66   67   68   69   70   ...   115
    Bog'liq
    linuxbasicsforhackers

    Granting the Root User’s Group Permissions SGID
    SGID
    also grants temporary elevated permissions, but it grants the permissions 
    of the file owner’s group, rather than of the file’s owner. This means that, 
    with an 
    SGID
    bit set, someone without execute permission can execute a file if 
    the owner belongs to the group that has permission to execute that file.
    The 
    SGID
    bit works slightly differently when applied to a directory: when 
    the bit is set on a directory, ownership of new files created in that directory 
    goes to the directory creator’s group, rather than the file creator’s group. 
    This is very useful when a directory is shared by multiple users. All users in 
    that group can execute the file(s), not just a single user.
    The 
    SGID
    bit is represented as 
    2
    before the regular permissions, so a new 
    file with the resulting permissions 
    644
    would be represented as 
    2644
    when 
    the SGID bit is set. Again, you would use the 
    chmod
    command for this—for 
    example, 
    chmod 2644 filename
    .
    The Outmoded Sticky Bit
    The sticky bit is a permission bit that you can set on a directory to allow a 
    user to delete or rename files within that directory. However, the sticky bit 
    is a legacy of older Unix systems, and modern systems (like Linux) ignore 
    it. As such, I will not discuss it further here, but you should be familiar with 
    the term because you might hear it in the Linux world.
    Special Permissions, Privilege Escalation, and the Hacker
    As a hacker, these special permissions can be used to exploit Linux systems 
    through privilege escalation, whereby a regular user gains root or sysadmin 
    privileges and the associated permissions. With root privileges, you can do 
    anything on the system.
    One way to do this is to exploit the 
    SUID
    bit. A system administrator or 
    software developer might set the 
    SUID
    bit on a program to allow that pro-
    gram access to files with root privileges. For instance, scripts that need to 
    change passwords often have the 
    SUID
    bit set. You, the hacker, can use that 
    permission to gain temporary root privileges and do something malicious, 
    such as get access to the passwords at /etc/shadow.
    Let’s look for files with the 
    SUID
    bit set on our Kali system to try this 
    out. Back in Chapter 1, I introduced you to the 
    find
    command. We’ll use 
    its power to find files with the 
    SUID
    bit set.
    As you’ll remember, the 
    find
    command is powerful, but the syntax is 
    bit more complicated than some of the other location commands, such as 
    locate
    and 
    which
    . Take a moment to review the 
    find
    syntax in Chapter 1, if 
    you need to.


    Controlling File and Directory Permissions
    59
    In this case, we want to find files anywhere on the filesystem, for the 
    root user or other sysadmin, with the permissions 
    4000
    . To do this, we can 
    use the following 
    find
    command:
    kali >find / -user root -perm -4000
    With this command, we ask Kali to start looking at the top of the file-
    system with the 
    /
    syntax. It then looks everywhere below / for files that are 
    owned by root, specified with 
    user root
    , and that have the 
    SUID
    permission 
    bit set (
    -perm -4000
    ).
    When we run this command, we get the output shown in Listing 5-2.
    /usr/bin/chsh
    /usr/bin/gpasswd
    /usr/bin/pkexec
    /usr/bin/sudo
    /usr/bin/passwd
    /usr/bin/kismet_capture
    --snip--
    Listing 5-2: Finding files with the SUID bit set
    The output reveals numerous files that have the 
    SUID
    bit set. Let’s navi-
    gate to the /usr/bin directory, where many of these files reside, and then run 
    a long listing on that directory and scroll down to the sudo file, as shown in 
    Listing 5-3.
    kali >cd /usr/bin
    kali >ls -l
    --snip--
    -rwxr-xr-x 1 root root 176272 Jul 18 2018 stunnel4
    -rwxr-xr-x 1 root root 26696 Mar 17 2018 sucrack
    u
    -rwsr-xr-x 1 root root 140944 Jul 5 2018 sudo
    --snip--
    Listing 5-3: Identifying files with the SUID bit set
    Note that at u, the first set of permissions—for the owner—has an 
    s
    in place of the 
    x
    . This is how Linux represents that the 
    SUID
    bit is set. This 
    means that anyone who runs the sudo file has the privileges of the root user, 
    which can be a security concern for the sysadmin and a potential attack vec-
    tor for the hacker. For instance, some applications need to access the /etc/ 
    shadow file to successfully complete their tasks. If the attacker can gain con-
    trol of that application, they can use that application’s access to the pass-
    words on a Linux system.
    Linux has a well-developed system of security that protects files and 
    directories from unauthorized access. The aspiring hacker needs to have a 
    basic understanding of this system not only to protect their files but also to 
    execute new tools and files. In some cases, hackers can exploit the 
    SUID
    and 
    SGID
    permissions to escalate privileges from a regular user to a root user.



    Download 7,3 Mb.
    1   ...   63   64   65   66   67   68   69   70   ...   115




    Download 7,3 Mb.
    Pdf ko'rish

    Bosh sahifa
    Aloqalar

        Bosh sahifa



    Granting the Root User’s Group Permissions SGID

    Download 7,3 Mb.
    Pdf ko'rish