Granting the Root User’s Group Permissions SGID
SGID
also grants temporary elevated permissions, but it grants the permissions
of the file owner’s group, rather than of the file’s owner. This means that,
with an
SGID
bit set, someone without execute permission can execute a file if
the owner belongs to the group that has permission to execute that file.
The
SGID
bit works slightly differently when applied to a directory: when
the bit is set on a directory, ownership of new files created in that directory
goes to the directory creator’s group, rather than the file creator’s group.
This is very useful when a directory is shared by multiple users. All users in
that group can execute the file(s), not just a single user.
The
SGID
bit is represented as
2
before the regular permissions, so a new
file with the resulting permissions
644
would be represented as
2644
when
the SGID bit is set. Again, you would use the
chmod
command for this—for
example,
chmod 2644 filename
.
The Outmoded Sticky Bit
The sticky bit is a permission bit that you can set on a directory to allow a
user to delete or rename files within that directory. However, the sticky bit
is a legacy of older Unix systems, and modern systems (like Linux) ignore
it. As such, I will not discuss it further here, but you should be familiar with
the term because you might hear it in the Linux world.
Special Permissions, Privilege Escalation, and the Hacker
As a hacker, these special permissions can be used to exploit Linux systems
through privilege escalation, whereby a regular user gains root or sysadmin
privileges and the associated permissions. With root privileges, you can do
anything on the system.
One way to do this is to exploit the
SUID
bit. A system administrator or
software developer might set the
SUID
bit on a program to allow that pro-
gram access to files with root privileges. For instance, scripts that need to
change passwords often have the
SUID
bit set. You, the hacker, can use that
permission to gain temporary root privileges and do something malicious,
such as get access to the passwords at /etc/shadow.
Let’s look for files with the
SUID
bit set on our Kali system to try this
out. Back in Chapter 1, I introduced you to the
find
command. We’ll use
its power to find files with the
SUID
bit set.
As you’ll remember, the
find
command is powerful, but the syntax is
bit more complicated than some of the other location commands, such as
locate
and
which
. Take a moment to review the
find
syntax in Chapter 1, if
you need to.
Controlling File and Directory Permissions
59
In this case, we want to find files anywhere on the filesystem, for the
root user or other sysadmin, with the permissions
4000
. To do this, we can
use the following
find
command:
kali >find / -user root -perm -4000
With this command, we ask Kali to start looking at the top of the file-
system with the
/
syntax. It then looks everywhere below / for files that are
owned by root, specified with
user root
, and that have the
SUID
permission
bit set (
-perm -4000
).
When we run this command, we get the output shown in Listing 5-2.
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/kismet_capture
--snip--
Listing 5-2: Finding files with the SUID bit set
The output reveals numerous files that have the
SUID
bit set. Let’s navi-
gate to the /usr/bin directory, where many of these files reside, and then run
a long listing on that directory and scroll down to the sudo file, as shown in
Listing 5-3.
kali >cd /usr/bin
kali >ls -l
--snip--
-rwxr-xr-x 1 root root 176272 Jul 18 2018 stunnel4
-rwxr-xr-x 1 root root 26696 Mar 17 2018 sucrack
u
-rwsr-xr-x 1 root root 140944 Jul 5 2018 sudo
--snip--
Listing 5-3: Identifying files with the SUID bit set
Note that at u, the first set of permissions—for the owner—has an
s
in place of the
x
. This is how Linux represents that the
SUID
bit is set. This
means that anyone who runs the sudo file has the privileges of the root user,
which can be a security concern for the sysadmin and a potential attack vec-
tor for the hacker. For instance, some applications need to access the /etc/
shadow file to successfully complete their tasks. If the attacker can gain con-
trol of that application, they can use that application’s access to the pass-
words on a Linux system.
Linux has a well-developed system of security that protects files and
directories from unauthorized access. The aspiring hacker needs to have a
basic understanding of this system not only to protect their files but also to
execute new tools and files. In some cases, hackers can exploit the
SUID
and
SGID
permissions to escalate privileges from a regular user to a root user.
|