Linux Privilege Escalation (FedVTE Online Training Portal, 2015-05-03)


Uploaded by duongque, 09-Jun-2018


TRANSCRIPT

Linux Privilege Escalation

Table of Contents

Privilege Escalation ......................................................................................................................... 2

Privilege Escalation ......................................................................................................................... 3

sudo -1 ............................................................................................................................................ 5

sudo -2 ............................................................................................................................................ 7

sudo Security Advantages ............................................................................................................. 8

sudo Security Disadvantages ...................................................................................................... 10

/etc/sudoers ............................................................................................................................... 12

Notices .......................................................................................................................................... 14

Page 1 of 14

Privilege Escalation (slide 34)

**034 Jeff Arsenault: Okay, so in this section we'll look at privilege escalation: privilege escalation in terms of how to securely escalate yourself to have escalated permissions, such as root or other permissions that a normal user wouldn't have; and also how to protect yourself from other people that you don't want to have special permissions on your hosts.


Privilege Escalation (slide 35)

Best practice

• Never use the root account by default

— In some distributions, trying to log in as root remotely will add your system to hosts.deny.

— If multiple users log in as root, it's hard to tell what they've done to a system.

• If commands need elevated access in order to run, use sudo.

**035 So the best practice is never to use root. In some distros, like Ubuntu, you can't log in as root. You don't even know the root password. The only way you're going to get root permissions is using sudo. In others, and specifically in Red Hat, you set the root password when you set up, and you can actually log in as root; and you can su to root also. su means super-user, where you can change your personality. So you type just su, and it's going to ask for the root password; you type it in, and now you have a command prompt as root. So any user has that.


But the problem is there's no accountability that way, and there's no control over who can do it. Anyone can type su, and if they know the password they'd be able to do it. So that's what we have sudo for. With sudo you don't need to know the root password; you have to be in a group that says you're allowed to be root. So you type sudo and the command you're going to run, and then it'll ask you for your password. So you put in your personal password, the same password you logged in with, and then it'll check you against the config file to see if you have permission to run that command that you typed; and if you do, it'll run the command and then get you back to your regular prompt. So you never actually have a root command prompt. That's a very good way of separating out privileges. You don't just have blanket root; you have specific permissions based off the config file. So you have permissions to run just certain programs. They don't even necessarily have to be root programs. They could be programs that just have extra permissions. Like you could just be able to start Apache. So you kind of create a group of users who are allowed to start and stop Apache without giving them full root permission to the entire box; kind of segregation.

sudo -1 (slide 36)

Takes a command as an argument and executes it as root

Looks at the configuration file and determines who is authorized to do what

• If a user is allowed to execute a certain command, their password is required.

• There is a timeout that can be configured to allow additional commands to be executed without entering a password again.

— The timeout ensures that if a user steps away from the system, the user will not have elevated privileges for long.

**036 So it takes a command as an argument and executes it as root. Looks at the configuration file and determines who's authorized to do what. And then you can set the timer; I think the default might be 30 seconds or 15 seconds, around there. So if you type in multiple commands, it caches that password you typed in. So if you're doing a bunch of the same kind of stuff, it'll cache your credentials. But you can set it to be a one-time use only also. So as soon as you type that one command and you type in your password, every time you do that you're going to have to type your password again. But you can also have a short window. So if it's someone who's a frequent system admin, you can give them a little bit of a window where they're not going to have to keep retyping their password every time they type a command that requires root access.


sudo -2 (slide 37)

Keeps a log of

• Each command that was run with sudo

• The user who ran the command

• The directory the command was run from

• Timestamp of command execution

The sudoers file is designed to be used for multiple hosts.

Permission specifications include

• The user (or group) the line applies to

• Hosts where the user should have access

• Commands the user can run

• The user the command may be run as (the runas user)

**037 One of the big things: it keeps a log. So a failed attempt or a successful attempt is going to be logged. It's going to show the user who tried to do it, what command they tried to run, and what time they tried to do it. So if there's someone who's banging away, trying different passwords or trying to run a specific command, you're going to see it in your log files. So you'll have a heads up that someone's trying to do something they're not supposed to. Permission specifics include the user who the line applies to; hosts where the users should have access, so you could also limit by hostname who can do the sudo commands; and, a big thing, the commands a user can run.

sudo Security Advantages (slide 38)

Lines in the sudoers file must include the full path name

• Prevents a sudoer from substituting their own script for the intended command; a bare name would otherwise be resolved through the caller's PATH. The path named must itself not be writable by the sudoer, or they can replace the file it points to.

• Implements least privilege for system administrators

— Privileges can be revoked without changing the root password.

• Keeps the real root password secret

Integrity is maintained because of command logging.

**038 Must include the full path name. So don't just put in the filename. It needs to know where it lives, because it's living in etc; it doesn't know where you live. So you have to put the full path name. If you're doing a useradd, put /sbin/useradd. And the key is no one knows the root password, because they're using their own password; and because of the configuration file, you're giving those extra permissions. So sudo has been around for a really long time, and you're starting to see it now in user access control in Windows. You see that now where you'll get that popup window and a username and password to enter in; and that's a username that's an admin user or someone that's been designated permission to perform those actions. That's Windows' version of sudo, but it's more a GUI interface. You see it now in the GUI interfaces that come with GNOME and KDE. They now have built-in ways of accessing sudo. So if you're trying to run an application, it's going to give you a popup window to put your password in, and it'll cache for a little while, especially if you're trying to run GUI programs as root. So if you try to install a program that traditionally requires root, it'll pop up that box and ask you, okay, what's your password? And if you're not in that group of users who are part of the admin group (we'll call it that, to keep it in the same vein as Windows) it won't allow you to run it. But sudo's been around a lot longer than they've been doing it in Windows.


sudo Security Disadvantages (slide 39)

Any compromise of a sudoer's account is a compromise of the whole system if the sudoers file gives that account full root access.

sudo logs only the command it was asked to run. A user who is allowed to run a shell (sudo sh, sudo su, sudo bash) or any program that can spawn one gets a root shell whose subsequent commands sudo never sees, so the log shows just the single shell invocation.

**039 So a single point of failure is that file. If someone does get on and gets access to the sudoers config file, then you're out of luck; they're going to get everything. So there's still a single point of failure. That would be a file that you'd definitely want to be running MD5 checks on, and keep an eye on permission changes for, because if they get in there then they can add a regular user account to that file and that user account will now have all the privileges. And they don't need to know a root password; they just need to know their own password.


Now, one of the things you can limit in the sudoers file, and I'll be just as guilty of this as anyone: I'm used to before sudo, and I used to su and get my root prompt, and I could do everything as root. I never had to type my password ever, and I could once actually in root /etc. But so you could still kind of cheat if the sudoers file was not configured right. Because remember, you're typing sudo and running a command, and that command's going to run as you. So if I run sudo, space, bash, that means I'm going to launch a shell as root. So basically I've got a root command prompt again. It's the equivalent of doing su. So that's what those examples are there for. But I've been guilty of doing that too. I'll type sudo, space, bash, or sh, and then I basically have a command prompt again. And that's what you're trying to avoid, because then the rest of my actions after that aren't logged. Because everything I do in the bash session isn't then going to be logged by sudo, because sudo's already done its job; it gave me my root credentials to run a program that I asked for, and I was allowed to do it because the sudoers file says so. So that's something you want to lock down in the sudoers file, saying they can't run shells. And so you just list the shells and their full path and say deny. That's a very important note. Now, I've never done it on a production system, for the record. It was always on my own virtual machines.
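Slide 37 says sudo logs every command, who ran it, from where and when; slide 39 says that sudo sh or sudo su ends that logging the moment the shell starts. The script below is an added example and not part of the course material. It runs over a handful of constructed sudo syslog lines (the format sudo writes to /var/log/auth.log, /var/log/secure or the journal; "user NOT in sudoers", "command not allowed" and "incorrect password attempts" are sudo's own wording) and pulls out the two things a defender wants from that log: denied or failed attempts, and successful root shells. The host name, user names and paths in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the course): audit sudo's syslog lines for denied
# attempts and for commands that hand the user an unlogged root shell.
# The lines below are constructed samples in sudo's syslog format; on a real
# host read /var/log/auth.log, /var/log/secure or `journalctl _COMM=sudo`.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
May  3 10:01:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd bob
May  3 10:02:11 host1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
May  3 10:03:40 host1 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/ls /root
May  3 10:05:15 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
May  3 10:06:00 host1 sudo:     dave : command not allowed ; TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers
May  3 10:07:30 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
May  3 10:08:45 host1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 50022 ssh2
EOF

# Shells and shell-equivalents: once sudo starts one of these as root, nothing
# typed inside it is logged by sudo. Extend the list for your distribution.
SHELL_RE='COMMAND=(/bin|/usr/bin)/(sh|bash|dash|zsh|ksh|su)( |$)'
# sudo's own messages for a refused or failed invocation.
DENY_RE='user NOT in sudoers|command not allowed|incorrect password attempt'

# sudo_audit denied FILE -> "user<TAB>reason<TAB>command" per denied/failed attempt
# sudo_audit shell  FILE -> "user<TAB>command" per successful root shell
# A sudo line is "<syslog prefix> sudo: <user> : <reason or TTY=..> ; PWD=.. ;
# USER=.. ; COMMAND=..", so fields are split on " ; " and the first field
# carries the user and, for failures, the reason.
sudo_audit() {
    awk -F' ; ' -v mode="$1" -v shell_re="$SHELL_RE" -v deny_re="$DENY_RE" '
        $1 !~ / sudo: / { next }                      # lines from other daemons
        {
            split($1, a, " sudo: +"); split(a[2], b, " : ")
            user = b[1]; reason = b[2]; cmd = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
            denied = ($0 ~ deny_re)
        }
        mode == "denied" && denied                  { printf "%s\t%s\t%s\n", user, reason, cmd }
        mode == "shell"  && !denied && $0 ~ shell_re { printf "%s\t%s\n", user, cmd }
    ' "$2"
}

echo "== denied or failed sudo attempts (user, reason, command) =="
sudo_audit denied "$SAMPLE_LOG"
echo "== root shells obtained through sudo (user, command) =="
sudo_audit shell "$SAMPLE_LOG"
```

On the sample this reports bob, carol and dave under denied attempts and alice's two shell invocations (bash and su). Run it periodically against the real log, and pair it with an integrity check on /etc/sudoers and /etc/sudoers.d (a SHA-256 baseline rather than the MD5 the lecture mentions), since the sudoers file is the single point of failure slide 39 describes.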

/etc/sudoers (slide 40)

**040 So here's an example of the sudoers file. Commonly what'll happen is you can do it by individual users, like you see in the circle. Another common way to do it is there's a group called wheel: just like we showed in the /etc/group file, in the /etc/group file there'll be a group called wheel. It'll have its own GID. And then we assign users to that group, and those users, then we can just specify the group in the sudoers file instead. So it's kind of a different use. We're not using groups for file permissions, but we are using it as a way to identify groups of users. So we can define additional groups as needed; say, allow it to run Apache, and create a group, Apache Admin. And then in here we can use that to say what permissions they're allowed to have. So you can delegate, instead of giving away the whole house.
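Slides 36, 38, 39 and 40 together describe what a good sudoers entry looks like: a credential timeout, full command paths, no shells, and delegation by group. The script below is an added example, not the course's slide and not a distribution's stock file; it prints such a drop-in for /etc/sudoers.d/ and checks it. The group names apacheadm and useradm, the host webhost1, the user alice and the command paths are assumptions for illustration; timestamp_timeout and tty_tickets are real sudoers Defaults options. Note that timestamp_timeout is measured in minutes, and sudo's compiled-in default is a few minutes (5 in current releases), not seconds.

```shell
#!/bin/sh
# Added example (not from the course): a least-privilege sudoers drop-in for
# /etc/sudoers.d/, plus a pre-check that every command in it is an absolute path.
# Group names, host name, user name and command paths are illustrative
# assumptions; adjust them to the distribution (service lives in /usr/sbin on
# Debian/Ubuntu, for instance).

# Print the fragment. Every command carries its full path, rules are granted to
# groups from /etc/group, and no entry hands out a shell or an editor.
sudoers_fragment() {
    cat <<'EOF'
# Re-prompt for the password after 5 minutes of inactivity (the unit is
# minutes); timestamp_timeout=0 would require it for every single command.
Defaults        timestamp_timeout=5
# Keep the cached credential per terminal, not per user.
Defaults        tty_tickets

# Command aliases: absolute paths, grouped by duty.
Cmnd_Alias      APACHE  = /usr/sbin/service apache2 start, \
                          /usr/sbin/service apache2 stop, \
                          /usr/sbin/service apache2 restart
Cmnd_Alias      USERADM = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel

# Delegation by group (%name is a group from /etc/group): members may run only
# the listed commands, as root, on any host this file is deployed to.
%apacheadm      ALL = (root) APACHE
%useradm        ALL = (root) USERADM

# One user, one host, one read-only command.
alice           webhost1 = (root) /bin/systemctl status apache2

# What NOT to write. The first line is full root including shells (sudo bash
# works). The second tries to forbid shells with "!"; the sudoers manual warns
# that subtracting from ALL is ineffective, since the user can copy /bin/bash
# to another name and run that instead.
#   %admin      ALL = (ALL) ALL
#   %admin      ALL = (ALL) ALL, !/bin/bash, !/bin/sh
EOF
}

# Read a sudoers fragment on stdin and fail (exit 1) if any command in a
# Cmnd_Alias or a user/group rule is not an absolute path. sudoers itself
# rejects bare names; this catches them before visudo and needs no privileges.
check_full_paths() {
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' |      # join "\"-continued lines
    sed -e 's/#.*//' |                          # drop comments
    awk -F'=' '
        /^[ \t]*$/ || /^Defaults/ || NF < 2 { next }
        {
            rhs = $2
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", rhs)   # strip the "(runas)" part
            n = split(rhs, cmds, ",")
            for (i = 1; i <= n; i++) {
                sub(/^[ \t]+/, "", cmds[i])
                if (cmds[i] == "") continue
                split(cmds[i], tok, " ")
                w = tok[1]                              # the command itself
                if (w ~ /^[A-Z][A-Z0-9_]*$/) continue   # alias name or ALL
                if (w !~ /^\//) { print "non-absolute command: " w; bad = 1 }
            }
        }
        END { exit bad }'
}

# Run sudo's own parser over the fragment. visudo normally lives in /usr/sbin,
# which is not on an unprivileged user's PATH; when it is not found the check
# is skipped with a message and 0 is returned, so read the message, not just
# the status.
validate_with_visudo() {
    tmp=$(mktemp) || return 1
    sudoers_fragment > "$tmp" && chmod 0440 "$tmp"
    vs=$(command -v visudo 2>/dev/null || true)
    [ -z "$vs" ] && [ -x /usr/sbin/visudo ] && vs=/usr/sbin/visudo
    if [ -n "$vs" ]; then
        "$vs" -cf "$tmp"; rc=$?
    else
        echo "visudo not found; syntax not checked" >&2; rc=0
    fi
    rm -f "$tmp"; return $rc
}

if sudoers_fragment | check_full_paths; then
    echo "fragment OK: every command is an absolute path"
fi
```

To deploy, write the fragment to a temporary file, run validate_with_visudo (or visudo -cf on that file), then install it with mode 0440 and owner root into /etc/sudoers.d/, which /etc/sudoers pulls in through its includedir directive on most distributions. Keeping the rules in a drop-in rather than editing /etc/sudoers directly also makes the integrity monitoring slide 39 calls for simpler: the stock file never changes, and every delegated permission is in one small file you can diff.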


Notices (slide 2)

© 2014 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
