4.16. Obtaining Higher Privileges

To conclude the security topic, you need to become acquainted with the sudo command, which allows programs to be executed on behalf of another user.

I already mentioned in Section 2.7 that it is highly undesirable to work in the system as root. The reasons are the following:

  • Programs started by root run with root rights. Should there be a vulnerability in such a program, hackers can use it to obtain root rights.

  • Entering a command erroneously can impair the entire system, and making such a mistake is not that difficult, because Linux provides powerful regular expression capabilities.

If there is no user account without administrator rights in the system, add it now. Then log into the system using this account and try to view the /etc/shadow file by executing the cat /etc/shadow command.

The system will respond with a message that you are denied permission to view the file. Now execute the same command using sudo:

 sudo cat /etc/shadow 

The system will respond with the message that your account is not in the sudoers (/etc/sudoers) file. This is the file in which the users permitted to use the sudo command are listed. An example of this file's contents is shown in Listing 4.2.

Listing 4.2: The contents of the /etc/sudoers configuration file

 # sudoers file
 # This file MUST be edited with the 'visudo' command as root.
 # See the sudoers man page for the details on how to
 # write a sudoers file.
 # Host alias specification
 # User alias specification
 # Cmnd alias specification
 # Defaults specification
 # User privilege specification
 root    ALL=(ALL) ALL
 # Uncomment to let people in group wheel run all commands
 # %wheel  ALL=(ALL)       ALL
 # Same thing without a password
 # %wheel  ALL=(ALL)       NOPASSWD: ALL
 # Samples
 # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
 # %users  localhost=/sbin/shutdown -h now

There is only one entry that is not commented out in this file. This is the following:

 root   ALL=(ALL) ALL 

There are the following three fields in this entry:

  • In the first field, the user (or group) allowed to execute the specified command is designated. I recommend listing specific users here: a hacker who manages to join a group would inherit that group's rights, whereas when specific users are listed, group membership alone grants no access to high-privileged commands.

  • In the second field, the name of the machine on which the permitted user can execute commands as the superuser is specified.

  • In the third field, the commands that the permitted user can execute as the superuser are listed after the equals sign.

Thus, to enable a regular user to view the /etc/shadow file, the corresponding rights have to be specified for this user in the /etc/sudoers file. You created the regular user robert earlier. Add the following entry for him to the /etc/sudoers file:

 robert ALL=ALL 

Now the user robert can use the sudo command to perform any administrator task. You can verify this by executing the cat command via sudo again: sudo cat /etc/shadow.

This time the command should execute without any complaints from the system. You will have to enter the administrator's password to use the sudo feature.

Giving permission to execute all commands contradicts the secure system principles. Thus, you have to place certain restrictions.

It is difficult for one person to maintain a server that processes numerous user connections daily and runs various services. In most cases, this task is shared by many people. One person is responsible for the system, another maintains the Web server, yet another takes care of the MySQL database, and so on. It is not necessary for all administrators to have the same rights; each of them only has to be permitted to execute those commands that he or she needs to perform the specific task assigned. Thus, the rights for each user must be clearly specified, for example, as follows:

 robert     ALL=/bin/cat /etc/shadow 

Note that the absolute paths to the cat program and the shadow file are given; otherwise, executing the command will produce an error message.

Suppose you want to give a user extended rights and allow him or her not only to view the password file but also to mount the CD-ROM. For this, edit the entry by adding permission to execute the mount command:

 robert     ALL=/bin/cat /etc/shadow, /bin/mount 

Note that this only gives read permission for the /etc/shadow file, by explicitly specifying the cat utility as the program to access it with. This makes sense, because the file itself is edited with the passwd command. You could simply give permission to execute the cat command as follows:

 robert     ALL=/bin/cat, /bin/mount 

But in this case a hacker can view any files in the system as root, including those that a regular user cannot see.

No parameters were specified for the mount command, so the user can supply the parameters himself or herself. Specifying the CD-ROM as an argument explicitly lets the user mount only this device:

 robert     ALL=/bin/cat /etc/shadow, /bin/mount /dev/cdrom 

In the examples considered, the computer parameter was specified as ALL, which means any machine. Never use this value in a real system. Always specify the particular computer to which the entry applies. Most often, this will be the local server.

The sudo utility can be used to execute commands not only as the root but also as any other user. This is done by using the -u option with it. For example, the following command attempts to view the password file as the flenov user:

 sudo -u flenov cat /etc/shadow 

If the user is not specified, the sudo program requests the root's password. Giving this password to the user robert is not smart for security, because this kills the whole idea of building such a complex security system. Knowing the root's password, the user can log into the system as the administrator and do whatever his or her heart desires with it.

Never reveal the administrator password to those who are not supposed to know it. Instead, use the passwords of other user accounts that have the right to work with the necessary files and programs. In this case, the name of the user that the administrator assigned to execute the command will have to be specified.

Another way to avoid having to reveal the administrator password is to allow the user to execute commands without authentication. This is done by adding the keyword NOPASSWD followed by a colon between the equals sign and the list of commands, as follows:

 robert     ALL=NOPASSWD:/bin/cat /etc/shadow, /bin/mount /dev/cdrom 

Now the password will not be requested when the sudo program is executed. This is dangerous if you do not list the permitted commands but only give the ALL keyword:

 robert     ALL=NOPASSWD:ALL 

If hackers obtain access to the robert user account, the sudo utility will give them the ability to execute any command in the system. If you list only the permitted commands, the harm that can be done to a compromised system is limited by how dangerous the commands the robert user is allowed to execute are and by how well this account is protected (i.e., how long and strong the password is, how diligent the owner is, etc.).

The sudo utility can be used to allow access for editing files. Never use this capability. Launching a text editor to edit even the most innocent file will give hackers too many opportunities. For example:

  • To execute system commands. Because the editor runs with root rights, the commands will also be executed with root rights, meaning that hackers will have the entire system at their disposal.

  • To open any other file taking advantage of the root privileges.

I never delegate the ability to edit configuration files using a text editor. If this cannot be avoided, I never give root rights for it. The configuration files to be edited are assigned to another owner, and the user delegated to edit them launches the sudo program as this new user, thus avoiding running the editor with root rights.

The following commands are potentially dangerous and should not be executed with root rights by other users:

  • File editing commands: These would allow a dishonest employee to modify any configuration file, not just the ones specified.

  • The chmod command: It allows hackers to lower the access rights on configuration files and then edit them even if they only have guest rights.

  • The useradd command: It allows hackers to create a user with ID zero, thus obtaining rights to the entire system.

  • The mount command: List only specific devices in the configuration file, and allow only trusted employees to execute this command. If hackers are able to mount a device holding programs with the SUID bit set or Trojan horse programs, they will be able to take over the entire system.

  • The chgrp and chown commands: These change a file's group or owner. By taking over ownership of the password file, hackers will be able to read and even edit it.
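As an added example that is not from the book, the following POSIX shell script audits a sudoers file for the patterns this section warns about: ALL in the host field, ALL or NOPASSWD:ALL as the command list, group rules, relative paths, cat or mount with no arguments, and the editors and ownership tools listed above. The audit_sudoers function and the sample file are my own construction, and the sample entries are made up to match the ones discussed.

```shell
#!/bin/sh
# Added example, not from the book: audit a sudoers file for the risky
# patterns this section describes (ALL hosts, ALL or NOPASSWD:ALL command
# lists, group rules, relative paths, cat/mount with no arguments, editors
# and ownership/permission tools). Plain sh + awk; visudo is not required.
# Prints one finding per line; the exit status is the number of findings.
audit_sudoers() {
    awk '
    function flag(msg) { findings++; printf("%s: %s: %s\n", FILENAME, user, msg) }
    /^[ \t]*#/ || NF == 0 { next }                       # comments, blank lines
    /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
    {
        eq = index($0, "="); if (eq == 0) next
        lhs = substr($0, 1, eq - 1); rhs = substr($0, eq + 1)
        gsub(/^[ \t]+/, "", lhs); split(lhs, f, /[ \t]+/)
        user = f[1]; host = f[2]
        if (user == "root") next                          # the book keeps root ALL=(ALL) ALL
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", rhs)            # drop the (runas) part
        nopass = sub(/^[ \t]*NOPASSWD:[ \t]*/, "", rhs)
        gsub(/^[ \t]+|[ \t]+$/, "", rhs)
        if (user ~ /^%/) flag("group rule; name specific users instead")
        if (host == "ALL") flag("host is ALL; name the machine the entry applies to")
        if (rhs == "ALL") flag(nopass ? "NOPASSWD:ALL gives unrestricted passwordless root" : "command list is ALL")
        n = split(rhs, cmds, /,/)
        for (i = 1; i <= n; i++) {
            c = cmds[i]; gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (c == "ALL") continue
            split(c, parts, /[ \t]+/); prog = parts[1]
            base = prog; sub(/.*\//, "", base)
            if (substr(prog, 1, 1) != "/") flag("relative path " prog "; use an absolute path")
            if (c == prog && (base == "cat" || base == "mount")) flag(base " without arguments: any file or device")
            if (base ~ /^(vi|vim|nano|emacs|ed|chmod|chown|chgrp|useradd)$/) flag(base " as root hands over the whole system")
        }
    }
    END { exit findings + 0 }
    ' "$1"
}

# Constructed sample with the kinds of entries discussed above.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root    ALL=(ALL) ALL
robert  ALL=NOPASSWD:ALL
robert  ALL=/bin/cat, /bin/mount
alice   webserver=/bin/cat /etc/shadow, /bin/mount /dev/cdrom
%users  ALL=/usr/bin/vi /etc/hosts
EOF
audit_sudoers "$SAMPLE" || echo "findings: $?"
```

Only the alice entry (named host, absolute paths, fixed arguments) passes cleanly; an exit status of 0 means no findings.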

Another thing to remember when working with the sudo program is that its SUID bit is set, meaning that it executes with the rights of its owner, that is, with root rights. Versions 1.5.5 through 1.6.5p2 of the sudo program have a memory-allocation bug, which hackers can exploit to perpetrate a stack overflow attack. You can check your version by executing the sudo command with the -V option. If executed by the administrator, it displays detailed information about the program, as shown in Listing 4.3.

Listing 4.3: The sudo program information

 Sudo version 1.6.5p2
 Authentication methods: 'pam'
 Syslog facility if syslog is being used for logging: authpriv
 Syslog priority to use when user authenticates successfully: notice
 Syslog priority to use when user authenticates unsuccessfully: alert
 Ignore '.' in $PATH
 Send mail if the user is not in sudoers
 Use a separate timestamp for each user/tty combo
 Lecture user the first time they run sudo
 Require users to authenticate by default
 Root may run sudo
 Allow some information gathering to give useful error messages
 Visudo will honor the EDITOR environment variable
 Set the LOGNAME and USER environment variables
 Length at which to wrap log file lines (0 for no wrap): 80
 Authentication timestamp timeout: 5 minutes
 Password prompt timeout: 5 minutes
 Number of tries to enter a password: 3
 Umask to use or 0777 to use user's: 022
 Path to mail program: /usr/sbin/sendmail
 Flags for mail program: -t
 Address to send mail to: root
 Subject line for mail messages: *** SECURITY information for %h ***
 Incorrect password message: Sorry, try again.
 Path to authentication timestamp dir: /var/run/sudo
 Default password prompt: Password:
 Default user to run commands as: root
 Path to the editor for use by visudo: /bin/vi
 Environment variables to check for sanity:
         LANGUAGE
         LANG
         LC_*
 Environment variables to remove:
         BASH_ENV
         ENV
         TERMCAP
         ...
         ...
 When to require a password for 'list' pseudocommand: any
 When to require a password for 'verify' pseudocommand: all
 Local IP address and netmask pairs:
         192.168.77.1 / 0xffffff00
 Default table of environment variables to clear:
         BASH_ENV
         ENV
         TERMCAP
         ...
         ...
 Default table of environment variables to sanity check:
         LANGUAGE
         LANG
         LC_*

What is displayed is just a fragment of the output, showing the main information. The first entry displays the program version, 1.6.5p2 in this case. The most interesting items in this listing are the following three lines:

 Authentication timestamp timeout: 5 minutes
 Password prompt timeout: 5 minutes
 Number of tries to enter a password: 3

The first line sets how long the password is cached, in this case 5 minutes. If the user executes the sudo command again within this time, the authentication procedure does not have to be repeated.

The next line specifies how long the program waits for the user to enter the password, and the last line specifies the number of attempts the user can make. If the correct password is not entered within this time or in the specified number of tries, the program terminates.


Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141