4.8. Obtaining Root Privileges

Now that you have enough knowledge of access principles, I can discuss the typical techniques crackers use to obtain root rights and to conceal their presence in the system.

Suppose that a hacker has gained the ability to execute commands with root rights. Continuing to use the root account itself would be too dangerous and too conspicuous. Moreover, the root password cannot simply be changed.

So how can you log into the system and retain maximum rights at the same time? Recall how Linux manages access rights. Information about user accounts is stored in the /etc/passwd file in the following format:

 robert:x:501:501::/home/robert:/bin/bash 

The third and fourth fields are the UID and GID, respectively. When a file system object is given access permissions, the system stores only the numeric identifiers of its owner and group, not their names. In practical terms, this means the following: Suppose there is already a user named robert who is assigned the identifier 501. When another user account is created with the same identifier, whatever its name, it has the same access rights as the original account with that identifier.

Of what use can this possibly be? Check the identifier of the root user: it is zero. It is the zero identifier, not the name root, that confers maximum rights. Now edit the robert entry in the passwd file, changing the UID and GID to zero. When done, the entry should look like the following string:

 robert:x:0:0::/home/robert:/bin/bash 

Now log into the system as this user and try to open and edit the /etc/passwd file, or try to add a new user. You will succeed, even though only root can edit /etc/passwd and add users. The system determines an account's rights from its identifier, which in this case is zero, and so it grants the user maximum rights.

Because the user name is of no importance, I recommend deleting the root user from the /etc/passwd and /etc/shadow files and replacing it with a user that has a different name but a zero UID and GID. If hackers try to penetrate your system, they will try to guess the password for the root login. They will get nowhere, because there will be no such login.

On the other hand, you can leave the root user but change its identifier to a value greater than zero. I sometimes create a user account named root and set its ID to 501 or greater. When a hacker sees this account, he or she thinks it possesses maximum privileges, although it is just a regular user.

Each successful attempt to mislead an attacker increases the chance that he or she will panic. Having entered a system illegally, even a professional hacker experiences great psychological pressure, fearing discovery. Quite a few hackers are mentally unstable. This does not mean they are crazy: they are normal people under normal circumstances, but while perpetrating a break-in they are under great mental strain and, if something goes wrong, can panic easily.

As you can see, once a hacker has penetrated the system with root rights, he or she need not keep using the root account. Instead, the attacker can create another user with any name but with a zero UID and carry out further actions under this new maximum-rights account. Server administrators should watch for such shenanigans and prevent any attempts to change UIDs.

UIDs and GIDs can be found with the help of the id command. When executed without any options, the command displays the identifiers of the current user. To obtain the identifiers of a specific user, execute the command with the user name as the argument, as follows:

 id user_name 

Examine the identifiers of the user account robert. Execute the following command:

 id robert 

It should display the following string:

 uid=501(robert) gid=501(robert) group=501(robert) 

If you edited the passwd file as described earlier, the result will be this:

 uid=0(robert) gid=0(robert) group=0(robert) 

Thus, you can always determine the identifier of any user and his or her real rights.


Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141