Privilege escalation
Latest revision as of 09:04, 30 May 2008
Privilege escalation is the process by which a user runs a process with more rights than that user is normally entitled to. This can be both legitimate and malicious.
For example, allowing a user to change their own password requires write access to /etc/passwd and/or /etc/shadow. Under normal circumstances, users can only read /etc/passwd and cannot access /etc/shadow at all:
# ls -l /etc/{passwd,shadow}
-rw-r--r-- 1 root root 3215 Jun 30 10:28 /etc/passwd
-rw------- 1 root root 2829 Oct 24 12:05 /etc/shadow
However, to edit these files users can run the passwd command, which has the setuid bit set (the s in the owner's execute position of the listing below). When a setuid executable is run, the process receives the effective user ID of the file's owner rather than that of the user who started it, so passwd runs as root and can perform one very specific action on the user's behalf (edit /etc/passwd and /etc/shadow):
$ ls -l /usr/bin/passwd
-r-sr-xr-x 1 root bin 25152 Sep 11 20:07 /usr/bin/passwd
Privilege escalation is also a frequent goal of a cracker (causing a DoS is another). Typically, a cracker will attempt to exploit a bug, for example in a setuid program like the one above, to gain unauthorized privilege escalation (usually to the root user) in order to take control of a system.
See also permissions and setuid.
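Because every setuid or setgid program is a place where an ordinary bug turns into someone else's rights, the first check a practitioner makes on a host is to enumerate them. The following Perl script is an added example, not code from the original page: it walks a directory tree and reports every regular file carrying the setuid or setgid bit, the same property `ls -l` shows as `s` for /usr/bin/passwd above. The directory arguments and their defaults are assumptions; the script needs only core Perl (File::Find, Fcntl) on a Unix host.

```perl
#!/usr/bin/perl
# Added example (not from the original page): inventory setuid/setgid files.
# Assumes a Unix host; start directories are hypothetical arguments with the
# usual system binary directories as defaults.
use strict;
use warnings;
use File::Find;
use Fcntl ':mode';   # S_ISUID, S_ISGID, S_IWOTH, S_ISREG

# Return a list of [path, owner, group, mode] for every regular file under
# @roots whose mode has the setuid or setgid bit. Symlinks are not followed
# (a link to /usr/bin/passwd is not itself a privileged file).
sub find_privileged_files {
    my @roots = @_;
    my @found;
    find({
        no_chdir => 1,                 # $_ is the full path, not a basename
        wanted   => sub {
            my @st = lstat $_ or return;
            my $mode = $st[2];
            return unless S_ISREG($mode);
            return unless $mode & (S_ISUID | S_ISGID);
            my $owner = getpwuid($st[4]) // $st[4];
            my $group = getgrgid($st[5]) // $st[5];
            push @found, [$_, $owner, $group, $mode & 07777];
        },
    }, @roots);
    return @found;
}

my @roots = @ARGV ? @ARGV : ('/usr/bin', '/usr/sbin', '/bin', '/sbin');
for my $f (find_privileged_files(@roots)) {
    my ($path, $owner, $group, $perm) = @$f;
    my $kind = ($perm & S_ISUID) ? 'setuid' : 'setgid';
    # A setuid file that anyone can write is the worst case: an attacker
    # replaces its contents and the replacement runs with the owner's rights.
    my $warn = ($perm & S_IWOTH) ? '  WORLD-WRITABLE' : '';
    printf "%s %04o %-8s %-8s %s%s\n", $kind, $perm, $owner, $group, $path, $warn;
}
```

Run it as an ordinary user (`perl find-suid.pl /usr/bin /usr/local/bin`); lstat needs no special rights. Compare the output against the distribution's package manifest: a setuid-root file that no package accounts for, or one owned by a non-root user, deserves the same scrutiny as a new account in /etc/passwd.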
perl
You should also set $( and $), the real and effective group IDs, and do so before changing the user IDs: once the process is no longer root it can no longer change its groups. Note that getpwnam returns the whole passwd entry in list context, so take the numeric fields explicitly rather than assigning its result straight into $< and $>:
my ($uid, $gid) = (getpwnam('nobody'))[2, 3];   # numeric uid and gid, not the name and password fields
($(, $)) = ($gid, "$gid $gid");                 # real gid, then effective gid plus the supplementary group list
($<, $>) = ($uid, $uid);                        # real and effective uid, after the groups
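The complete sequence, as an added Perl example that is not part of the original page: resolve the account, drop the groups, drop the user, then verify rather than trust. It uses POSIX::setgid and POSIX::setuid instead of assigning the special variables, because setgid(2) and setuid(2) called as root change the real, effective and saved IDs together; a plain assignment to $< and $> can leave the saved uid at 0, so a later $> = 0 would quietly succeed, which is exactly what the final check in the function detects. The 'nobody' default and the user-name argument are assumptions; the script must be started as root.

```perl
#!/usr/bin/perl
# Added example (not from the original page): permanently drop from root to an
# unprivileged account. Assumes a Unix host, a script started as root, and
# that the target account exists ('nobody' by default; hypothetical argument).
use strict;
use warnings;
use POSIX ();

sub drop_privileges {
    my ($user) = @_;

    # getpwnam in LIST context returns the whole passwd entry; fields 2 and 3
    # are the numeric uid and gid.
    my ($uid, $gid) = (getpwnam($user))[2, 3];
    die "no such user: $user\n" unless defined $uid;
    die "refusing to drop to uid 0\n" if $uid == 0;

    # 1. Groups first: once the uid is no longer 0 the process may not change
    #    its group IDs any more. Assigning "$gid $gid" to $) sets the
    #    effective gid and, through setgroups(2), replaces the supplementary
    #    group list with just $gid; POSIX::setgid then sets the real,
    #    effective and saved gid in one call.
    $) = "$gid $gid";
    POSIX::setgid($gid) or die "setgid($gid): $!\n";

    # 2. Then the uid. setuid(2) called as root changes real, effective AND
    #    saved uid, so root cannot be regained afterwards.
    POSIX::setuid($uid) or die "setuid($uid): $!\n";

    # 3. Verify. Every id Perl reports must now be the target's, and an
    #    attempt to become root again must fail (Perl ignores the failure
    #    silently, so re-read $> instead of checking the assignment).
    my @bad = grep { $_ != $gid } split ' ', join ' ', $(, $);
    die "gid drop incomplete: @bad\n" if @bad;
    die "uid drop incomplete\n" unless $< == $uid && $> == $uid;
    $> = 0;
    die "still able to regain root\n" if $> == 0;

    return ($uid, $gid);
}

my ($uid, $gid) = drop_privileges(@ARGV ? $ARGV[0] : 'nobody');
print "now running as uid=$uid gid=$gid\n";
```

Start it with `sudo perl drop.pl nobody`; the script prints the ids it ended up with or dies at the first step that did not take effect. The verification at the end is the part worth keeping in any daemon: a privilege drop that is not tested is only a hope.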