Privilege escalation: Difference between revisions
No edit summary |
Details. |
||
| Line 1: | Line 1: | ||
Privilege escalation is the process by which a user executes [[processes]] with more rights than they normally are entitled to use. This can be both good and bad. | |||
For example, allowing a user to change their own password requires write access to the <code>/etc/passwd</code> and/or <code>/etc/shadow</code> file. Under normal circumstances, users can only read <code>/etc/passwd</code>, and do nothing with <code>/etc/shadow</code>: | |||
# ls -l /etc/{passwd,shadow} | |||
-rw-r--r-- 1 root root 3215 Jun 30 10:28 /etc/passwd | |||
-rw------- 1 root root 2829 Oct 24 12:05 /etc/shadow | |||
However, to edit these files, users can run the <code>passwd</code>, which has the [[setuid]] bit set. This escalates the priviledge level of the user so that it can perform a very specific action (edit <code>/etc/passswd</code> and <code>/etc/shadow</code>) as the root user: | |||
$ ls -l /usr/bin/passwd | $ ls -l /usr/bin/passwd | ||
-r-sr-xr-x 1 root bin 25152 Sep 11 20:07 /usr/bin/passwd | -r-sr-xr-x 1 root bin 25152 Sep 11 20:07 /usr/bin/passwd | ||
see [[setuid]]. | Priviledge escalation is also a frequent goal of a [[cracker]] (causing a [[DoS]] is another). Typically, a cracker will attempt to exploit a [[bug]] to gain "Unauthorized Priviledge Escalation" (usually targeting the [[root]] user), and so take control of a system. | ||
see [[setuid]],[[permissions]]. | |||
Revision as of 12:32, 24 October 2005
Privilege escalation is the process by which a user executes processes with more rights than they normally are entitled to use. This can be both good and bad.
For example, allowing a user to change their own password requires write access to the /etc/passwd and/or /etc/shadow file. Under normal circumstances, users can only read /etc/passwd, and do nothing with /etc/shadow:
# ls -l /etc/{passwd,shadow}
-rw-r--r-- 1 root root 3215 Jun 30 10:28 /etc/passwd
-rw------- 1 root root 2829 Oct 24 12:05 /etc/shadow
However, to edit these files, users can run the passwd, which has the setuid bit set. This escalates the priviledge level of the user so that it can perform a very specific action (edit /etc/passswd and /etc/shadow) as the root user:
$ ls -l /usr/bin/passwd -r-sr-xr-x 1 root bin 25152 Sep 11 20:07 /usr/bin/passwd
Priviledge escalation is also a frequent goal of a cracker (causing a DoS is another). Typically, a cracker will attempt to exploit a bug to gain "Unauthorized Priviledge Escalation" (usually targeting the root user), and so take control of a system.
see setuid,permissions.
