

With Lucas “retiring”, I thought we could fill his space with something that is more of the same, yet different. I want to vault us into some ‘capture the flag’ type of stuff, but we need to lay some groundwork first. I will use the words directories and folders interchangeably. The reason is that there are GUI jockeys out there who will be reading this and who are not interested in terminal (shell) terminology. I want them to feel welcome reading this piece.

Let’s talk about privilege escalation in Linux. Because Linux has an all-powerful user named ‘root’, that is our aim; well… a root shell… Sometimes getting root is as easy as exploiting a program or a misconfigured service. Sometimes you have to string things together to step over the wall, so to speak. Sometimes you need to push the enter key 790 times… But I am getting ahead of myself. We need to talk about permissions first. (What is privilege escalation, but breaking and defying the permissions you were given?) <play “I want to break free” by Freddie Mercury for dramatic effect> :) When you look at Linux permissions, there are users and groups on one side, and files and folders (directories) on the other. (Yes, ‘others’ too, but I want you to paint a mental picture, OK?)

All users’ password hashes are stored in “/etc/shadow” (readable only by root), but the accounts themselves are still listed in “/etc/passwd”. You will notice root has a UID of 0, and, depending on your Linux distribution, regular users start at UID 500 or UID 1000. UID 0 has access to everything, thus making it the target for privilege escalation. Groups can have many users, and users can be in many groups. However, every file and folder has exactly one owner and one group. Groups are defined in “/etc/group” (no ‘s’), with their password hashes, if any, in “/etc/gshadow”. Permissions are granted or denied as read (r), write (w), and execute (x). Do an ‘ls -la’ in the folder where you are right now and look at the leftmost column. You will likely see something like “-rw-r--r--”, then a number (the link count), then the owner (user and group). Only the owner or root can change a file’s permissions. The very first character is the file type: “-” for a regular file, “d” for a directory, “l” for a symbolic link; ignore that for now. Thereafter, the first triplet is for the owner, the next triplet is for the group, and the last triplet is for “other”. “Other” is sometimes called “world”, but do not confuse the (w) for ‘write’ with ‘world’.

On a file, (r), (w) and (x) mean just what they say, but they are slightly different on directories / folders. Here, (r) lets you list the names in the directory, (w) lets you create, delete and rename entries in it (files and sub-directories alike), and (x) is the gatekeeper: it lets you enter the directory and reach the files inside it. Without (x), (r) still gives you bare names but you cannot open or stat anything, and (w) is useless. But it does not end there. There are the SUID and SGID bits. When the SUID bit is set on an executable, it runs with the privileges of the file’s owner rather than those of the user who started it; a SUID-root binary is therefore a prime target. SGID does the same for the file’s group. On a directory, Linux ignores SUID, but SGID makes new files and sub-directories inherit the directory’s group instead of the creator’s primary group. You will see an (s) in the (x) position of the owner or group triplet; a capital (S) means the special bit is set but execute is not, which is usually a mistake.
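Here is a small Python script, added as an example for this column and not something from the original article, that puts the above into code. It decodes an ls -l style mode string into owner/group/other permissions plus the SUID, SGID and sticky flags, and it walks a directory tree looking for set-id regular files, which is the first thing any privilege-escalation checklist does (the shell equivalent is `find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null`). The three-file demo tree it builds under a temp directory is constructed purely for illustration.

```python
import os
import stat
import tempfile

FILE_TYPES = {
    "-": "file", "d": "directory", "l": "symlink", "c": "char device",
    "b": "block device", "p": "fifo", "s": "socket",
}


def decode_mode_string(mode_str):
    """Decode an ls -l mode string such as '-rwsr-xr-x'.

    Returns the file type, per-class rwx permissions and the set-id /
    sticky flags.  The nine permission characters are read as three
    triplets (owner, group, other), exactly as described in the text.
    """
    if len(mode_str) != 10:
        raise ValueError("expected 10 characters, e.g. '-rwxr-xr-x'")
    classes = {}
    flags = {"setuid": False, "setgid": False, "sticky": False}
    for idx, who in enumerate(("owner", "group", "other")):
        r, w, x = mode_str[1 + 3 * idx: 4 + 3 * idx]
        # Lower-case s/t means execute is ALSO set; upper-case S/T means the
        # special bit is set but execute is not (usually a misconfiguration).
        perms = {"read": r == "r", "write": w == "w", "execute": x in "xst"}
        if who == "owner" and x in "sS":
            flags["setuid"] = True
        elif who == "group" and x in "sS":
            flags["setgid"] = True
        elif who == "other" and x in "tT":
            flags["sticky"] = True
        classes[who] = perms
    return {"type": FILE_TYPES.get(mode_str[0], "unknown"),
            "perms": classes, "flags": flags}


def is_setid_mode(mode):
    """True for a regular file whose st_mode carries SUID or SGID."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_setid_files(root):
    """Walk `root` and return (path, mode string) for every set-id regular file.

    Symlinks are not followed and unreadable entries are skipped, which is
    what you want when scanning a whole filesystem as an unprivileged user.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # e.g. permission denied
            if is_setid_mode(st.st_mode):
                hits.append((path, stat.filemode(st.st_mode)))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample tree: one SUID file, one SGID file, one plain file."""
    root = tempfile.mkdtemp(prefix="perm-demo-")
    for name, mode in (("suid_bin", 0o4755), ("sgid_bin", 0o2755), ("plain", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
        os.chmod(path, mode)  # setting the bits on your own file needs no root
    return root


if __name__ == "__main__":
    print(decode_mode_string("-rwsr-xr-x"))
    demo = build_demo_tree()
    for path, mode in find_setid_files(demo):
        print(mode, path)
    print("Try: find_setid_files('/usr/bin') to list the real SUID/SGID binaries.")
```

Point `find_setid_files` at `/usr/bin` and compare the result with what you would expect on a stock install; anything unusual in that list is the first place to look when hunting for a way up.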

Which brings us to “su” and “sudo” and the like. When you change users, you get what is known as an ‘effective ID’, which is not your ‘real ID’. (Thank goodness there are no step-permissions! Hahaha!). The kernel checks access against the effective ID; the real ID records who you actually logged in as. Now if that was not confusing enough, there is also a “saved ID”. This remembers the privileged ID when a process temporarily drops it, so the process can take it back later. When you use the “whoami” command, you get the name of your effective ID, and when you use the “id” command you see your real ID and, if it is different, your effective ID as well. Look for (euid) and (egid). Most of the time these will be the same as your UID. Run the “id” command as yourself, then run “sudo id”, then su before running id, and see how it changes.

Processes also have permissions. To see the permissions of your terminal (shell), type: ‘grep -E "^[UG]id" /proc/$$/status’ and you will see Uid and Gid, each followed by four numbers: the real, effective, saved and filesystem IDs. Note that $$ is the PID of the current shell. If your system is Ubuntu, you should see 1000 repeated four times; after su or sudo the new root shell shows four zeroes, and it is inside a running SUID binary such as passwd that you would see 1000 followed by zeroes. (I am assuming that you are the only user on your system). You also need to know that Linux is divided into user space and kernel space. Even your CPU is divided into user mode and kernel (supervisor) mode. Are you seeing a pattern here? On x86 CPUs you have privilege “rings”, ring 0 through ring 3. (Hello Greg!, I sort of remembered!). On modern CPUs the hypervisor and management firmware sit below the operating system too, so people informally talk about ring -1 and lower. Linux uses ring 0 for kernel space and ring 3 for user space. This is why some hackers work so hard on “undocumented features”: if you can talk to ring 0, you can bypass all the operating system permissions. This is beyond what we are going to cover, but at least you know about it.
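To make the real / effective / saved business from the last two paragraphs concrete, here is an added Python example (mine, not from the original column) that parses the Uid and Gid lines of a /proc/<pid>/status dump, classifies the process, and cross-checks the live /proc view against what the getresuid() system call reports. The two status dumps at the top are constructed samples: one for a root shell after ‘sudo -i’ (all four IDs are 0) and one for a running SUID-root passwd (real UID 1000, effective UID 0).

```python
import os

# Constructed sample: a shell after `sudo -i` (real, effective, saved and
# filesystem UID are all root).  Only the lines we need are reproduced.
SAMPLE_STATUS = """\
Name:\tbash
State:\tS (sleeping)
Pid:\t4242
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
Groups:\t0
"""

# Constructed sample: a running SUID-root `passwd` started by UID 1000.
SAMPLE_SETUID_STATUS = """\
Name:\tpasswd
Uid:\t1000\t0\t0\t0
Gid:\t1000\t1000\t1000\t1000
"""

FIELDS = ("real", "effective", "saved", "fs")


def parse_status_ids(text):
    """Parse the Uid:/Gid: lines of /proc/<pid>/status into named fields.

    Each line carries four numbers: real, effective, saved, filesystem.
    """
    ids = {}
    for line in text.splitlines():
        if line.startswith(("Uid:", "Gid:")):
            key, rest = line.split(":", 1)
            vals = [int(v) for v in rest.split()]
            if len(vals) != 4:
                raise ValueError(f"malformed {key} line: {line!r}")
            ids[key.lower()] = dict(zip(FIELDS, vals))
    if set(ids) != {"uid", "gid"}:
        raise ValueError("status text lacks Uid/Gid lines")
    return ids


def describe_privilege(ids):
    """Classify a process by comparing its real and effective UID."""
    u = ids["uid"]
    if u["real"] == 0 and u["effective"] == 0:
        return "root"
    if u["effective"] == 0:
        return "setuid-root (real uid %d)" % u["real"]
    if u["effective"] != u["real"]:
        return "setuid to uid %d (real uid %d)" % (u["effective"], u["real"])
    return "unprivileged uid %d" % u["real"]


def live_ids(pid="self"):
    """Read the same fields for a live process; None where /proc is absent."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            return parse_status_ids(fh.read())
    except OSError:
        return None


def live_matches_syscall():
    """Cross-check /proc against getresuid(), the kernel's own r/e/s triple."""
    ids = live_ids()
    if ids is None or not hasattr(os, "getresuid"):
        return None  # not Linux, or /proc not mounted
    r, e, s = os.getresuid()
    u = ids["uid"]
    return (u["real"], u["effective"], u["saved"]) == (r, e, s)


if __name__ == "__main__":
    for label, text in (("sudo -i shell", SAMPLE_STATUS),
                        ("passwd", SAMPLE_SETUID_STATUS)):
        ids = parse_status_ids(text)
        print(f"{label}: {ids['uid']} -> {describe_privilege(ids)}")
    me = live_ids()
    if me:
        print("this process:", describe_privilege(me),
              "| /proc agrees with getresuid():", live_matches_syscall())
```

Run it as yourself, then under ‘sudo’, and watch the classification change; point `live_ids` at the PID of a running passwd (for example from another terminal) to see a real 1000 / effective 0 split.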

Did you learn something today? Did I make a boo-boo? Are you as excited as I am? Let us know. misc@fullcirclemagazine.org

Podcast sidebar, p. 18:

Join our new hosts Wayne and Joe as they present you with a short podcast (<10min) with just the news. No chit-chat. No time wasting. Just the latest FOSS/Linux/Ubuntu news.

issue153/c_c.1580634202.txt.gz · Last modified: 2020/02/02 10:03 by d52fr