Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
What can happen to my linux box, if I, using my regular non-admin account, run some untrusted software?
the system is patched (per Suse 10 automatic suggestions), it is Suse 10 with KDE.
and what is more important, how do I make sure it has not been compromised?
What if I continue to run the suspicious program (it's java (jar) application)?
I'm definitely not an expert on this, but I think there's not a whole lot malicious software can do from a non-root account (as long as the suid bit isn't set) except trash your home directory. Someone please correct me if I'm wrong, but I think it's even harder to make java do anything virus-like, so you shouldn't have much to worry about.
It is quite hard to write a program that can compromise a computer that is keeped up to date. Having said that, if that unsafe program provides a way for a actual user to get inside, like for example giving him a remote prompt he could be on you machine and try to hack it with the privileges of your user. For example, put an alias for su that will log for him the password and then call the actual su so you don't notice. (although that can also be done by a program)
well, since it is java, and it runs as an application, it can just as well execute arbitrary code (for example, create a shell script and put it in .bashrc or something) ---- the "su" alias is smart, i'll check for that.
just to give you an idea.. I've downloaded a crack for jbuilder 2006.. not that I really need the extra features than the free foundation, but wanted to try it out longer... guilty, i know.
What can happen to my linux box, if I, using my regular non-admin account, run some untrusted software?
If your system is properly configured, then malicious software can at worst wreck your home directory. Of course, first it has to trick you into running it.
What can happen to my linux box, if I, using my regular non-admin account, run some untrusted software? / the system is patched / I'm behind a router.
Next to the already mentioned munging of whatever is in your home directory there are a few things I can think of. Since you're behind a router I'll assert you know how to and do block initial inbound traffic from outside the private network (but how about egress filtering?), and since you patch everything to current the only thing that can hit you on that front seems to be reconnaissance, misconfiguration and o-day exploits. So let's focus on the fact that local (or private network) account users are most likely to be considered "trusted" by local applications or running services in the network. What can we do?:
- Information gathering
Maybe you've got another Firefox/KDE/whatever else o-day you need to retrieve specific version info for? Look at dmesg?[0] See what processes are running or user accounts are used on the box recently?[0] What's the last time root logged in?[0] Look on the private network for servers that are only protected by the router?[1] Or maybe just be interested in local logs, mail or docs for Social Engineering (or why not: extortion)?[2]
- Account bruteforcing
So you set up a drop-app for SSH. But what about local accounts?[3] What's the last time root checked it or got it reported automagically?[4] Are there any users or commands we can sudo to with NOPASSWD?[5]
- Downloading & executing something else
Skype executes traceroute on application start. Does that have any paths prepended or could we manage to execute a fake ./traceroute from the CWD?[6] Or maybe I'm allowed outbound access to open relays or be able to look for proxies on port TCP/80?[1] Or can I wget you Something Completely Different? (apart from Larches).[0], [1]
- Resource starvation
Maybe I'll just fill up your / or /var/log before attempting to do Something Completely Different.[7], [8]
* Some actions are no cause for alarm when reviewed alone but are only interesting when you piece the chain of events together. If any of you think the above is FUD or dismiss it as being hypothetical then you're not looking at what you should be looking at and that's any form of missing access restriction.
and what is more important, how do I make sure it has not been compromised?
Verify against the checksums provided with the package. If none are, bug the developers/maintainers to provide a GPG-signed package or at least MD5 and SHA1 sums. Run under Mandatory Access Controls (MAC)[8]. Run in a sandbox (like Qemu) under strace or something else that does monitor system calls. Use a file integrity checker to monitor changes.
What if I continue to run the suspicious program (it's java (jar) application)?
Noticing how you classify it as "suspect" yourself, then continuing to run it would not be advisable without looking for a qualitatively good replacement or MAC and proper verification.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.