If root account is removed/disabled, can malware enable root or get just as powerful?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
If your login id is a member of the wheel group, then you can simply sudo su, enter your own(!) login password, and ... "there you are!" The shell-prompt has become "#." You're now root.
I do not understand how this applies to the question. No one will be in the sudoers file, so no one can type sudo in the production system. They won't be able to type su either. What would you do against these obstacles?
the question behind the question is "how can i protect myself against attacks" - isn't it?
so, i think one shouldn't get too hung up about root (esp. since this is a hypothetical scenario discussion) and see what else is possible to exploit.
quite a lot is possible without ever gaining root privileges.
quite a lot is possible without even writing to your system.
That's why I mentioned openelec, which can do that without CD. It uses squashfs.
Mainstream distros too, like peppermint, use squashfs when you make a usb flash drive out of the .iso using rufus. Is openelec more attractive because it is true open source or something?
the question behind the question is "how can i protect myself against attacks" - isn't it?
More like, "is this strategy, or anything inspired from this strategy, any good to protect myself against hackers that I knowingly mix with to learn underground security?".
The critical factor is nonpersistency, ie whatever malicious thing happens must be stoppable by unplugging the power supply. Hence the concern about root privileges that can modify the boot drive enough to make the malicious behaviour permanent.
And yes it is possible via privilege escalation attacks through setuid programs (programs that run as root) running on your systems: type find / -perm -4000 -print to find these programs and change them to read only for everyone except for the root user.
They already look like they are read only for everyone but root, here's one, wouldn't it be a major oversight otherwise?
-rwsr-xr-x 1 root root 94792 Nov 24 00:25 /bin/mount
They already look like they are read only for everyone but root, here's one, wouldn't it be a major oversight otherwise?
-rwsr-xr-x 1 root root 94792 Nov 24 00:25 /bin/mount
That is not read-only, your /bin/mount has the execute bit set for groups and others, but granted some programs require the execute bit in order for a regular user to be able launch them (such as /bin/mount and /bin/sudo), and to allow those programs to temporarily do what they need to do as root (then after drop those privileges and assume a less-privileged UID).. But I would take off the execute bit on any setuid program that you don't actually use.. And I agree it would be an oversight but remember that distributions set things up for you and assume what you want (mostly so things just work).. It's up to you to actually configure the system to how you actually want it configured.
Last edited by perfectsecurity; 05-04-2017 at 03:34 PM.
Im not certain with /bin/mount but many programs have surprising capabilities that when combined with setuid or setgid permissions, could result in shockingly bad security.. For instance, with the setuid permission set for ls, one might be able to read the contents of a directory to which one's current user account is not supposed to have access.. Another example, the Vim text editor has the ability to execute shell commands. If Vim is setuid root, then even when it is being used as an unprivileged user one could execute commands from within Vim as if logged in at the shell as the root user account.. And yes giving all users write permissions would be a terrible idea which is why it's not there by default.
Last edited by perfectsecurity; 05-04-2017 at 04:55 PM.
I haven't gotten to into this but something I would definitely do is disable chsh, and make is so that no one can view your /etc/group file.. Also you can audit setuid/setgid system calls..
Last edited by perfectsecurity; 05-05-2017 at 09:35 AM.
I was referring to the typical setup of the sudoers file with regard to the behavior of the wheel group.
"setuid" is another classic hole: if you can arrange for this bit to be turned on, and then for a program to become owned by root(and kindly notice that, frequently, all programs in /bin are owned by this user!), then you have a hole. A trojan horse.
@Ulysses I apologize I meant to say make it so that you they can't view the /etc/group file, if you chmod go-r /etc/passwd then you wont be able to login.. Here's a command you might find useful to change the permissions of setuid programs find / -perm -4000 -print -okdir chmod go-x {} \;
This will go through your list of setuid programs (one by one) and prompt you if you would like to change the permissions to read-only for groups and others. It's a lot faster than chmodding them manually...
Last edited by perfectsecurity; 05-05-2017 at 11:37 AM.
There are many ways attackers use to inject holes into systems. Removing one entry point is unlikely to change their ability.
I agree with this quote.. The problem is code that can be exploited is in most cases still in the program, and patches that try to fix the vuln do it in a way that just forces the attacker to take a different approach to exploit the vulnerable code again.. Like Adobe Flash for example all of their patches fix the same vulnerability. Or another example is disabling/enabling features such enabling airplane mode on your phone, or disabling JS on your browser (their just soft switches, disabling the features in those programs doesn't make the code disappear).. The best you can do is install a hardened kernel, keep up-to-date on CVEs, and keep your head below the firing line (i.e. switch up software or use a different versions of your current program (that are not exploitable), just temporarily until the vuln in your preferred program is fixed).
Last edited by perfectsecurity; 05-05-2017 at 04:15 PM.
Or I switch to a security oriented distro that has all setuid root binaries set up for maximum security as it has everything set up for maximum security. Maybe with SElinux preconfigured with all binaries signed and checked or something.
Maybe one distro for the hypervisor, another for the guest that is exposed to danger. Maybe a bare metal hypervisor too. Any recommendations other than backtrack and kali?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.