akde/infosec

Information security is ultimately about managing risk

Linux security fundamentals

,

The four process ID’s

For each process, Lin­ux man­ages four UID’s. When a process from a user with UID 1000 is started/forked, then the new process has nor­mal­ly also the UID 1000.

How­ev­er, with SUID/GUID it becomes more com­pli­cat­ed, since process­es can get oth­er UIDs than the one of the caller. When a process like passwd is cre­at­ed from a “nor­mal” user, the process runs as root.

$ ls -lah /usr/bin/passwd
-rwsr-xr-x 1 root root 139K  7. Jul 15:30 /usr/bin/passwd
$ ps aux | grep passw
root 16041 0.0 0.0 10148 3200 pts/4 S+ 17:14 0:00 passw

We can see al IDs via grep Uid /proc/$pid/status. In this case:

$ grep Uid /proc/16041/status
Uid: 1000 0 0 0

The four num­bers mean the following:

  • Real UID shows who owns the process.
  • Effec­tive UID shows the ID which the ker­nel uses to deter­mine the permissions.
  • Save Set UID shows the ID this process can get back lat­er, if it decides to drop the effec­tive UID before. Basi­cal­ly, when a process drops high­er per­mis­sions, it can get it back later.
  • Filesys­tem UID shows the ID for filesys­tem operations.

Linux capabilities

Capa­bil­i­ties in Lin­ux are a more fine-grained access con­troll mech­a­nism then the tra­di­tion­al user / root priv­i­leges. Instead of have root priv­i­leges, a process can be giv­en spe­cif­ic pow­er­ful privileges.

Caba­bil­i­ties can be assigned (with +) or removed (with -) to exe­cute­ables like this:

sudo setcap cap_net_bind_service=+ep /opt/app

In this exam­ple, the capa­bil­i­ty cap_net_bind_service is grant­ed to the /opt/app bina­ry. This means, that the appli­ca­tion can bind to all ports, also <1024 as a nor­mal user. With­out capa­bil­i­ties, only a root user can bind to ports below 1024.

To see the capa­bil­i­ties of a binary:

getcap /usr/bin/myapp

More infos on hacktricks.

AppArmor / ApplicationArmor

AppAr­mor is a ker­nel mod­ule for lin­ux which can restrict access of process­es. It can restrict the access of a process to spe­cif­ic resources.

Each bina­ry can be pro­tect­ed via a AppAr­mor con­fig­u­ra­tion, which is usu­al­ly in the /etc/apparmor.d/ direc­to­ry. An example:

/usr/bin/myapp {
    # Capabilities
    capability net_bind_service,

    # Network Access
    network inet stream,
    
    # File Access Rules
    /etc/myapp/config r,
    /var/log/myapp/ rw,
}

This appli­ca­tion can only bind to net­work ser­vices, acces the net­work and read / write the spe­cif­ic files.

The sta­tus can been seen this way:

aa-status

Leave a Reply

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';