{"id":4175,"date":"2024-09-01T17:12:24","date_gmt":"2024-09-01T15:12:24","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=4175"},"modified":"2024-09-01T19:52:33","modified_gmt":"2024-09-01T17:52:33","slug":"linux-security-fundamentals","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=4175","title":{"rendered":"Linux security fundamentals"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">The four process ID\u2019s<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For each process, Lin\u00adux man\u00adages four UID\u2019s. When a process from a user with <span class=\"caps\">UID<\/span> 1000 is started\/forked, then the new process has nor\u00admal\u00adly also the <span class=\"caps\">UID<\/span>&nbsp;1000.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">How\u00adev\u00ader, with <span class=\"caps\">SUID<\/span>\/<span class=\"caps\">GUID<\/span> it becomes more com\u00adpli\u00adcat\u00aded, since process\u00ades can get oth\u00ader UIDs than the one of the caller. When a process like <code>passwd<\/code> is cre\u00adat\u00aded from a \u201cnor\u00admal\u201d user, the process runs as&nbsp;root.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ ls -lah \/usr\/bin\/passwd<br>-rw<strong>s<\/strong>r-xr-x 1 root root 139K  7. Jul 15:30 \/usr\/bin\/passwd<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">$ ps aux | grep passw<br><strong>root<\/strong> 16041 0.0 0.0 10148 3200 pts\/4 S+ 17:14 0:00 passw<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We can see al IDs via <code>grep Uid \/proc\/$pid\/status<\/code>. In this&nbsp;case:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ grep Uid \/proc\/16041\/status<br>Uid: 1000 0 0 0<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The four num\u00adbers mean the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Real <span class=\"caps\">UID<\/span><\/strong> shows who owns the process.<\/li>\n\n\n\n<li><strong>Effec\u00adtive <span class=\"caps\">UID<\/span><\/strong> shows the <span class=\"caps\">ID<\/span> which the ker\u00adnel uses to deter\u00admine the permissions.<\/li>\n\n\n\n<li><strong>Save Set <span class=\"caps\">UID<\/span><\/strong> shows the <span class=\"caps\">ID<\/span> this process can get back lat\u00ader, if it decides to drop the effec\u00adtive <span class=\"caps\">UID<\/span> before. Basi\u00adcal\u00adly, when a process drops high\u00ader per\u00admis\u00adsions, it can get it back&nbsp;later.<\/li>\n\n\n\n<li><strong>Filesys\u00adtem <span class=\"caps\">UID<\/span><\/strong> shows the <span class=\"caps\">ID<\/span> for filesys\u00adtem operations.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Linux capabilities<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Capa\u00adbil\u00adi\u00adties in Lin\u00adux are a more fine-grained access con\u00adtroll mech\u00ada\u00adnism then the tra\u00addi\u00adtion\u00adal user \/ root priv\u00adi\u00adleges. Instead of have root priv\u00adi\u00adleges, a process can be giv\u00aden spe\u00adcif\u00adic pow\u00ader\u00adful privileges.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Caba\u00adbil\u00adi\u00adties can be assigned (with +) or removed (with -) to exe\u00adcute\u00adables like&nbsp;this:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo setcap cap_net_bind_service=+ep \/opt\/app<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">In this exam\u00adple, the capa\u00adbil\u00adi\u00adty <code>cap_net_bind_service<\/code> is grant\u00aded to the <code>\/opt\/app<\/code> bina\u00adry. This means, that the appli\u00adca\u00adtion can bind to all ports, also &lt;1024 as a nor\u00admal user. With\u00adout capa\u00adbil\u00adi\u00adties, only a root user can bind to ports below&nbsp;1024.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To see the capa\u00adbil\u00adi\u00adties of a binary:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">getcap \/usr\/bin\/myapp<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/book.hacktricks.xyz\/linux-unix\/privilege-escalation\/linux-capabilities\">More infos on hacktricks.<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">AppArmor \/ ApplicationArmor<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">AppAr\u00admor is a ker\u00adnel mod\u00adule for lin\u00adux which can restrict access of process\u00ades. It can restrict the access of a process to spe\u00adcif\u00adic resources.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Each bina\u00adry can be pro\u00adtect\u00aded via a AppAr\u00admor con\u00adfig\u00adu\u00adra\u00adtion, which is usu\u00adal\u00adly in the <code>\/etc\/apparmor.d\/<\/code> direc\u00adto\u00adry. An example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/usr\/bin\/myapp {<br>    # Capabilities<br>    capability net_bind_service,<br><br>    # Network Access<br>    network inet stream,<br>    <br>    # File Access Rules<br>    \/etc\/myapp\/config r,<br>    \/var\/log\/myapp\/ rw,<br>}<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This appli\u00adca\u00adtion can only bind to net\u00adwork ser\u00advices, acces the net\u00adwork and read \/ write the spe\u00adcif\u00adic&nbsp;files.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The sta\u00adtus can been seen this&nbsp;way:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aa-status<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>The four process <span class=\"caps\">ID<\/span>\u2019s For each process, Lin\u00adux man\u00adages four <span class=\"caps\">UID<\/span>\u2019s. When a process from a user with <span class=\"caps\">UID<\/span> 1000 is started\/forked, then the new process has nor\u00admal\u00adly also the <span class=\"caps\">UID<\/span>&nbsp;1000. How\u00adev\u00ader, with <span class=\"caps\">SUID<\/span>\/<span class=\"caps\">GUID<\/span> it becomes more com\u00adpli\u00adcat\u00aded, since process\u00ades can get oth\u00ader UIDs than the one of the caller. When a process like passwd&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[33,506],"class_list":["post-4175","post","type-post","status-publish","format-standard","hentry","category-general","tag-linux","tag-suid"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4175","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4175"}],"version-history":[{"count":8,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4175\/revisions"}],"predecessor-version":[{"id":4193,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4175\/revisions\/4193"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4175"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4175"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4175"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}