top of page
Search
  • Writer's pictureExploit Security

Demystifying Linux Special Permissions

Updated: Feb 22


Linux File Permissions

For those seasoned nix users and admins, the concept of special permissions is not a new topic, however when it comes to evaluating a nix system upon engagement, paying special attention to how these permissions are setup can sometimes lead to privilege escalation, through misconfiguration.


Linux File Permissions

In order to understand just what a linux special permission is, we first have to unpack the concept of permissions within a Linux file system.


Permissions, within Linux file systems provide a level of access control to files through assignment of three basic file permission types:



  1. Read (r) - Allows for a user the ability to read the associated file

  2. Write (w) - Allows for a user the ability to write to an associated file

  3. Execute (x) - Allows for a user the ability to execute an associated file


Moreover these file permission can be granted to groups, where again this comes in threes


  1. Owner (u) - This group encompasses the original creator of the file by default

  2. Group (g) - This group encompasses a group of users

  3. All Users (o) - This group describes all other users within the system


To view the current permissions of a file within the system, a quick ls -l can be used to view these permissions



Breaking down the above image:



In the above example the file "file.txt" is of type file (denoted by the first '-'). The user (u) has read/write permissions. The group (g) has read/write permissions and all other users (o) have read permissions. The user in this case is 'ubuntu', denoted by the enrty in the third field and the group is 'ubuntu' shown by the entry in the 4th field.


Allocating Linux File Permissions

To assign linux file permissions we have to get a grasp on two main 'modes' of operation, namely Absolute (numeric) and Symbolic. In Linux the method in which to assign permissions to a file is through the use of the CHMOD (change mode) utility.


Absolute Mode (numeric)

This mode of operation uses the concept of the octal numbering system to allocate permissions, let's break this down a little bit.


The Octal Numbering System is the numbering system also known as base8. This contrasts to our standard numbering system base10, where in base10 we utilise numbers between 0-9 in combination, base8, simply uses numbers between 0-7 to represent a valid numeral.


In order to further understand this, let's use a file permission of rwx as an example and see how Linux Represents each file permissioning attribute using the Octal Numbering System. If we consider the highest value within the system i.e. 7 and we break this down into three silo's we find that the best way to represent this is to consider each permission being represented by a binary representation.


Lets look at an example.


Read is represented by the value 4, which in binary is 100

Write is represented by the value 2, which in binary is 010

Execute is represented by the value 1, which in binary is 001


Now, lets say we only wanted to assign the user (u) read permissions, we can use the Absolute mode of linux permissioning to assign a 4 to the user bit


Example

chmod 400 file.txt

This resultant file permission will be read for the user and no other permissions for group or other.


If we wanted to set a combination of both read and write, first need to work out the octal representation for this.


Read = 4

Write = 2


So combining these gives us 6

chmod 600 file.txt
Symbolic Mode

This mode of setting Linux File permissions uses 'symbols' to assign permissioning to file for specific users, where Linux will take care of the mathematics for you. It allows for the use of an specific operator used to set things as you see fit.


Operators

'+' - Adds a permission to a file or directory

'-' - Removes a permission from a file or directory

'=' - Sets permissions and overwrites existing permissions


Users (Owners)

'u' - User/Owner

'g' - Group

'o' - All other users on the system

'a' - User, group and other will be set


Let's say we wanted to copy the above and assign the user (u) read permissions, we can do this using the following syntax


Example

chmod u+r file.txt

Setting the combination of both read and write can be achieved like this

chmod u+rw file.txt

Now that we have a basic understanding of how Linux File Permissions are allocated and assigned, lets look into the fourth permission type.


Special Permissions

Special file permissions are used to allocate additional privileges to files and directories, where each of these special permissions corresponds to the previously mentioned access level, namely User, Group and Other


SUID - This special permission can be allocated at the user (u) level and simply allows execution of the file as the user who owns the file

SGID - Allows execution of the file as the group that owns the file and if set on a directory will allocate the ownership of newly created files to the group ownership of the directory

Sticky - Restricts deletion of a file to the original owner (and root) of that file


The special file permissions are allocated using the most significant bit within the file attribute


SUID = 4

SGID = 2

Sticky = 1


Lets allocate the SUID bit, using both Absolute and Symbolic modes. We will also set the read, write and execute attribute of the file aswell to the user (u)


Using Absolute Mode

chmod 4700 file.txt

Using Symbolic Mode

chmod u+rws file.txt
How to capitalise on this upon engagement

Ultimately it may be possible to escalate privileges when weak permissions are found on a target system. There are many examples out there that prove this to be true.


Our following example uses the concepts learnt within this blog, to first search for file types that contain the special linux permission and then subsequently uses this weakness to escalate privilege from low to root for the win !


We utilise the find command to first search for interesting file types

find -perm -u=s -type f 2>/dev/null

./home/ubuntu/file-permissions/shell

./bin/mount

./bin/fusermount

./bin/umount

./bin/su

./bin/ping

./usr/bin/find

./usr/bin/chfn

./usr/bin/newgidmap

We stumble across many of these types of files as listing above.


We hone in on the find utility, which has the facility to execute commands within its syntax. As the find command has the SUID bit set it can be used to execute a command in the context of the root user.

ls -al /usr/bin/find

-rwsr-xr-x 1 root root 238080 Nov 5 2017 /usr/bin/find

We can now execute using the following syntax

whoami

ubuntu

touch randomfile

find randomfile -exec "whoami" \;

root

Summary


As can be seen in this short Linux refresher, Linux Permissions, if not configured securely can lend themselves to misuse and in some cases full system compromise. The Security Team hope that this information was found to be useful and thank-you for broadening your knowledge through curiosity.


38 views

Comentários


Os comentários foram desativados.
bottom of page