Linux privileged users: Linux privilege escalation in four ways

This article discusses the concept of privileged users on Linux and walks through four routes to privilege escalation, to help readers understand how an attacker gets higher privileges in a Linux environment.

Linux privileged users

The "Principle of Least Privilege" means that applications and processes should be granted only the privileges they require to complete their tasks. It is a best practice that limits how far an attacker can get once a single component is compromised.

For example, when an application requires only read access to a file, it should not be granted write or execute permission on it. If an attacker hijacks an application, the attacker inherits whatever privileges that application runs with, so the less it has, the less they gain.

In reality, many applications and services run with high or even root privileges. Sometimes this is because the system lacks the granular permission controls needed to apply the principle of least privilege. Sometimes developers and admins simply forget to apply the best practice. And sometimes developers and admins take a shortcut to avoid dealing with detailed permission control.

Additionally, some applications that were never meant to run with high privileges do not implement the safety precautions against attackers that a privileged program would need. Overprivileged processes thus create a dangerous weakness that can compromise the entire system.

Today, let's look at four things that attackers can do when they encounter an overprivileged process running as root.

Exploiting a classic command injection

Let's say that a web application suffers from a classic command injection vulnerability.

<?php
[...]
// The filename parameter is interpolated straight into a shell command.
$file = $_GET['filename'];
system("echo $file");
[...]
?>

The application is meant to let users read a file on the system by submitting its name in a GET request parameter, and it passes that parameter straight to a shell command.

https://example.com/read?filename=abc.txt

This is already a pretty bad vulnerability. The application performs no input validation before the system() call, and since system() hands the string to /bin/sh -c, a ; or | in the parameter ends the intended command and starts an attacker-chosen one. Attackers can execute all kinds of system commands via command injection.

https://example.com/read?filename=abc.txt;ls

But what if the web application runs with root privileges? Then the attacker can do a lot worse, because the injected command also runs as root. For example, /etc/passwd is writable only by root. The attacker can add themselves as a root user by appending a line to /etc/passwd.

In the command below, 0 is the UID of the root user, so adding an account with UID 0 gives that account root privileges (the kernel checks the numeric UID, not the name). This command adds a root account named vickie with an empty password field, meaning no password is set. Whether a login with no password is accepted depends on the PAM configuration (pam_unix rejects empty passwords unless nullok is set), but an attacker with root-level command injection can just as easily write a password hash of their choosing into that field instead.

echo "vickie::0:0:System Administrator:/root/root:/bin/bash" >> /etc/passwd

Exploiting a database injection

Sometimes attackers can achieve RCE through a database injection. Many database systems offer a way to run operating system commands from SQL, so an injection, or a stolen credential, can be turned into command execution.

Let's look at PostgreSQL as an example. If an attacker gains access to a PostgreSQL database as a database superuser, what can they do?

psql --user postgres -h sqlserver

In PostgreSQL 9.3 and above, COPY TO/FROM PROGRAM lets database superusers (and, from PostgreSQL 11, members of the pg_execute_server_program role) execute a command in the context of the operating system user the database server runs as.

First, the attacker creates a table to hold the command's output.

> CREATE TABLE cmd_exec(cmd_output text);

Then they run the command via COPY FROM PROGRAM, which stores each line of the command's standard output as a row, and read the result back with a SELECT.

> COPY cmd_exec FROM PROGRAM 'id';
> SELECT cmd_output FROM cmd_exec;

The damage such an attack can cause is limited if the database runs as a low-privilege user. The attacker might be able to read some files and gather more information about the machine. PostgreSQL itself refuses to start as root for exactly this reason and normally runs as the postgres account, but if a database process does run as root, things become much worse, because the same statement now appends to /etc/passwd.

> COPY cmd_exec FROM PROGRAM 'echo "vickie::0:0:System Administrator:/root/root:/bin/bash" >> /etc/passwd';
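Both injections above end in the same place: a new UID-0 entry appended to /etc/passwd, and the check a defender wants is the mirror image of that. What follows is an added example, not code from the original article: a POSIX shell function that reads passwd(5)-format text on standard input and reports every account other than root that has UID 0, and every account whose password field is empty. The sample passwd lines are constructed for the example and include the exact line the article appends.

```shell
#!/bin/sh
# Added example: audit passwd(5)-format input for root backdoors.
# Prints "uid0:<name>" for any non-root account with UID 0 and
# "nopass:<name>" for any account whose password field is empty.
# Reads standard input so it works on the live file
# (audit_passwd < /etc/passwd) as well as on constructed data.
audit_passwd() {
    awk -F: '
        NF < 7 { next }                              # skip malformed lines
        $3 == 0 && $1 != "root" { print "uid0:" $1 } # a second root account
        $2 == "" { print "nopass:" $1 }              # empty password field
    '
}

# Constructed sample: two ordinary entries plus the line the article appends.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vickie::0:0:System Administrator:/root/root:/bin/bash'

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On the sample this prints uid0:vickie and nopass:vickie; a clean file prints nothing. Run the same check against /etc/shadow for entries with an empty hash field, since an attacker with root-level command execution could have written there just as easily.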

Exploiting a path traversal vulnerability

Let's say that a path traversal vulnerability exists on this endpoint of a web application.

https://example.com/read?filename=abc.txt

An attacker can read files outside the intended directory by using the sequence ../ in the filename parameter.

https://example.com/read?filename=../../../../etc/shadow

/etc/shadow is the file on Linux systems that holds the hashed passwords of local users. It is readable only by root and the shadow group, so a web application running under an ordinary account cannot reach it; but if the web application has the permissions to read /etc/shadow, an attacker can use the path traversal to retrieve it. They can then crack the hashes found in this file offline to gain access to privileged users' accounts on the system.
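The endpoint in this section is the same /read?filename= endpoint that carried the command injection earlier, and one input check defends against both. Below is an added example, not part of the original article: a POSIX shell function that takes a base directory and a user-supplied name, rejects anything outside a strict character allowlist (which throws out the ; and | of the injection payload), rejects absolute paths and any .. component, and prints the confined path. The base directory /var/www/files is an assumption made for the example.

```shell
#!/bin/sh
# Added example: confine a user-supplied filename to a base directory.
# Prints "<base>/<name>" and returns 0 if the name is acceptable; prints
# nothing and returns 1 otherwise. The checks are pure string matching on
# the already URL-decoded value, so they do not follow symlinks: open the
# result with O_NOFOLLOW, or resolve it with realpath and re-check the
# prefix, before reading.
confine_path() {
    base=${1%/}   # drop one trailing slash so the join has exactly one
    name=$2
    case "$name" in
        "") return 1 ;;                       # empty name
        /*) return 1 ;;                       # absolute path
        ..|../*|*/..|*/../*) return 1 ;;      # parent-directory traversal
        *[!A-Za-z0-9._/-]*) return 1 ;;       # outside the allowlist: this
                                              # blocks ; | & $ ` and spaces
    esac
    printf '%s/%s\n' "$base" "$name"
}

# Constructed inputs: the two payloads from the article and a legitimate name.
for candidate in 'abc.txt' 'abc.txt;ls' '../../../../etc/shadow' '/etc/shadow'; do
    if path=$(confine_path /var/www/files "$candidate"); then
        printf 'accept %-24s -> %s\n' "$candidate" "$path"
    else
        printf 'reject %s\n' "$candidate"
    fi
done
```

Only exact .. components are rejected, so a directory literally named .... is still allowed; that is correct on Linux, where only .. means the parent.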

Exploiting Redis

Let's look at another example. If an attacker gains access to an overprivileged Redis instance, they can use Redis to escalate their privileges on the system.

Let's dive into how the attack works. Attackers can use Redis to write their SSH public key into /root/.ssh/authorized_keys and gain root access over SSH. Redis needs no file-write feature for this; it only needs to be able to save its database to a path of the attacker's choosing.

Let's say that an attacker was able to gain access to an unprotected Redis server.

First, the attacker generates an SSH key pair locally with ssh-keygen. Then they pad the top and bottom of the public key with newlines, so that the key ends up on a line of its own inside the binary dump that Redis will write. The padded key is saved as public.txt, which the next step reads.

$ ssh-keygen -t rsa -b 2048
$ (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > public.txt

The attacker then connects to the exposed Redis service and stores the padded key as a value; redis-cli -x reads that value from standard input. The key name (sshkey here) is arbitrary, and <host> stands for the Redis server's address.

$ cat public.txt | redis-cli -h <host> -x set sshkey

Finally, the attacker points the Redis dump directory and file name at /root/.ssh/authorized_keys and forces a save, which writes the whole dataset, padded key included, into that file.

$ redis-cli -h <host>
> config set dir /root/.ssh/
> config set dbfilename "authorized_keys"
> save

This writes the attacker's public key into /root/.ssh/authorized_keys, surrounded by RDB bytes that sshd silently skips as lines it cannot parse. The attacker can then log in as root with the corresponding private key.

$ ssh -i <private-key> root@<host>

Remember, Redis should run as the redis user and never as root: a Redis process running as redis cannot write into /root/.ssh at all. Bind it to localhost or keep protected mode on, set requirepass, and on Redis 7.0 and later leave enable-protected-configs at its default of no, which blocks CONFIG SET dir and dbfilename from clients.
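The trick works because sshd skips any authorized_keys line it cannot parse, so the attacker's key sits unnoticed in a sea of RDB bytes. The mirror-image check is to look for exactly that. The following is an added example, not from the original article: a shell function that reports whether an authorized_keys file begins with the RDB magic string REDIS, how many lines look like SSH public keys, and how many non-blank lines are neither keys nor comments. The sample file is constructed for the example and only approximates a real RDB dump.

```shell
#!/bin/sh
# Added example: spot a Redis dump written over ~/.ssh/authorized_keys.
# Output: "rdb_magic=yes|no keys=<n> junk_lines=<n>". A healthy file gives
# rdb_magic=no and junk_lines=0. Entries with an options prefix
# (command="..." ssh-rsa ...) count as junk under this simple pattern, so
# review those by hand.
audit_authorized_keys() {
    f=$1
    magic=no
    [ "$(head -c 5 "$f")" = "REDIS" ] && magic=yes   # RDB files start with "REDIS"
    # LC_ALL=C keeps the dump's binary bytes from upsetting the regex engine,
    # grep -a forces text mode, and "|| true" absorbs grep's exit 1 on a zero count.
    keys=$(LC_ALL=C grep -a -c -E \
        '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com) ' \
        "$f" || true)
    nonblank=$(LC_ALL=C grep -a -c -v -E '^(#|[[:space:]]*$)' "$f" || true)
    printf 'rdb_magic=%s keys=%s junk_lines=%s\n' "$magic" "$keys" "$((nonblank - keys))"
}

# Constructed sample: a few RDB-like bytes, the newline-padded key, more RDB bytes.
# The key material is a placeholder, not a real key.
write_sample_keys() {
    printf 'REDIS0009\372\tredis-ver\372\n\n\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial attacker@example\n\n\n\377\r\n' > "$1"
}

SAMPLE_KEYS=$(mktemp)
write_sample_keys "$SAMPLE_KEYS"
audit_authorized_keys "$SAMPLE_KEYS"
rm -f "$SAMPLE_KEYS"
```

On the sample this prints rdb_magic=yes keys=1 junk_lines=2. Run it over every authorized_keys file on a host that exposes Redis, /root/.ssh/authorized_keys first.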

How to run processes with lower privileges

The four attacks introduced in this post are all enabled by an overprivileged process.

Overprivileged processes can be prevented by carefully configuring permission settings and never using "run as root" as the default solution to permission issues.

First, you can use systemd unit files to run a service as a particular user or group. On Linux systems that use systemd, unit files contain the configuration directives that control a service's behavior. Unit files installed by packages live in /lib/systemd/system/ (or /usr/lib/systemd/system/), while custom unit files and overrides written by the administrator go in /etc/systemd/system/, which takes precedence.

A service unit file is typically made up of three sections: Unit, Service, and Install. You can add a User= or Group= directive in the Service section of the service's unit file. Doing so makes the service run as that user or group instead of root.

[Unit]
...

[Service]
User=USERNAME
Group=GROUPNAME
...

[Install]
...

You can read more about unit files in the systemd.unit and systemd.service manual pages.

In the system crontab (/etc/crontab) and in files under /etc/cron.d, a user field follows the five time fields, so a scheduled job can run as a lower-privileged account. Per-user crontabs edited with crontab -e have no such field; they always run as their owner.

30 21 * * * USERNAME cd /Users/vickie/scripts/security; ./scan.sh

It's also a good idea to carry out everyday tasks as a lower-privileged user rather than staying logged in as root. To switch to another user, you can use the su command.

$ su USERNAME

You can also use security controls such as chroot, seccomp, containers, and VMs to limit what a process can do. chroot confines the application to a modified filesystem view that cannot reach files and commands outside that tree (on its own it is not a boundary against a process that is already root, which can escape it). seccomp limits the system calls the application can make. Containers and VMs isolate the processes running inside them from the wider host, limiting the damage an attacker can cause.

Problems caused by lowering privileges

Sometimes an application breaks when it is no longer run as root. This might be because it needs access to a file it no longer has permission to read or write, or because it tries to bind to a port number below 1024. Ports below 1024 are privileged ports: on Linux, binding one requires root or the CAP_NET_BIND_SERVICE capability (or lowering the net.ipv4.ip_unprivileged_port_start sysctl).

To resolve these issues when lowering an application's privileges, consider granting the application the single Linux capability it needs rather than running it as root: for the port case, setcap cap_net_bind_service=+ep on the binary, or AmbientCapabilities=CAP_NET_BIND_SERVICE in its systemd unit. File-access problems are usually better solved by adjusting the file's group ownership or mode than by a capability.
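The two pieces of advice above, put a User= line in the unit and hand out a single capability instead of root, can be checked mechanically. Below is an added example, not code from the original article: a shell function that reads a unit file on standard input and prints the account its [Service] section will run as (root when nothing is set, dynamic for DynamicUser=yes), run over two constructed unit texts. The hardened one keeps the port-80 bind working through AmbientCapabilities=CAP_NET_BIND_SERVICE instead of root. The service name and binary path are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report which account a systemd service unit runs as.
# Reads the unit text on standard input and prints "root" when [Service]
# sets no User=, "dynamic" for DynamicUser=yes, otherwise the User= value.
service_user() {
    awk '
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/) }
        in_service && /^[ \t]*User[ \t]*=/ {
            sub(/^[ \t]*User[ \t]*=[ \t]*/, ""); user = $0
        }
        in_service && /^[ \t]*DynamicUser[ \t]*=[ \t]*(yes|true|on|1)[ \t]*$/ { dynamic = 1 }
        END {
            if (user != "") print user
            else if (dynamic) print "dynamic"
            else print "root"
        }
    '
}

# Constructed unit: no User= line, so it runs as root just to get port 80.
RISKY_UNIT='[Unit]
Description=Example web app (assumed service, runs as root)

[Service]
ExecStart=/usr/local/bin/webapp --port 80

[Install]
WantedBy=multi-user.target'

# Same service confined to its own account. CAP_NET_BIND_SERVICE is the one
# capability it needs to bind a port below 1024, so that is all it gets.
HARDENED_UNIT='[Unit]
Description=Example web app (assumed service, least privilege)

[Service]
User=webapp
Group=webapp
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
ProtectSystem=strict
ExecStart=/usr/local/bin/webapp --port 80

[Install]
WantedBy=multi-user.target'

printf 'risky unit runs as:    %s\n' "$(printf '%s\n' "$RISKY_UNIT" | service_user)"
printf 'hardened unit runs as: %s\n' "$(printf '%s\n' "$HARDENED_UNIT" | service_user)"
```

Drop-in files under /etc/systemd/system/NAME.service.d/ override the main unit, so on a live host prefer systemctl show -p User NAME.service, which reports the merged value; the function above is for auditing unit files at rest.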

Conclusion

Applications and processes should be granted only the privileges they require to complete their tasks. Configure process permissions carefully, and you can prevent overprivileged processes from putting your system at risk.

Translated from: https://medium.com/swlh/linux-privilege-escalation-in-four-ways-eedb52903b3
