On Wed, 4 Feb 2004, Colm MacCarthaigh wrote:
> With a privilege escalation attempt, there's the luxury of having
> root to hide the steps if the attack is successful.
Indeed.
> I doubt it, there are simply too many avenues to consider.
> LD_PRELOAD is a nice one, unlikely to be caught by even the
> majority of this list I'd say. Unless you're looking for it, it's
> always easy *then* ;)
But you must have access to the session being used. If you remotely
compromise the account, you surely can not set LD_PRELOAD in another
session (we're back to the fanatical admin who disables
CAP_SYS_PTRACE here).
> > If we go back to the common case (CAP_SYS_PTRACE available, user who
> > doesn't fanatically check their environment after login) what if the
> > system used some kind of smartcard authentication? E.g., a
> > challenge/response smartcard (see safeword.com for an example of one
> > with PAM support).
> You can still get root, simply get an alias, hacked shell or
> whatever to add some arguments to su (or similar) and then fake an
> error condition. Though yes, it makes it much harder.
Ok, so the fanatical admin:
- sets his shell to /bin/sh (making sure /etc/profile exists and does
not source any user owned files. bash apparently doesn't read
~/.bashrc if invoked as sh)
- removes CAP_SYS_PTRACE from the permitted and inherited sets very
early on in boot (i.e. in init or before init runs)
(hmm... shame you can't allow just root to have this capability)
That should remove most avenues if we presume it is the account which
is compromised (not a session).
Add some kind of smartcard authentication for all accounts,
/including/ root, and you're there (?). (indeed, you could probably
retain CAP_SYS_PTRACE if you never used the static password to
authenticate to root, except for direct root logins (boot to single
user / console)).
> Highly recommended though, we've been using SecurIDs for
> everything for some time now, and it's absolutely brilliant. The
> mental savings of not having to remember as many passwords are
> worth it alone.
Problem is they're expensive. Haven't yet found one that is supported by
MIT krb5 either, sadly. (Haven't looked that hard though.)
regards,
--
Paul Jakma   paul at clubi.ie   paul at jakma.org   Key ID: 64A2FF6A
warning: do not ever send email to spam at dishone.st
Fortune:
There was a phone call for you.
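An added audit script (not code from this thread or its authors) that checks a login environment against the hardening the "fanatical admin" list above settles on: CAP_SYS_PTRACE out of reach, no LD_PRELOAD or /etc/ld.so.preload in effect, /bin/sh as login shell, and an /etc/profile that exists but does not source user-controlled files. It assumes a modern kernel that exposes the per-thread bounding set as `CapBnd` in /proc/self/status (the 2004 kernel under discussion had a single global cap-bound instead).

```sh
#!/bin/sh
# Added audit script, not code from the thread. CAP_SYS_PTRACE is capability
# number 19; the bounding-set check reads the per-thread CapBnd mask that
# modern kernels expose in /proc/self/status (an assumption, see lead-in).

# Does hex capability mask $1 (format of /proc/*/status) include cap $2 (< 32)?
cap_in_mask() {
    low=$(printf '%s' "$1" | sed 's/^.*\(.\{8\}\)$/\1/')   # low 32 bits suffice
    [ $(( (0x$low >> $2) & 1 )) -eq 1 ]
}

# Can processes in this login session still gain CAP_SYS_PTRACE?
ptrace_in_bounding_set() {
    mask=$(sed -n 's/^CapBnd:[[:space:]]*//p' /proc/self/status 2>/dev/null)
    [ -n "$mask" ] && cap_in_mask "$mask" 19
}

# Is a preload mechanism active: LD_PRELOAD in the environment or a
# non-empty /etc/ld.so.preload?
preload_active() {
    [ -n "${LD_PRELOAD:-}" ] || [ -s /etc/ld.so.preload ]
}

# Is user $1's login shell /bin/sh? Reads passwd file $2 (default /etc/passwd).
login_shell_is_sh() {
    [ "$(awk -F: -v u="$1" '$1 == u { print $7 }' "${2:-/etc/passwd}")" = /bin/sh ]
}

# Profile $1 must exist and must not source files from user-controlled places
# (~ or $HOME). Prints offending lines; returns 0 only when clean.
profile_user_sources() {
    [ -f "$1" ] || return 1
    ! grep -nE '^[[:space:]]*(\.|source)[[:space:]]+"?(~|\$HOME|\$\{HOME\})' "$1"
}

# Run all checks for the invoking user; exit status 1 if any hardening is missing.
audit() {
    rc=0
    ptrace_in_bounding_set && { echo "CAP_SYS_PTRACE still in bounding set"; rc=1; }
    preload_active && { echo "LD_PRELOAD or /etc/ld.so.preload in effect"; rc=1; }
    login_shell_is_sh "$(id -un)" || { echo "login shell is not /bin/sh"; rc=1; }
    profile_user_sources /etc/profile || { echo "/etc/profile missing or sources user files"; rc=1; }
    return $rc
}

case "${1:-}" in run) audit ;; esac   # usage: sh audit.sh run
```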