Difference between revisions of "Privilege escalation"

Privilege escalation is the process by which a user executes processes with more rights than they normally are entitled to use. This can be both good and bad.

For example, allowing a user to change their own password requires write access to the /etc/passwd and/or /etc/shadow file. Under normal circumstances, users can only read /etc/passwd, and do nothing with /etc/shadow:

 # ls -l /etc/{passwd,shadow}
 -rw-r--r--    1 root     root         3215 Jun 30 10:28 /etc/passwd
 -rw-------    1 root     root         2829 Oct 24 12:05 /etc/shadow

However, to edit these files, users can run the passwd, which has the setuid bit set. This escalates the priviledge level of the user so that it can perform a very specific action (edit /etc/passswd and /etc/shadow) as the root user:

$ ls -l /usr/bin/passwd
-r-sr-xr-x  1 root  bin  25152 Sep 11 20:07 /usr/bin/passwd

Priviledge escalation is also a frequent goal of a cracker (causing a DoS is another). Typically, a cracker will attempt to exploit a bug to gain "Unauthorized Priviledge Escalation" (usually targeting the root user), in order to take control of a system.

see permissions and setuid

perl

You should also change $( and $) in order to set the real and effective group IDs as well:

($<,$>) = (getpwnam('nobody'),getpwnam('nobody'));