The First Mile Toward Becoming a Hacker
Chapter 5 - Controlling File and Directory Permissions
Finally, you will see how a hacker’s understanding of permissions might help them exploit a system.
Different Types of Users
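- root is all-powerful; it can do anything
- Other users are more restricted, with limited capabilities and permissions. They almost never have the access that the root user has.
- Other users are usually placed into groups that share a similar function and are granted the same permissions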
Granting Permissions
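- Every file must be assigned a specific level of permission for each of the different identities that use it.
- There are three main permissions:
  - r: read-only; the file can only be opened and viewed
  - w: write; allows the user to view and edit the file
  - x: execute; allows the user to execute the file (but not necessarily view or edit it)
- The file owner or the root user can grant different permissions to different users or groups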
Granting Ownership to an Individual User
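- To transfer ownership of a file to another user so that they can control its permissions, use the chown (change owner) command
The example gives ownership of the file bobsfile to the user bob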
Granting Ownership to a Group
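- To transfer ownership of a file from one group to another, use the chgrp (change group) command
Hackers usually work alone, but they also take part in group efforts
The example transfers ownership of the program newIDS to the security group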
Checking Permissions
- Use ls -l to show a long listing of the files in a directory, which includes each file's permissions
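- d: the first character is the file type, e.g. d for a directory, - for a file
- rwxr-xr-x: the remaining characters give the permissions of the file owner, the group, and all users, in that order, each written in rwx order. If all three are - - -, it means only binaries or scripts can be read.
- 2: the number of links
- root root: the file owner and the owning group
- 69632: the file size (bytes)
- Nov 12 23:36: the time the file was created or last modified
- OpenCL: the file name
- File and directory permissions are not fixed. As the root user or the file's owner, you can change them.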
Changing Permissions
- Use the chmod command to change permissions when you are root or the file's owner. There are two different ways to make the change
Changing Permissions with Decimal Notation
- r stands for 4, w for 2, and x for 1; the values can be added together
- Permissions are expressed in octal
- To set rwx for the owner, the group, and all users, write 777
Example:
Changing Permissions with UGO
- Besides the numeric notation, permissions can also be changed with symbols
- The UGO (user, group, others) syntax provides u -> user, g -> group, o -> others
- Operators: - removes, + adds, = sets
Example:
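- You can see that the user's write permission has been removed
- You can of course change two at once, for example chmod u+x,o+x hashcat.hcstat2
As a hacker you often need to download new hacking tools, but by default Linux automatically sets the permissions of all files and directories to 666 and 777 respectively. This means that by default you cannot execute a file right after downloading it; trying to run it produces a Permission denied message. You therefore need to use the chmod command to give yourself permission before you can execute the file.
- Example: suppose I download a hacking tool called newhackertool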
- You can see that newhackertool has no execute permission.
Odd as this default may seem, it at least protects the system
- To give it execute permission, use the chmod command:
Setting More Secure Default Permissions with Masks
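- Use umask (user file-creation mask) to change the default permissions assigned to new files and directories
The umask command specifies the permissions to remove from the base permissions of a file or directory (temporary)
- The default permissions are usually 666 for files and 777 for directories. Setting umask to 022 removes write permission, so the defaults become 644 and 755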
Special Permissions
Granting Temporary Root Permissions with SUID
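- Setting the SUID (Set User ID) bit on a program temporarily grants the owner's permissions for executing it, e.g. root lets users run the file that changes passwords
- Setting SUID: put a 4 in front of the regular permissions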
- You can see that the user permissions are rws; the s is the SUID permission flag
Granting the Root User's Group Permissions SGID
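- Much like SUID, but SGID (Set Group ID) temporarily grants the permissions of the owner's group for executing the file
- When SGID is set on a directory, the group owner of files newly created in that directory will be the group of the directory's creator. This is convenient for shared folders
- Setting SGID: put a 2 in front of the regular permissions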
The Outmoded Sticky Bit
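- The sticky bit (SBIT) is a permission set on a directory that allows a user to delete or rename files within that directory
- It prevents others from deleting or moving files in the directory
- Because the sticky bit is a legacy feature of UNIX systems, modern systems ignore it. It is still discussed in the context of Linux, though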
Special Permissions, Privilege Escalation, and the Hacker
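- In some cases, hackers exploit SUID and SGID permissions to escalate an ordinary user's privileges to those of the root user, after which they can do anything on the machine (e.g. access the passwords in /etc/shadow)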
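
The umask defaults and the SUID/SGID bits described above can be checked from a defender's side with the script below. It is an added example, not part of the original notes: it works only inside a scratch directory, and the function names and sample file names are made up for illustration.

```sh
# Added example: umask defaults and a SUID/SGID audit, run in a scratch directory.
# Function and file names are made up for this illustration.

# mode_of FILE -> the 10-character type+permission string shown by ls -l
mode_of() { ls -ld "$1" | cut -c1-10; }

# new_file_mode MASK DIR -> mode string of a file created under umask MASK
# (a new file starts from base 666; the mask removes bits from it)
new_file_mode() (
    umask "$1"
    f="$2/umask_$1"
    rm -f "$f"
    : > "$f"
    mode_of "$f"
)

# list_special DIR -> regular files carrying the SUID (4000) or SGID (2000) bit
list_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# list_writable_special DIR -> the subset that group or others may also modify;
# review these first, since someone other than the owner can alter them
list_writable_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) -print | sort
}

# make_samples DIR -> constructed sample files covering each case
make_samples() {
    : > "$1/plain";    chmod 644  "$1/plain"     # no special bit
    : > "$1/suid_ok";  chmod 4755 "$1/suid_ok"   # SUID, owner-writable only
    : > "$1/suid_bad"; chmod 4777 "$1/suid_bad"  # SUID and world-writable
    : > "$1/sgid_ok";  chmod 2755 "$1/sgid_ok"   # SGID, owner-writable only
}

demo() (
    d=$(mktemp -d) || exit 1
    make_samples "$d"
    echo "umask 022 -> $(new_file_mode 022 "$d")"
    echo "umask 077 -> $(new_file_mode 077 "$d")"
    echo "suid_ok   -> $(mode_of "$d/suid_ok")"
    echo "SUID/SGID files:";           list_special "$d"
    echo "also group/world-writable:"; list_writable_special "$d"
    rm -rf "$d"
)

demo
```
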
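Summary
Linux uses permissions to protect the files and directories of users and groups. You must know how to manage permissions and how to exploit the weaknesses of this security system, particularly the SUID and SGID bits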