LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-21-2006, 12:32 PM   #1
cynick
LQ Newbie
 
Registered: Jul 2005
Posts: 13

Rep: Reputation: 0
compromise linux system using non-root account?


What can happen to my linux box, if I, using my regular non-admin account, run some untrusted software?

The system is patched (per Suse 10 automatic suggestions); it is Suse 10 with KDE.

And what is more important, how do I make sure it has not been compromised?
What if I continue to run the suspicious program (it's a Java (jar) application)?

I'm behind a router.

Thanks,
nick

Last edited by cynick; 04-21-2006 at 12:38 PM.
 
Old 04-21-2006, 12:56 PM   #2
burntfuse
Member
 
Registered: Sep 2005
Location: Laurel, MD, USA
Distribution: Slackware 10.1, FC5
Posts: 164

Rep: Reputation: 30
I'm definitely not an expert on this, but I think there's not a whole lot malicious software can do from a non-root account (as long as the suid bit isn't set) except trash your home directory. Someone please correct me if I'm wrong, but I think it's even harder to make java do anything virus-like, so you shouldn't have much to worry about.
 
Old 04-21-2006, 01:21 PM   #3
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Rep: Reputation: 31
If there is a specific application that you are unsure of, scan it with some sort of anti-virus application. Personally I use clamav:
Code:
clamscan --log=jarscan.log *jar
 
Old 04-21-2006, 04:37 PM   #4
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
It is quite hard to write a program that can compromise a computer that is kept up to date. Having said that, if that unsafe program provides a way for an actual user to get inside, like for example giving him a remote prompt, he could be on your machine and try to hack it with the privileges of your user. For example, put an alias for su that will log the password for him and then call the actual su so you don't notice (although that can also be done by a program).

Java can be decompiled with JAD.
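A check for the two tricks Krugger describes, added here as an example and not code from the thread: it scans the shell start-up files for an alias or function that shadows su or sudo, and reports PATH entries (empty, "." or world-writable) that would let a program plant a fake binary the shell picks up first. The list of dotfile names and the HOME argument are assumptions; it needs only POSIX sh plus grep and find.

```shell
#!/bin/sh
# Added example, not from the thread: spot the "alias su" trick (a fake su
# that logs the password, then calls the real one) and the PATH weaknesses
# that let a program run a fake binary from the current directory.
# Only the user's own files are inspected; nothing is modified.

# Print lines in FILE that define su or sudo as an alias or a shell function.
# Returns 0 when something was found, 1 when the file is clean or missing.
find_su_overrides() {
    [ -r "$1" ] || return 1
    grep -En '^[[:space:]]*(alias[[:space:]]+(su|sudo)=|function[[:space:]]+(su|sudo)([[:space:]{(]|$)|(su|sudo)[[:space:]]*\(\))' "$1"
}

# Scan the common shell start-up files under HOME (default: $HOME).
# Returns 0 if any override was found in any of them.
scan_dotfiles() {
    home="${1:-$HOME}"; found=1
    for f in .bashrc .bash_profile .bash_aliases .profile .zshrc .kshrc; do
        if find_su_overrides "$home/$f"; then found=0; fi
    done
    return $found
}

# Print PATH entries an unprivileged program could exploit: empty or "."
# entries (the current directory gets searched) and world-writable
# directories. PATH defaults to the caller's. Returns 0 if any were found.
check_path() {
    rest="${1:-$PATH}:"; bad=1           # trailing ":" makes the loop see every entry
    while [ -n "$rest" ]; do
        d="${rest%%:*}"; rest="${rest#*:}"
        if [ -z "$d" ] || [ "$d" = . ]; then
            echo "current directory in PATH: '${d:-<empty>}'"; bad=0
        elif [ -d "$d" ] && [ -n "$(find -H "$d" -prune -perm -002 -print 2>/dev/null)" ]; then
            echo "world-writable PATH entry: $d"; bad=0
        fi
    done
    return $bad
}
```

Run `scan_dotfiles` and `check_path` from a fresh login shell, not from the shell the suspect program was started in, so a modified environment cannot hide its own changes.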
 
Old 04-21-2006, 05:10 PM   #5
cynick
LQ Newbie
 
Registered: Jul 2005
Posts: 13

Original Poster
Rep: Reputation: 0
Well, since it is Java and it runs as an application, it can just as well execute arbitrary code (for example, create a shell script and put it in .bashrc or something). The "su" alias is smart; I'll check for that.

Just to give you an idea: I've downloaded a crack for JBuilder 2006. Not that I really need the extra features over the free Foundation edition, but I wanted to try it out longer... guilty, I know.

Last edited by cynick; 04-21-2006 at 05:15 PM.
 
Old 04-23-2006, 11:12 AM   #6
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 114
Quote:
What can happen to my linux box, if I, using my regular non-admin account, run some untrusted software?
If your system is properly configured, then malicious software can at worst wreck your home directory. Of course, first it has to trick you into running it.
 
Old 04-24-2006, 04:32 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2787
Quote:
What can happen to my linux box, if I, using my regular non-admin account, run some untrusted software? / the system is patched / I'm behind a router.
Next to the already mentioned munging of whatever is in your home directory there are a few things I can think of. Since you're behind a router I'll assert you know how to and do block initial inbound traffic from outside the private network (but how about egress filtering?), and since you patch everything to current the only thing that can hit you on that front seems to be reconnaissance, misconfiguration and 0-day exploits. So let's focus on the fact that local (or private network) account users are most likely to be considered "trusted" by local applications or running services in the network. What can we do?

- Information gathering
Maybe you've got another Firefox/KDE/whatever else 0-day you need to retrieve specific version info for? Look at dmesg?[0] See what processes are running or which user accounts were used on the box recently?[0] What's the last time root logged in?[0] Look on the private network for servers that are only protected by the router?[1] Or maybe just be interested in local logs, mail or docs for Social Engineering (or why not: extortion)?[2]

- Account bruteforcing
So you set up a drop-app for SSH. But what about local accounts?[3] What's the last time root checked it or got it reported automagically?[4] Are there any users or commands we can sudo to with NOPASSWD?[5]

- Downloading & executing something else
Skype executes traceroute on application start. Does that have any paths prepended or could we manage to execute a fake ./traceroute from the CWD?[6] Or maybe I'm allowed outbound access to open relays or be able to look for proxies on port TCP/80?[1] Or can I wget you Something Completely Different? (apart from Larches).[0], [1]

- Resource starvation
Maybe I'll just fill up your / or /var/log before attempting to do Something Completely Different.[7], [8]

* Some actions are no cause for alarm when reviewed alone but are only interesting when you piece the chain of events together. If any of you think the above is FUD or dismiss it as being hypothetical then you're not looking at what you should be looking at and that's any form of missing access restriction.

Quote:
and what is more important, how do I make sure it has not been compromised?
Verify against the checksums provided with the package. If none are, bug the developers/maintainers to provide a GPG-signed package or at least MD5 and SHA1 sums. Run under Mandatory Access Controls (MAC)[8]. Run in a sandbox (like Qemu) under strace or something else that does monitor system calls. Use a file integrity checker to monitor changes.

Quote:
What if I continue to run the suspicious program (it's java (jar) application)?
Noticing how you classify it as "suspect" yourself, then continuing to run it would not be advisable without looking for a qualitatively good replacement or MAC and proper verification.


HTH

--
[0] GRSecurity.
[1] (N)IDS, Host firewall, DMZ.
[2] GPG, FUSE's EncFS, SELinux MAC/GRSecurity RBAC.
[3] PAM Tally.
[4] Logwatch, Swatch.
[5] Be creative?
[6] Tiger, strace.
[7] Monit, for instance.
[8] SELinux MAC/GRSecurity RBAC.
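Two of the checks unSpawn lists, in script form, added here as an example and not code from the post: verifying a downloaded package against the publisher's SHA1 or MD5 sum line, and a minimal file-integrity checker that records SHA-256 sums of a directory (say $HOME) before the program runs and reports what changed afterwards. It assumes GNU coreutils (sha1sum, md5sum and sha256sum with -c); all paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: verify a package against its
# published sum, and keep a simple integrity baseline of a directory so
# changes made while the suspect program ran can be spotted.
# Assumes GNU coreutils (sha1sum, md5sum, sha256sum).

# verify_sum SUMFILE : check the file named in SUMFILE against the digest
# on its first line; 40 hex chars means SHA1, 32 means MD5. Run it from the
# directory holding the package (the sums file names the file relatively).
# Returns 0 only when the digest matches.
verify_sum() {
    digest=$(awk 'NR==1 {print $1}' "$1")
    case ${#digest} in
        40) sha1sum -c --status "$1" ;;
        32) md5sum -c --status "$1" ;;
        *)  echo "unrecognised digest length in $1" >&2; return 2 ;;
    esac
}

# baseline DIR OUT : record the SHA-256 of every regular file under DIR,
# sorted by path, in OUT. Keep OUT outside DIR and out of the program's
# reach (removable media, another account) so it cannot be rewritten.
baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$2"
}

# compare BASELINE DIR : recompute the sums for DIR and list every path that
# is only in the baseline (deleted or modified) or only in the current tree
# (added or modified). Returns 0 if nothing changed, 1 otherwise.
compare() {
    now=$(mktemp)
    baseline "$2" "$now"
    if cmp -s "$1" "$now"; then rm -f "$now"; return 0; fi
    diff "$1" "$now" | awk '/^</ {print "baseline only: " $3} /^>/ {print "current only: " $3}'
    rm -f "$now"
    return 1
}
```

A sum that matches only proves the download is what the publisher shipped, not that the publisher's package is benign; the integrity baseline is what tells you what the program actually touched.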