Enabling user with ROOT privileges WITHOUT using sudo

fanoflq · 03-10-2017, 06:03 PM

# Q0 : Is there a better way to allow root privilege
WITHOUT using sudo for any user?
(Yes, I understood the dangers.
This is just for learning. )

I checked this site: http://stackoverflow.com/questions/2...entos#25303137

#log in as user1, but "su -" to become root.
#Change user1 user ID, change not allowed.

Code:

[root@Centos7-1024ram-minimal ~]# usermod -o -u 0 user1       
usermod: user user1 is currently used by process 2349
[root@Centos7-1024ram-minimal ~]# id user1
uid=1000(user1) gid=1000(user1) groups=1000(user1),10(wheel)

#check process used by user1

Code:

[root@Centos7-1024ram-minimal ~]# ps aux | grep 2349
user1     2349  0.0  0.2 140772  2120 ?        S    15:12   0:00 sshd: user1@pts/0
root      2433  0.0  0.0 112648   916 pts/0    S+   15:32   0:00 grep --color=auto 2349

#kill user1's process

Code:

[root@Centos7-1024ram-minimal ~]# kill -s SIGKILL 2349
Connection to 192.168.122.167 closed by remote host.
Connection to 192.168.122.167 closed.

#log back in as root.

Code:

host@server ~ $ ssh root@192.168.122.167
... ... ...

#Failed to change user1's user Id to 0 (root)
#so I can run without using sudo.

Code:

[root@Centos7-1024ram-minimal ~]# usermod -u 0 user1
usermod: UID '0' already exists

#change user1's id with non-unique user id option works.

Code:

[root@Centos7-1024ram-minimal ~]# usermod -o -u 0 user1
[root@Centos7-1024ram-minimal ~]# cat /etc/passwd | grep -i user1
user1:x:0:1000:user1:/home/user1:/bin/bash
[root@Centos7-1024ram-minimal ~]# exit
logout
Connection to 192.168.122.167 closed.

#login as user1

Code:

host@server ~ $ ssh user1@192.168.122.167
user1@192.168.122.167's password: 
Last login: Fri Mar 10 15:12:41 2017 from 192.168.122.1

#The prompt string does not display user1@Centos7-1024ram-minimal.
# Q1: Is there away to display prompt string as user1@... instead of root@... when user's id has been changed to 0 (root)?

Code:

[root@Centos7-1024ram-minimal ~]# usermod -u 1000 user1      
usermod: user user1 is currently used by process 1 
#But I am actually login as user1
[root@Centos7-1024ram-minimal ~]# who
user1    pts/0        2017-03-10 15:12 (192.168.122.1)

#Log out. Then log in as root to change user1's user id back
# the original user id, 1002.

Code:

host@server ~ $ ssh root@192.168.122.167    
root@192.168.122.167's password: 
Last login: Fri Mar 10 16:24:05 2017 from 192.168.122.1

#Failed to change user1's user id.
#But I cannot kill process id 1 since it is systemd (system manager)
# Q2: How do I change user1's user id from 0 back to her original user ID?

Code:

[root@Centos7-1024ram-minimal ~]# usermod -u 1000 user1
usermod: user user1 is currently used by process 1
[root@Centos7-1024ram-minimal ~]#

Summary questions:
# Q0 : Is there a better way to allow root privilege WITHOUT using sudo for any user?
(Yes, I understood the dangers..... This is just for learning. )

# Q1: Is there away to display prompt string as user1@... instead of root@... when user's id has been changed to 0 (root)?

# Q2: How do I change user1's user id from 0 back to the original user ID?

astrogeek · 03-10-2017, 07:01 PM

Don't do that. Ever.

Use sudo or su, or login as root, or you are definitely on your own!

fanoflq · 03-10-2017, 07:06 PM

Quote:

Originally Posted by astrogeek

Don't do that. Ever.

Use sudo or su, or login as root, or you are definitely on your own!

Thanks.
Summary questions:
# Q0 : Is there a better way to allow root privilege WITHOUT using sudo for any user?
(Yes, I understood the dangers..... This is just for learning. )

# Q1: Is there away to display prompt string as user1@... instead of root@... when user's id has been changed to 0 (root)?

# Q2: How do I change user1's user id from 0 back to the original user ID?

astrogeek · 03-10-2017, 07:08 PM

Define "better". What are you trying to acheive?

If the user UID is 0 then that user IS root.

fanoflq · 03-10-2017, 08:07 PM

Quote:

Originally Posted by astrogeek

Define "better". What are you trying to acheive?

If the user UID is 0 then that user IS root.

Yes, I found that out.
Better means when I enabled a user to be root (temporary, perhaps),
its name also shows up in the prompt string rather than root's name.

In addition, it also means I can also remove root privilege from that
user easily.

Again, all these done in such a way that user
do not have to use sudo command.

Is this possible?

wpeckham · 03-10-2017, 08:57 PM

There are many different ways to escalate privileges (calife, chiark-really, or emulations or hacks like fakeroot) but I suspect that none of them really do what you want. But then, I am not sure I do understand what it really IS that you want.

If someone becomes root, no matter what tool they use, they become root. You can still run a command to get their logname (the name they logged in under before becoming ANYONE else), but the current ID will be root and there is no way to get around that other than to not let them become root.

Another option is to NOT let them become root, but use sudo (or one of the other utilities) to run certain COMMANDS as root without actually taking on that ID.

Since I am unsure of your true goal, I am not sure how well this applies.

fanoflq · 03-10-2017, 09:16 PM

Quote:

@wpeckham:
.... Since I am unsure of your true goal, I am not sure how well this applies.

This is just for learning about privilege escalation.

astrogeek · 03-10-2017, 10:29 PM

Quote:

Originally Posted by fanoflq

This is just for learning about privilege escalation.

Actually, when put like that and without an example use case, the question seems not so much one of learning "about", but more like asking "how to".

In fact, you are specifically asking how to escalate to root privileges in a user's login shell, but without the user's knowledge (i.e. concealing it in the prompt). As such, it is probably not an appropriate question for LQ.

As I have participated in the discussion I will defer that judgment to other mods.

fanoflq · 03-10-2017, 11:09 PM

Quote:

Originally Posted by astrogeek

Actually, when put like that and without an example use case, the question seems not so much one of learning "about", but more like asking "how to".

In fact, you are specifically asking how to escalate to root privileges in a user's login shell, but without the user's knowledge (i.e. concealing it in the prompt). As such, it is probably not an appropriate question for LQ.

As I have participated in the discussion I will defer that judgment to other mods.

"How to" is not same as "learning about"?

OK, here is how one can "conceal" a user's sudo privilege in /etc/sudoers:

Code:

user1 ALL:NOPASSWD: ALL

The prompt string for user is unchanged.
User can run sudo without password.
Same end result.

In any case, I do not think it is possible to do what I was experimenting with.
Sudo without password is probably the way to do, but user beware!

fanoflq · 03-10-2017, 11:42 PM

Is this question unsolvable?

# Q2: How do I change user1's user id from 0 back to the original user ID?

astrogeek · 03-10-2017, 11:43 PM

Quote:

Originally Posted by fanoflq

"How to" is not same as "learning about"?

"Is there a better way to allow root privilege WITHOUT using sudo?" is not the same as "How can I escalate privileges without the user being aware it has happened?"

Unless you can define "better" as asked, and provide an intended legitimate use case example, the answer to the first form must be "no".

Quote:

This is just for learning about privilege escalation.

... does not answer either part of...

Quote:

Define "better". What are you trying to acheive?

Without such context the question is not about learning, only about how to do something obviously harmful.

Quote:

Originally Posted by fanoflq

OK, here is how one can "conceal" a user's sudo privilege in /etc/sudoers:

Code:

user1 ALL:NOPASSWD: ALL

The prompt string for user is unchanged.
User can run sudo without password.
Same end result.

That conceals nothing and is a very different scenario from the original question. With sudo:

1. The user may run without password, but only with permission and never without being aware of it - they must type sudo
2. The system is aware because they are in the sudoers list, and their actions are logged
3. No norml system method or protection is circumvented
4. ONLY the process run as sudo has escalated privileges - not the login shell
5. Because of 5, the prompt is NEVER deceptive and ALWAYS reflects the owning UID

It is absolutely not the same result as modifying the passwd file or otherwise covertly changing the user's UID!

Please try to understand that difference, and the reasons for it as crucial of your learning experience.

frankbell · 03-10-2017, 11:44 PM

Quote:

Sudo without password is probably the way to do, but user beware

And thus, you, too, can give Linux the advanced security features of Windows 3.1 on DOS 5.

Oh, my.

fanoflq · 03-10-2017, 11:52 PM

Quote:

astrogeek:
That conceals nothing and is a very different scenario from the original question. With sudo:

1. The user may run without password, but only with permission and never without being aware of it - they must type sudo
2. The system is aware because they are in the sudoers list, and their actions are logged
3. No norml system method or protection is circumvented
4. ONLY the process run as sudo has escalated privileges - not the login shell
5. Because of 5, the prompt is NEVER deceptive and ALWAYS reflects the owning UID

It is absolutely not the same result as modifying the passwd file or otherwise covertly changing the user's UID!

Please try to understand that difference, and the reasons for it as crucial of your learning experience.

Thank you.
Those are good reminders.

fanoflq · 03-11-2017, 12:04 AM

Quote:

Originally Posted by fanoflq

Is this question unsolvable?

# Q2: How do I change user1's user id from 0 back to the original user ID?

Here is my solution:

I login as root.
Then delete line containing user1 from :
/etc/passwd
/etc/group
/etc/shadow

And then reboot to see it I caused any problem.
Then I recreate user1 again via useradd command.

Since I did not delete user1's home directory,
those account will become this "new" user1's account.
All is good.

Turbocapitalist · 03-11-2017, 12:09 AM

Quote:

Originally Posted by fanoflq

"How to" is not same as "learning about"?

OK, here is how one can "conceal" a user's sudo privilege in /etc/sudoers:

Code:

user1 ALL:NOPASSWD: ALL

Can you give some examples of what you are really trying to do? There probably is a safe and reasonable way to get it done, but we'll need more information.

The configuration posted above looks like the exact kind of abuse of sudo that I have blogged about since it is so common. A small amount of the fault lies with sudo being very flexible, but I think nearly all of the problem are the awful defaults provided by most sudo-using distros and worse examples provided out on the net.

Most people using sudo could benefit greatly from reading the manual page for sudoers at least once because if you're doing all-or-nothing permissions, you're doing it wrong See also the slides from his other presentation of the same name, sudo: You're Doing It Wrong. I highly recommend going through the slides or the presentation.