LinuxQuestions.org
Old 11-23-2019, 08:52 PM   #1
TokTok
Member
 
Registered: Oct 2019
Posts: 227

Rep: Reputation: Disabled
Can a hostile script be installed from a web page by itself without the user password?


I don't know where to post this so I'll ask the question here.
I know that hostile scripts can install themselves in Windows, but can this occur with Linux Mint or other versions of Linux? Would the password be needed for it to install itself? If it can, is there any distro that it cannot be done with? What about rendered files, those hidden in a PDF or image file, if any what kind?
Mint 19.2 Tina Cinnamon.
 
Old 11-23-2019, 10:11 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 17,808
Blog Entries: 28

Rep: Reputation: 5543
My tentative answer is a resounding maybe, if you click on a dodgy link and if the script works on Linux. As most malware targets Windows and, sometimes, Macs, the odds are that the script will not work on Linux.

Of course, a javascript script may work in your browser, regardless of the platform. That's why many Linux (and Windows and MacOS) users install Noscript or an equivalent and Privacy Badger to their browsers.

In addition, the Linux security model provides additional protection. The script may invade your home directory, but it will not be able to escape to the remainder of the machine, as root access (and the root password) is required to accomplish this, unless user somehow permits it to do so.

Just my initial thoughts on the matter. I'm sure more knowledgeable persons will correct me if I'm mistaken.

Last edited by frankbell; 11-23-2019 at 10:17 PM.
 
Old 11-23-2019, 11:48 PM   #3
ehartman
Senior Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 1,674

Rep: Reputation: 886
Quote:
Originally Posted by frankbell View Post
but it will not be able to escape to the remainder of the machine, as root access (and the root password) is required to accomplish this, unless user somehow permits it to do so.
Except those systems that have set up sudo access without password for their default user (*ubuntu comes to mind).
 
Old 11-24-2019, 01:02 AM   #4
//////
Member
 
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Arch x86_64 | OpenBSD 6.7 bridge | Virtualbox Guest windows 10 pro
Posts: 577

Rep: Reputation: 277
I had my browser (Firefox) infected with some kind of malicious script, at least I think it was a script.
It loaded NSFW ads and I had to uninstall/reinstall Firefox and delete the mozilla/firefox ".folders" from my home directory. That fixed it.
 
Old 11-24-2019, 03:22 AM   #5
TokTok
Member
 
Registered: Oct 2019
Posts: 227

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by frankbell View Post
My tentative answer is a resounding maybe, if you click on a dodgy link and if the script works on Linux. As most malware targets Windows and, sometimes, Macs, the odds are that the script will not work on Linux.

Of course, a javascript script may work in your browser, regardless of the platform. That's why many Linux (and Windows and MacOS) users install Noscript or an equivalent and Privacy Badger to their browsers.

In addition, the Linux security model provides additional protection. The script may invade your home directory, but it will not be able to escape to the remainder of the machine, as root access (and the root password) is required to accomplish this, unless user somehow permits it to do so.

Just my initial thoughts on the matter. I'm sure more knowledgeable persons will correct me if I'm mistaken.
Thanks, do you think the FF container plugin/add-on
would do the job of containment without having to reinstall FF or anything else?
 
Old 11-24-2019, 03:25 AM   #6
TokTok
Member
 
Registered: Oct 2019
Posts: 227

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ehartman View Post
Except those systems that have set up sudo access without password for their default user (*ubuntu comes to mind).
I think I did this when I installed it, as I'm asked for my PW every time I add a program etc., so with this you think everything should be OK? I posted about FF container extensions; do you think this would get the job done so FF does not have to be reinstalled or anything else?
 
Old 11-24-2019, 04:06 AM   #7
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,860
Blog Entries: 16

Rep: Reputation: 3438
When I was using Ubuntu back in the day, it did ask for a sudo password. Maybe they've changed it since then. On my own systems, I use no-password sudo for shutdown commands only, not for anything that modifies the system. But there are people on this forum who recommend a separate user account without sudo rights for all internet work.

It's worth pointing out that on many systems, the contents of the home partition are actually more precious than those of the root partition. The latter are protected by being owned by root but if they did get corrupted, you could reinstall at a pinch. Losing your lifetime collection of family photographs to a malevolent script acting in your name would be a much worse fate!

Last edited by hazel; 11-24-2019 at 04:09 AM.
 
Old 11-24-2019, 04:22 AM   #8
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,971
Blog Entries: 3

Rep: Reputation: 3091
Quote:
Originally Posted by TokTok View Post
I don't know where to post this so I'll ask the question here.
I know that hostile scripts can install themselves in Windows, but can this occur with Linux Mint or other versions of Linux? Would the password be needed for it to install itself? If it can, is there any distro that it cannot be done with? What about rendered files, those hidden in a PDF or image file, if any what kind?
Mint 19.2 Tina Cinnamon.
The answer is a solid "yes", regardless of OS for any running on the x86 architecture:

Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript

That example relies on tricking the visitor into turning on javascript. However, the same method should be available for PDF and, probably, SVG. Image files would be more complicated and need operating-specific exploits in specific libraries. Those are kind of rare.
 
1 members found this post helpful.
Old 11-24-2019, 07:36 AM   #9
yancek
LQ Guru
 
Registered: Apr 2008
Distribution: PCLinux, Slackware
Posts: 9,585

Rep: Reputation: 2150
I don't use Ubuntu regularly but usually have a current release installed and I have never seen a default Ubuntu that allowed root/sudo access without a password. You can set it to login without a password and modify the sudoers file to allow no password but that can be done on any system with sudoers and sudo enabled.
 
Old 11-24-2019, 03:46 PM   #10
ehartman
Senior Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 1,674

Rep: Reputation: 886
Quote:
Originally Posted by TokTok View Post
I think I did this when I installed it, as I'm asked for my PW every time I add a program etc., so with this you think everything should be OK?
Not everything, but at least your user cannot install malware for root UNnoticed.
Of course if the malware "installed as you" gets your password then it can use sudo too, because it only needs YOUR password for that.
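
Several replies above turn on whether the desktop user has passwordless sudo. As an added example (not from any poster in this thread), this shell function lists NOPASSWD rules in sudoers text and separates unrestricted grants from command-limited ones such as shutdown-only; the sample rules and the user names alice and kiosk are constructed.

```shell
#!/bin/sh
# Flag sudoers rules that grant sudo without a password (NOPASSWD).
# Reads the named files, or stdin when none are given.
# Output: one line per rule, "<severity> <who> <commands>".
# On a real system, feed it /etc/sudoers and the files in /etc/sudoers.d
# (reading them needs root); "sudo -l" shows the effective result.
audit_nopasswd() {
    awk '
        # Join continuation lines (trailing backslash) into one rule.
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = ""; gsub(/[ \t]+/, " ", line) }
        # Skip blanks, comments, Defaults and alias definitions.
        line ~ /^ ?(#|$)/ { next }
        line ~ /^ ?(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
        line !~ /NOPASSWD ?:/ { next }
        {
            who = line; sub(/^ /, "", who); sub(/ .*$/, "", who)
            cmds = line; sub(/^.*NOPASSWD ?: ?/, "", cmds)
            # NOPASSWD: ALL means any command as root with no prompt.
            sev = (cmds ~ /(^|,) ?ALL ?(,|$)/) ? "HIGH" : "REVIEW"
            print sev, who, cmds
        }
    ' "$@"
}

# Constructed sample: a default password-protected setup plus two
# NOPASSWD rules, one limited to shutdown commands and one unrestricted.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not a real system's sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(root) NOPASSWD: /sbin/shutdown, \
                             /sbin/reboot
kiosk   ALL=(ALL) NOPASSWD: ALL
EOF
}

sample_sudoers | audit_nopasswd
```

A HIGH line means a script running as that user can become root without any prompt; no output means every rule still asks for the user's password.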
 
  

