There are two classic ways that Linux newbies open themselves up for pranks and shenanigans (or worse): double-su and startx. The double-su will not cause any holes that a crafty conman couldn’t already have arranged, but the startx trick can actually be a serious back door.<\/p>\n
The double-su is when you su twice from some other user’s shell. Imagine, if you will, that Vidar just called over the admin of the company’s server, pointed to top where a process is running un-niced at 99% and has racked up hours and hours of cpu time. Vidar makes a big fuss about this, so the admin says “fine, move over”, and does the following at Vidar’s terminal:<\/p>\n
He then scampers off to lunch. Spotted the problem? “su” doesn’t switch to another user’s account; UNIX\/Linux doesn’t allow non-root users to do that, even if they have the password. Instead, it starts another shell on top of the old one. Then the admin run su again, creating a third shell on top of the other two. Now, when Vidar exits the third shell, he finds himself back at the second one, with full root access:<\/p>\n The admin clearly should have ended his su-session with If Vidar was evil, he could just as easily have set up a software or hardware keylogger, a spoofed su or simply used strace. This is the reason why the double-su is more of a prank opportunity than an exploit. <\/p>\n Now, startx, on the other hand…! Some users, mostly for leetness, like to log in in text mode and then “startx” to start X, instead of a graphical login. What most of these don’t consider, is that both the shell and startx are still running on the virtual console it was started on. <\/p>\n If the user dutifully locks the screen before attending wetware chores, you can hit Ctrl-Alt-F1 to get to this shell, Ctrl-Z and bg. You now have a shell running as this user. If that isn’t enough, you can This user should at least have used So how serious is this hole? It depends on how far you’re willing to go. Sure, with physical access you can try all sorts of things, like rebooting with a livecd. If you know there’s a bios password you can’t clear, you can take the disk out. If the disk is encrypted, you can try a cold boot attack. But surely by then, the user’s back and is trying to figure out why you’re pouring liquid nitrogen into his hardware. <\/p>\n It might have been easier to hit him over the head before he locked the screen in the first pace.<\/p>\n More seriously, proper startx usage turns getting your stuff from a trivial act of stealthy espionage into a violent crime or an invasive and time consuming thousand-euro procedure. Don’t underestimate that. <\/p>\n If you can think of any other classical security no-nos being reinvented by every new generation of Linux users, do comment!<\/p>\n","protected":false},"excerpt":{"rendered":" There are two classic ways that Linux newbies open themselves up for pranks and shenanigans (or worse): double-su and startx. The double-su will not cause any holes that a crafty conman couldn’t already have arranged, but the startx trick can actually be a serious back door. The double-su is when you su twice from some … Continue reading “Two classic ways of getting owned”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[6,4,22],"tags":[],"class_list":["post-13","post","type-post","status-publish","format-standard","hentry","category-basic-linux","category-linux","category-security"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=\/wp\/v2\/posts\/13","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=13"}],"version-history":[{"count":0,"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=\/wp\/v2\/posts\/13\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=13"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=13"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.vidarholen.net\/contents\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=13"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nvidar@kelvin ~ $ su<\/b>
\nPassword:
\nroot@kelvin:\/home\/vidar# renice 19 3156<\/b>
\n3156: old priority 0, new priority 19
\nroot@kelvin:\/home\/vidar# su vidar<\/b>
\nvidar@kelvin ~ $
\n<\/code><\/p>\n
\nvidar@kelvin ~ $ exit<\/b>
\nexit
\nroot@kelvin:\/home\/vidar# echo \"Want to buy: Baggy pants and a more suitable job. Love, your admin\" >> \/etc\/issue<\/b>
\nroot@kelvin:\/home\/vidar# exit<\/b>
\nexit
\nvidar@kelvin ~ $
\n<\/code><\/p>\nexit<\/code> rather than su originaluser<\/code> Of course, the real<\/i> issue here is using “su” on untrusted hardware and software. <\/p>\nkillall xscreensaver<\/code> and Ctrl-Alt-F7. You now have an unlocked X session:<\/p>\n
\nvidar@kelvin ~ $ startx
\n^Z<\/b>
\n[1]+ Stopped startx
\nvidar@kelvin ~ $ bg<\/b>
\n[1]+ startx &
\nvidar@kelvin ~ $ killall xscreensaver<\/b>
\nvidar@kelvin ~ $ clear; exit;<\/b>
\n<\/code><\/p>\nstartx & exit<\/code> to log off the virtual console when X started. <\/p>\n