General :: Security Dangers Of Executing Malignant Code As A Standard User?
Jan 28, 2011
Slipping some (non-root) user a piece of malignant code that he or she executes might be considered as one of the highest security breaches possible. (The only higher I can see is actually accessing the root user) What can an attacker effectively do when he/she gets a standard, (let's say a normal Ubuntu user) to execute code? Where would an attacker go from there? What would that piece of code do?
Let's say that the user is not stupid enough to be lured into entering the root/sudo password into a form/program she doesn't know. Only software from trusted sources is installed. The way I see it there is not really much one could do, is there?
Addition: I partially ask this because I am thinking of granting some people shell (non-root) access to my server. They should be able to have normal access to programs. I want them to be able to compile programs with gcc. So there will definitely be arbitrary code run in user-space...
Feb 23, 2011
build a Linux environment in which only "signed" processes are allowed to run. When I say signed I don't mean a VeriSign etc. signature like you know it from Windows, but I mean signed by myself. I.e. I choose the software allowed to run, sign it, and then want to deny any other processes to run. If it is somehow possible I'd like to extend this even to scripts and the kernel (i.e. no unsigned modules can be loaded). Does anyone have a good idea how to solve this problem? The bad thing is: I'm pretty fine with coding stuff myself in C, but have absolutely 0 experience or knowledge in kernel (module)-programming. Any tips, links, literature
One approach I came up with (just a rough idea at the moment): Linux starts new processes with a fork-and-exec-combination. I therefore wonder if it is possible to change exec() in such a way that it will only execute signed programs
Feb 4, 2010
Up to now I've been playing with Ubuntu whilst storing important data elsewhere for about 2 years. Now I'm ready to move to Ubuntu completely but want to address my security. I'm currently using a desktop and server behind a hardware firewall / Internet router. The router has DynDNS and forwards port 80 to the webserver and a port I picked at random to the desktop 22 for SSH with private keys. SSH passwords are disabled.
The first question is, is there a danger of running different security levels on the two machines? I don't care about the server, there is no data on it so I currently forward port 80 and am considering forwarding ports 631 (CUPS) and a port for LDAP. Will this affect my desktop (which has info I don't want to lose). The next question is whether port forwarding / hardware firewall is actually a safeguard against attack.
Feb 17, 2010
How do I let user Y write in folder A only when executing script X?
Nov 2, 2010
I have an application, probably CPU-intensive because sometimes it leaves the CPU with 0% idle (in top). Sometimes it hangs ("Done" does not print) when executing this part, but most of the time it executes just fine. Is there anything wrong with this code?
Feb 18, 2011
I'm about to recompile PHP from source and was planning to download the source code to my Ubuntu machine. Is there a standard place where all the source code goes? I know that PHP has many dependencies and would like to hopefully put it in the right place so as to satisfy as many as possible.
Apr 7, 2011
I'm still a bit confused about the standard way of removing it for left-associative operators: [URL] Especially about how to construct an AST from it by executing a piece of code for every nonterminal matched. And I'm still not totally convinced that it will be left-associative, I just barely understand it. Also, how would you remove left-recursion for something like this:
Code:
expr ::= expr "(" param_list ")"
| other stuff...?
Oct 10, 2009
I need to do some text file manipulation which I think should be done with standard commands in BASH. I'm looking at comma-separated text files (stock market data). It comes in the form of date, stock code, open, high, low, close, volume. What I need to do first is move all data with same stock code sequentially into individual files.
While doing this since the stock code will now be the file name I need to remove the stock code. Next I need to filter out overlapping data from different files with the same date. ie. where two files contain the same date on the one line only one line will be added to the combined file. I think there must be a tutorial out there for basic text manipulation like this, I just haven't found it yet.
Mar 11, 2010
Been running 64 bit Fedora for a few weeks now and all is dandy. I have been having problems using Wine & Winetricks to install extra components. Wine seems to crash whenever I try to run something as a standard user. Run as root and the problem doesn't happen. Do I need to add some permissions to run under a standard user? With Winetricks, when I go to install any component, after extracting and installing all files I get:
'Executing early_wine regedit c:winetrickstmpoverride-dll.reg
regedit: File not found "c:winetrickstmpoverride-dll.reg" (2)
Note: command 'early_wine regedit c:winetrickstmpoverride-dll.reg' returned status 1. Aborting.'
Now I have searched everywhere for these .reg files that are not found, haven't found anywhere that can tell me where to retrieve these files.
Apr 28, 2011
I'm using an HP dual-processor Athlon 11 g42-415dx notebook PC and my wireless won't work. I put the passcode in the wicd program and it says bad password. So I tried the PIN code on the wireless router and that didn't work, so am I doing something wrong or is there something wrong with the hardware? I got the wired connection to work but can't get wireless; it's a little more complex.
Feb 9, 2010
how to write secure code for bash scripts in general? Strangely I didn't find anything in Google and in the forum so far. If someone here is willing to review a bash script for me (about 600 lines).
Jul 18, 2010
To reset a Facebook password, Facebook sends a code by e-mail. Can this code be sniffed by sniffing software?
Mar 1, 2011
if I executed a Windows Virus in the program "Wine" in Ubuntu.
Jul 13, 2010
I have a script that runs lots and lots of root commands, copying files in /usr/... stuff like that, then I want to switch users back to the original user and run some gconf tweaks. I need to update a series of gconf values for a user after copying all the root files, but I noticed once you're in root, any gconf values you change, change root's information, not the user who started the script using sudo.
So I was wondering how you would run a script as root, then after you're done with all the root commands, "un-root" to the current user who started the script and run the gconf edits:
I put together this so far. It's a script that you run, it detects if it was started as root and if not it asks for root password and re-spawns itself, exiting out the first instance, then the script runs, switches to the original user after all files are copied over and starts to run the Military Time custom format update.
Code:
OUSER="`whoami`"
if [ "$(id -u)" != "0" ]; then
sudo -K
sudo bash $0
[Code]....
Jan 28, 2010
I found a behavior of iptables on FC12 to be different and suspect it's broken somehow. Here is what I did
# iptables -F
# iptables -A INPUT -s 127.0.0.1 -p tcp --dport 22 -j ACCEPT
I don't have a shell on FC12 with me to show the output of iptables -L -n but it looks good after above 2 commands. However, after issuing the following third command iptables -L -n gives "wrong" result
# iptables -R INPUT 1 -s 127.0.0.1 -p tcp --dport 22 -j ACCEPT
Namely iptables -L -n gives extra "/0" after 127.0.0.1 in the output. I have checked on Ubuntu 9.10 and CentOS 5.4 and they don't give extra "/0"; iptables is not supposed to do that. Of course, I didn't invent these examples but they are abstracted from actual real life scenario of trying to build rules on our servers.
Apr 13, 2011
this is the alert I got:
Code:
Summary:
Your system may be seriously compromised! /usr/sbin/NetworkManager tried to load a kernel module.
Detailed Description:
SELinux has prevented NetworkManager from loading a kernel module. All confined programs that need to load kernel modules should have already had policy written for them. If a compromised application tries to modify the kernel this AVC will be generated. This is a serious issue. Your system may very well be compromised.
Allowing Access:
Contact your security administrator and report this issue.
Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:NetworkManager_t:s0
Target Objects None [ capability ]
[code]....
Apr 9, 2010
I have a folder in a Samba shared drive which I've done the following with (in Unix):
1. Changed owner to Administrator.
2. Changed group owner to Domain Users.
3. Granted 700 (drwx------) permissions
4. Connected to Windows server via remote desktop
5. Mapped the Samba network drive as administrator
6. Right clicked on the folder > properties > security tab > advanced, and added one person (let's call him Joe) who has rwx access on that folder and everything in it. (along with administrator)
7. Went back to check Unix permissions on the folder and found that they had changed from drwx to drwxrwx+. Same goes for everything inside it.
8. Checked the ACL.
Nov 9, 2009
I'm using iptables with the module ip_conntrack_ftp to be able to use passive FTP. It works well as long as port 21 is being used as listening port. Is there any way to make it work when I configure my FTP server (vsftpd) to listen on an alternative port, let's say 21001 or something? The helper module only seems to be working properly with the standard port, so I was wondering whether there was a way to "tell it" that another port is being used? I mean, of course I make a rule in fw to allow traffic to the alternative port.
But once it's time to start passive connection, then the iptable module cannot handle it properly. I could solve the problem by making a range of passive ports in the FTP server configuration and allow the incoming traffic to them, but then using helper modules doesn't make any sense. I just want to allow the traffic to the listening port and then want the ip_conntrack_ftp module to take care of the rest. This is what I do today - but only port 21 seems to be working. Is there a way to do this with a non-standard FTP port?
Dec 10, 2010
I have been searching for 90 minutes for something that I "think" should be fairly easy. I'm pretty new to Bash scripting so I could be completely wrong. Then again it may be a weird request to even need something like this. But here it is. I have a script written to convert data from one of our software versions to another. The only thing I need to add to it is a "check to make sure the user running the script is in the /tmp directory".
Apr 20, 2011
First off, since this seems like a networking issue I put it here, but if it should be somewhere else, the powers that be should definitely move it over.
I'm using Ubuntu 10.10 on Dell Presario M2000. I have made sure that all updates have been done.
As the subject states, the admin account (mine which I'm posting to the forum with right now) can access the internet and see webpages. The user account on this laptop (my underaged sister who my parents don't want full access to the computer) will not access any webpages, it just continually looks like it's loading.
I have made sure the wireless card drivers are installed and activated.
Also, I ran iwconfig and ifconfig and here are their results
Results of iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0 IEEE 802.11bg ESSID:"myqwest4137"
[Code]....
These were both run from the user account. At this point it looks like it's connecting to the internet through the wireless card as I was also able to run the update manager through the user account and have it download the updates (after putting in my admin password of course).
Mar 8, 2010
I'm sorry if this has been posted already but I REALLY did look and couldn't find the same issue(s) addressed anywhere. Similar, but not similar enough, in my opinion, to barge in and switch the subject.
Ok, I have Apache httpd set up so I can use a public_html folder inside of my /home/username directory. Now, I'm about to take a web dev course that teaches JSP/Servlets for building web applications and I'd like to set my environment up so that I can execute .jsps from my web root (/home/username/public_html) just like I would a CGI or PHP script. I have a web host that will give me JSP support for a few extra bucks a month, but I'd rather do it locally... and free.
I have Tomcat installed and running wonderfully. The test page and all the examples work fine and execute immediately. But when I try to execute a .jsp file inside of my web root (/home/username/public_html) I just get the raw Java tags and plain-old HTML rendered in my browser. I pretty much knew that wouldn't work; that'd be way too easy. I just wanted to see what would happen.
I looked through all the tomcat ".conf" files I could find to see if it was similar to setting up httpd inside of my home directory, but I didn't have any luck. It's not a file permissions problem... I've been messing with web "scripts" long enough to check that the files are executable. All of the files needed (borrowed from the examples that come with Tomcat) were in their correct paths inside of my web root, as well. Added :8080 to the end of localhost (like you do to see the Tomcat test page(s) instead of the httpd test page) but that didn't help.
I scoured the web for directions but could only find one solution that was Ubuntu-specific (just install tomcat6-user-something-or-another.deb, which doesn't exist in the Fedora repos), then I looked around here, trying every search term that seemed reasonable to me, and I can't find anything.
I realize I can just write the code and put it in a directory that does allow these things to be executed (var/lib/tomcat6/blah-blah-blah/going-by-memory) and run them from there, but I'd like to be able to just keep all of my web files in the same place; a place where I have full permission to do whatever I want... my home directory public_html.
Is this possible (has to be, right?)? Is this a dumb idea to begin with (I'm prone)? What is the best way to develop JSP/Servlets without having to deal with permissions every time I want to put a new script in a directory outside of my home directory that's already set up to allow the execution of said script?
Jan 16, 2010
I have an old laptop (running Xubuntu 8.04 and Apache) which I use as a webserver, and have opened port 88 on my router. Is this a danger to other computers on my network?
Feb 21, 2011
I am looking at creating two user accounts for "contract system admins". These guys will be performing sys admin duties for a server -- however, I am still concerned about security of data. For example, the server contains password information for our database, etc. Besides making them sign an NDA, etc. what other security mechanisms could I put in place to ensure that they don't just go buck wild. For example, when someone makes a sudo command, is this logged?
What are some recommendations for general security practices?
Sep 8, 2010
Is there any way in Linux that user & group security can be set?
excluding the owner & group permissions.
Feb 21, 2011
I have a mercurial repository on a secure server, to which I want to grant secure access to an external user.
I added for him a user account and publickey ssh authentication so that now he could push/pull changesets via ssh.
My question is: how can I make this new user account completely disabled from doing anything or accessing any data on the server other than accessing the repository? E.g. he shouldn't even have the possibility to enter an interactive shell session.
Feb 2, 2011
created a user but I forgot to change the home directory permission. So after the user was created, when I go to the user and group management I can't see the permission field related to the home directory permission. My purpose is to stop other users accessing my home directory, how can it be possible??
Jan 6, 2009
At the RHEL prompt, I entered the standard user's username/password combo. Linux displays a message box stating: "Your account has expired; please contact your system administrator." Next, I entered "root" in the username field and entered the root password (which expired also--keep in mind that passwords are set to expire after x days). Linux displays a message box stating: "You are required to change your password immediately (password aged)." When prompted to "Enter current UNIX password", I entered the new password (was that the right thing to do?); Linux displays a message box stating: "The change of the authentication token failed. Please try again later or contact the system administrator." I rebooted the system and got into command line mode; somehow I logged in as "root" (don't know exactly how, but needed to change the password there). At the "#" prompt, I type "passwd root"; Linux displays the message "Changing password for user root", followed by the message "passwd: Authentication information cannot be recovered.
Apr 15, 2009
I've been looking for this feature for months and couldn't find a solution for this. Does anyone know how to create users and limit the user to a specified directory?
View 6 Replies
View Related
Jun 29, 2010
Is there a way in Linux to force atomicity of user code sections on a multi-core x86 chip?
I know in classes I have taken we disable/enable interrupts, but I don't think that works on a CMP.
Basically, I want to stop the kernel from being able to switch off my process for some period of time.
May 5, 2010
Google just announced the release of Jarlsberg, a microblogging app specifically designed to be full of bugs and security flaws. The app is being released through Google Labs and Google Code University as a security tutorial for coders. Google is encouraging programmers to try their hands at exploiting weaknesses in Jarlsberg as a way of teaching them how to avoid similar vulnerabilities in their own code.