5 Common Linux Misconfigurations
The common issues I talk about here are things I have seen from my
experience as a sysadmin and security consultant doing reviews, pentests and
managing servers. These things have been used to to gain access to servers,
gain root access, getting user or root access on other servers though pivoting
or by the wealth of information these configurations reveal.
5 Common Linux Misconfiguration are as follows:
- User home directory permissions
- getgid and setuid binaries
- World-readable and writable files/folders
- Weak services in use
- Default NFS mount options or insecure export options
1. User home permissions
On most Linux distributions the default permissions for home folders is 755
which means that any user who had access to the server can see what is in other
user’s home folders. Some users such as administrators or developers may have
scripts or backups of files in their home folders which contain sensitive
information such as user passwords and keys to services to the same or other
servers on the network.
2. Setgid and setuid binaries
The set uid bit on a file is dangerous because it allows that file to run as a potentially privileged user such as root. If a file is owned by root and had the set uid bit set the file will run with the privileges of root. This means that if an attacker can find a vulnerability or unexpected uses of that file he can then perform commands on the system as the root user which means a full compromise of the server.
The command to find these files:
find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls
3. World readable and writable files/folders
World-readable and writable files and folders introduce similar issues as
loose user home permissions but throughout the system. The main cause of world
readable files is the default umask used for file creation of either 0022 or
0002. As a result of this configuration weakness, files that may contain
sensitive information will be readable by anyone that has access to the system.
Files may also be modified by anyone on the system if they are world-writable.
This can lead to an attacker modifying files or scripts to hide forensic
evidence or to execute commands by modifying a script used by
The command to find world writable files and folders:
Find World Writable Folders
find / -xdev -type d -perm -0002 -ls
Find World Writable Files
find / -xdev -type f -perm -0002 -ls
4. Weak services or configurations
Services are configured with the minimum configuration changes needed to get
them up and running. It is not uncommon to find services Also, Weak and
possibly default credentials and configurations when using less secure
communication channels are also typical, increasing the risk and attack surface
of the server. When using services the options and configuration should be
reviewed to ensure that what is being deployed is secure or properly
configured. It’s also not uncommon to find these services bound to multiple
interfaces on the server instead of just listening locally or just on the
5. Default mount options or insecure export options
The defaults keyword for all mounts have the following options “rw, suid,
dev, exec, auto, nouser, and async”. These options are weak since they allow
for the honoring of the suid and guid bits that are set on externally mounted
file systems via protocols such as NFS. When exporting NFS shares it is
recommended that the no_root_squash option not be set. The root-squash option
is the default behavior but it is commonly seen to be changed. If
root-squashing in not done it allows users to create files on the exported NFS
share as the root user. These weaknesses if left as defaults, can allow for
root access on servers where such access is not provided for users.
The settings identified here are areas that are commonly overlooked when configuring a Linux server. These weaknesses can be used by attackers or malicious users to gain a wealth of information or elevated privileges on a server. Hardening your system makes it more difficult for a user to compromise it, and also more difficult to use the system as means to access other systems within the environment.
I wrote this post for my my company and decided to post it here as well, you can find it here as well.