The common issues I talk about here are things I have seen from my experience as a sysadmin and security consultant doing reviews, pentests and managing servers. These things have been used to gain access to servers, gain root access, get user or root access on other servers through pivoting, or by the wealth of information these configurations reveal.

5 Common Linux Misconfigurations are as follows:

  1. User home directory permissions
  2. Setgid and setuid binaries
  3. World-readable and writable files/folders
  4. Weak services in use
  5. Default NFS mount options or insecure export options

1. User home permissions

On most Linux distributions the default permission mode for home directories is 755, which means that any user with access to the server can read the contents of other users' home directories. Some users, such as administrators or developers, may keep scripts or backups of files in their home directories that contain sensitive information such as user passwords and keys to services on the same or other servers on the network.
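As an added example (mine, not from the original post), the following shell functions audit a base directory such as /home for home directories that grant "others" any access, and tighten them to 750. They assume GNU find, stat and chmod as shipped on Linux; the base path is supplied by the caller.

```sh
#!/bin/sh
# Added example, not part of the original post. Assumes GNU find/stat/chmod.

# List each immediate subdirectory of the base directory $1 whose mode
# grants "others" any permission. A default 755 home directory matches;
# a 750 or 700 one does not. Output: "<octal mode> <path>".
audit_home_perms() {
    # -perm /007: any of the read/write/execute bits for others is set
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /007 -printf '%m %p\n' | sort
}

# Tighten every such directory to 750: owner full access, group read and
# traverse, nothing for others. Use 700 instead if the group should be
# excluded as well. Directories that already exclude others are untouched.
harden_home_perms() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /007 -exec chmod 750 {} +
}

# Octal mode of a path, used to verify the result (e.g. 750).
mode_of() {
    stat -c '%a' "$1"
}

# Usage: sh this_script.sh /home   (audit only; call harden_home_perms to fix)
if [ $# -gt 0 ]; then
    audit_home_perms "$1"
fi
```

Run the audit first and review the list before hardening: on some distributions a web server or mail delivery agent expects to traverse a user's home directory, and 750 with an appropriate group is the usual compromise.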

2. Setgid and setuid binaries

The setuid bit on a file is dangerous because it makes that file run as a potentially privileged user such as root: if a file is owned by root and has the setuid bit set, the file runs with root's privileges (the setgid bit does the same for the file's group). This means that if an attacker finds a vulnerability in, or an unexpected use of, such a file, they can run commands on the system as the root user, which is a full compromise of the server.

The command to find these files:

    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls
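The find command above gives a one-off listing; what a defender usually wants is to know when a new setuid or setgid file appears. The added example below (mine, not from the original post) stores that listing as a baseline and compares later snapshots against it. It assumes GNU find and the coreutils comm utility; the tree root and file paths are supplied by the caller.

```sh
#!/bin/sh
# Added example, not part of the original post. Assumes GNU find and coreutils.

# Record every setuid or setgid regular file under the tree $1 into file $2,
# one "<octal mode> <path>" line each, sorted so snapshots can be compared.
snapshot_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %p\n' \
        2>/dev/null | sort > "$2"
}

# Print entries that are in the current snapshot $2 but not in baseline $1,
# i.e. files that gained setuid/setgid (or newly appeared) since the baseline.
# Returns 1 when anything new was found, so the call can drive a cron alert.
report_new_privileged() {
    new=$(comm -13 "$1" "$2")
    if [ -n "$new" ]; then
        printf '%s\n' "$new"
        return 1
    fi
    return 0
}

# Usage (paths are assumptions, not from the post):
#   snapshot_privileged / /var/lib/suid.baseline      # once, on a known-good host
#   snapshot_privileged / /tmp/suid.now \
#       && report_new_privileged /var/lib/suid.baseline /tmp/suid.now
```

A mode change on an existing path also shows up as a new line, because the mode is part of the entry, so a binary that was 755 in the baseline and is now 4755 is reported.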

3. World readable and writable files/folders

World-readable and world-writable files and directories introduce the same issues as loose home directory permissions, but throughout the system. The main cause of world-readable files is the default umask used at file creation, typically 0022 or 0002, which leaves new files readable by everyone. As a result of this configuration weakness, files that may contain sensitive information are readable by anyone with access to the system. If files are also world-writable, anyone on the system can modify them, which lets an attacker alter files or scripts to hide forensic evidence or to execute commands by modifying a script that administrators run.

The commands to find world-writable folders and files:

Find world-writable folders:

    find / -xdev -type d -perm -0002 -ls

Find world-writable files:

    find / -xdev -type f -perm -0002 -ls
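The two commands above also list directories such as /tmp that are world-writable by design but protected by the sticky bit. The added example below (mine, not from the original post) skips those, keeps files and directories apart, and removes the world-write bit from files. It assumes GNU find, stat and chmod; the root of the tree is supplied by the caller.

```sh
#!/bin/sh
# Added example, not part of the original post. Assumes GNU find/stat/chmod.

# World-writable directories without the sticky bit (mode 1000). In such a
# directory any user can rename or delete other users' entries; /tmp-style
# directories with the sticky bit set are intentionally skipped.
find_ww_dirs_without_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -printf '%m %p\n' 2>/dev/null | sort
}

# World-writable regular files. Executable ones (scripts run by root or cron)
# deserve the first look, since anyone on the system can change what they do.
find_ww_files() {
    find "$1" -xdev -type f -perm -0002 -printf '%m %p\n' 2>/dev/null | sort
}

# Remove the world-write bit from every regular file under $1, leaving the
# other permission bits as they are.
strip_world_write_files() {
    find "$1" -xdev -type f -perm -0002 -exec chmod o-w {} +
}

# Usage: sh this_script.sh /   (audit only)
if [ $# -gt 0 ]; then
    echo "== world-writable directories without sticky bit"
    find_ww_dirs_without_sticky "$1"
    echo "== world-writable files"
    find_ww_files "$1"
fi
```

Review the directory list by hand rather than stripping write bits in bulk: a shared drop directory may be intentionally world-writable, and the fix there is to add the sticky bit (chmod +t) rather than remove write access.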

4. Weak services or configurations

Services are often configured with the minimum changes needed to get them up and running. Weak and possibly default credentials are common, as are configurations that use less secure communication channels, both of which increase the risk and attack surface of the server. When deploying a service, its options and configuration should be reviewed to ensure that what is being deployed is secure and properly configured. It is also not uncommon to find these services bound to every interface on the server instead of listening only locally or only on the intended interface.
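One concrete check for that last point, added here as an example rather than taken from the original post: parse the output of `ss -ltn` and report TCP listeners bound to all interfaces. The sample lines are constructed to look like `ss` output, not captured from a real host; on a live system run `ss -ltn | wide_listeners`.

```sh
#!/bin/sh
# Added example, not part of the original post. POSIX sh and awk only.

# Read `ss -ltn` style lines on stdin and print "<port> <address>" for each
# listener bound to every interface (0.0.0.0, * or [::]) rather than to
# loopback or one specific address.
wide_listeners() {
    awk 'BEGIN { wide["0.0.0.0"] = 1; wide["*"] = 1; wide["[::]"] = 1 }
         $1 == "LISTEN" {
             # Field 4 is Local Address:Port; the port follows the last colon
             n = split($4, part, ":")
             port = part[n]
             addr = substr($4, 1, length($4) - length(port) - 1)
             if (addr in wide) print port, addr
         }'
}

# Constructed sample resembling `ss -ltn` output (not from a real host).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      511    *:80                *:*
LISTEN 0      128    [::]:111            [::]:*
LISTEN 0      128    [::1]:6379          [::]:*
EOF
}

# Usage on a live system: ss -ltn | wide_listeners
if [ $# -eq 0 ]; then
    sample_ss_output | wide_listeners
fi
```

On the sample this reports ports 22, 80 and 111; the database on 127.0.0.1:3306 and the cache on [::1]:6379 are correctly left out. Each reported port should either be one the host is meant to serve externally or be rebound to the specific interface in the service's configuration.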

5. Default mount options or insecure export options

The defaults keyword for a mount expands to the options rw, suid, dev, exec, auto, nouser and async. These are weak because suid honors the setuid and setgid bits set on files in externally mounted file systems, such as those mounted via NFS. When exporting NFS shares, the no_root_squash option should not be set. Root squashing is the default behavior, but it is commonly changed. If root squashing is not done, a user who is root on a client can create files on the exported NFS share as the root user. Left at their defaults, these weaknesses can allow root access on servers where such access is not provided to users.
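As an added example (mine, not from the original post), the shell functions below check /etc/exports-style lines for no_root_squash and for exports open to any client, and /proc/mounts-style lines for NFS mounts that lack nosuid and nodev. The input lines are constructed samples; on a live system use `check_exports < /etc/exports` on the server and `check_mount_opts < /proc/mounts` on the client.

```sh
#!/bin/sh
# Added example, not part of the original post. POSIX sh and awk only.

# Read /etc/exports format on stdin and print "<export> <client> <reason>"
# for clients granted no_root_squash and for exports open to any client (*).
check_exports() {
    awk '/^[ \t]*(#|$)/ { next }
         {
             for (i = 2; i <= NF; i++) {
                 host = $i; opts = ""
                 p = index($i, "(")
                 if (p > 0) {
                     host = substr($i, 1, p - 1)
                     opts = substr($i, p + 1, length($i) - p - 1)
                 }
                 if (opts ~ /(^|,)no_root_squash(,|$)/) print $1, host, "no_root_squash"
                 if (host == "*" || host == "") print $1, host, "any-client"
             }
         }'
}

# Read /proc/mounts format on stdin and, for NFS mounts, print the mount
# point and which of nosuid/nodev are missing from its options.
check_mount_opts() {
    awk '$3 ~ /^nfs/ {
             opts = "," $4 ","
             missing = ""
             if (opts !~ /,nosuid,/) missing = missing " nosuid"
             if (opts !~ /,nodev,/)  missing = missing " nodev"
             if (missing != "") print $2 " missing:" missing
         }'
}

# Constructed samples (not from any real host).
sample_exports() {
    cat <<'EOF'
# backups for the jump host
/srv/backup   10.0.0.0/24(rw,sync,no_root_squash)
/srv/www      *(ro,sync)
/srv/home     10.0.0.0/24(rw,sync,root_squash)
EOF
}
sample_mounts() {
    cat <<'EOF'
nfsserver:/srv/backup /mnt/backup nfs4 rw,relatime,vers=4.1,hard 0 0
nfsserver:/srv/www /mnt/www nfs4 rw,nosuid,nodev,relatime,vers=4.1 0 0
EOF
}
```

The fix on the client side is to add nosuid,nodev (and noexec where nothing on the share needs to run) to the mount's options in /etc/fstab; on the server side, drop no_root_squash and restrict the client list to the hosts or subnets that need the export.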

The settings identified here are areas that are commonly overlooked when configuring a Linux server. These weaknesses can be used by attackers or malicious users to gain a wealth of information or elevated privileges on a server. Hardening your system makes it more difficult for a user to compromise it, and also more difficult to use the system as a means to access other systems within the environment.

I wrote this post for my company and decided to post it here as well; you can find it here as well.