Root Accounts - The Root of All Evil?

Thursday, September 30, 2010

Contributed By:
Jamie Adams

In the Linux operating system, the root account has unlimited power. If not used carefully, unexpected, evil things can happen to your system.

I could tell you horror stories involving mistyped commands while logged in as root. Now, imagine this power in the hands of attacker—executing any command they desire with methodical precision.

Only Use the Root Account When Absolutely Necessary

Too often system administrators immediately jump to the root level to perform routine tasks — this is when mistakes occur. The administrator is in a hurry and one wrong space, sitting in the wrong directory, or typed an incorrect parameter - all can result in evil things the moment the [ENTER] key is pressed.

I used to tell junior administrators:

“Stop and remove your hands from the keyboard. Now, slow down and think about what you are doing. When in doubt, do not hit that [ENTER] key. Your lightening speed on the keyboard does not impress me and as far as completing your assigned tasks, I want quality not quantity.”

This advice extends to experienced administrators, too. They’ve done these tasks so often, sometimes they can have a lackadaisical or even cavalier attitude.

Since senior administrators have more commands in their repertoire, this situation is more toxic than a junior administrator who may only know a fraction of commands.

Protect the Root Account from Compromise

Whenever possible, software developers should avoid writing applications with root level access. Typically system administrators are not developers and developers are not system administrators.

System administrators are often responsible for hosting many applications on the same server.

It is critical that you work together through out the product’s life cycle and ensure the development environment is as close to the production as possible. If you don’t, there could be deployment problems.

When the management team is standing over you about to go into panic mode, crunch time can result in relaxing access controls in order to get an application to run. Bad move!

Tell management to relax and fetch you a cup of coffee while you sort it out… they love that.

Always run applications, such as Apache web server, as non-root accounts. This way if the application is compromised, root level access is not immediately given to the attacker. Consider using technologies such as sudo, SELinux, and AppArmor.

Also, establish common groups through traditional discretionary access controls and POSIX.1e access control lists (ACL).

Know Who is Using the Root Account

First and foremost, you should never log directly into the root account. Log into your designated user account and use the switch user command to become root. If personnel login in directly as root, you have no audit trail to help identify who became root and performed administrative tasks.

Grant system administrator accounts membership in the wheel group and use pam_wheel(8) to allow only group members to switch to the root account.

The only time you should login directly as root is when you are physically on the console and entering single-user mode to perform critical maintenance.

To prevent this, modify the securetty(5) configuration file to include only authorized devices root can directly login.

Set PermitRootLogin to ‘no’ in the Secure Shell daemon configuration file. If you are running an FTP site, be sure to edit your ftpusers(5) file.

Many people are confused by the term console as it pertains to the securetty(5) file. On many virtual machines, console is not the physical device you directly login. Additionally, in some hardware configurations the console isn't always the console.

To identify your desired device name to store in the securetty(5) file, login in as root before editing the file and use the who(1) command to identify your current login device. Now, add that device to the securetty(5) file.

Lastly, edit the syslog.conf(5) or syslog-ng.conf(5) to log all authpriv messages to /var/log/secure and if possible, configure auditd(8). Don’t forget to routinely examine /var/log/secure to see who has gained access to root.

Summary

There are many other techniques and things to consider when protecting your root account. These are just a taste to get you thinking about how important this account is to the system.

It is imperative that you control administrative privileges such as root. For more ideas and information, see Critical Control 8: Controlled Use of Administrative Privileges of the Consensus Audit Guidelines. Security Blanket automates many of these tasks but there is no substitute for a well-trained, disciplined team of system administrators.

Cross-posted from Security Blanket Technical Blog

Share This! |

Views:	3367
Categories:	Operating Systems
Industries:	Information Security
Tags:	Linux Root Accounts

Post Rating I Like this!

Comments:

Michael Menefee rm -rf /* [ENTER]

oops...:)

Good article Jamie!

1285907026

Jamie Adams Thanks Michael! That command, my friend, is considered the "Original Sin" ..the "Radix Mali"

1285930126

Susan V. James Once, many years ago when I was just starting out as a Unix SA, I accidentally removed /usr/bin on a production central funding server - thankfully, the mount command was in /etc. I was able to NFS mount a copy of /usr/bin from another server. Everyone makes mistakes - and the more authority and more experienced you are, your mistakes will be proportionately larger due to all the things you believe you know how to do, and your higher level of self-confidence.

I almost never run any commands as root now.

A pet peeve of mine are developers and application support staff who are unable to articulate their exact need for root, so just ask for sudo access to a root shell - I also don't have very friendly feelings about bullying developer management that insists that free reign of the root account just be given over, otherwise the SA is impeding their progress installing "most important application."

1285944498

Susan V. James FYI - did you know that the rm command can rm itself?

1285944584

Jamie Adams @Susan haha! Thank you for your comment. That is a good point. When you don't grant root access but you give them only the specific commands they need via sudo, some people take that as a slap in the face. Like they aren't good enough to have it. It is nothing personal! What happened to least privilege concept? When I worked in the TS/SCI world, we functioned on need-to-know... the operating system world should be need-to-use! In the database realm and MLS/MAC systems, the concept of roles seems to hurt some egos,too. I think it makes people stop and think about what they are doing which is so critical. Again, thanks for your comment.

1285960109

Jamie Adams As a side note, when building policies for the Security Enhanced Linux (SELinux) and the AppArmor world, you must identify exactly what types of access is required when building the policy for an application. It forces people, to know exactly what the application is doing (e.g, network ports, file access). It makes them clearly document and understand the architecture and each sub-function. It is the equivalent to the old scenario where a developer or sysadmin doesn't know how something works so, they just throw their hands up and set the DACs wide open (777). Very scary. (Okay. Jamie is now off his soap box). :-)

1285960343

Susan V. James Heh - don't stop there Jamie... what about commercially developed software (sold by HAL no less - if you read Arthur C. Clark you'll understand to whom I am referring) that installs software with a default umask of 0! And then to add insult to injury, the support team installing the software says we "musn't change those permissions because that's the way the vendor designed the software! It won't work any other way!" Oh... really??

1285965555

Keith Howell @Susan - According to Arthur C. Clark, HAL and 'Big Blue' are not related. See http://en.wikipedia.org/wiki/HAL_9000 for more information.

However, I have also seen start-up scripts that have to be run as root because they chmod various files so that the software will work. The software authors just didn't know how to set group memberships to achieve the same thing in a more secure manner.

1285969680

Jamie Adams Thanks for comments... and WOW! We find this stuff humorous because these are fundamental principals of security being ignored. Amazing. What can we do about this stuff! To reduce operating costs, it seems people (vendors) strive for ease of installation, portability, and support at the cost of security. As you've probably already figured out, I am a brick-and-mortar kind of engineer. All the technology and processes in the world isn't going to help if people are lazy or the fundamentals are ignored.

1285971222

Susan V. James @Keith - You understood the reference right away however, true or false associations aside. Most people are content to connect the dots into a familiar shape, less concerned if it was the shape that was actually intended. Good catch.

But wait a minute - isn't this why we wind up with poorly configured security too?

I've also seen the manipulation of world file permissions over-used as the method of granting access. I believe that this is a favorite solution when the people who are developing the software may not actually have the administrative access to create groups, and do not want to *waste time* working through the to set up more secure access by way of group privilege. They will default to whatever they can control themselves, because it is the fastest thing to do to achieve the goal of getting the software to work.

When people talk about "security in the SDLC", I suspect that most of the time they're talking about secure coding. Too often, scant attention is paid to how well the software actually makes use of the OS's available security control mechanisms when it gets installed.

1285971946

Susan V. James Sorry - typo - meant "do not want to waste time working through the sysadmin to set up secure access by way of group management." I wish we could edit our comments.... /sigh

1285972064

Michael Menefee @Susan,

We dont let people edit their comments after the fact, in order to preserve the true, original conversation.

I've run sites before where someone starts a flame war, then edits their original comment to make everyone else look like the schmucks.

Plus, we dont have time to moderate :)

Sure, we could rug up some slick, time-based thing but that would be time-consuming.

1285972485

Susan V. James ...slackers... /grin

But I understand your position entirely. Thanks for clarifying.

1285972674

Michael Menefee Thanks for understanding.

I will tell you that we are building a reputation-based system here on the Island, so trustworthy Island members will be able to earn the right to unlock certain features.

I just added Editing Comments to that list of unlockables :)

1285972928

Susan V. James Wow - this is going to be better than Halo! Un-lockable Super Powers! I love it!!

1285973257

You Must Register or Login to Comment

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked

Latest Member Comments

"I thought this article discuss a very important issue of security.If we have well developed technology in one particular field then we ..."

Mobile Security Processes Could Be Applied t... Johnnie Nix on 05-21-2013

"ATM machine are for our convenience but if we are not careful they can compromise our safety. Discount theater tickets "

ATM Security (And Really Learning from the P... Johnnie Nix on 05-21-2013

"A expressive case study is used to explore causation in order to find underlying principles. Case studies may be prospective in which c..."

New Study Published on Mobile Malware... Caitlin Rachel on 05-21-2013

"In the social sciences and life sciences a case study or case report is a descriptive or descriptive analysis of a someone, group or ev..."

Case Study: A Cloud Security Assessment... Caitlin Rachel on 05-21-2013