this post was submitted on 21 Nov 2023
37 points (89.4% liked)

Linux

48624 readers
1609 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Title. Long,short story: creating or editing files with nano as my non-root user gives (the file) elevated privileges, like I have ran it w/ sudo or as root. And the (only) "security hole" that I can think of is a nextdns docker container running as root. That aside, its very "overkill" security-wise (cap_drop=ALL, non-root image, security_opt=no_new_privileges, etc.).

It's like someone tried to hack me but gave up halfway. Am I right or wrong to assume this? Just curious.

Thanks in advance.

you are viewing a single comment's thread
view the rest of the comments
[–] GustavoM 3 points 1 year ago (1 children)

Try an ls -l $(which nano) and look at the permissions section of the output.

Just did it -- output is -rwxr-xr-x 1 root root 274816 Feb 19 2022 /usr/bin/nano. Now I'm really confused. Still, I appreciate your input.

[–] TootSweet 8 points 1 year ago* (last edited 1 year ago) (1 children)

Yeah, tha'ts weird.

Maybe try alias nano and LC_ALL=C type nano. Those test whether you have an alias or function named "nano" in bash that might be being run instead of /usr/bin/nano.

Oh, also, whoami and id. Maybe there's something weird with how you're logged in and despite not having the username "root" you're still uid 1 or something strange like that?

Oh! Also maybe while you've got nano running, do a ps aux | grep nano and see which user is reported to own that process.

[–] GustavoM 1 points 1 year ago* (last edited 1 year ago) (2 children)

Alright, first one returned me "bash: alias: nano: not found". Second one, "nano is hashed (/usr/bin/nano)". Third one, my sudoer username. And the fourth one shows my sudoer username at the top of the list, with both uid and gid at 1000.

And I honestly can't really think of much to add, other than the username in the docker image being completely nonexistant (It's just a bunch of numbers, and it doesn't even have a name). I don't know, maybe someone managed to breach the container and gave this "nonexistant user" root privileges but haven't managed to do much or something like that. I'm not that much of a tech savvy, but I guess it doesn't hurt to try to guess something. Maybe there is something inside the container? Idk, I'm gonna (try to) check it out (It's a "distroless" image -- it doesn't even have a shell in it.).

[–] TootSweet 3 points 1 year ago* (last edited 1 year ago) (1 children)

You're not running nano in a docker container, are you? You're running nano on a host Linux system, yeah?

Oh, and did you see the ps aux | grep nano one? (Sorry about that. I probably edited that into my post while you were working on a response.)

[–] GustavoM 1 points 1 year ago (1 children)

No and yes. And it returns me only a single line with $mysudoerusername 28596 0.0 0.1 5896 2016 pts/0 5+ 15:52 0:00 grep nano.

[–] TootSweet 4 points 1 year ago (1 children)

It returns that while you have nano running? If so, maybe try ps aux (without the grep part) and just look through until you find "nano" listed. Just to make sure whether it's running as root or your non-root user.

(And just to be clear, "my sudoer username" means the non-root user that you're running nano as, right?)

Just a gut feeling, but it feels to me so far like this probably isn't a hack or security thing. But of course, once the (no pun intended) root issue is found, that'll provide more info.

[–] GustavoM 1 points 1 year ago

No. ps aux remains the same. And yes, "My sudoer username" is my non-root user with sudo privileges. Therefore, the "sudoer".

And I'm not really "pulling my hair out" because of this, honestly -- just curious if this can be mentioned as a hack, a hack attempt, or whatevertheheck. Because this is the first time in my entire life that this happened with me, so yep.

[–] Nibodhika 2 points 1 year ago (1 children)

Wait, why did you mentioned docker?

[–] GustavoM 1 points 1 year ago* (last edited 1 year ago)

Just adding more (relevant) info, since its my "security hole" as of now. As mentioned in the OP.