Linux / UNIX : How to find files which has SUID/SGID set ...
Exploitation and distribution of setuid and setgid ...
Finding setuid binaries on Linux and BSD - Linux Audit
BE CAREFUL! THIS SCRIPT IS INVOKED FROM A SETUID ROOT BINARY
permissions - Using find -perm to find setuid files - Unix ...
Proxmox containers not running after apt upgrade
I recently performed an apt upgrade and my lxc containers stopped working. When starting a container, no error message appears and the web UI responds with "Task OK" but the container doesn't actually start I tried pct start 100 also, and no error message was displayed, but trying to pct enter 100 returns Error: container '100' not running! Not entirely sure which package caused it, bu this this is the apt/history.log
I tried lxc-start with logs instead, and got these messages:
# lxc-start -n 100 -F -l DEBUG -o /tmp/lxc-100.log lxc-start: 100: lsm/apparmor.c: run_apparmor_parser: 892 Failed to run apparmor_parser on "/valib/lxc/100/apparmolxc-100_<-var-lib-lxc>": apparmor_parser: Unable to replace "lxc-100_". Profile doesn't conform to protocol lxc-start: 100: lsm/apparmor.c: apparmor_prepare: 1064 Failed to load generated AppArmor profile lxc-start: 100: start.c: lxc_init: 845 Failed to initialize LSM lxc-start: 100: start.c: __lxc_start: 1903 Failed to initialize container "100" lxc-start: 100: tools/lxc_start.c: main: 308 The container failed to start lxc-start: 100: tools/lxc_start.c: main: 314 Additional information can be obtained by setting the --logfile and --logpriority options # tail /tmp/lxc-100.log lxc-start 100 20200712012140.203 ERROR start - start.c:lxc_init:845 - Failed to initialize LSM lxc-start 100 20200712012140.203 ERROR start - start.c:__lxc_start:1903 - Failed to initialize container "100" lxc-start 100 20200712012140.203 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2642 - The binary "/usbin/newuidmap" does have the setuid bit set lxc-start 100 20200712012140.203 DEBUG conf - conf.c:idmaptool_on_path_and_privileged:2642 - The binary "/usbin/newgidmap" does have the setuid bit set lxc-start 100 20200712012140.203 DEBUG conf - conf.c:lxc_map_ids:2710 - Functional newuidmap and newgidmap binary found lxc-start 100 20200712012140.208 NOTICE utils - utils.c:lxc_setgroups:1366 - Dropped additional groups lxc-start 100 20200712012140.208 INFO conf - conf.c:run_script_argv:340 - Executing script "/usshare/lxc/hooks/lxc-pve-poststop-hook" for container "100", config section "lxc" lxc-start 100 20200712012140.893 INFO conf - conf.c:run_script_argv:340 - Executing script "/usshare/lxcfs/lxc.reboot.hook" for container "100", config section "lxc" lxc-start 100 20200712012141.395 ERROR lxc_start - tools/lxc_start.c:main:308 - The container failed to start lxc-start 100 20200712012141.395 ERROR lxc_start - tools/lxc_start.c:main:314 - Additional information can be obtained by setting the --logfile and --logpriority options
Trying to access the apparmor directory shows that it doesn't exist, could the upgrade have deleted the directory?
# ls /valib/lxc/100/apparmor ls: cannot access '/valib/lxc/100/apparmor': No such file or directory # ls -l /valib/lxc/100/ total 8 -rw-r--r-- 1 root root 977 Jul 12 09:21 config drwxr-xr-x 2 root root 4096 Jun 15 2019 rootfs
My filesystem is ext4, many issues I found regarding upgrade failures involves zfs but I don't use zfs I'm not familiar enough with apparmor to go any deeper and also not entirely sure how to use tools/lxc_start.c directly with the --logfile/--logpriority options either, not sure what other logs/config files would be helpful in finding the issue, but here are a few more:
# pct config 100 arch: amd64 cores: 2 hostname: apache memory: 512 nameserver: 1.1.1.1 net0: name=eth0,bridge=vmbr0,gw=192.168.0.1,hwaddr=82:B1:0D:3C:47:68,ip=192.168.0.42/16,ip6=dhcp,type=veth onboot: 1 ostype: ubuntu parent: upgrade rootfs: local-lvm:vm-100-disk-0,size=20G startup: order=1,up=30 swap: 1024 unprivileged: 1 # systemctl status [email protected] ● [email protected] - PVE LXC Container: 100 Loaded: loaded (/lib/systemd/system/[email protected]; static; vendor preset: enabled) Active: failed (Result: exit-code) since Sun 2020-07-12 09:27:47 +08; 16min ago Docs: man:lxc-start man:lxc man:pct Process: 30827 ExecStart=/usbin/lxc-start -F -n 100 (code=exited, status=1/FAILURE) Main PID: 30827 (code=exited, status=1/FAILURE) Jul 12 09:27:44 alpha systemd[1]: Started PVE LXC Container: 100. Jul 12 09:27:47 alpha systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE Jul 12 09:27:47 alpha systemd[1]: [email protected]: Failed with result 'exit-code'. # journalctl -xe -- The job identifier is 100128. Jul 12 09:50:16 alpha systemd[1]: Started PVE LXC Container: 100. -- Subject: A start job for unit [email protected] has finished successfully -- Defined-By: systemd -- Support: https://www.debian.org/support -- -- A start job for unit [email protected] has finished successfully. -- -- The job identifier is 100210. Jul 12 09:50:16 alpha kernel: EXT4-fs (dm-13): mounted filesystem with ordered data mode. Opts: (null) Jul 12 09:50:17 alpha audit[1534]: AVC apparmor="STATUS" info="failed to unpack end of profile" error=-71 profile="unconfined" name="lxc-100_" pid=1534 comm="apparmor_parser" name="lxc-100_" offset=151 Jul 12 09:50:17 alpha kernel: audit: type=1400 audit(1594518617.147:54): apparmor="STATUS" info="failed to unpack end of profile" error=-71 profile="unconfined" name="lxc-100_" pid=1534 comm="apparmor_parser" name="lxc-100_" offset=151 Jul 12 09:50:18 alpha systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE -- Subject: Unit process exited -- Defined-By: systemd -- Support: https://www.debian.org/support -- -- An ExecStart= process belonging to unit [email protected] has exited. -- -- The process' exit code is 'exited' and its exit status is 1. Jul 12 09:50:18 alpha systemd[1]: [email protected]: Failed with result 'exit-code'. -- Subject: Unit failed -- Defined-By: systemd -- Support: https://www.debian.org/support -- -- The unit [email protected] has entered the 'failed' state with result 'exit-code'.
Detached LUKS header full disk encryption with encrypted keyfile inside a passphrase-protected bootable keydisk using direct UEFI secure boot, encrypted swap, unbound with DNSCrypt and DNSSEC, and system hardening
EDIT: added parts to Arch Wiki
I. Installation
General tips and notes:
If you're paranoid about leaving the internet connected when you don't need it, use 'rfkill block ' on wifi or ip link set down on any interface to disconnect it, press the airplane or wifi button, or disconnect manually. 'ip link' gives you a list of available devices.
The encrypted volume, when prepared properly, will appear to be a continuous stream of random characters from the outside. When choosing between this or that, remember it only has to be done once as long as the drive remains an encrypted drive (no plain text directly stored on it).
Use /dev/urandom unless you have a smaller machine like raspberry pi or know what you're doing.
For the usb drive, since we're encrypting the drive and the keyfile inside, I prefer to cascade the ciphers so I don't use the same one twice. Whether a meet-in-the-middle attack would actually be feasible, I don't know. You can do twofish-serpent or serpent-twofish.
Consider putting "customencrypthook" on a USB or SD card and mount that during the install to get the files without having to type it out yourself.
This guide assumes you have an UEFI laptop but if you don't and use a BIOS setup you should still be able to get some use out of this, although you won't be able to secure boot. In that scenario I'm sure you you could find some hackish manual workaround using gpg signatures, checksums, and a safe live usb or installation media to check with.
I. Part I: Preparing the devices Before you begin, go to your EFI settings (commonly referred to as BIOS settings although technically it's EFI now) at boot time using the designated function key. On my laptop that's F10 but you should google yours. Now go to Boot options and disable Secure Boot, then clear keys, this will leave the TPM in a receptive state for when we enroll our custom keys later. Note the clear keys option should be on the same page as the secure boot option, and it is not the separate TPM keys option which is something different. When you save changes and exit you may have to hit a key combination and press enter to verify. Make sure to run 'lsblk' to find out what your block device mappings are, don't copy this blindly. We're overwriting all the data, so if there's files you need copy them or image them with Clonezilla to a different drive and leave that one unplugged.
dd if=/dev/urandom of=/dev/sda bs=4096
#hard drive (just wait, a 500gb HDD took around 2.5 hours)
dd if=/dev/urandom of=/dev/sdb bs=4096
#USB
I. Part II: Preparing the USB key
gdisk /dev/sdb
n 1 2048 +512M EF00
n is new partition, L shows all hex codes for filesystems (EF00, 8300), t allows you to change a filesystem after creating a partition
n 2 (Hit enter to accept the automatic start value here) +250M 8300
Note: the -i is for iteration time in milliseconds for the key derivation function pbkdf, it should be at least 5000 (5 seconds), but preferably put it as high as you can stand. For me, that's about 30 seconds.
cryptsetup open /dev/sdb2 cryptboot
mkfs.ext2 /dev/mappecryptboot
Note: I picked ext2 for simplicity and to avoid journaling since it's just a usb drive
Note: You should make the file larger than 8192 bytes (the maximum keyfile size for cryptsetup) since the encrypted loop device will be a little smaller than the file's size. 20M might be a little too big for you, but 1) With a big file, we'll use --keyfile-offset=X and --keyfile-size=8192 to navigate to the correct position and 2) having too small of a file will get you a nasty 'Requested offset is beyond real size of device /dev/loop0' error. Shoutout to the Gentoo Wiki for showing me how to do this easily and this thread from the Arch Linux forums for the inspiration. And the Gentoo Wiki again for explaining the size issue. Now you should have 'lukskey' opened in a loop device (underneath /dev/loop1), mapped as /dev/mappelukskey I. Part III: The main drive
Pick an offset, and a number of milliseconds you can wait for
cryptsetup open --header header.img --key-file=/dev/mappelukskey --keyfile-offset=X --keyfile-size=8192 /dev/sda enc
cd /
cryptsetup close lukskey
umount /mnt
(if it complains about being busy make sure lukskey container is closed then "ps -efw" to find hanged processes and their PIDs to kill with "kill -9 "
pvcreate /dev/mappeenc
vgcreate store /dev/mappeenc
lvcreate -L 20G store -n root
lvcreate -L 4G store -n swap
lvcreate -l 100%FREE store -n home
You can name "store" anything you want, the number of GB is up to you (note my root partition is currently using 3.9GB if you're looking for a rough minimum), swap space doesn't have to be twice your RAM unless you have a machine with very low RAM. Some people do the size of their RAM, some do half of their RAM, some do less. If you plan on suspending and hibernating, which I don't recommend (it's more proper to shutdown so the encryption keys are wiped from memory) then you would do at least the size of your RAM.
mkfs.ext4 /dev/store/root
mkfs.ext4 /dev/store/home
mount /dev/store/root /mnt
mkdir /mnt/home
mount /dev/store/home /mnt/home
mkswap /dev/store/swap
swapon /dev/store/swap
mkdir /mnt/boot
mount /dev/mappecryptboot /mnt/boot
mkfs.fat -F32 /dev/sdb1
mkdir /mnt/boot/efi
mount /dev/sdb1 /mnt/boot/efi
I. Part IV: The actual installation procedure and custom encrypt hook After reading the "pacstrap" command and other tips below, follow the Installation Guide up to the "mkinitcpio" step but don't do it yet. You will skip "Partition the disks", "Format the partitions", and "Mount the file systems" as we've already done that. If you use a regular US keymap layout skip "Set the keyboard layout" as well. I skipped "Hostname" and "Network configuration" because I don't need a hostname and I prefer to start [email protected].service manually. tl;dr quick network connection:
Refreshing the package keys and a basic pacstrap command for our guide (if you need any other packages add them to the end or do a "pacman -S package" anytime after the chroot step):
pacman-key --refresh-keys
pacstrap /mnt base base-devel linux-hardened efibootmgr sudo
Now you should be at the "mkinitcpio" step and chrooted into your system. In order to get our encrypted setup to work, we will need to build our own hook, which is thankfully easy to do and I have the code you need. You will have to run "ls -lth /dev/disk/by-id" to figure out your own ID values for usb and main hard drive (they're linked -> to sda or sdb) then to get them into the file: "ls -lth /dev/disk/by-id | grep -iP 'PATTERNYOUWANT' | awk '{print $9}' >> /etc/initcpio/hooks/customencrypthook". You should be using those ids instead of just sda or sdb because sdX can change and this ensures it's the correct device. You can name "customencrypthook" anything you want, and note that /etc/initcpio is the folder for hooks you create. Keep a backup of both files ("cp" them over to the /home directory or your user's home directory after you make one). /usbin/ash is not a typo. /etc/initcpio/initcpio/hooks/customencrypthook
#!/usbin/ash
run_hook() {
modprobe -a -q dm-crypt >/dev/null 2>&1
modprobe loop
[ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
while [ ! -L '/dev/disk/by-id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-part2' ]; do
#the Xs represent your USB drive id found by "ls -lth /dev/disk/by-id"
echo 'Waiting for USB'
sleep 1
done
cryptsetup open /dev/disk/by-id/XXXXXXXXXXXXXXXXXXXXXXXX-part2 cryptboot
mkdir -p /mnt
mount /dev/mappecryptboot /mnt
cd /mnt
cryptsetup open key.img lukskey
cryptsetup --header header.img --key-file=/dev/mappelukskey --keyfile-offset=N --keyfile-size=8192 open /dev/disk/by-id/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY enc
#the Ys represent your main hard drive found by "ls -lth /dev/disk/by-id", N is your offset
cd /
cryptsetup close lukskey
umount /mnt
}
#Note: I could also close cryptboot, but I want it to be easier to mount for updating and signing the kernel (which happens automatically during kernel updates), and regenerating the initramfs with mkinitcpio. You can close it using "cryptsetup close cryptboot", but then you would have to reenter the password before you mount it after booting into the system.
#Note: the files=() and binaries=() arrays are empty, and you shouldn't have to replace HOOKS=(...) array entirely just edit in "customencrypthook lvm2" after block and before filesystems, and make sure "systemd", "sd-lvm2", and "encrypt" are removed.
I. Part V: Setting up sudo and a user First, we need to change the root password and then add a user.
passwd
useradd -m -G wheel -s /bin/bash USERNAMEHERE
passwd USERNAMEHERE
EDITOR=nano
visudo
and make these edits: at the top:
## See the sudoers man page for the details on how to write a sudoers file. ## Defaults env_reset Defaults editor=/usbin/nano, !env_editor Defaults timestamp_timeout=0
Note: env_reset resets environment variables to prevent somebody from selecting a different program as their "editor" using the EDITOR environment variable, your default in the second line can be vi or another editor instead of nano, and timestamp_timeout=0 disables the sudo cache because I want to type the password every time. I recommend following these because even in a single-user scenario, potential malware could take advantage if you have those vulnerabilities open. The first two lines are from Sudo - Arch Wiki.
and near the bottom:
## User privilege specification root ALL=(ALL) ALL USERNAMEHERE ALL=(ALL) ALL
The owner and group for the sudoers file must both be root. The file permissions must be set to 0440. ls -lth /etc/sudoers and make sure it looks like this:
-r--r----- 1 root root
If it doesn't then:
chown -c root:root /etc/sudoers
chmod -c 0440 /etc/sudoers
Now "su -l USERNAMEHERE" and run "sudo -i" and see if you can login as sudo, it should change your terminal to "[email protected]" instead of your username. Once you see it works, disable the direct root login and then exit.
passwd -l root
exit
From now on, you will use "sudo -e file" to safely edit files that require you to be root to edit them as it uses temporary files and is considered to be the proper form. Also, while you should always use sudo to become root, if you ever use "su" for any user, use "su -l". This changes home directory and environment variables for safety as discussed here
I. Part VI: Direct UEFI using secure boot
We need to get cryptboot and sbupdate git from the AUR, then untar, read the pkgbuild, and "makepkg -si" inside the folder, for each. Yes, the program "cryptboot" has the same name as what we named our encrypted usb drive, but know that there's no relation here besides the implied meaning of "encrypted boot" and you can use any name for your encrypted usb drive. These are the AUR links: cryptboot and sbupdate for reference. However, we'll be downloading a snapshot .tar.gz directly. As of December 2017, the snapshot links are: https://aur.archlinux.org/cgit/aur.git/snapshot/cryptboot.tar.gz https://aur.archlinux.org/cgit/aur.git/snapshot/sbupdate-git.tar.gz
Important note: Don't do this as root and don't use sudo, add a user first and do it as the user.
su -l USERNAMEHERE
If you're not already in the user's home directory:
At this point I used my phone to copy and paste the .tar.gz "Download Snapshot" link from https://aur.archlinux.org/packages/cryptboot/ into VirusTotal.com and then used "sha256sum cryptboot.tar.gz" on the computer to get a checksum and compared it with the value on my phone.
tar xvf cryptboot.tar.gz
cd cryptboot
less PKGBUILD
Read the package build and make sure nothing malicious has been snuck in there, to the best of your ability.
makepkg -si
According to the Arch Linux wiki, this will download the code, resolve the dependencies with pacman, compile it, package it, and ask you for your sudo password to install the package. Now we make our keys: First prepare crypttab temporarily to be compatible with cryptboot. Use "sudo -i" to become root.
You will have to find Z by running "ls -lth /dev/disk/by-uuid" and see which one links to sdb2 or whichever is the encrypted boot partition of your usb drive. Then "ls -lth /dev/disk/by-uuid | grep -iP 'PATTERNYOUWANT' | awk '{print $9}' >> /etc/crypttab".
Hopefully if you cleared your secure boot keys beforehand and properly configured the cryptboot.conf and your /boot partition is mounted, it should be successful. Delete the temporary entry we created from your crypttab. Remember that generating keys only has to be done once. I guess you could do it again if you're worried that your keys have been compromised (don't forget to rename DB.* files back to db.*, see efikeys below), but it only needs to be done once and sbupdate will use the same keys to sign your new images every time you update your kernel. Now we must prepare the system for sbupdate. Use "sudo -i" to become root.
cd /boot/efikeys
"ls" to get a list of files and change all the "db.*" files to "DB" like this: mv db.file DB.file Switch back to regular user "su -l USERNAMEHERE". Repeat the curl, tar, less, makepkg procedure done above for cryptboot except this time do it for sbupdate.
The CMDLINE_DEFAULT is really important here, without it your efi will not boot. If you're curious what these files are and where they come from, vmlinuz is the compressed kernel image which is part of the package for linux-hardened. It's installed to the mounted /boot directory. In the same directory, initramfs-*.img files are created by mkinitcpio when we run the command. now "sudo -i" into root and run:
mkinitcpio -p linux && mkinitcpio -p linux-hardened && sbupdate
It should generate the initramfs image, and generate a signed UEFI image of your kernel and initramfs that we will be able to boot from. There should be a few "missing firmware" errors which should be harmless
Note: I keep the linux kernel as a backup in case anything goes wrong with linux-hardened after an update and I need to boot Now we need a boot option for the signed efi file. First run "lsblk" and look for the usb device and the 512M EFI partition. Mine is sdb1. The Gentoo Wiki gives us a good example:
-c create, -d disk, -p partition, -L label, and -l loader Make sure the boot order puts "Arch Linux Hardened Signed" first. If not change it with "efibootmgr -o XXXX,YYYY,ZZZZ" Finally, exit the chroot (keep running exit until it says [email protected] without brackets [] and the "lsblk" shows boot as "/mnt/boot" and not "/boot") and umount devices, then reboot
exit
cd /
umount -R /mnt
reboot
Now you will have to press the button for your EFI settings (BIOS settings) and enable secure boot, disable legacy boot and cd boot, and set up an administrator or power on password to prevent access. You'll need the usb key to boot and you'll have to enter two passwords, one for the usb key and another for the keyfile. Then the keyfile unlocks the main hard drive. You should probably run 'pacman -Syu' to update the system. I. Part VII: Graphics and audio First check your graphics driver here. I'm using radeon. Newer AMD cards use amdgpu (xf86-video-amdgpu). Nvidia and Intel should check the wiki for info.
Check your ~/.local/share/xorg/Xorg.0.log and make sure it got loaded properly. For example, radeon will have lines that say "RADEON(0):". If it didn't load your driver it may say "MODESETTING(0):" which is the fallback driver as explained here Xorg - ArchWiki. Also check your driver's wiki page to find out about enabling "TearFree" which prevents the horizontal lines when playing video (you'll have to create a minimal Xorg Configuration first with a "Device" section containing "Driver" and "Identifier"). Ctrl + F this page for "Prevent Xorg" and do that now, plus "Run Xorg Rootless". Now for the audio:
Controversial, but pulseaudio indeed "just works" and you need it to hear sound on Firefox.
II. Firewall
https://aur.archlinux.org/cgit/aur.git/snapshot/arno-iptables-firewall.tar.gz You know the AUR drill we used for cryptboot and sbupdate by now, just curl -o the snapshot, verify the checksum matches the one online with VirusTotal, tar xvf, less pkgbuild, then makepkg -si. Remember to do it all as a regular user, not root so don't use sudo. Then:
cd ~/arno-*/src/aif* sudo ./install.sh
sudo -e /etc/arno-iptables-firewall/firewall.conf
EXT_IF="" EXT_IF_DHCP_IP=1
If you use a static ip you would leave the dhcp setting at 0.
The entry for fstab replaces the old swap entry, you could just edit the old one to look like this. Umask
sudo -e /etc/profile
# Set our umask umask 077
The way it was explained to me is that before the umask is applied, linux permissions for files you create start off as 0777. Umask 077 is the same as 0077. Thus, subtract 0777 - 0077 = 0700 The order is 0 (setuid, setgid, sticky bit), 7 (user), 0 (group), 0 (others) This means that only the user who created or root will be able to read, write, and execute the file or directory (only directories create as exec). A umask of "177" would prevent the executable bit from being set so the default file permissions for directories you create would be "-rw-------". The first 0 is for setuid, setgid, and sticky bit. Setuid and setgid allow a user to become other users or groups like root or wheel. Sticky bit allows your user to write or change a file, but prevent the change or deletion of your files by other users. This is useful for group or world-writable settings where people have the same permissions in a folder but you want to prevent destructive behavior. Know that root can violate any permissions it wants unless you write a specific rule in SELinux which is a out of scope for this guide, unforunately. There are good books on it written by a guy named "Vermeulen". Permissions You may want to consider running: chmod -R g-rwx,o-rwx /boot What this does is - (subtracts) all permissions (rwx) from group (g) and others (o). Leaving only root and the owner of the file with permissions. chmod 000 /boot/key.img chmod 000 /boot/header.img #Note that obviously root will still be able to override this, but it means that no user can access it so the files can only be read or written to by root. Pluggable Authentication Modules PAM rules
Note you have to comment the first line so failed attempts are not counted twice, then the second line sets 2 denials (wrong passwords) and a 10 minute lockout. onerr=succeed counts the number of attempts. The file=* is a failure log.
I've intentionally left out logging martian packets (people sending you packets with a spoofed or misconfigured addresses), but if you want you can log those to track down malicious activity.
Disabling Root login We already ran "passwd -l root" after we set up sudo.
sudo -e /etc/securetty
Comment out all the lines in this file, you'll still be able to use sudo. Hardening fstab For cryptboot and the usb EFI partition add this to the fourth field comma-separated values:
Today is January 02, 2018. As of today, the "archlinux-keyring" was last updated on "2017-12-15 12:23 UTC". In a scenario where a key is no longer valid or goes rogue, it would be helpful to have the latest keys. Safe mounting of external disks (sdc1 is an example)
sudo mount -o nodev,nosuid,noexec /dev/sdc1 /mnt
This prevents executables, programs running with different user privileges than the user has, and nodev prevents character or block devices from being interpreted on the drive to prevent malicious exploits. Browser cache permissions edit: Updated to chromium ~/.config/chromium and ~/.cache/chromium files are "-rw-------" (chmod 600) and folders are "drwx------" (chmod 700). The point is to check permissions frequently and prevent executable files in the cache. TTY Timeout
sudo -e /etc/profile.d/shell-timeout.sh
TMOUT="$(( 60*10 ))"; [ -z "$DISPLAY" ] && export TMOUT; case $( /usbin/tty ) in /dev/tty[0-9]*) export TMOUT;; esac
You can also block tty access all together but I prefer having it so I can switch over if I want or need to get away from Xorg. Prevent Xorg from being run on a different terminal besides the one you logged in
sudo -e ~/.xserverrc
#!/bin/sh exec /usbin/Xorg -nolisten tcp -nolisten local "[email protected]" vt$XDG_VTNR
-nolisten local disables abstract sockets of X11. Which are supposed to be a risk if a keylogger or screenshotter attached itself to them. This blog gives some history on the subject. Startx will execute this when you start up your desktop. You can autostart X at login but I prefer to do it manually. I use xfce so it's "exec startxfce4" after I login. Run Xorg rootless
sudo -e /etc/X11/Xwrapper.config
set needs_root_rights = no
IV. Unbound + Dnscrypt + DNSSEC
edit: The new dnscrypt-proxy automatically updates the sources (servers list) so I've simplified this section.
sudo pacman -S unbound expat dnscrypt-proxy ldns
sudo -e /etc/dhcpcd.conf
Add anywhere:
static domain_name_servers=127.0.0.1
sudo systemctl edit dnscrypt-proxy.service
edit: After the update on 5/18/2018 dnscrypt-proxy needs CAP_NET_BIND_SERVICE capability.
Cache is disabled because we are using DNSCrypt as a forwarder for the unbound cache. I still use Unbound because it has a better way of actually testing and validating that DNSSEC is working.
The port number is larger than 1024 so dnscrypt-proxy is not required to be run by root. So pick a number from 1025-65535, or run this command "shuf -n 1 -i 1025-65535". For DNSCrypt with Unbound, only unbound and dnscrypt-proxy.socket need to be started and enabled.
Root Hints script (Optional, probably unnecessary) This optional script creates a service that updates root hints automatically. is your internet device from "ip link", usually eno1 or wlo1. If you don't use dhcpcd then change it to the service that gets your internet working. Once the timer goes off each month, the script will retry every 20 minutes until the internet is on then update the root hints. If a timer is missed it will keep trying. The 2 minute predelay is to give dnscrypt time to resolve fingerprints and the certificate.
sudo -e /etc/systemd/system/roothints.service
[Unit] Description=Update root hints for unbound [email protected].service [Service] TimeoutStartSec=0 Restart=on-failure RestartSec=1200 ExecStartPre=/bin/sleep 120 ExecStart=/usbin/bash -c 'isitalive=$(/usbin/systemctl is-active [email protected].service); if [ "$isitalive" == "active" ]; then /usbin/curl -v -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache; fi; if [ "$isitalive" == "inactive" ]; then exit 1; fi'
You can use a custom date like this: "OnCalendar=*-*-12 12:00:00". That would run the job on the 12th of every month at 12pm local time.
sudo systemctl enable roothints.timer
sudo systemctl start roothints.timer
sudo systemctl status roothints.timer
Testing our script From the wiki on Timers you can check the calendar time until the next run:
systemd-analyze calendar "*-*-12 12:00:00"
systemd-analyze calendar monthly
If you have other timers also, you may want to consider setting them to separate, specific times or using "RandomizedDelaySec" in the .timer file under [Timer]
systemctl daemon-reload
To reload units after making changes on disk.
sudo systemctl start roothints
Wait a little and then check the systemctl status.
Troubleshooting If you can't resolve hosts try:
Setting "verbosity=5" under "server:" in /etc/unbound/unbound.conf and check "journalctl -u unbound.service". You should see some pretty detailed output that shows if it's working.
If you just want to get your internet working again, # comment out the forwardings section ("forward-zone:", "name:", "forward-addr:") and "trust-anchor-file" in unbound.conf, systemctl stop dnscrypt-proxy.socket and dnscrypt-proxy.service, then stop and start unbound to fix the internet.
If you're using unbound, make sure /etc/dnscrypt-proxy/dnscrypt-proxy.toml 'cache' is disabled.
Sometimes, fixing the internet is as simple as using "ip link set down", "ip link set up", then stop and start [email protected].service. Or restarting unbound.service. Also check "systemctl status dnscrypt*" to make sure the socket is running and that the proxy service received its certificate and fingerprints from the server.
You should be able to adjust the window or maximize it, and the internet should work automatically since unbound is handling our dns.
VI. Afternotes:
Be careful with your LUKS header and any backups of it, the proper disposal is to "shred", "wipe", or dd it with random data multiple times before deleting it Securely Wipe Disk - Arch Wiki. If an attacker gets a hold of your old LUKS header (after you changed the passphrase) and they figured out the old passphrase or keyfile, they can use the old header to get access to your system. Check out the cryptsetup FAQ for more details. A way to mitigate this is to use "cryptsetup-reencrypt" which will generate a new master key (volume key) and make the old header ineffective even when they have the compromised passphrase or keyfile, but read the man page first.
You can use dd to backup the whole usb drive as an image, or the partitions (assuming it's sdb): dd if=/dev/sdb1 of=backup.img bs=4M dd if=/dev/sdb2 of=backup2.img bs=4M
Afterwards, "cryptsetup close lukskey" and "shred" or "dd" the old keyfile with random data before deleting it, then make sure that the new keyfile is renamed to the same name of the old one "key.img" or other name.
For some reason sysctl doesn't seem to be loading my /etc/sysctl.d/51-net.conf file on boot so I have to run "sysctl --reload" to get it working.
Read General Recommendations on the Arch Wiki, mainly "System Administration" and "Package Management"
Check permissions, ownership, and sticky bits everywhere you can. find / -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) | xargs ls #look for setuid or setgid bits chmod u-s /path/to/file #unset a setsuid bit for a file (user id) chmod g-s /path/to/file #unset a setguid bit for a file (group id) find / -nouser -o -nogroup | xargs ls #unowned abandoned orphaned files find / -path /proc -prune -o -perm -2 ! -type l | xargs ls #world-writable files
Anti virus or anti malware such as clamav and rkhunter
Intrusion detection, scanning, and security auditing tools such as lynis, nmap, aide, snort, yasat. You can find more recommendations here
Implementing access control security policies such as SELinux, Tomoyo, AppArmor, Smack, and I'm sure there's more.
Hey Y’all, We’re all busy getting ready for the testnet release this week, which means we’re busy combing through lokid, Loki Messenger and the Loki Storage Server looking for bugs and testing our edge cases. This week we also did a new release for the Loki Electron GUI wallet which adds a number of quality-of-life upgrades for users, including being able to see all of the nodes you’ve contributed to, having the ability to unstake from nodes with a single click, and transaction proofs and checking. Loki Core
--------------------------- Loki Launcher The Loki Launcher is a node js package that will allow for the independent management of all the components required to run a full Service Node. This includes managing Lokinet, lokid and the Loki Storage Server. When Loki Service Nodes begin to route data and store messages for Lokinet and Loki Messenger, the Loki Launcher will need to be run on every single Service Node. Right now the Launcher is in a testing phase, so you should only use it on testnet and stagenet – though feedback/issues and pull requests would be greatly appreciated! What’s going on this week with Loki Launcher: We released the first version of the Launcher! and with everyone’s feedback have continued to roll out updates and bug fixes. We’ve learned a lot from this release, and we hope this will help everyone make the upgrade to version 4.0.0 of Loki seamlessly. Changelog:
Fix missing parameters in check-systemd and start
Fix parameter deduplication in daemon.js
Include running configuration in config-view
Add better error handler to serveTCP
Handle port in use more gracefully in prequal
Work around setuid NodeJS issue for home directories. It would always return root’s home directory
Make “don’t run as root” recommendation not appear when we tell you to use root
Fix MacOS home directory detection
Support spaces instead of equal signs for lokid command line options
getLauncherStatus refactor to unify “waiting for start up” and “status” output
Include a “ctrl-c to exit” message in client mode
Precreate blockchain default config if INI is found but blockchain is not specified
Make sure blockchain data directory exists in fix-perms
Adjust download-binaries retries and timeout to play with Github’s API nicer
Support --config-file to allow absolute paths as well (as relative)
On --config-file failures output both paths searched
Node 8.x support for getLauncherStatus reports (Only Node 10.x+ support console.table)
Make getLauncherStatus reports a bit more configurable, so status/start up messaging make sense
Allow quotes in launcher.ini configuration files
Take existing downloaded blockchain size when running prequal disk space checks.
Disable restricted RPC
Change storage server parameter from db-location to data_dir to better match
Github Pulse: Excluding merges, 2 authors have pushed 38 commits to master and 38 commits to all branches. On master, 15 files have changed and there have been 588 additions and 205 deletions. --------------------------- Lokinet If you’re on our Discord you might catch Jeff or Ryan, the developers of LLARP, live streaming as they code: https://www.twitch.tv/uguu25519, https://www.twitch.tv/neuroscr. What’s going on this week with Lokinet: Work continues on improving our metrics for internal testing and adjustments due to libuv refactor. We continue to improve the quality of the code and seek to remove any possibilities of bugs creeping in. path build status messages have been added as a pull-request, and we have high hopes this will lead to finding more stability bugs which we can squash. Changelog:
Hey guys, Pwntools developer here! If you haven't used it before, Pwntools is a Python library/framework developing exploits for Capture The Flag (CTF) competitions, like DEFCON CTF, picoCTF, and wargames like pwnable.kr. Pwntools makes the exploit developer's life easier by providing a suite of easy and quick tools that do exactly what an exploit developer would want them to -- without the hassle of writing template code or dealing with various minor gotchas. If you're a new user to pwntools, you can check out the Getting Started page on the documentation, available at docs.pwntools.com. The v3.0 release is a big one for us, and our first in over eighteen months! Both existing and new users can install Pwntools with a simple pip install --upgrade pwntools. For those who just want to see what's new, you can check out the CHANGELOG.md here. In particular, all of the changes which were made on the Binjitsu fork of Pwntools have been merged back into upstream Pwntools. Everything below here is the changelog, for ease of reference.
3.0.0 (August 20 2016)
This was a large release (1305 commits since 2.2.0) with a lot of bugfixes and changes. The Binjitsu project, a fork of Pwntools, was merged back into Pwntools. As such, its features are now available here. As always, the best source of information on specific features is the comprehensive docs at https://pwntools.readthedocs.org. This list of changes is non-complete, but covers all of the significant changes which were appropriately documented.
Android
Android support via a new adb module, context.device, context.adb_host, and context.adb_port.
Assembly and Shellcode
Assembly module enhancements for making ELF modules from assembly or pre-assembled shellcode. See asm.make_elf and asm.make_elf_from_assembly.
asm and shellcraft command-line tools support flags for the new shellcode encoders
asm and shellcraft command-line tools support --debug flag for automatically launching GDB on the result
Added MIPS, PowerPC, and AArch64 support to the shellcraft module
Added Cyber Grand Challenge (CGC) support to the shellcraft module
Added syscall wrappers for every Linux syscall for all supported architectures to the shellcraft module
e.g. shellcraft..gettimeofday
(e.g. shellcraft.i386.linux.foobar)
Added in-memory ELF loaders for most supported architectures
Only supports statically-linked binaries
shellcraft..linux.loader
Context Module
Added context.aslr which controls ASLR on launched processes. This works with both process() and ssh.process(), and can be specified per-process with the aslr= keyword argument.
Added context.binary which automatically sets all context variables from an ELF file.
Added context.device, context.adb, context.adb_port, and context.adb_host for connecting to Android devices.
Added context.kernel setting for SigReturn-Oriented-Programming (SROP).
Added context.log_file setting for sending logs to a file. This can be set with the LOG_FILE magic command-line option.
Added context.noptrace setting for disabling actions which require ptrace support. This is useful for turning all gdb.debug and gdb.attach options into no-ops, and can be set via the NOPTRACE magic command-line option.
Added context.proxy which hooks all connections and sends them to a SOCKS4/SOCKS5. This can be set via the PROXY magic command-line option.
Added context.randomize to control randommization of settings like XOR keys and register ordering (default off).
Added context.termianl for setting how to launch commands in a new terminal.
DynELF and MemLeak Module
Added a DynELF().libc property which attempt to find the remote libc and download the ELF from LibcDB.
Added a DynELF().stack property which leaks the __environ pointer from libc, making it easy to leak stack addresses.
Added MemLeak.String and MemLeak.NoNewlines and other related helpers for handling special leakers which cannot e.g. handle newlines in the leaked addresses and which leak a C string (e.g. auto-append a '\x00').
Enhancements for leaking speed via MemLeak.compare to avoid leaking an entire field if we can tell from a partial leak that it does not match what we are searching for.
Encoders Module
Added a pwnlib.encoders module for assembled-shellcode encoders/decoders
Includes position-indepentent basic XOR encoders
Includes position-independent delta encoders
Includes non-position-independent alphanumeric encoders for Intel
Includes position-independent alphanumeric encoders for ARM/Thumb
ELF Module
Added a Core object which can parse core-files, in order to extract / search for memory contents, and extract register states (e.g. Core('./corefile').eax).
Format Strings
Added a basic fmtstr module for assisting with Format String exploitation
GDB Module
Added support for debugging Android devices when context.os=='android'
Added helpers for debugging shellcode snippets with gdb.debug_assembly() and gdb.debug_shellcode()
ROP Module
Added support for SigReturn via pwnlib.rop.srop
Occurs automatically when syscalls are invoked and a function cannot be found
SigReturn frames can be constructed manually with SigreturnFrame() objects
Added functional doctests for ROP and SROP
Tubes Process Module
process() has many new options, check out the documentation
aslr controls ASLR
setuid can disable the effect of setuid, allowing core dumps (useful for extracting crash state via the new Core() object)
TTY echo and control characters can be enabled via raw argument
stdout and stderr are now PTYs by default
stdin can be set to a PTY also via setting stdin=process.PTY
Tubes SSH Module
Massive enhancements all over
ssh objects now have a ssh.process() method which avoids the need to handle shell expansion via the old ssh.run() method
Files are downloaded via SFTP if available
New download and upload methods auto-detect whether the target is a file or directory and acts accordingly
Added listen() method alias for listen_remote()
Added remote() method alias for connect_remote()
Utilities
Added fit() method to combine the functionality of flat() with the functionality of cyclic()
Added negative() method to negate the value of an integer via two's complement, with respect to the current integer size (context.bytes).
Added xor_key() method to generate an XOR key which avoids undesirable bytes over a given input.
Added a multi-threaded bruteforce() implementation, mbruteforce().
Added dealarm_shell() helper to remove the effects of alarm() after you've popped a shell.
Well it was technically it was Friday, but w/e ¯\_(ツ)_/¯ I was performing a dry-run of upgrading Ubuntu 14.10 to 16.04.1 for a server that my team at work uses. I had run rsync a week ago to copy the drive from our VM to the old physical server where it was once hosted. The goal was to determine how long the upgrade would take, what services would need to be fixed ASAP, and whether or not some bugs I had experienced at home using the Desktop version (hung trying to shut down, "power lid" issues despite using a tower) would be present in the Server version. Back up to Thursday: my co-worker and I were running around trying to get things prepped for a campus-wide upgrade. We're having to manually push out firmware updates for over 3,000 wireless access points, including the upload of the binary files. 79MB per device adds up quickly and legacy transfer protocols that we "have" to default to (search for TFTP) takes 70 seconds to transfer the files. We tried to use HTTP via Python on a Pi 3 as a proof-of-concept which cut transfers down to 7 seconds, however concurrent connections caused problems. We instead tried http-server.* Now here's where it's getting good: npm/node commonly has an issue regarding permissions for running commands and installing packages. We had to refer to this official guide to repair permissions. Take a look at Option 1:
Find the path to npm's directory: npm config get prefix For many systems, this will be /uslocal. WARNING: If the displayed path is just /usr, switch to Option 2 or you will mess up your permissions.
Did you read that last line? Take note! So still testing this on the Pi, we ran the prefix check to verify that /uslocal was indeed the directory and then ran subsequent commands. Running the http-server project resolved the problem with devices downloading from it concurrently, however the Pi just wasn't beefy enough to handle more than five clients. At this point the day was over and I would pick up where we left off in the morning. Friday. My coworker and I have a rotating schedule and this is his 4-day weekend, so I was continuing our project while also performing the dry-run upgrade. It took four hours to upgrade from 14.10 to 16.04.1, during which I was tweaking scripts and troubleshooting network problems as our network technicians called in for remote support. At 11:30 I decided that I wanted to install http-server on our desktops and the server in order to distribute the load and speed up transfers. After cleaning up issues with apt packages, I installed npm and, once again, ran into permissions issues. So I loaded up the guide and pasted over commands. But I skipped the prefix check. Imagine my confusion when running sudo rm -rf /uslocal/lib/node_modules gave me this little message:
sudo: effective uid is not 0, is sudo installed setuid root?
I had effectively broken sudo. Slow clap Well boys and girls, this is why you don't zoom through instructions without reading everything first every time you use them. This is also why you should memorize which system folders to never run chmod on (recursively). I got lucky that I had only borked our "backup" copy and not our production/deployed server! (I was able to fix this by shutting down the server, attaching the HDD to my Mac and running rsync on the /usr folder while preserving permissions.)
TL;DR
I sped through instructions the second time around but on a different computer and broke sudo because I was messing with permissions rather than being careful and tedious to not screw anything up. I still blame Node.js because I hate Javascript. Don't do drugs.
*For those interested, I eventually just ran http-server on two desktops and used one of our scripts to have all devices asynchronously download the binary files. No more than 80 devices were allowed to download at a time. The transfer took thirty minutes for all 3,228 devices to complete and each computer streamed at980Mbpsfor the duration of the transfers. One of our network engineers came in and asked what it was that we were doing because 1/5th of the building bandwidth was being used from the two of us alone. :D
Problems configuring & running uWSGI for Django deployment
Im following a tutorial to put a django app into production. Im in a venv and have Postgres installed and setup and uWSGI installed via PIP. Im at this point in the tutorial and have just run the instructed command but for my own project PATH http://imgur.com/a/Bsso5 this returns the following error though:
*** Starting uWSGI 2.0.13.1 (64bit) on [Sat Sep 17 15:47:21 2016] *** compiled with version: 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81) on 17 September 2016 14:57:57 os: Darwin-14.5.0 Darwin Kernel Version 14.5.0: Mon Aug 29 21:14:16 PDT 2016; root:xnu- 2782.50.6~1/RELEASE_X86_64 nodename: Davids-MacBook-Air.local machine: x86_64 clock source: unix detected number of CPU cores: 4 current working directory: /Users/david/Documents/projects/django/codego/codego detected binary path: /Users/david/Documents/projects/django/codego/venv/bin/ uwsgi !!! no internal routing support, rebuild with pcre support !!! uWSGI running as root, you can use --uid/--gid/--chroot options setuid() to 1000 *** WARNING: you are running uWSGI without its master process manager *** your processes number limit is 709 your memory page size is 4096 bytes detected max file descriptor number: 256 lock engine: OSX spinlocks thunder lock: enabled bind(): Permission denied [core/socket.c line 769]
I think its the last line above thats causing the problems so Ive been doing some Googling and really not found much that relates to my problem. I did find this on SO http://stackoverflow.com/questions/29510480/could-not-start-uwsgi-process I dont know how to re-bind or remove the socket file or where this socket file would be. Any know about this? thanks
Find setuid 0 binary options December 09, 2017 Get link; Facebook; Twitter; Pinterest; Email; Other Apps ; Você tem acesso físico a um computador linux que você quer comprometer, e você pode inicializar a partir do CD. Existem várias maneiras de obter acesso root ao computador através de um CD ao vivo do linux. Uma maneira é inicializar o livecd, chroot para a partição linux, em ... find / -perm -4000 (which all websites tell) or the command. find / -perm +4000 both give me the same result. As far I understand it should always be +4000 (because if it is user suid binary then the first byte should be 4, if group suid binary then the first byte should be 2 and if a sticky bit turned on directory then the first byte should be ... THIS SCRIPT IS INVOKED FROM A SETUID ROOT BINARY # function printhelp echo “Usage: sys_uname [-h] [OPTION] [ — mod_path … ]” echo “Prints kernel version string for modules” echo echo ” -h Print this help” echo ” -f Choose closest kernel” echo ” -l List available kernels” echo ” -e Try to find an exact match” echo ” -p Print version string for the running kernel ... Tuesday, October 18, 2016. Find Setuid 0 Binary Options This binary is used to detect changes in the network interfaces. 10Slackware 9Fedora 14Ubuntu 13Debian 8CentOS 0 15 Fig. 4. Amount of guid binaries on each system Even though Slackware has the most suid binaries, the percentage of these files which were owned by the root user showed that surprising 60% of the files ( 23 out of 38 ) pose a potential threat, which means that both Slackware and ... Finding files with setuid bit. To discover all files with the setuid bit, we can use the find command. Depending on the distribution, you can use some specific parameters and special options. For example on Linux you can use -perm with slash notation (e.g. /4000). This means that if any of the file permission bits match, the result will be ... The solution for you here will be either to use one of the exec*() family directly, or to include a call to setuid(0), or to configure a tool such as sudo to allow you to call your target program directly and (presumably) without a password. Of these options I'd personally go with the sudo solution. The authors of that spent a long time ... Find/list all accessible *.plan files and display contents; Find/list all accessible *.rhosts files and display contents; Show NFS server details; Locate *.conf and *.log files containing keyword supplied at script runtime; List all *.conf files located in /etc; Locate mail; Platform/software specific tests: Checks to determine if we're in a ... Thursday, 6 July 2017. Find Setuid 0 Binary Options There are two special permissions that can be set on executable files: Set User ID (setuid) and Set Group ID (sgid). These permissions allow the file being executed to be executed with the privileges of the owner or the group. For example, if a file was owned by the root user and has the setuid bit set, no matter who executed the file it would always run with root user privileges.
Indian Binary Options Brokers - Find the best Fundamentals ...
Website https://ExpertBinaryTrader2020.Blogspot.com Scam Free Managed Binary Options Trading Accounts, How to Trade Binary Options Successfully without Loss,... I have been receiving a lot of messages from people saying that I am into trading and that I am trying to get other into this trading business. I do not trad... Check Out Here: https://bit.ly/3inkKyn - Indian Binary Options Brokers - Find the best Fundamentals Explained You are much better off looking through our lis... 99% Win Strategy - $20 to $1,390 - Binary Options Newest Method 2020-----I want to kindly ask you to subscribe my channel, of course if you like my tutorials. And do not forget to click the ring ... How I Make $500 daily http://goo.gl/E5FAmf where can i find the best binary options strategy Trading Payout (EUR USD) Review Platform Accept US Traders An ex... Best way make money on binary option profit up to 1000% in 14 minutes http://www.sahamoption.com Binary Options Guaranteed Latest Digits Differ No Loss Volatility strategies $20usd in 20 MIN - Duration: 19:18. Proudly Tech Money General Tips And Tricks 14,580 views 19:18 How do you trade the NAsDAQ as a binary option? It is very easy with Proteus Elite binary options trading signals and broker that trades the NASDAQ-100 contract. As you can see our software is not ... Binary Options $500 - $5000 Challenge - Duration: 3:00. Nes Vquez 3,484 views. 3:00. Top 10 Best Online Businesses For Beginners - Duration: 18:03. Greg Gottfried Recommended for you. 18:03 ... Binäre Optionen - IQ option Binäre Optionen Strategie - Duration: 5:46. Binary Options Strategy 14,179 views. 5:46. Building a 3.5kWh DIY Solar Generator for $650 - Start to Finish ...
