Privilege Escalation via Weak File Permissions & Group Membership Abuse (Conceptual Overview)
File permissions and group memberships are the foundation of Linux discretionary access control. When permissions are too permissive or users are added to dangerous groups, privilege escalation is often trivial. This is not exploitation; it is simply using the system as configured.
What Are Weak File Permissions?
Files where others have write access (permission bit 2).
-rw-rw-rw- (666)
-rwxrwxrwx (777)
Any user can modify these files. If they are system binaries, scripts, or configuration files → privilege escalation.
Directories where others can create, delete, or rename files.
drwxrwxrwx (777)
Allows file replacement, symlink attacks, and privilege escalation via PATH hijacking.
What Are Dangerous Group Memberships?
| Group | Purpose | Risk | Defensive Action |
|---|---|---|---|
| docker | Run Docker containers | Root equivalent | Remove all non-admin users |
| disk | Access raw disk devices | Read/write any file | Never add users to disk group |
| adm | Read system log files | Logs may contain secrets | Audit log access; restrict membership |
| shadow | Read /etc/shadow | Password hash access | Only root and shadow group should read |
| sudo / wheel | Administrative group | Full sudo access | Restrict to authorized admins only |
| video | Access framebuffer devices | Screen capture risk | Remove non-GUI users |
| audio | Access audio devices | Microphone capture risk | Remove non-GUI users |
How Privilege Escalation Happens (High-Level)
- A system file or script has world-writable permissions (e.g., 666, 777)
- A low-privilege user modifies the file with malicious content
- The file is executed by root or a privileged process (cron, service, admin)
- The malicious code runs with elevated privileges
docker group:
docker run -v /:/host -it ubuntu chroot /host bash
Mounts host filesystem → full root
disk group:
debugfs /dev/sda1
Read/write any file, bypassing permissions
adm group:
grep "password" /var/log/*
Logs may contain credentials
Real-World Examples (Defensive View)
Misconfiguration: System administrator runs chmod 777 /etc/shadow by accident.
Discovery: Security audit finds /etc/shadow is world-readable and world-writable.
Risk: Any local user can read password hashes OR replace root hash with known password.
Remediation: chmod 640 /etc/shadow; chown root:shadow /etc/shadow
Misconfiguration: Developer added to disk group 2 years ago to troubleshoot disk issues.
Account compromise: Developer laptop infected with malware. SSH keys stolen.
Impact: Attacker logs into production server as developer, uses debugfs to read /etc/shadow, cracks root password.
Defense: Quarterly group membership audits. Remove users from disk group. Use sudo for specific disk commands.
Misconfiguration: Backup script /etc/cron.daily/backup.sh is world-writable (664).
Vulnerability: Any local user can edit the script. Cron runs it as root daily.
Result: Attacker adds chmod 4777 /bin/bash to script. Next day, SUID bash shell available.
Defense: chmod 700 /etc/cron.daily/*; chown root:root /etc/cron.daily/*
Detecting Weak Permissions & Dangerous Groups
Permission Audit Commands
- find / -type f -perm -0002 -ls 2>/dev/null | grep -v "^/proc" → World-writable files
- find / -type d -perm -0002 -ls 2>/dev/null | grep -v "^/proc" → World-writable dirs
- find /etc -type f -perm -o+w 2>/dev/null → World-writable config files
- find / -type f -perm -4000 -ls 2>/dev/null → SUID binaries
Group Audit Commands
- getent group docker → Users in docker group
- getent group disk → Users in disk group
- getent group adm → Users in adm group
- getent group shadow → Users in shadow group
- getent group sudo; getent group wheel → Admin users
Preventing Weak Permission Escalation
System Files
- /etc/passwd → 644
- /etc/shadow → 640
- /etc/sudoers → 440
- /etc/crontab → 600
Directories
- /etc/cron.d → 700
- /etc/cron.daily → 700
- /etc/cron.hourly → 700
- /etc/ssh → 700
SSH Keys
- ~/.ssh/ → 700
- ~/.ssh/id_rsa → 600
- ~/.ssh/authorized_keys → 600
Group Membership Hardening
- Docker group: No non-admin users. Use sudo for docker commands.
- Disk group: No users except system accounts.
- Adm group: Only users who require log access. Consider centralized logging.
- Sudo/wheel: Quarterly review; remove inactive admins.
- Automated audits: Script weekly checks of dangerous group memberships.
Key Takeaways
- World-writable files are a privilege escalation vector; always fix them
- Docker group is root-equivalent; never grant it to non-admin users
- Disk group allows reading any file; no users should be in this group
- Adm group exposes logs that may contain credentials
- Automated auditing is required; permissions drift over time
- Configuration management (Ansible/Puppet) prevents permission regressions
Weak Permissions & Group Abuse: Command Awareness (Defensive Auditing)
Commands used by system administrators and security teams to audit permissions and group memberships. Shown for defensive hardening and verification only.
File & Directory Permission Auditing
- Find all world-writable files (excluding /proc):
  find / -type f -perm -0002 2>/dev/null | grep -v "^/proc"
- Find all world-writable directories:
  find / -type d -perm -0002 2>/dev/null | grep -v "^/proc"
- Find world-writable files in /etc (CRITICAL: any output here is a severe risk):
  find /etc -type f -perm -o+w 2>/dev/null
- Check permissions on critical system files:
  ls -la /etc/passwd /etc/shadow /etc/sudoers /etc/crontab
- Find files with no owner or group (orphaned files may indicate leftover accounts):
  find / -nouser -o -nogroup 2>/dev/null
SUID/SGID Binary Audit
- Find all SUID binaries:
  find / -perm -4000 -type f 2>/dev/null
- Find all SGID binaries:
  find / -perm -2000 -type f 2>/dev/null
- Find SUID binaries owned by root:
  find / -user root -perm -4000 -type f 2>/dev/null
- Check the results against the GTFOBins risk list:
  https://gtfobins.github.io/
Dangerous Group Membership Audit
- Check docker group (any non-admin user = CRITICAL):
  getent group docker
- Check disk group (any non-system user = CRITICAL):
  getent group disk
- Check adm group (review necessity; logs may contain secrets):
  getent group adm
- Check shadow group (only root and the shadow daemon should be members):
  getent group shadow
- Check sudo/wheel group (quarterly review; remove inactive admins):
  getent group sudo; getent group wheel
- Check video/audio groups (remove non-GUI/server users):
  getent group video; getent group audio
Remediation Commands (Defensive)
- Fix world-writable file:
  sudo chmod o-w /path/to/file
- Fix world-writable directory:
  sudo chmod o-w /path/to/directory
- Remove user from dangerous group:
  sudo gpasswd -d username docker
  sudo gpasswd -d username disk
  sudo gpasswd -d username adm
- Fix ownership on orphaned files:
  sudo chown root:root /path/to/file
Defender Takeaways
- Audit weekly: World-writable system files, dangerous group memberships
- Automate: Cron job to check critical file permissions and alert on changes
- Harden: Remove all unnecessary SUID binaries and world-writable files
- Group reviews: Quarterly audit of docker, disk, adm, sudo group members
- Configuration management: Enforce permissions with Ansible/Puppet
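The audit commands listed above and the "Automate" takeaway can be combined into one cron-driven script. The following is an added example, not code from the original page; it assumes POSIX sh with find and getent, and the allow-lists in run_audit (for example "syslog" as a legitimate adm member) are illustrative assumptions you would replace with your own baseline.

```shell
#!/bin/sh
# Added example (not from the original page): wraps the audit checks above into
# functions that a weekly cron job can run and alert on. Assumes POSIX sh with
# find and getent; the allow-lists in run_audit are illustrative assumptions.

# Return 0 if $1 is world-writable (others have the write bit), else 1.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -o+w -print 2>/dev/null)" ]
}

# Return 0 if $1 has exactly the octal permission mode $2 (e.g. 640), else 1.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# Print each member of a getent-style group line ($1, "name:x:gid:a,b") that is
# not in the comma-separated allow-list $2. Prints nothing when all are allowed.
unexpected_members() {
    members=$(printf '%s' "$1" | cut -d: -f4 | tr ',' ' ')
    for m in $members; do
        case ",$2," in
            *",$m,"*) ;;                 # allowed member
            *) printf '%s\n' "$m" ;;     # flag everyone else
        esac
    done
}

# Audit a live group via getent; prints "group: member" per unexpected member.
audit_group() {
    line=$(getent group "$1" 2>/dev/null) || return 0   # group absent: nothing to flag
    unexpected_members "$line" "$2" | sed "s/^/$1: /"
}

# Audit one file against its expected mode; prints a finding line on mismatch.
audit_file() {
    [ -e "$1" ] || return 0
    has_mode "$1" "$2" || printf 'MODE %s expected %s\n' "$1" "$2"
    is_world_writable "$1" && printf 'WORLD-WRITABLE %s\n' "$1"
    return 0
}

# The page's baseline: critical files plus the dangerous groups (allow-lists assumed).
run_audit() {
    audit_file /etc/passwd 644
    audit_file /etc/shadow 640
    audit_file /etc/sudoers 440
    audit_file /etc/crontab 600
    audit_group docker ""        # nobody at all should be a member
    audit_group disk ""
    audit_group adm "syslog"     # assumed legitimate log reader
}

if [ "${1:-}" = "--run" ]; then run_audit; fi
```

Run it as `sh audit.sh --run` from cron and mail or forward any non-empty output; an empty result means every checked file has its expected mode and no unexpected member sits in the dangerous groups.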