Score:1

Can a user under www-data (PHP) escalate privileges by only knowing the root password?


The scenario is an Ubuntu system with a web server:

  • SSH disabled
  • User doesn't have any terminal access
  • UFW enabled, only HTTP and HTTPS allowed
  • PHP and Apache run under www-data
  • www-data not added to sudoers

Considering a user who uploaded a PHP shell to the system, can this user escalate privileges only by knowing the root password, considering that the system() function can only run shell commands under www-data?

Is `www-data` in the wheel group? And why would you allow an anonymous user to upload a script that can then be executed by the web server?
Akam avatar
@doneal24: consider WordPress vulnerabilities; by any chance, an attacker can upload a PHP file
@Akam you could always run the stuff in a chroot so the core root system can't be affected. But what you're asking is a hypothetical AND there's other considerations than just what you've described. WP vulnerabilities don't *usually* gain root privs, they just take over your site and execute things via the site and what the site has access to. I don't know of a root escalation priv that hasn't been patched yet in PHP for the use case you're describing, and even if there were, the Security Team would patch Apache and PHP *VERY* fast for that (it's in their supported packages they patch)
John Hanley avatar
If the user can upload a PHP script and the user knows the root password, you are in trouble. Yes, the user can then launch a shell command that assumes the root identity. That would not be a PHP or Apache security vulnerability. That would be deficient site management. 1) The root password must be protected. 2) No unauthorized user should be able to upload a PHP script.
Akam avatar
@JohnHanley I did detailed research on that. It seems that it's very hard to run commands using PHP as root. I just wanted to know how secure Linux is and what the consequences are.
John Hanley avatar
It is not hard at all. If you did detailed research, why did you post on a public forum? Remember, even if something is hard, if it is possible, someone knows how. I have worked in software and security forensics since the 1990s.
Akam avatar
@JohnHanley theoretically it's possible, but there is no practical example as proof of the concept; it seems that running su needs a terminal and sudo issues a no tty error
John Hanley avatar
What is `sudo` written in? It is written in C. That code is published. The fact that you cannot find a proof of concept means nothing. Since opinions are off-topic, I will not comment further.
Score:1

By default, unless you've messed with it, Ubuntu does not have a "root password".
Not an empty password, but an "encrypted password" in /etc/passwd (read man 5 passwd) that no plaintext (entered) password encrypts to.
Ubuntu uses sudo (man sudo sudoers) for system admin tasks.

Password checking on Unix/Linux works like this: The checking process extracts three pieces of data from the encrypted password field of the user's /etc/passwd entry: 1) The actual encrypted password; 2) The encryption algorithm used to encrypt the password; 3) The "salt", a quantity used to increase the randomness. Then, it encrypts the (plaintext) password you provided, using the same encryption algorithm and the "salt". If the result of the encryption is the same as the actual encrypted password, you entered the correct password.
By setting the encrypted password to a string that NEVER results from any encryption of any password, logins are prevented.
Of course, www-data can su otheruser, if otheruser's password is known.
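
The field layout described in the answer above, as an added example that is not part of the original post: it splits each password field into scheme, salt and hash and reports which accounts carry a field that no typed password can match. It assumes shadow(5)-style lines; the account names, salts and hashes in `SAMPLE` are constructed placeholders, and the function names are hypothetical.

```python
import re

# Scheme ids of the modular crypt format: $id$[params$]salt$hash
SCHEMES = {"1": "MD5", "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}
DES = re.compile(r"[./0-9A-Za-z]{13}")  # traditional crypt: 2-char salt + hash

def classify(field):
    """Return (status, scheme, salt) for one password field."""
    if field == "":
        return ("empty", None, None)        # no password is asked for
    if field.startswith("$"):
        parts = field.split("$")
        if len(parts) >= 4 and parts[1] in SCHEMES:
            # The salt is the segment just before the hash, also when a
            # parameter segment such as "rounds=5000" precedes it.
            return ("hashed", SCHEMES[parts[1]], parts[-2])
        return ("unknown", None, None)      # scheme not in the table: review by hand
    if DES.fullmatch(field):
        return ("hashed", "DES", field[:2])
    # Anything else ("!", "*", "!$6$...") is not valid hash output, so no
    # typed password can ever hash to it: password login is locked.
    return ("locked", None, None)

def audit(shadow_text):
    """Map account name -> classification for shadow-style lines."""
    result = {}
    for line in shadow_text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, field = line.split(":")[:2]
            result[name] = classify(field)
    return result

def password_logins(shadow_text):
    """Accounts whose field does not rule out password authentication."""
    return sorted(n for n, c in audit(shadow_text).items() if c[0] != "locked")

# Constructed sample; salts and hashes are placeholders, not real values.
SAMPLE = """\
root:!:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$6$rounds=5000$SALTSALT$HASHPLACEHOLDER:19000:0:99999:7:::
bob:$y$j9T$SALTSALT$HASHPLACEHOLDER:19000:0:99999:7:::
carol::19000:0:99999:7:::
dave:!$6$SALTSALT$HASHPLACEHOLDER:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for name, info in audit(SAMPLE).items():
        print(f"{name:9} {info}")
    print("password logins possible:", password_logins(SAMPLE))
```

An account that shows up as `hashed` or `empty` for root on a web host is the case the question assumes; `locked` is the Ubuntu default the answer describes.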

Akam avatar
"Of course, www-data can su otheruser, if otheruser's password is known." But this needs a terminal. In my case, there is no terminal; is that possible without a terminal or SSH session?