Privilege Escalation via Writable /etc/sudoers (Conceptual Overview)
The /etc/sudoers file controls sudo privileges. If it is writable by non-root users, an attacker can grant themselves full sudo access.
What is /etc/sudoers?
/etc/sudoers defines which users can run which commands with sudo.
It should only be editable by root via visudo.
How /etc/sudoers Escalation Happens (High-Level)
- /etc/sudoers is writable by non-root users
- Attacker adds a line granting full sudo access
- Attacker runs commands as root
Legitimate edits should be made with visudo to prevent syntax errors.
Why Writable /etc/sudoers Is Dangerous
- Immediate root access
- Simple to exploit
- Often overlooked
Real-World Example (Defensive View)
A misconfigured backup tool makes /etc/sudoers world-writable.
A user adds user ALL=(ALL) NOPASSWD:ALL and gets root.
Detecting Writable /etc/sudoers
- Check permissions: ls -la /etc/sudoers
- Monitor file integrity
Preventing /etc/sudoers Escalation
- Ensure correct permissions (440)
- Use visudo for edits
- Regular permission audits
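The permission check, ownership check and visudo rule from the two lists above, folded into one audit script. This is an added example, not code from the original post: it assumes GNU/Linux coreutils (stat -c), the 440 root:root policy stated above, and the function names are my own.

```shell
#!/bin/sh
# Added defensive audit example (not from the original post). Assumes GNU/Linux
# 'stat -c' and the 440 root:root policy described above.
# check_sudoers_mode FILE [MODE]: 0 when the octal mode equals MODE (default 440)
check_sudoers_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "${2:-440}" ]
}

# check_sudoers_owner FILE [OWNER]: 0 when the owner equals OWNER (default root)
check_sudoers_owner() {
    owner=$(stat -c '%U' "$1" 2>/dev/null) || return 1
    [ "$owner" = "${2:-root}" ]
}

# is_group_or_world_writable FILE: 0 when the group or other write bit is set
is_group_or_world_writable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    g=$(( (mode / 10) % 10 ))   # group digit of the octal mode
    o=$(( mode % 10 ))          # other digit
    [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]
}

# audit_sudoers_file FILE [OWNER]: one line per finding, returns 0 when clean
audit_sudoers_file() {
    sf=$1; want_owner=${2:-root}; file_rc=0
    [ -e "$sf" ] || { echo "MISSING  $sf"; return 1; }
    if is_group_or_world_writable "$sf"; then
        echo "WRITABLE $sf (mode $(stat -c '%a' "$sf")): group/other can modify it"; file_rc=1
    fi
    check_sudoers_mode "$sf" 440 || { echo "MODE     $sf is $(stat -c '%a' "$sf"), expected 440"; file_rc=1; }
    check_sudoers_owner "$sf" "$want_owner" || { echo "OWNER    $sf owned by $(stat -c '%U' "$sf"), expected $want_owner"; file_rc=1; }
    return $file_rc
}

# audit_sudoers: audits /etc/sudoers and every drop-in under /etc/sudoers.d
# (stat needs no read access), then, as root only, lets visudo -c parse them
audit_sudoers() {
    total_rc=0
    for path in /etc/sudoers /etc/sudoers.d/*; do
        [ -e "$path" ] || continue
        audit_sudoers_file "$path" root || total_rc=1
    done
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -c >/dev/null 2>&1 || { echo "SYNTAX   visudo -c reported errors"; total_rc=1; }
    fi
    return $total_rc
}
if audit_sudoers; then echo "OK: sudoers files are correctly protected"; else echo "Findings above need attention"; fi
```

Run it as root to include the visudo -c syntax check; an unprivileged user still gets the mode and ownership findings.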
Key Takeaways
- /etc/sudoers must not be writable
- Always use visudo
- Regular audits are essential
/etc/sudoers: Command Awareness
Common commands observed during audits when checking sudoers. Shown for defensive awareness only.
Permission Checking
- Check /etc/sudoers permissions: ls -la /etc/sudoers
  Why used: Verify correct permissions (should be 440).
Defender Takeaways
- Verify /etc/sudoers permissions
- Monitor file changes
- Use visudo for edits