Vulnerability Development mailing list archives

Re: file hiding under Linux


From: Brian Hatch <vuln-dev () ifokr org>
Date: Tue, 24 Jun 2003 16:13:56 -0700



> Ok so I've been working on file hiding for the
> Linux operating system (www.linux.org) that you can download for free
> and is very popular. But you probably all know this. I was wondering,
> would it be possible to abuse the Linux environment to make legitimate users
> think a certain file was not present.

> ...

> This technique only works for executing binaries; listing
> the directory will still find it.
> 
> So for hiding the binaries in /usr/bin an example would be:
> 
> $ export PATH="/tmp"
> $ ls
> -bash: ls: command not found
> $ echo "hid all files in /usr/bin"
> hid all files in /usr/bin
> $ whereis echo
> -bash: whereis: command not found
> $

This isn't a terribly robust definition of 'hide'.  Yes, of course
'ls' would find them, as would 'find' or any other program that
can read directories.

Using your definition, consider programs that are needed mainly by
root and administrators and not normal users.  These are typically
stored in /sbin or /usr/sbin, and those dirs are not put in normal
users' $PATH env var.  However any user can easily run them by
changing $PATH, or by using the full pathname (/sbin/ifconfig, for example).

To actually 'hide' files, you need to employ standard Linux
permissions.  For example if you don't want people using
ifconfig, then you can put it into /sbin/hidden/ifconfig and
make /sbin/hidden mode 700 owned by root.  This will, of course,
break a ton of startup scripts and the like which expect ifconfig
to live in /sbin, but let's ignore that for now.

However this still doesn't solve your problem.  If I have login
access to the machine, I can upload a copy of ifconfig from my
machine and run it.  Even if you disable uploads, sftp, or even
old *modem protocols, if I have shell access, I can create a file
one way or another, even if I need to resort to something like

        home$ uuencode /sbin/ifconfig ifconfig
        (copy output)

        server$ cat >./ifconfig.uu <<EOM
        (paste)
        server$ uudecode ifconfig

> So basically I'm building on this, I'd love some feedback and maybe how to
> implement this technique in other scenarios.

If 'hide' means 'prevent users from running certain programs' then
the answer is 

        * make sure users have a restricted shell which doesn't allow
          programs to be run unless they're in $PATH, even if they
          provide a full pathname to it

        * use an advanced linux security patch which can hide files
          from users (lids HIDDEN target, for example) and still force
          users to have a restricted shell or they can upload/create
          programs anyway.

--
Brian Hatch                  A person who smiles
   Systems and                in the face of
   Security Engineer          adversity probably
http://www.ifokr.org/bri/     has a scapegoat.

Every message PGP signed
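The script below is an added example, not code from either poster, that walks through the three notions of "hiding" the reply above works through: the trimmed-$PATH trick from the original post, a mode-700 directory, and the paste-an-encoded-copy trick that defeats it, ending with what a restricted shell (bash -r) refuses. It uses a stand-in "admintool" script in a scratch directory rather than the real /sbin/ifconfig, and base64 (coreutils) in place of uuencode, which needs sharutils; the encode, paste, decode flow is the same. It assumes /bin/sh, /bin/ls, base64 and bash are present; the chmod is done on the scratch copy only, since chown to root is not available to an ordinary user.

```shell
#!/bin/sh
# Added example, not code from the thread above. Walks through the three
# notions of "hiding" the reply discusses (a trimmed $PATH, a mode-700
# directory, a restricted shell) against a stand-in admin tool in a scratch
# directory, so nothing here touches the real /sbin. base64 stands in for
# uuencode (which needs sharutils); the encode/paste/decode flow is the same.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HIDDEN="$WORK/sbin/hidden"      # stand-in for /sbin/hidden
EMPTY="$WORK/empty"             # stand-in for the poster's PATH="/tmp"
mkdir -p "$HIDDEN" "$EMPTY" "$WORK/home"

# The stand-in for /sbin/ifconfig: a script that only announces itself.
cat > "$HIDDEN/admintool" <<'EOF'
#!/bin/sh
echo "admintool ran"
EOF
chmod 755 "$HIDDEN/admintool"

# 1. The $PATH trick. In a fresh shell whose PATH is an empty directory the
#    tool is "not found" by name (prints not-found) ...
lookup_by_name() {
    PATH="$EMPTY" /bin/sh -c 'command -v admintool >/dev/null 2>&1 && echo found || echo not-found'
}
# ... but anything that reads directories still lists it, and the full
#    pathname still runs it; PATH plays no part in either.
list_hidden_dir() {
    PATH="$EMPTY" /bin/ls "$HIDDEN"
}
run_by_full_path() {
    PATH="$EMPTY" /bin/sh -c "$HIDDEN/admintool"
}

# 2. Standard permissions. A mode-700 directory (owned by root in real use;
#    here we can only chmod) keeps other users out. Returns the mode string
#    rather than a failed access because the owner, and root, still get in.
hidden_dir_mode() {
    chmod 700 "$HIDDEN"
    ls -ld "$HIDDEN" | cut -c1-10
}

# 3. Why permissions alone are not enough: a user with an unrestricted shell
#    pastes an encoded copy in through the terminal and decodes it in $HOME.
#    "home$ uuencode" is the encode step, "server$ cat <<EOM ... uudecode"
#    the decode step; the copy then runs from the user's own directory.
smuggle_copy() {
    encoded=$(base64 < "$HIDDEN/admintool")
    printf '%s\n' "$encoded" | base64 -d > "$WORK/home/admintool"
    chmod 755 "$WORK/home/admintool"
    "$WORK/home/admintool"
}

# 4. The reply's answer: a restricted shell. bash -r refuses command names
#    containing '/', makes PATH read-only, and refuses output redirection,
#    so neither the full-path run nor the paste-a-copy trick works from it.
#    Each function succeeds when rbash refuses the action.
restricted_blocks_full_path() {
    ! bash -r -c "$HIDDEN/admintool" >/dev/null 2>&1
}
restricted_blocks_path_change() {
    ! bash -r -c "PATH=$HIDDEN; admintool" >/dev/null 2>&1
}
restricted_blocks_redirect() {
    ! bash -r -c "echo smuggled > $WORK/home/copy" >/dev/null 2>&1 &&
        [ ! -e "$WORK/home/copy" ]
}

printf 'by name, trimmed PATH:  %s\n' "$(lookup_by_name)"
printf 'directory listing:      %s\n' "$(list_hidden_dir)"
printf 'by full path:           %s\n' "$(run_by_full_path)"
printf 'hidden dir mode:        %s\n' "$(hidden_dir_mode)"
printf 'pasted copy in $HOME:   %s\n' "$(smuggle_copy)"
if command -v bash >/dev/null 2>&1; then
    restricted_blocks_full_path   && echo 'rbash: full pathname refused'
    restricted_blocks_path_change && echo 'rbash: PATH change refused'
    restricted_blocks_redirect    && echo 'rbash: output redirect refused'
fi
```

Run it as an ordinary user with `sh hiding-demo.sh`. The first three lines of output show the poster's trick for what it is: "not-found" by name, yet the listing shows the file and the full path runs it. The restricted-shell checks are the part that matters for the reply's conclusion: rbash also refuses the `>` redirection, so the uuencode/uudecode paste in the reply fails there too, though any program in the restricted user's PATH that writes files (an editor, for instance) would reopen that hole.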
