Looking for security documentation and consultancy? Visit ridgelinecyber.com
Sign In

ES1.7 Linux Authentication and Privilege Model

· Module 1 · Free
Operational Objective
Linux privilege escalation is the attack phase that transforms a web application compromise or a stolen SSH key into full root access. The Linux authentication and privilege model — PAM, sudo, capabilities, SUID/SGID binaries, polkit — provides multiple paths from unprivileged user to root, and each path has specific defensive controls. Understanding these mechanisms at the OS level explains why certain endpoint security configurations matter: why sudo logging is not optional, why SUID auditing catches privilege escalation that process monitoring misses, why capabilities are both a security improvement and a new attack surface, and why the Linux privilege model creates fundamentally different security challenges than Windows.
Deliverable: Understanding of the Linux authentication and privilege model, the specific privilege escalation paths attackers exploit, and the endpoint security controls that defend each path — with practical detection and hardening guidance for each mechanism.
Estimated completion: 30 minutes
LINUX PRIVILEGE ESCALATION PATHS → DEFENSIVE CONTROLSSUDO ABUSEMisconfigured sudoersNOPASSWD on dangerous cmdssudo -l enumerationGTFOBins shell escapesDEFEND: sudo loggingauditd sudo rulessudoers least privilegeSysmon Event ID 1T1548.003SUID/SGIDSUID binaries run as ownerCustom SUID = root shellfind / -perm -4000Buffer overflows in SUIDDEFEND: SUID auditnosuid mount optionFile integrity monitoringSysmon Event ID 11T1548.001CAPABILITIESFine-grained root powersCAP_NET_RAW, CAP_SYS_ADMINGranted to non-root binariesgetcap enumerationDEFEND: capability auditMinimal capability grantsContainer capability dropeBPF capability monitoringT1548KERNEL EXPLOITCVE in kernel moduleContainer escape via vulnDirty Pipe, Dirty COWOverlayFS exploitsDEFEND: patch managementseccomp profilesAppArmor/SELinuxeBPF runtime detectionT1068PAM ABUSEMalicious PAM modulesPAM config modificationCredential harvestingauth bypass via pam_permitDEFEND: PAM config FIMauditd file watchesModule hash verificationSysmon for LinuxT1556.003

Figure ES1.7 — Five Linux privilege escalation paths with their defensive controls. Each path exploits a different OS mechanism. Effective Linux endpoint security requires coverage across all five — relying on a single mechanism leaves the others undefended.

PAM: the authentication gateway

Pluggable Authentication Modules is the framework through which every Linux authentication event passes. When a user logs in via SSH, types a password for sudo, or authenticates to any PAM-aware service, the request passes through a stack of PAM modules defined in configuration files under /etc/pam.d/. Each module performs a specific function: pam_unix checks the password against /etc/shadow, pam_faillock tracks failed attempts, pam_tally2 enforces lockout policies, pam_google_authenticator provides TOTP-based MFA.

The security implication is dual. PAM is your authentication enforcement point — properly configured, it enforces password complexity, account lockout, MFA, and session controls. But PAM is also an attack surface. An attacker with root access can install a malicious PAM module that logs every password entered on the system (credential harvesting), bypasses authentication entirely (replacing pam_unix with pam_permit), or creates a backdoor that accepts a hardcoded password alongside the legitimate one. The PAM configuration files themselves are high-value targets — a single-line change in /etc/pam.d/sshd can disable authentication for the SSH service.

Expand for Deeper Context

The PAM module stack is processed in order. Each module returns one of four results: success, failure, ignore, or die. The required control flag means the module must succeed for authentication to succeed, but processing continues through the remaining stack (accumulating results). The sufficient flag means if this module succeeds, authentication succeeds immediately without processing further modules. The requisite flag means if this module fails, authentication fails immediately. These flags determine the behavior: an attacker who inserts a sufficient PAM module at the top of the stack creates a backdoor that bypasses all subsequent authentication checks.

At NE, the 6 RHEL servers use PAM for SSH authentication. The PAM configuration is default — no MFA, no session logging, no file integrity monitoring on PAM configuration files. An attacker who compromises root on any RHEL server can install a credential-harvesting PAM module that captures every password entered on the system going forward, including passwords for service accounts that authenticate to databases and manufacturing systems. The detection: file integrity monitoring (auditd watches or AIDE) on /etc/pam.d/ and /lib64/security/ (the directory containing PAM shared objects). Any modification to files in these directories should trigger an immediate alert.

Sudo: the privilege boundary

Sudo is the primary mechanism for privilege escalation on Linux — the legitimate mechanism. The /etc/sudoers file (and files in /etc/sudoers.d/) defines which users can execute which commands as which other users. A properly configured sudoers file implements least privilege: the web application service account can restart nginx but cannot modify system files. The database administrator can run database maintenance commands but cannot install packages.

Misconfigured sudoers is one of the most common Linux privilege escalation vectors. Common misconfigurations include: ALL=(ALL) NOPASSWD: ALL (user can run any command as root without a password), user ALL=(ALL) NOPASSWD: /usr/bin/vi (the user can run vi as root, then use :!bash to spawn a root shell — GTFOBins), user ALL=(ALL) NOPASSWD: /usr/bin/find (find has an -exec flag that executes arbitrary commands). The GTFOBins project (gtfobins.github.io) catalogues hundreds of Unix binaries that can be abused for privilege escalation when available through sudo.

The endpoint security controls for sudo: audit logging of all sudo commands (enabled by default in most distributions via auth.log or journalctl), auditd rules that monitor /etc/sudoers modifications, Sysmon for Linux Event ID 1 that captures the process creation when sudo is invoked (including the full command line), and regular review of the sudoers file to identify overly permissive configurations. The Defender for Linux agent (mdatp) detects some sudo abuse patterns, but sudoers misconfiguration is primarily a hardening problem — reduce the permissions to the minimum necessary.

SUID/SGID: inherited privilege

SUID (Set User ID) and SGID (Set Group ID) are file permission flags that change the execution context of a binary. When a binary has the SUID flag set, it runs with the permissions of the file owner (usually root), regardless of which user invokes it. This is by design — /usr/bin/passwd needs SUID because changing a password requires writing to /etc/shadow, which only root can modify. /usr/bin/ping historically needed SUID to open raw sockets.

The attack surface: any SUID-root binary with a vulnerability (buffer overflow, command injection, library injection) gives the attacker root access. Custom SUID binaries installed by administrators or applications are particularly dangerous because they receive less security scrutiny than system binaries. An attacker’s first reconnaissance on a Linux system often includes find / -perm -4000 -type f 2>/dev/null — enumerate all SUID binaries, then check each against known exploitation databases.

The defensive controls: regular SUID auditing (scheduled find command that compares current SUID binaries against a known-good baseline), mounting non-system partitions with the nosuid option (prevents SUID from functioning on files in those partitions), and file integrity monitoring that alerts when new SUID binaries appear. Modern Linux distributions have reduced SUID usage — many binaries that historically required SUID now use capabilities instead — but legacy applications and custom installations often introduce new SUID binaries without security review.

Capabilities: fine-grained root powers

Linux capabilities decompose root’s monolithic privilege into 40+ individual capabilities. CAP_NET_RAW allows opening raw sockets. CAP_SYS_ADMIN is a broad capability that covers mounting filesystems, loading kernel modules, and other administrative operations. CAP_DAC_OVERRIDE allows bypassing file permission checks. Instead of making a binary SUID root (granting all root powers), an administrator can assign specific capabilities: setcap cap_net_raw+ep /usr/bin/ping gives ping the ability to open raw sockets without making it SUID.

Capabilities reduce the attack surface compared to SUID because a compromised capability-enabled binary only gains the specific capabilities assigned, not full root. But they introduce a new enumeration vector: getcap -r / 2>/dev/null lists all capability-enabled binaries, and certain capabilities (particularly CAP_SYS_ADMIN, CAP_SYS_PTRACE, and CAP_DAC_OVERRIDE) can be leveraged for privilege escalation. Container escapes frequently exploit capabilities — a container running with CAP_SYS_ADMIN can mount the host filesystem.

Decision Point

A development team requests that their application binary receives CAP_SYS_ADMIN on a production server so it can manage mount points for their data processing pipeline. Do you approve? No — CAP_SYS_ADMIN is effectively equivalent to root for privilege escalation purposes. It allows mounting arbitrary filesystems (including the host filesystem from a container), using ptrace on arbitrary processes, and performing many other operations that compromise system integrity. The correct approach: identify the specific system calls the application needs and grant only the minimal capability that covers those calls. If the application only needs to mount a specific filesystem type, explore alternatives (bind mounts configured by root, a helper service that performs the mount). If CAP_SYS_ADMIN is truly required, the application should run in a container with a restricted seccomp profile that limits the system calls available even with the capability.

Try it: enumerate privilege escalation paths on a test Linux system

On a test Linux system (not production), run these enumeration commands that an attacker would execute:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

# Sudo permissions for the current user
sudo -l

# SUID binaries
find / -perm -4000 -type f 2>/dev/null

# SGID binaries
find / -perm -2000 -type f 2>/dev/null

# Capability-enabled binaries
getcap -r / 2>/dev/null

# Writable directories in PATH
echo $PATH | tr ':' '\n' | xargs -I {} find {} -writable -type d 2>/dev/null

# Cron jobs running as root
cat /etc/crontab 2>/dev/null
ls -la /etc/cron.d/ 2>/dev/null

For each result, assess: is this expected? Does this create a privilege escalation path? On a hardened system, the SUID list should contain only essential system binaries (passwd, su, mount, umount, ping, sudo). Any custom SUID binary or any binary in the GTFOBins list that appears in the sudo permissions warrants investigation.

Compliance Myth: "Linux is more secure than Windows by default — it does not need endpoint security"

The myth: Linux’s permission model, open-source transparency, and smaller malware footprint mean it is inherently secure without additional endpoint security controls.

The reality: Linux has a different security model, not a better one by default. The root user has unrestricted access — there is no equivalent to Windows UAC prompts. Default installations often include unnecessary services. SUID binaries provide privilege escalation paths that many administrators never audit. PAM configuration is powerful but complex. Kernel vulnerabilities (Dirty Pipe CVE-2022-0847, Dirty COW CVE-2016-5195, OverlayFS CVE-2023-0386) provide direct root access regardless of permission configuration. Container environments add an entire additional attack surface (escape via capabilities, namespace breakouts, shared kernel exploitation). Linux servers at NE run manufacturing databases and web applications — they are high-value targets that require the same endpoint security engineering discipline as Windows endpoints.

Troubleshooting

“Our Linux servers use service accounts that require passwordless sudo for automation scripts.” This is common and creates a privilege escalation path. Mitigate by: restricting the NOPASSWD sudo entries to the specific commands the automation requires (not ALL), ensuring the specified commands cannot be used for shell escapes (check GTFOBins), and adding auditd rules that monitor all sudo invocations by service accounts. The goal is not to eliminate passwordless sudo — it is to restrict it to the minimum necessary commands with monitoring.

“We cannot install endpoint security agents on our Linux servers because the operations team says it will affect performance.” Deploy Defender for Linux (mdatp) on a non-production server first. Measure CPU and memory impact during normal workload. The mdatp agent’s real-time protection uses eBPF for kernel monitoring (on supported kernels) with minimal overhead. If performance impact is measurable on specific workloads (database servers under heavy IO), configure exclusions for the specific directories causing the impact (database data files, log directories). Module ES13 covers server-specific Linux endpoint security configuration.

Operational Artifact — Linux Privilege Escalation Audit Checklist

Run this audit quarterly on all Linux servers. Sudo audit: Export and review /etc/sudoers and /etc/sudoers.d/*. Flag any NOPASSWD entries. Flag any entries that grant access to GTFOBins-listed binaries. Flag any ALL=(ALL) entries for non-admin accounts. SUID audit: Run find / -perm -4000 -type f and compare against the baseline. Investigate any new SUID binaries. Capability audit: Run getcap -r / and review each capability grant. Flag CAP_SYS_ADMIN, CAP_SYS_PTRACE, and CAP_DAC_OVERRIDE on non-system binaries. PAM audit: Verify integrity of /etc/pam.d/ files against known-good hashes. Check for unexpected PAM modules in /lib64/security/. Verify no sufficient pam_permit entries exist. This audit feeds into the hardening layer assessment from Module ES0.

An attacker gains access to a Linux server as the www-data user. They run `sudo -l` and see: `(root) NOPASSWD: /usr/bin/vim`. Why is this a complete system compromise, and what should the sudoers entry be instead?
It is not a complete compromise — vim can only edit text files, it cannot execute system commands.
Vim has a built-in command execution feature (`:!bash` or `:!/bin/sh`). When vim runs as root via sudo, the shell it spawns also runs as root. The attacker types `sudo vim`, then `:!bash`, and obtains an interactive root shell. This is a GTFOBins shell escape — vim is one of hundreds of Unix utilities that can spawn shells when run with elevated privileges. The sudoers entry should either be removed entirely (www-data should not need vim as root) or replaced with a restricted command that cannot escape to a shell. If the web team needs to edit specific configuration files as root, use `sudoedit /etc/nginx/nginx.conf` which opens the file in the user's editor but applies changes through a controlled mechanism that does not allow shell escapes.
The NOPASSWD flag is the problem — requiring a password would prevent this escalation even with vim access.
The attacker can only edit files as root through vim, which is dangerous but not a full shell compromise.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of this course

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← Previous Next →