
After misinterpreting this question's meaning, I'm wondering if rootkits and other malicious programs could be effective if the user does not have root permissions.

Rootkits usually trick users with root permissions to give a virus or another malicious program root permissions, therefore enabling them to do pretty much anything. If one of these programs encountered a non-root user, could it be effective?

David

2 Answers

What you must know

Linux is not immune to advanced malware, like rootkits and trojan horses, or to zero-day exploits.

On any generic Linux distribution a rootkit can use social engineering to steal the root password; it can also use a memory exploit if the system is not up-to-date and execute a shell script as administrator without user interaction and without visible effects.

On Ubuntu, where sudo is often installed but not correctly configured, malware just needs the password of the current user to execute administrative actions and infect the system.

If you have setuid executables installed and they use an interpreter (as, for example, older versions of Nmap did), they can be used to circumvent the account barrier and execute administrative actions.

Modern rootkits will try every possible way to obtain root access and load a new kernel module to gain total privileges and hide other infections.

How to protect yourself

Basic precautions

I've made a little to-do list:

  • Never give the root password to your users on a multi-user system.
  • Never enter the root password into untrusted applications (downloaded from unofficial repositories) unless absolutely necessary.
  • Update your Ubuntu system at least every month from the official repository and leave only the latest 2 updated kernels installed.
  • Do not use unstable or in-development software.
  • Use gufw or another wrapper to configure the firewall and block unused ports for IN/OUT:TCP and IN/OUT:UDP.
  • Configure passwd to impose a minimum password length, because malware can brute-force weak passwords.

After that, install and use tiger to check for security issues in your system.

Advanced precautions

These precautions will drastically improve your security, but they need regular maintenance after installing new software and are for advanced users:

  • Use SELinux to protect the sensitive configuration files; sudo alone offers limited guarantees of security against security experts. You should consult the official reference before using it, since it can limit the root access rights and lock you out if not configured correctly. It is a very advanced and powerful tool; experiment on a virtual machine before using it in production.
  • Use AppArmor (installed by default on Ubuntu), which provides protection by limiting a program to a particular set of directories and guarantees good protection even for non-technical users. To get started with it, you will need to install AppArmor "profiles" for some common programs. You may install them like so: sudo apt install apparmor-profiles apparmor-profiles-extra apparmor-utils and then enable them by running sudo aa-enforce /etc/apparmor.d/*.
  • Firejail is an easy-to-use sandbox that reduces the risk of security breaches by restricting the running environment of untrusted applications with multiple techniques. You can use it to isolate your web browser and obtain some extra protection against in-memory exploits.

All those precautions will increase the security of their respective areas of effect but decrease the performance of the whole system if the hardware is old. In fact, we often find them in enterprise servers, to protect the important (or public) network nodes.

Thank you to user311982 for the useful suggestions.


Even if Linux is more secure than other systems, it does not mean that it is immune. My little guide is not exhaustive; feel free to comment under here if you have more questions.

  • If the malware gets the password of a non-root user however, it couldn't do anything significant to the system – David Sep 30 '16 at 18:43
  • @DavidCole-GrammarPolice no: if sudo is installed but not correctly configured (like in many Ubuntu installations) and the malware gets the password of a "non-root" user, it can execute administrative actions and infect the system. All users enabled to have total root access by using sudo should protect their own password with the same security of a root password, because it can be used to execute a command with root privileges. This means that it can infect and harm the system. – Lorenzo Ancora Sep 30 '16 at 18:48
  • 1
    "if sudo is installed but not correctly configured (like in many Ubuntu installations)" SORRY? Proof for this statement please. – Rinzwind Sep 30 '16 at 18:49
  • Why not update your Ubuntu system whenever you have an update available? – Kaz Wolfe Sep 30 '16 at 18:54
  • @Rinzwind no problem: the default sudo configuration allows members of the admin group to execute ANY administrative action. This is an incorrect configuration, valid only as a "comfort" for the initial setup of the system and should be changed when configuring sudo: some commands must be accessible only to the root user to prevent privilege escalation and permanent damage to the system, and the common users with sudo access should have access only to non administrative commands. Always remember to configure your sudoers config file to reduce the attack surface. – Lorenzo Ancora Sep 30 '16 at 19:03
  • @KazWolfe yes, you can and should update as often as you want, I suggest at least every month, even better after the monthly backup. Remember to enable the security updates and avoid external and unsafe repositories if possible. :-) – Lorenzo Ancora Sep 30 '16 at 19:06
  • @LorenzoAncora What kind of commands should be restricted solely to root? And what prevents me from just using sudo -s to get access to those commands? Or just sudo passwding the root account, using su, doing whatever, cleaning up, and going back to using just sudo? – Kaz Wolfe Sep 30 '16 at 19:45
  • @KazWolfe nice and "heavy" question: all administrative executables in /bin, /sbin, /usr/sbin but not /usr/bin should be restricted. A correct sudoers file should prevent common users from starting a new unsafe session as root or doing accidental damage, but to better protect the sensitive authentication/configuration files you should use SELinux; sudo alone offers limited guarantees of security. The use of SELinux is a very complex topic and you should consult the official reference, since it can limit the root access rights. – Lorenzo Ancora Sep 30 '16 at 21:27
  • 1
    You should also use Apparmor, which provides protection by limiting a program to a particular set directories. It is installed by default on Ubuntu. To get started with it, you will need to install Apparmor "profiles" to some common programs. You may install them like so: sudo apt install apparmor-profiles apparmor-profiles-extra apparmor-utils and then enable them by running sudo aa-enforce /etc/apparmor.d*. There is a bug with chromium's profile; follow this link to fix it. – user311982 Oct 01 '16 at 04:32
  • 1
    Firejail is also very much worth noting here, as it makes sandboxing a program (such as chrome or firefox) extraordinarily easy, with great effect, and it is in the official repositories. See here for a more exhaustive description of the program. – user311982 Oct 01 '16 at 04:39
  • @user311982 Thank You for your suggestions, can I integrate them in the original answer to lift the users from reading all comments? :-) – Lorenzo Ancora Oct 01 '16 at 09:14
  • @LorenzoAncora Sure! – user311982 Oct 01 '16 at 11:03
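Two of the checks discussed in the answer and its comments (the default `%admin ALL=(ALL) ALL` sudoers rule and setuid executables that expose an interpreter) can be audited with a few lines of POSIX shell. The script below is an added example and is not code from the original answer or its commenters; the sample sudoers file, the temporary setuid files it creates, and the allowlist of setuid program names are constructed for the example and should be adjusted to your own distribution.

```shell
#!/bin/sh
# Added example (not from the original answer): two offline audit helpers.
# All inputs below are constructed so the script runs without root access.

# Print sudoers specs that hand unrestricted root to anyone other than root:
# a command list of "ALL" (the Ubuntu default for %admin / %sudo) or any
# NOPASSWD rule. Comment lines and Defaults lines are ignored.
unrestricted_sudo_entries() {
    grep -Ev '^[[:space:]]*(#|Defaults|root[[:space:]]|$)' "$1" \
        | grep -E '(NOPASSWD:|\)[[:space:]]*ALL[[:space:]]*$)' || true
}

count_unrestricted_sudo() {
    unrestricted_sudo_entries "$1" | wc -l | tr -d ' '
}

# Setuid basenames a stock install is expected to carry (assumption for the
# example; compare against your distribution's package list before relying on it).
EXPECTED_SETUID="passwd su sudo mount umount ping chsh chfn gpasswd newgrp pkexec fusermount"

# List setuid files under DIR whose basename is not in the allowlist. On a real
# system run it as: unexpected_setuid /   (older setuid nmap would show up here).
unexpected_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        name=$(basename "$f")
        case " $EXPECTED_SETUID " in
            *" $name "*) ;;                 # expected on a stock install, skip
            *) printf '%s\n' "$f" ;;        # review: why is this setuid?
        esac
    done
}

count_unexpected_setuid() {
    unexpected_setuid "$1" | wc -l | tr -d ' '
}

# Constructed sample resembling Ubuntu's default sudoers plus two scoped rules.
write_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(root) /usr/bin/systemctl restart myapp.service
EOF
    printf '%s\n' "$f"
}

# Constructed throwaway tree: one expected setuid name, one unexpected one.
make_setuid_fixture() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho stub\n' > "$d/passwd"
    printf '#!/bin/sh\necho stub\n' > "$d/nmap"
    chmod 4755 "$d/passwd" "$d/nmap"
    printf '%s\n' "$d"
}

# Demo run on the constructed inputs.
sudoers=$(write_sample_sudoers)
echo "Unrestricted sudo entries in $sudoers:"
unrestricted_sudo_entries "$sudoers"
tree=$(make_setuid_fixture)
echo "Unexpected setuid files under $tree:"
unexpected_setuid "$tree"
rm -rf "$sudoers" "$tree"
```

On the sample, the `%admin`, `%sudo` and `backup` lines are reported (the last one because of NOPASSWD) while the `deploy` line, which is limited to one systemctl command, is not; the setuid scan reports only `nmap`. After applying the `aa-enforce` step from the answer, `aa-status` shows which AppArmor profiles are in enforce versus complain mode.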

By definition, a rootkit is not a kit to obtain root privileges; rather, it is a kit to keep them once they've been obtained. Thus a rootkit in the strictest sense is useless without root permissions.

Of course, in real life, rootkits will likely come as part of a larger overall malicious package, generally fetched and deployed by a dropper, containing various exploits intended to get root privileges. One might colloquially refer to that whole package as "a rootkit" since the rootkit is the payload, and while this isn't a technically accurate way to refer to it, splitting those hairs won't keep your system safe. :)

If you're a normal user, you should be concerned with not introducing malicious software to the system. If you do get rooted, you're going to be completely helpless to do anything about it unless you have root privileges.

Nevertheless, having studied malware fairly extensively, my advice is that if you know a system has been in any way infected by malicious software (regardless of permission level), you should assume the entire thing is now malicious and kill it with fire, which is to say, wipe the hard drive and reinstall, preserving as little data as possible, and that having been scanned from a live OS using multiple anti-malware programs.

The only non-specialized case in which this wouldn't be the proper course of action is if you trust the malware not to do anything too malicious. But why would you trust malware not to be malicious? Sounds like a losing strategy to me.

Nathan