stat - display file or file system status
```
$ stat /etc/passwd
  File: /etc/passwd
  Size: 965             Blocks: 8          IO Block: 4096   regular file
Device: 2eh/46d         Inode: 13631986    Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-09-03 07:48:11.000000000 +0000
Modify: 2021-09-03 07:48:11.000000000 +0000
Change: 2021-09-12 19:40:02.730102800 +0000
 Birth: -
```
Files installed from packages have the sub-second part of their Modify timestamp set to .000000000, because the package archive stores timestamps with whole-second precision. If the fraction is not zero, the file was probably written by hand (or otherwise modified outside the package manager).
find - search for files in a directory hierarchy
Find files with the SUID bit set.
```
$ find / -perm /4000 -user root -type f -ls 2>/dev/null
13501117  56 -rwsr-xr-x  1 root  root  54096 Jul 27  2018 /usr/bin/chfn
13501166  84 -rwsr-xr-x  1 root  root  84016 Jul 27  2018 /usr/bin/gpasswd
13501219  64 -rwsr-xr-x  1 root  root  63736 Jul 27  2018 /usr/bin/passwd
13501209  44 -rwsr-xr-x  1 root  root  44440 Jul 27  2018 /usr/bin/newgrp
13501120  44 -rwsr-xr-x  1 root  root  44528 Jul 27  2018 /usr/bin/chsh
13500615  64 -rwsr-xr-x  1 root  root  63568 Jan 10  2019 /bin/su
13500597  52 -rwsr-xr-x  1 root  root  51280 Jan 10  2019 /bin/mount
13500622  36 -rwsr-xr-x  1 root  root  34888 Jan 10  2019 /bin/umount
```
Find files modified between two dates (-newermt compares the modification time).
```
$ find / -perm /4000 -user root -type f -newermt '28 jul 2018 00:00:00' ! -newermt '11 jan 2019 00:00:00' -ls 2>/dev/null
13500615  64 -rwsr-xr-x  1 root  root  63568 Jan 10  2019 /bin/su
13500597  52 -rwsr-xr-x  1 root  root  51280 Jan 10  2019 /bin/mount
13500622  36 -rwsr-xr-x  1 root  root  34888 Jan 10  2019 /bin/umount
```
Find files owned by a specific user whose name matches a pattern (-name takes a shell glob, not a regex).
```
$ find / -user www-data -name '*.conf' -type f 2>/dev/null
/var/www/html/ecommerce/database.conf
```
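The two checks above (a Modify timestamp with a non-zero fraction, and setuid files owned by a given user inside a date window) are easy to script once a tree has been walked. The following is an added example, not code from the original page: `walk_files`, `hand_modified` and `setuid_files` are hypothetical names, and `build_sample_tree` writes a constructed sample tree into a temporary directory so the script runs without touching a real system. On a real host you would point it at `/` with uid 0, exactly as the `find` commands do.

```python
import os
import stat
import sys
import tempfile
from datetime import datetime
from typing import Iterator, List, Optional, Tuple

NS_PER_S = 1_000_000_000


def walk_files(root: str) -> Iterator[Tuple[str, os.stat_result]]:
    """Yield (path, lstat result) for every regular file under root; symlinks are not followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # vanished or unreadable: skip, like find's 2>/dev/null
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st


def hand_modified(root: str) -> List[str]:
    """Files whose mtime has a non-zero sub-second part (packaged files show .000000000)."""
    return sorted(p for p, st in walk_files(root) if st.st_mtime_ns % NS_PER_S != 0)


def setuid_files(root: str, uid: int = 0,
                 newer_than: Optional[datetime] = None,
                 older_than: Optional[datetime] = None) -> List[str]:
    """Setuid regular files owned by uid; like find's -newermt A ! -newermt B, keeps A < mtime <= B."""
    hits = []
    for path, st in walk_files(root):
        if not (st.st_mode & stat.S_ISUID) or st.st_uid != uid:
            continue
        mtime = datetime.fromtimestamp(st.st_mtime)
        if newer_than is not None and mtime <= newer_than:
            continue
        if older_than is not None and mtime > older_than:
            continue
        hits.append(path)
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a CONSTRUCTED sample tree in a temp dir (not a real system) and return its root."""
    root = tempfile.mkdtemp(prefix="fsaudit-")
    for sub in ("etc", "usr/bin"):
        os.makedirs(os.path.join(root, sub))
    secs = lambda *ymdh: int(datetime(*ymdh).timestamp()) * NS_PER_S
    sample = {  # relative path: (mode, mtime in ns)
        "etc/passwd":           (0o644,  secs(2021, 9, 3, 7, 48, 11)),
        "etc/hand_edited.conf": (0o644,  secs(2021, 9, 3, 7, 48, 11) + 730_102_800),
        "usr/bin/passwd":       (0o4755, secs(2018, 7, 27, 12)),
        "usr/bin/su":           (0o4755, secs(2019, 1, 10, 12)),
        "usr/bin/ls":           (0o755,  secs(2021, 9, 3, 7, 48, 11)),
    }
    for rel, (mode, mtime_ns) in sample.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
        os.utime(path, ns=(mtime_ns, mtime_ns))
    return root


def demo(root: str, uid: Optional[int] = None) -> dict:
    """Run both checks and return paths relative to root (uid defaults to the caller, who owns the sample)."""
    uid = os.getuid() if uid is None else uid
    rel = lambda paths: [os.path.relpath(p, root) for p in paths]
    return {
        "hand_modified": rel(hand_modified(root)),
        "setuid": rel(setuid_files(root, uid)),
        "setuid_window": rel(setuid_files(root, uid, datetime(2018, 7, 28), datetime(2019, 1, 11))),
    }


if __name__ == "__main__":
    # On a real host: python3 fsaudit.py / 0   (walking / takes a while)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    owner = int(sys.argv[2]) if len(sys.argv) > 2 else None
    for check, paths in demo(target, owner).items():
        print(f"{check}: {paths}")
```

Run without arguments it audits the constructed tree: only `etc/hand_edited.conf` has a fractional mtime, both setuid files are reported, and the July 2018 to January 2019 window keeps only `usr/bin/su`, mirroring the `find -newermt` output above.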
proc - process information pseudo-filesystem
/proc/<pid>/ : directory of the process with PID <pid>.
/proc/self/ : the symlink self points to the process reading the file system.
Entries under /proc/<pid>/ (as listed in the kernel's Documentation/filesystems/proc.rst):

| File | Content |
|------|---------|
| clear_refs | Clears page referenced bits shown in smaps output |
| cmdline | Command line arguments |
| cpu | Current and last cpu in which it was executed |
| cwd | Symlink to the current working directory |
| environ | Values of environment variables |
| exe | Link to the executable of this process |
| fd | Directory, which contains all file descriptors |
| maps | Memory maps to executables and library files |
| mem | Memory held by this process |
| root | Link to the root directory of this process |
| statm | Process memory status information |
| status | Process status in human readable form |
| wchan | Present with CONFIG_KALLSYMS=y: it shows the kernel function symbol the task is blocked in - or "0" if not blocked. |
| stack | Report full stack trace, enable via CONFIG_STACKTRACE |
| smaps | An extension based on maps, showing the memory consumption of each mapping and flags associated with it |
| smaps_rollup | Accumulated smaps stats for all mappings of the process. This can be derived from smaps, but is faster and more convenient |
| numa_maps | An extension based on maps, showing the memory locality and binding policy as well as mem usage (in pages) of each mapping. |
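Reading these entries for one process is what an incident responder does first when a PID looks odd. The following is an added example, not code from the original page: `describe_process` gathers cmdline (NUL-separated), exe, cwd, root, the fd table and a few status fields, and `processes_with_deleted_exe` flags processes whose exe link ends in " (deleted)", which is what the kernel shows when the binary was unlinked after launch. The function names are hypothetical; the `proc` parameter exists so the same parsing can be run against a copy of /proc taken from another host.

```python
import os
from typing import Dict, List, Optional


def read_text(path: str) -> Optional[str]:
    """Read a /proc file; None if the process is gone or belongs to another user."""
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace")
    except OSError:
        return None


def read_link(path: str) -> Optional[str]:
    try:
        return os.readlink(path)
    except OSError:
        return None


def parse_status(text: str) -> Dict[str, str]:
    """'Key:<tab>value' lines of /proc/<pid>/status -> dict (Uid/Gid keep all four numbers)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def describe_process(pid="self", proc: str = "/proc") -> dict:
    base = os.path.join(proc, str(pid))
    status = parse_status(read_text(os.path.join(base, "status")) or "")
    cmdline = read_text(os.path.join(base, "cmdline")) or ""
    exe = read_link(os.path.join(base, "exe"))
    fds: Dict[str, Optional[str]] = {}
    try:
        for fd in sorted(os.listdir(os.path.join(base, "fd")), key=int):
            fds[fd] = read_link(os.path.join(base, "fd", fd))
    except OSError:
        pass
    return {
        "pid": status.get("Pid"),
        "name": status.get("Name"),
        "uid": status.get("Uid"),                        # real effective saved filesystem
        "argv": [a for a in cmdline.split("\0") if a],   # cmdline is NUL-separated
        "exe": exe,
        "exe_deleted": exe is not None and exe.endswith(" (deleted)"),
        "cwd": read_link(os.path.join(base, "cwd")),
        "root": read_link(os.path.join(base, "root")),  # "/" unless chrooted
        "fds": fds,
    }


def processes_with_deleted_exe(proc: str = "/proc") -> List[dict]:
    """Look across all PIDs for binaries removed after launch (only processes we may read)."""
    found = []
    for entry in os.listdir(proc):
        if entry.isdigit():
            info = describe_process(entry, proc)
            if info["exe_deleted"]:
                found.append(info)
    return found


def self_consistent() -> bool:
    """Sanity check: what /proc/self says matches what the process knows about itself."""
    info = describe_process("self")
    return (info["pid"] == str(os.getpid())
            and info["cwd"] == os.getcwd()
            and info["exe"] is not None
            and info["exe_deleted"] is False
            and info["argv"] != [])


if __name__ == "__main__":
    import json
    print(json.dumps(describe_process(), indent=2))
    for p in processes_with_deleted_exe():
        print(f"pid {p['pid']} ({p['name']}) runs from deleted executable {p['exe']}")
```

Because exe, cwd and root are symlinks that the kernel resolves from the process's own namespace, a value ending in " (deleted)" or a root other than "/" is worth a second look even when cmdline looks harmless.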
Display capabilities:
```
$ capsh --print
```
Example of usage: I want to run the Python HTTP server on a port below 1024 without using
```
$ python3 -m http.server 80
Traceback (most recent call last):
  File "/usr/lib/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3.9/http/server.py", line 1290, in <module>
    test(
  File "/usr/lib/python3.9/http/server.py", line 1245, in test
    with ServerClass(addr, HandlerClass) as httpd:
  File "/usr/lib/python3.9/socketserver.py", line 452, in __init__
    self.server_bind()
  File "/usr/lib/python3.9/http/server.py", line 1288, in server_bind
    return super().server_bind()
  File "/usr/lib/python3.9/http/server.py", line 138, in server_bind
    socketserver.TCPServer.server_bind(self)
  File "/usr/lib/python3.9/socketserver.py", line 466, in server_bind
    self.socket.bind(self.server_address)
PermissionError: [Errno 13] Permission denied
```
Let's add the capability:
```
$ sudo setcap CAP_NET_BIND_SERVICE+eip $(which python3)
Invalid file '/usr/bin/python3' for capability operation
$ ls -al /usr/bin/python3
lrwxrwxrwx 1 root root 9 Aug 31 15:28 /usr/bin/python3 -> python3.9
$ sudo setcap CAP_NET_BIND_SERVICE+eip /usr/bin/python3.9
$ python3.9 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```
It's working! Note that setcap refuses the symlink and has to be pointed at the real binary. Keep in mind that a file capability applies to every program started through /usr/bin/python3.9, not just this server, so on a production host grant it to a dedicated copy of the interpreter rather than the system-wide one.
- CAP_NET_ADMIN : Allows you to perform various network-related operations.
- CAP_SETUID / CAP_SETGID : Allows you to make arbitrary manipulations of process UIDs / GIDs.
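The kernel exposes each process's capability sets as hex bitmasks (CapInh, CapPrm, CapEff, CapBnd, CapAmb) in /proc/<pid>/status; `capsh --print` decodes the current process's sets and `capsh --decode=<hex>` decodes a raw mask. The following is an added example, not code from the original page or from libcap, that does the same decoding in Python. The bit numbers come from <linux/capability.h> (bit 10 is CAP_NET_BIND_SERVICE, the one granted to python3.9 above); `ROOT_EQUIVALENT` is my own shortlist of capabilities that let their holder escalate to full root, used here to spot processes that deserve root-level scrutiny. Function names are hypothetical.

```python
import os
from typing import Dict, List

# Bit numbers from <linux/capability.h>; list index == capability number.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",
    "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE",
    "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
    "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
    "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Author's shortlist (assumption, adjust to taste): capabilities whose holder can become root
# or read/write arbitrary files, so a non-root process holding one is effectively privileged.
ROOT_EQUIVALENT = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
                   "CAP_SETUID", "CAP_SETGID", "CAP_SETFCAP", "CAP_DAC_OVERRIDE",
                   "CAP_DAC_READ_SEARCH", "CAP_CHOWN", "CAP_FOWNER", "CAP_MKNOD"}


def decode_caps(mask: int) -> List[str]:
    """Mask as printed in /proc/<pid>/status (e.g. CapEff: 0000000000000400) -> names, low bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def caps_of(pid="self", proc: str = "/proc") -> Dict[str, List[str]]:
    """Decode CapInh/CapPrm/CapEff/CapBnd/CapAmb of a process from its status file."""
    sets = {}
    with open(os.path.join(proc, str(pid), "status")) as fh:
        for line in fh:
            key, sep, value = line.partition(":")
            if sep and key.startswith("Cap"):
                sets[key] = decode_caps(int(value.strip(), 16))
    return sets


def root_equivalent(names) -> List[str]:
    """Subset of names that are on the ROOT_EQUIVALENT shortlist."""
    return sorted(ROOT_EQUIVALENT.intersection(names))


if __name__ == "__main__":
    import sys
    arg = sys.argv[1] if len(sys.argv) > 1 else "self"
    # A long hex string is treated as a raw mask (like capsh --decode), anything else as a PID.
    if set(arg) <= set("0123456789abcdefABCDEF") and len(arg) > 8:
        print(", ".join(decode_caps(int(arg, 16))) or "(none)")
    else:
        sets = caps_of(arg)
        for name, caps in sets.items():
            print(f"{name}: {', '.join(caps) or '(none)'}")
        print("root-equivalent in CapEff:", root_equivalent(sets.get("CapEff", [])))
```

The `+eip` in the setcap command above sets the file's effective, inheritable and permitted bits for that capability; after exec the process's CapEff mask reads 0000000000000400, which this decoder maps back to CAP_NET_BIND_SERVICE. A full mask on a recent kernel is 000001ffffffffff (bits 0 to 40).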
fstab - File System Table
System configuration file commonly found at /etc/fstab. The fstab file typically lists all available disk partitions and other types of file systems and data sources.

This configuration file is read by the mount command, which happens automatically at boot time to determine the overall file system structure, and thereafter when a user executes the mount command to modify that structure.
Each fstab line has six whitespace-separated fields:
- device-spec : Device name, label, UUID, ...
- mount-point : Where the contents of the device may be accessed after mounting (for swap partitions or files, this is set to none).
- fs-type : Type of file system.
- options : Options describing various other aspects of the file system, such as whether it is automatically mounted at boot, which users may mount or access it, whether it may be written to or only read from, its size, and so forth (the special option defaults refers to a pre-determined set of options depending on the file system type).
- dump : A number indicating whether and how often the file system should be backed up by the dump program (a zero indicates the file system will never be automatically backed up).
- pass : A number indicating the order in which the fsck program will check the devices for errors at boot time (0: do not check, 1: check immediately during boot, 2: check after boot).
Options common to all filesystems
- auto / noauto : With auto, the device is mounted automatically at boot or when the mount -a command is issued; auto is the default. With noauto, the device can only be mounted explicitly.
- dev / nodev : Controls whether block special devices on the filesystem are interpreted.
- exec / noexec : exec lets binaries on the partition be executed, whereas noexec is the opposite.
- ro / rw : Mount the filesystem read-only or read-write.
- sync / async : Whether input and output to the filesystem are done synchronously or asynchronously.
- suid / nosuid : Controls whether the suid and sgid bits are honored.
- user / nouser / users : user permits any user to mount the filesystem; this automatically implies noexec, nosuid and nodev unless explicitly overridden. If nouser is specified, only root can mount the filesystem. If users is specified, every user in group users will be able to unmount the volume.
- defaults : Use default settings. Default settings are defined per file system at the file system level.
- owner (Linux-specific) : Permit the owner of the device to mount.
- atime / noatime / relatime / strictatime (Linux-specific) : The Unix stat structure records when files are last accessed (atime), modified (mtime), and changed (ctime). One result is that atime is written every time a file is read, which has been heavily criticized for causing performance degradation and increased wear. However, atime is used by some applications and desired by some users, and thus is configurable as atime (update on access), noatime (do not update), or (in Linux) relatime (update atime if older than mtime). Through Linux 2.6.29, atime was the default; as of 2.6.30, relatime is the default.
mtab - Mounted File System Table
System configuration file commonly found at /etc/mtab (it can be a symlink to /proc/self/mounts). This file lists all currently mounted filesystems along with their initialization options.
```
/dev/sdb1 / ext3 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,noexec,nosuid,nodev 0 0
/sys /sys sysfs rw,noexec,nosuid,nodev 0 0
varrun /var/run tmpfs rw,noexec,nosuid,nodev,mode=0755 0 0
varlock /var/lock tmpfs rw,noexec,nosuid,nodev,mode=1777 0 0
udev /dev tmpfs rw,mode=0755 0 0
devshm /dev/shm tmpfs rw 0 0
devpts /dev/pts devpts rw,gid=5,mode=620 0 0
lrm /lib/modules/2.6.24-16-generic/volatile tmpfs rw 0 0
securityfs /sys/kernel/security securityfs rw 0 0
gvfs-fuse-daemon /home/alice/.gvfs fuse.gvfs-fuse-daemon rw,nosuid,nodev,user=alice 0 0
```
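fstab and mtab share the same six-field line format, so one parser serves both the field list and the option descriptions in the fstab section and the mtab listing just above. The following is an added example, not code from the original page: `parse_fstab` handles comments, missing dump/pass fields and the octal escapes (such as `\040` for a space) that /proc/self/mounts uses; `effective_options` resolves `defaults` and the options implied by `user`/`users`/`owner` in order, as mount(8) describes; and `audit` reports writable, user-reachable filesystems that lack nosuid, nodev or noexec. `SAMPLE_MTAB` is the mtab listing from this page, `SAMPLE_FSTAB` is constructed, and the policy encoded in `needs_hardening` and `USER_WRITABLE` is my own assumption to adjust locally.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

SAMPLE_MTAB = """\
/dev/sdb1 / ext3 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,noexec,nosuid,nodev 0 0
/sys /sys sysfs rw,noexec,nosuid,nodev 0 0
varrun /var/run tmpfs rw,noexec,nosuid,nodev,mode=0755 0 0
varlock /var/lock tmpfs rw,noexec,nosuid,nodev,mode=1777 0 0
udev /dev tmpfs rw,mode=0755 0 0
devshm /dev/shm tmpfs rw 0 0
devpts /dev/pts devpts rw,gid=5,mode=620 0 0
lrm /lib/modules/2.6.24-16-generic/volatile tmpfs rw 0 0
securityfs /sys/kernel/security securityfs rw 0 0
gvfs-fuse-daemon /home/alice/.gvfs fuse.gvfs-fuse-daemon rw,nosuid,nodev,user=alice 0 0
"""

SAMPLE_FSTAB = """\
# CONSTRUCTED example: <device-spec> <mount-point> <fs-type> <options> <dump> <pass>
UUID=00000000-0000-0000-0000-000000000001 /          ext4  errors=remount-ro     0 1
UUID=00000000-0000-0000-0000-000000000002 /home      ext4  defaults              0 2
tmpfs                                     /tmp       tmpfs defaults,nosuid,nodev 0 0
/dev/sdc1                                 /media/usb vfat  user,exec             0 0
/dev/sdb2                                 none       swap  sw                    0 0
"""


@dataclass
class MountEntry:
    spec: str
    mount_point: str
    fs_type: str
    options: List[str]
    dump: int
    pass_no: int


def _unescape(field: str) -> str:
    # /proc/self/mounts and fstab write spaces, tabs etc. as octal escapes such as \040
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_fstab(text: str) -> List[MountEntry]:
    """Parse the six-field format shared by /etc/fstab and /etc/mtab; dump/pass default to 0."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 4:
            raise ValueError(f"malformed entry: {raw!r}")
        dump = int(f[4]) if len(f) > 4 else 0
        pass_no = int(f[5]) if len(f) > 5 else 0
        entries.append(MountEntry(_unescape(f[0]), _unescape(f[1]), f[2], f[3].split(","), dump, pass_no))
    return entries


# Options that cancel each other, and options that imply others (per the descriptions above).
OPPOSITE = {"suid": "nosuid", "dev": "nodev", "exec": "noexec", "rw": "ro",
            "auto": "noauto", "user": "nouser", "sync": "async"}
OPPOSITE.update({v: k for k, v in OPPOSITE.items()})
IMPLIED = {"defaults": ["rw", "suid", "dev", "exec", "auto", "nouser", "async"],
           "user": ["noexec", "nosuid", "nodev"], "users": ["noexec", "nosuid", "nodev"],
           "owner": ["nosuid", "nodev"]}


def effective_options(options: List[str]) -> Set[str]:
    """Apply implied options in order, so 'user,exec' keeps nosuid and nodev but ends up with exec."""
    state: Set[str] = set()
    for opt in options:
        for o in IMPLIED.get(opt, []) + [opt]:
            state.discard(OPPOSITE.get(o, ""))
            state.add(o)
    return state


HARDENING = ("nosuid", "nodev", "noexec")
USER_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/media", "/mnt", "/run/user")


def needs_hardening(e: MountEntry, eff: Set[str]) -> bool:
    """Writable filesystems that unprivileged users can place files on (policy assumption)."""
    if "ro" in eff:
        return False
    if e.fs_type in ("tmpfs", "vfat", "exfat", "ntfs") or e.fs_type.startswith("fuse"):
        return True
    if eff & {"user", "users", "owner"}:
        return True
    return any(e.mount_point == p or e.mount_point.startswith(p + "/") for p in USER_WRITABLE)


def audit(text: str) -> Dict[str, List[str]]:
    """mount point -> hardening options it lacks, for the entries that should carry them."""
    findings = {}
    for e in parse_fstab(text):
        eff = effective_options(e.options)
        if not needs_hardening(e, eff):
            continue
        wanted = [o for o in HARDENING if not (o == "nodev" and e.mount_point == "/dev")]
        missing = sorted(o for o in wanted if o not in eff)
        if missing:
            findings[e.mount_point] = missing
    return findings


if __name__ == "__main__":
    print("fstab (constructed):", audit(SAMPLE_FSTAB))
    print("mtab (from the page):", audit(SAMPLE_MTAB))
```

On the page's own mtab the audit singles out /dev/shm (world-writable tmpfs mounted with plain `rw`), /dev (no nosuid/noexec; nodev is deliberately not required there), the volatile module directory and the user's FUSE mount lacking noexec, while /var/run and /var/lock pass because they already carry all three options.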