What Happens When You Run sudo ls?

When you run sudo ls, the process creation sequence introduces an additional layer due to the role of sudo in handling privilege escalation. This also involves modifications to the environment variables to ensure security.

1. Shell Forks a Child Process for sudo

• When you type sudo ls and press Enter, the shell (e.g., bash) creates a new child process using the fork() system call.

• The child process inherits:

  • The parent shell's environment variables.

  • Open file descriptors (e.g., stdin, stdout, stderr).

  • Permissions (UID and GID of the user running the shell).

• After forking, the child process replaces its code with the sudo binary using the execve() system call. This means:

  • The child process is now running the sudo program.

  • The parent shell process waits for the sudo process to complete.

2. sudo Modifies the Environment

• Before executing the ls command, sudo makes significant changes to the environment variables to prevent privilege escalation attacks. This ensures a secure execution context.

What Changes Does sudo Make?

1. Environment Variables Cleared:

   • Most environment variables inherited from the shell are cleared. This includes variables like $LD_PRELOAD or $LD_LIBRARY_PATH, which could be exploited to inject malicious libraries.

2. Essential Variables Retained:

   • A minimal set of variables is retained for compatibility:

     • $TERM: Maintains terminal settings.

     • $HOME: Often set to /root for the root user.

     • $PATH: Adjusted to include directories like /sbin and /usr/sbin, which are required for root-only commands.

   • Example of modified $PATH:

1. Optional Behavior:

   • If you run sudo with the -E flag (sudo -E ls), it preserves the parent shell's environment variables without clearing them. This can be useful but potentially insecure.

• At this stage, the modified environment is prepared, and sudo moves to execute the next process.

3. sudo Forks Another Child Process for ls

• After verifying your credentials (via cached credentials or a password prompt), sudo forks another child process.

• The new child process inherits the sanitized environment prepared by sudo.

• The child’s privileges are elevated to root:

  • UID is set to 0 (root user).

  • GID is set to 0 (root group).

• The child process replaces its code with the ls binary using the execve() system call, inheriting the adjusted environment and root-level permissions.

4. The ls Process Executes

• The ls process now executes with elevated privileges:

  • It runs with the environment prepared by sudo, allowing it to access files and directories restricted to regular users.

  • Example: Listing files in /root, which would be inaccessible without root privileges.

• Once ls completes its execution:

  • It sends an exit signal to the sudo process.

  • The sudo process terminates, passing control back to the original shell process.

Key Takeaways About Environment Changes

• 1. Default Behavior:

     • sudo sanitizes the environment by clearing potentially dangerous variables and retaining only essential ones for security.

  2. Customizing Behavior:

     • Use the -E flag to retain the parent shell's environment when running commands with sudo.

     • Define environment variables to keep using the env_keep directive in the /etc/sudoers file.

  3. Security Implications:

     • Clearing the environment helps prevent privilege escalation attacks where malicious code could be injected via variables like $LD_PRELOAD.

Revised Process Hierarchy

• Here’s the updated process flow with environment changes highlighted:

• This careful orchestration by the shell, sudo, and the kernel highlights Linux’s robust approach to process management and security. Understanding these details provides clarity on how Linux balances functionality with protection.

GOPAKUMAR RAJAPPAN

Programs and Process in Linux - 3

How the Linux Kernel Manages Multiple Processes…

Read more

7 months ago · GOPAKUMAR RAJAPPAN