Quote from: Ro-Jaws on June 29, 2013, 01:53 am
> Ah I see, now I am progressing. Sorry if I am being slow here, but could an attack gain root privileges if there is no password set? Presumably if system services require root access it can be accessed to allow them to run without any password being set by the user?
> +1 for patient explanations

The kernel has a process table that tracks stuff about each program running -- files currently opened by the process, the user ID of the account that started it, etc. Basically, when you try to do something basic in a program (basic as in read a file from the hard drive, etc.), you make a system call to the kernel. When you do that, the kernel checks the information for the calling process. Part of what it checks are the permissions of the file for the user ID that owns the process and whether the requested access to the file should be allowed (read, write, execute, etc.). If it decides access should be granted, it gets the data you requested and hands it to the calling program. The details vary by system call, but that's the basic idea.

If you somehow manage to replace the user ID of who started the calling process with root's user ID in the process table, the kernel will see the program as having been executed by the superuser no matter who actually started the program. Doing that is very tricky, but that's basically what a privilege escalation attack comes down to. So the password is pretty much a moot point.

In fact, locking an account with the "passwd" program at a shell actually is accomplished by changing the password for that account to something impossible (at least that's how it was a decade ago) -- so really the account doesn't get disabled, it's more that logging in as that user becomes impossible; but nothing else is actually done to the account.

In short, it really doesn't much matter if the account can't be logged in to if you can find a way to just bypass logging in and directly change the owning user for a process in the kernel's little "process info" section.

Also, when you execute a program in Linux (which amounts to creating a new process), what happens is the current process is cloned. A lot of the data is just copied from the entry in the process table, including the owning user. Since the kernel runs as root, everything that executes during boot is "copied" directly and is therefore executed as root as well. It's not until something deliberately changes its owning process (which root can always do, because root can do anything at all) that you actually end up as a different user.

So you can see how stuff like drivers and system management programs don't need to use a password at all -- they run as root no matter what the password for root is, provided the process that actually cloned itself to start a new program was root.
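An added example (not from the post above) illustrating the two points the reply makes: a forked child inherits the owning user of the process that cloned it without any password being consulted, and only a process already owned by root may pick a new owning user with setuid(). The target UID 12345 is an arbitrary constructed value.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child and report the UID the kernel copied into the child's
 * process-table entry. The child is simply a clone of the parent, so its
 * owning user is the parent's; no credential check or password is involved. */
uid_t inherited_uid_of_child(void) {
    int fd[2];
    if (pipe(fd) != 0) return (uid_t)-1;
    pid_t pid = fork();
    if (pid < 0) return (uid_t)-1;
    if (pid == 0) {                      /* child: send our UID to the parent */
        uid_t me = getuid();
        (void)write(fd[1], &me, sizeof me);
        _exit(0);
    }
    close(fd[1]);
    uid_t got = (uid_t)-1;
    if (read(fd[0], &got, sizeof got) != (ssize_t)sizeof got) got = (uid_t)-1;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return got;
}

/* Fork a child and have it try to change its own owning user with setuid().
 * Returns 1 if the kernel allowed it, 0 if it refused (EPERM). A child owned
 * by root may become any user (this is how services drop privileges at boot);
 * an unprivileged child cannot, regardless of any account's password. */
int child_can_become_uid(uid_t target) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) _exit(setuid(target) == 0 ? 0 : 1);
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    printf("parent uid %u, child inherited uid %u\n",
           (unsigned)getuid(), (unsigned)inherited_uid_of_child());
    printf("child could setuid(12345): %s\n",
           child_can_become_uid(12345) ? "yes (parent is root)" : "no (EPERM)");
    return 0;
}
```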