From Single-User Simplicity to Multi-User Complexity: Exploring Privilege Management and Security Evolution in Operating Systems

Written by Wyatt Melin on 7/23/24

To clarify why I'm writing this article, I'm currently preparing for the OSCP exam. My experience in hacking has taught me that while a month of enumeration might suffice, delving deeper can make a significant difference. Hacking is not just about technical skills—it's a mindset. There is no single solution or programming language that dominates; rather, all options are on the table. I believe in the importance of becoming familiar with various subsystems of the operating system, as this knowledge is crucial for effective enumeration.

The primary goal of this article is to deepen my understanding of key components of the operating system and how they integrate into the process of privilege escalation. Operating systems are a complex network of subsystems designed to segregate user processes from sensitive system operations. With my exam focusing on exploiting applications on Linux, Windows, Active Directory, and reporting, I will specifically concentrate on access control and privilege escalation, while placing less emphasis on other subsystems.

During graduate school, I discovered that teaching topics to others was the most effective way for me to understand them. The exams were challenging, and this method helped solidify my knowledge. I'm grateful for all feedback—positive or negative—as it is always welcome. Occasionally, I incorporate meta-characters or humor into my writing to aid memory retention. Fair warning: sometimes the jokes land well, and other times, not so much.

Winding Back to a Simpler Time: MS-DOS

When computers first emerged in the mid-20th century, they were designed to run a single program at a time. The boot process of MS-DOS exemplifies this simplicity. Upon starting, the computer would first execute a POST (Power-On Self Test) to check the hardware's functionality. If the hardware checks were successful, the BIOS (Basic Input/Output System) would then search for a bootable disk, usually a floppy disk or hard drive. Once found, it would load the initial system files of MS-DOS into memory, namely IO.SYS and MSDOS.SYS, effectively handing control over to the operating system. IO.SYS acted as the interface between MS-DOS and the computer's hardware, managing device interactions and system initialization. Following this, MSDOS.SYS took over, providing the essential system services for file and memory management, and program execution. The final step in the boot process involved loading COMMAND.COM, the command line interpreter, which allowed users to interact with the system by typing commands. This sequence ushered in the MS-DOS era of single-tasking capability, reflective of both early hardware limitations and the nascent state of software development.[1]

In the MS-DOS era, physical security was the ultimate cybersecurity tool. Lacking robust security features, protecting a computer required controlling physical access to prevent malicious software, or malware, from sneaking in. Imagine a vigilant sentinel, Chuck, guarding the computer like a saloon door. He'd eye you up and down before growling, "What do you need access for, partner?" If you didn't have a legitimate reason, he'd block you faster than a sheriff slapping handcuffs on a rustler. Chuck was the best form of access control, and if you somehow managed to sweet-talk your way past him, you'd still have free rein over the system. With no concepts like user accounts or privilege levels, if you got past Chuck, you could privilege escalate faster than a cowboy lassoing a steer. But Chuck was the ultimate gatekeeper, and with him on watch, the MS-DOS computer was safer than a gold nugget in a locked safe. And that attack surface was narrow, limited to physical access and a handful of system calls.

...

Evolution to Modern Operating Systems

As computers evolved, it became clear that there was a need for multi-tasking and multi-user capabilities in operating systems. Modern operating systems like Unix, Linux, and Windows introduced concepts of users, permissions, and privilege levels, allowing multiple users to operate concurrently, each with different levels of access and control over the system. This capability is crucial for both personal computing and enterprise environments, where resources need to be shared among multiple users and processes.

Access Control and Permissions in Modern Operating Systems

To manage multitasking effectively, operating systems must work closely with the processor to develop a framework for parallel processing. This collaboration ensures that multiple processes can be executed simultaneously without interference, making efficient use of the CPU’s capabilities. Managing multiple processes and users involves scheduling, resource allocation, and isolation. Strict isolation between user-level operations and system-level operations is necessary to ensure security and stability. This isolation prevents user processes from interfering with critical system operations and other user processes. For example, it would be a significant concern if your local text editor had full access to processes and memory locations throughout the operating system, as this could lead to security breaches or system instability. When the computer first boots up, it initially starts in kernel mode, and then the operating system transitions between kernel mode and user mode as needed. This process is often referred to as a “Protection ring” [2].

... Figure 2: The Privilege Rings model in x86 computer systems, depicting different levels of access permissions from Ring 0 (Kernel) with the highest privilege to Ring 3 (Applications) with the lowest privilege. This model helps ensure system stability and security by restricting access to critical resources and operations based on the level of privilege. https://en.wikipedia.org/wiki/Protection_ring

While it is clear that computers have become more efficient with time, even with all these improved security controls, this has still come with the tradeoff of a wide attack surface. Attackers can effectively take advantage of this complexity that follows modern computers, often without the victim knowing it’s happening. We must remain vigilant of evolving threats and get creative in how we detect and trap such attacks, in conjunction with maintaining pristine access control.

Understanding Windows and Permissions

In my exploration of Windows, I've noted that certain aspects of the operating system remain undocumented by Microsoft, likely due to its proprietary nature. This includes details like the API calls of NTDLL. In contrast, information about Linux is more readily accessible online, which aligns better with my personal setup that predominantly features MacOS and Linux systems on a pfSense network. Despite these challenges, I occasionally find valuable nuggets of information directly on the Microsoft website, or through YouTube professionals who delve into the intricacies of the boot process and hardware level operations. To ensure accuracy and integrity in my understanding, I make it a point to meticulously cite these sources.

... The architecture of the Windows operating system, highlighting the interaction between system processes, services, applications, and the kernel. This structure, originating from earlier versions like Windows 2000, has evolved in modern versions such as Windows 10 with enhanced security, performance, and additional features. https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/overview-of-windows-components

To help better understand the technical components of the Windows boot process and system management, I've added some cowboy characters to illustrate how these technologies communicate and work together. These characters will provide a memorable way to grasp these concepts.

The Windows boot process begins with the BIOS/UEFI performing a Power-On Self Test (POST), followed by the bootloader (Bootmgr) loading the Windows Boot Manager from the Master Boot Record (MBR) or GUID Partition Table (GPT). The Boot Manager reads the Boot Configuration Data (BCD) to locate and execute the OS loader (Winload.exe), which loads essential system drivers, the kernel (ntoskrnl.exe), and the Hardware Abstraction Layer (HAL). NTDLL.dll is loaded early to provide essential system calls and support for the Windows kernel, effectively linking user-mode applications and processes to ntoskrnl.exe. [3] [4]

The Session Manager Subsystem (smss.exe) is the first user-mode process, initializing system sessions and starting the Client Server Runtime Subsystem (csrss.exe). SMSS is responsible for setting up the environment in which the rest of the system operates, including the creation of paging files and various system variables. (Sheriff Sam "Smss" Masters: The Sheriff of the town, responsible for setting up the town's daily operations and ensuring everything runs smoothly. Sheriff Sam rides into town at dawn, setting up the town's environment, ensuring all the structures (paging files) and rules (system variables) are in place. He kicks off the day by waking up his deputies and setting them to work.) [5]

The Client Server Runtime Subsystem (csrss.exe) manages user-mode graphical interfaces and threading. It handles console windows, creating and deleting threads, and crucial operations needed for the Win32 subsystem. CSRSS is essential for the graphical user interface and user interaction in the system. (Deputy Clint "Csrss" Springer: The Deputy who manages the town's interactions and keeps everything running smoothly in the user interface. Deputy Clint is the backbone of the town’s activities, handling all interactions between the townsfolk (user-mode graphical interfaces) and ensuring that tasks (threads) are carried out efficiently. He's the go-to guy for opening and closing shops (console windows) and making sure everyone is doing their job.) [6]

The WinLogon process (winlogon.exe) handles secure user logon procedures. It is responsible for managing user logins and logouts, starting the user session, and launching the initial user applications. Winlogon also manages the secure attention sequence (Ctrl+Alt+Del) to ensure that the login interface is secure. (Gatekeeper Wyatt "Winlogon" Gates: The town’s gatekeeper, responsible for managing who enters and leaves the town, ensuring that only authorized folks get in. Gatekeeper Wyatt stands at the town's entrance, verifying the identities of everyone who comes in (user logon procedures). He's also responsible for the town’s safety rituals (Ctrl+Alt+Del), making sure that no outlaw can sneak in unnoticed.) [9]

The Local Security Authority Subsystem Service (lsass.exe) enforces security policies, manages user authentication, and oversees access controls. LSASS is critical for maintaining system security, as it ensures that users are properly authenticated and that security policies are enforced throughout the operating system, making it vital for preventing unauthorized privilege escalation. (Marshal Luke "Lsass" Steele: The Marshal who enforces the town's laws and security policies, ensuring that the town remains safe from any threats. Marshal Luke is the law enforcer, making sure that everyone in town is who they say they are (user authentication) and that all the laws (security policies) are followed to the letter. He’s always on the lookout for troublemakers trying to cause chaos (preventing unauthorized privilege escalation).) [10]

Finally, the Service Host (svchost.exe) runs multiple instances to manage various system services efficiently. Svchost.exe is a generic host process for services that run from dynamic-link libraries (DLLs). By grouping multiple services into a single process, it helps to reduce system resource usage and improve overall efficiency. (Rancher Ray "Svchost" Clark: The Rancher who efficiently manages multiple tasks and services, ensuring that the town runs smoothly without wasting resources. Rancher Ray oversees a group of hardworking ranch hands (services) who handle various tasks around the town. By organizing them into groups (processes), he ensures that the town operates efficiently and resourcefully, without any unnecessary waste.) [24]

How They Communicate:

  • Sheriff Sam (smss.exe) kicks off the day by setting up the town and calling Deputy Clint (csrss.exe) to manage the daily operations.
  • Deputy Clint (csrss.exe) ensures all interactions and tasks are handled properly, coordinating closely with Gatekeeper Wyatt (winlogon.exe) to manage who enters and exits the town.
  • Gatekeeper Wyatt (winlogon.exe) verifies and allows the town's residents to start their day, ensuring security protocols are followed.
  • Marshal Luke (lsass.exe) keeps an eye on everyone, making sure that only the right people are in town and that they follow the law.
  • Rancher Ray (svchost.exe) ensures that all the daily tasks are done efficiently, grouping services together to maximize productivity.

Throughout this process, components like NTDLL.dll and lsass.exe play key roles in access control by ensuring that only authorized users and processes can gain elevated privileges, thus protecting the system from potential security breaches.

In addition to these processes, it's important to understand where Windows stores user account information. For non-Active Directory user accounts, the Security Account Manager (SAM) database stores the account information and hashed passwords. The SAM database is located in the C:\Windows\System32\config\SAM[7] file. For environments using Active Directory, user account information and passwords are stored in the Active Directory database, which is contained in the NTDS.dit file, typically located in the C:\Windows\NTDS\[8] directory on domain controllers.

Windows hardening is a crucial practice to enhance the security of a system and prevent privilege escalation. Here are the primary steps and considerations for effective Windows hardening:



1. Secure Clean OS Installation

  • Custom Image Creation: Develop a custom OS image tailored to your environment to ensure consistency and eliminate unnecessary software.
  • Inclusions: Essential applications, necessary configuration changes, and tested updates should be included in the custom image.
  • Benefits: Avoids preinstalled bloatware, ensures uniformity across hosts, and simplifies troubleshooting and updates.

2. Updates and Patching

  • Automatic Updates: Use Windows Update Orchestrator for automatic updates or set up a WSUS server for centralized update management.
  • Regular Restarts: Some updates require a restart, so regular host reboots are recommended.
  • Testing: Test updates in a development environment before deploying them enterprise-wide to prevent disruptions.

3. Configuration Management

  • Group Policy: Utilize Group Policy for centralized management of user and computer settings.
  • Granular Control: Manage detailed configurations such as user backgrounds, Windows Defender settings, and browser preferences.

4. User Management

  • Account Limitations: Minimize the number of user and admin accounts, enforce strong password policies, and use two-factor authentication (2FA).
  • Group Membership: Ensure users are not placed in groups with excessive privileges and enforce login restrictions for administrator accounts.

5. Audit

  • Regular Security Checks: Perform periodic security and configuration audits using security baselines like DISA STIGs or Microsoft's Security Compliance Toolkit.
  • Supplementary Measures: Combine audits with vulnerability scans, penetration tests, and strong patch management for comprehensive security.

6. Logging

  • Sysmon: Implement Sysmon for detailed logging of processes, network connections, and login attempts.
  • Network and Host Logs: Use tools like PacketBeat and Security Onion for network traffic monitoring and log analysis.

7. Key Hardening Measures

  • Secure Boot and Disk Encryption: Enable BitLocker for disk encryption.
  • Audit and Clean-Up: Audit writable files and directories, clean up home directories, and remove unnecessary packages and services.
  • Configuration Enforcement: Use Group Policy to enforce security configurations and Device Guard and Credential Guard for added protection.

Conclusion

  • Comprehensive Approach: System hardening involves a combination of proper OS installation, regular updates, configuration management, user management, audits, and logging.
  • Tailored Security: Customize security measures to fit your organization's specific needs and operational environment.
  • Continuous Improvement: Regularly train staff, stay updated on new vulnerabilities, and validate security measures to ensure ongoing protection.

Understanding Linux and Permissions

When a Linux machine first boots up, the initial step involves the Basic Input/Output System (BIOS) or Unified Extensible Firmware Interface (UEFI). These firmware interfaces are essential as they initialize and test the computer's hardware components, such as the keyboard, mouse, hard drive, and display. The BIOS or UEFI performs a Power-On Self Test (POST) to ensure all hardware components are functioning correctly. This test checks the system memory, processor, and other critical hardware. If the POST completes successfully, it confirms that the hardware is ready for use.

... Diagram showing the Linux boot process, starting from System Startup (BIOS), followed by MBR Bootloader, GRUB, Kernel Initialization, INIT, and finally reaching the Run Level. Source https://www.geeksforgeeks.org/how-linux-kernel-boots/

After the POST, the BIOS or UEFI searches for a boot loader to continue the boot process. The boot loader is a small program responsible for loading the operating system into memory. Typically, the BIOS/UEFI checks the boot order configured in its settings, usually starting with the hard drive but possibly including other devices like USB drives or network options. On BIOS systems, the boot loader is located in the Master Boot Record (MBR) of the primary hard drive. In UEFI systems, it is found in the EFI System Partition (ESP) and follows the GUID Partition Table (GPT) format.

Once the boot loader, such as GRUB (Grand Unified Bootloader), takes control, it presents a menu allowing the user to select the operating system or specific kernel options. After a selection is made, GRUB loads the Linux kernel into memory. The kernel then initializes various components of the computer and operating system. This includes CPU and memory examination, ensuring the CPU and system memory are functioning correctly; device bus discovery, identifying the buses connected to the system, such as PCI or USB; and device discovery and initialization, detecting and initializing devices connected to these buses. Additional kernel setup tasks are performed as required for system operation.

One critical task is mounting the root filesystem. Initially, the kernel mounts it in read-only mode to perform a filesystem check (fsck) if necessary and then remounts it in read-write mode. Once the kernel has completed its initialization tasks, it starts the initial user-space process. Traditionally, this is the init process (or systemd in modern Linux distributions). The initial process is responsible for reading configuration files, such as /etc/inittab in systems using traditional init, and starting the necessary system services based on the run-level configuration. These services and scripts are located in directories like /etc/init.d or /etc/systemd/system.

In systems using traditional init, boot scripts located in /etc/init.d manage individual services. These scripts accept commands like "start" and "stop" to control services. The order in which services start and stop is managed by symbolic links in directories like /etc/rc[0-6S].d, where the naming convention (e.g., S80sendmail) determines the order of execution.

Modern boot loaders, such as GRUB, provide flexibility by allowing users to select from multiple kernels, switch between sets of kernel parameters, and even boot different operating systems. This flexibility is particularly useful for recovery scenarios or custom kernel configurations. GRUB, for instance, allows interactive use to specify an alternative kernel or to pass additional parameters to the kernel. [14][15]

systemd and Its Role in the Boot Process

Systemd is a critical component of modern Linux distributions, acting as the initial process (PID 1) when the system boots. It plays a pivotal role in initializing the system, managing services, and maintaining system stability. As the first process started by the kernel, systemd reads unit files from directories like /etc/systemd/system/ and /lib/systemd/system/ to determine which services to start and in what order. These unit files specify how to manage system services, mount file systems, and perform various initialization tasks. [23]

Systemd handles dependencies between services, ensuring they start in the correct order. For example, the NetworkManager.service should start before the sshd.service to ensure networking components are ready to handle incoming SSH connections. This dependency management ensures that services are started in the correct sequence and can operate smoothly.

At the time of this writing, I have about 34 systemd services running on my Ubuntu machine. Rather than go through the exhaustive list of all services, I will highlight only four that relate to logging in via SSH and have authentication-related functions: sshd, polkit, accounts-daemon, and systemd-logind.

One interesting observation about these services is that they initially start the boot process as the root user but then transition to a lower-privileged user. This concept is known as privilege dropping or user dropping. Some of these services require root privileges initially to perform certain tasks, but they don’t need root for every function. [16][13]

For example, let’s examine the OpenSSH service. The sshd service runs as root because it requires access to system-level resources. Specifically, it must listen on the default SSH port 22, a privileged port that requires root privileges to bind. Additionally, it manages user authentication, including verifying passwords and using PAM (Pluggable Authentication Modules), which also necessitates root access. Furthermore, sshd needs to access and manipulate user data to establish user sessions correctly. After successful authentication, sshd switches to the authenticated user's privileges using system calls like setuid() and setgid(), transitioning to the user's UID and GID. This privilege dropping enhances security by ensuring the process runs with only the necessary permissions, minimizing the risk associated with running processes as root. This setup allows sshd to perform the initial tasks that require elevated privileges while maintaining a secure environment for user sessions.

SSH and PAM

When you initiate an SSH connection, the server's SSH Daemon (sshd.service) starts listening and begins the process of authenticating your login. Systemd, the system and service manager, ensures that the sshd service is active and ready to handle these requests.

Authentication is managed by the Pluggable Authentication Modules (PAM), which is a flexible system processing authentication requests configured in /etc/pam.d/sshd. [17] These configuration files utilize a variety of modules to conduct checks such as password verification and the enforcement of security policies. If all criteria are met, the user is successfully authenticated.

PAM acts much like the conceptual Chuck sentinel described earlier in the MS-DOS section, serving as a gatekeeper. Chuck has been virtualized! However, unlike the simple gatekeeping of MS-DOS, PAM is capable of consulting multiple sources for authentication—such as password databases, biometric systems, and hardware tokens. This allows PAM to make nuanced decisions about whether to grant access, the duration of access, and the actions a user is permitted to perform, enhancing both flexibility and security.

UID and GID

After successful authentication, the SSH daemon must switch from running under the root user context to the authenticated user's context. This involves changing the process's User ID (UID) and Group ID (GID) to those of the authenticated user. The UID and GID are unique identifiers assigned to each user and group on the system. They are stored in the system's user database, typically found in /etc/passwd [18] for UIDs and /etc/group [19] for GIDs.

The SSH daemon uses system calls like setuid() and setgid() to switch to the user's UID and GID. This is crucial for enforcing file permissions and access control, ensuring that the user operates with the correct privileges. For instance, the user will have access to their home directory and files, while being restricted from accessing files owned by other users or the system.[12][13]

Elevated Privileges with Polkit

Once authenticated, if you perform actions requiring elevated privileges (e.g., using sudo), the polkit.service (PolicyKit) determines your authorization based on configured policies. PolicyKit is a toolkit for defining and handling authorizations. When you run a command with sudo, it intercepts this request and checks the configured policies to determine whether your user account has the necessary permissions to perform the action. Policies can be configured to require re-authentication, limit access to certain users, or grant permissions based on group membership. For instance, if you attempt to install a package or modify system settings, polkit evaluates the request against its rules and either grants or denies the permission based on your user rights and the current system policy. [20]

Linux Hardening

Linux hardening is a crucial practice to enhance the security of a system and prevent privilege escalation. Here are the primary steps and considerations for effective Linux hardening:

Updates and Patching

  • Periodic Updates: Regularly updating the Linux kernel and all installed packages is essential. This helps mitigate vulnerabilities that could be exploited for privilege escalation.
  • Automated Updates: Use packages like unattended-upgrades on Ubuntu or yum-cron on Red Hat to automate the process of updating and patching systems.

Configuration Management

  • Audit Writable Files and Directories: Regularly check for writable files and directories, especially those that should not be writable by normal users.
  • SUID Bit: Audit binaries set with the SUID bit, which can be used for privilege escalation if misconfigured.
  • Absolute Paths: Ensure all cron jobs and sudo privileges use absolute paths for binaries to avoid path hijacking.
  • Cleartext Credentials: Avoid storing credentials in cleartext in world-readable files.
  • Clean Home Directories: Regularly clean up home directories and bash history to remove sensitive information.
  • Library Permissions: Ensure low-privileged users cannot modify any custom libraries used by programs.
  • Remove Unnecessary Packages and Services: Uninstall any unnecessary software that increases the attack surface.
  • SELinux: Consider implementing SELinux for additional access controls.

User Management

  • Limit User Accounts: Minimize the number of user and admin accounts to reduce potential attack vectors.
  • Log and Monitor Logon Attempts: Ensure logon attempts are logged and monitored to detect unauthorized access attempts.
  • Strong Password Policies: Enforce strong password policies and regular password rotations. Use the /etc/security/opasswd file with the PAM module to restrict password reuse.
  • Least Privilege Principle: Limit sudo rights and group memberships based on the principle of least privilege.

Automation and Monitoring

  • Configuration Management Tools: Use tools like Puppet, SaltStack, Zabbix, and Nagios to automate checks and apply consistent configurations across systems.
  • Checksum Verification: Use checksum verification tools like Zabbix's vfs.file.cksum to detect tampering with sensitive binaries.

Audit

  • Regular Audits: Perform regular security and configuration audits using tools like Lynis, which provide comprehensive reports on system hardening.
  • Compliance Frameworks: Follow security baselines such as DISA STIGs, ISO27001, PCI-DSS, and HIPAA to establish and maintain security standards.
  • Supplement with Penetration Testing: Use audits and configuration reviews to supplement regular vulnerability scanning and penetration testing.

Conclusion

In conclusion, the evolution from single-user simplicity to multi-user complexity in operating systems has significantly transformed how we manage privileges and security. The journey from the MS-DOS era, where physical security was paramount, to modern operating systems like Unix, Linux, and Windows, underscores the importance of comprehensive access control and the enforcement of privilege levels.

My exploration and study for the OSCP exam have reinforced that mastering these concepts requires not only technical skills but also a mindset that embraces the complexity and nuances of different operating systems. Teaching and sharing this knowledge through articles has not only helped me solidify my understanding but also connect with a broader audience who share similar interests and challenges.

As we've seen, modern operating systems implement sophisticated mechanisms for managing multitasking and user isolation, enhancing both security and system stability. However, this complexity also broadens the attack surface, making it crucial to remain vigilant against evolving threats. Effective system hardening, regular updates, and rigorous access control are essential practices for maintaining security in both Windows and Linux environments.

Looking ahead, the ongoing efforts in 2024 to rewrite the entire technology stack to optimize for AI mark a significant milestone. This includes advancements in hardware, compilers, and the software stack. Notably, my former professor, Brighten Godfrey, is part of a $12 million NSF-funded project to develop a new AI-driven operating system. This intelligent and self-adaptive operating system aims to enhance performance and energy efficiency by leveraging machine learning. This ambitious project highlights the future direction of operating systems, integrating AI to create more adaptive and efficient systems. Who knows what kind of daemons and access control we will see in the future.

In summary, the comprehensive approach to understanding and securing operating systems involves continuous learning, adapting to new vulnerabilities, and employing best practices for system management. By doing so, we can ensure robust security and efficient operation in an increasingly interconnected and complex digital landscape.

For more insights into the AI operating system project led by Professor Brighten Godfrey, visit this article.

References

  1. booting-process-in-dos-operating-system [1]
  2. Farivar, Reza. "Brief History Lesson." Week 12: Virtualization: System Background. Cloud Computing Applications, University of Illinois. [2]
  3. How Computers BOOT: From Startup to Viruses [3]
  4. Overview of Windows Components [4]
  5. Session Manager Subsystem [5]
  6. Client/Server Runtime Subsystem [6]
  7. Security Account Manager [7]
  8. Understanding NTDS.DIT: The Core of Active Directory [8]
  9. Winlogon [9]
  10. Local Security Authority Subsystem Service [10]
  11. bootup - System bootup process [11]
  12. uidswap.c [12]
  13. sshd.c [13]
  14. boot - System bootup process based on UNIX System V Release 4 [14]
  15. How Linux Kernel Boots? [15]
  16. setuid, seteuid, setgid, setegid — set user and group ID [16]
  17. Configure SSH to use two-factor authentication [17]
  18. passwd - the password file [18]
  19. group - user group file [19]
  20. polkit - Authorization Framework [20]
  21. How to get root on Ubuntu 20.04 by pretending nobody’s /home [21]
  22. systemd-logind.service, systemd-logind - Login manager [22]
  23. SystemdForUpstartUsers [23]
  24. svchost.exe [24]