1.6. Set-uid

In Table 1.1 (see p. 6) there was an entry for user or group set-ID (suid and guid). This permission bit has been a hot potato for the last few years. Some vendors do not allow the implementation of this bit, or completely ignore it even if it has been set, because of the security risk it poses. So what’s all the fuss about?

The idea behind suid is that the person who is running a script where the owner has set the suid inherits the permissions of the owner of the script. So if root has a script that has a suid bit set and an ordinary user runs this script, he assumes root privileges for the script’s run time. The same principle applies to guid, which assumes the privileges of the group that owns the script.

1.6.1. Why use set-uid?

Why use this type of script? Well, here’s a good case. I look after a few large database systems, and backing up these databases requires a special system admin profile. I have created a few scripts and made them guid, so that certain users whom I allow to run these scripts do not have to log in as the database administrator and possibly cause accidental damage to the servers. By running these scripts they get all the rights to do the database dumps and other admin work, but when the script ends they are back to their normal user privileges.

Quite a few UNIX commands are also suid and guid. To find out which they are, cd into the /bin or /sbin directory and type:

    $ ls -l | grep '^...s'

The above lists suid files.

    $ ls -l | grep '^...s..s'

The above lists suid and guid files.
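The grep patterns above read the mode column of ls output, which works but depends on the exact column layout and only matches a lower-case s. As an added example (not code from the book), the POSIX shell script below does the same audit with find(1), whose -perm tests look at the mode bits directly, and compares it with the grep approach on a constructed scratch directory. The scratch files, their names and mktemp are assumptions made for the demonstration; the /bin count at the end shows the same function on a real directory.

```shell
#!/bin/sh
# Added example: audit set-uid / set-gid files with find(1) instead of grepping
# ls output. -perm -4000 tests the suid bit and -perm -2000 the sgid bit, so a
# file whose special bit is set without an execute bit (shown by ls as a
# capital S) is still reported.

# list_special DIR: print every regular file under DIR that has suid or sgid set.
# -H resolves DIR itself if it is a symlink (e.g. /bin -> /usr/bin).
list_special() {
    find -H "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# list_special_grep DIR: the book's approach, for comparison. The patterns only
# match a lower-case s, i.e. a special bit that sits over a set execute bit.
list_special_grep() {
    ( cd "$1" && ls -l | grep -e '^...s' -e '^......s' ) || true
}

# count_special DIR: number of files find reports, handy for a quick audit diff.
count_special() {
    list_special "$1" | wc -l | tr -d ' '
}

# build_scratch: create a throwaway directory with constructed files so the
# functions can be tried without touching /bin. Prints the directory path.
build_scratch() {
    d=$(mktemp -d) || return 1
    : > "$d/plain";     chmod 0755 "$d/plain"      # ordinary executable, no special bit
    : > "$d/suid";      chmod 4755 "$d/suid"       # rws r-x r-x
    : > "$d/both";      chmod 6711 "$d/both"       # suid and sgid with execute
    : > "$d/capital_S"; chmod 4644 "$d/capital_S"  # rwS r-- r--: suid bit but no execute
    printf '%s\n' "$d"
}

# main: run both listings on the scratch directory, count /bin, and clean up.
main() {
    d=$(build_scratch) || exit 1
    echo "find-based audit of $d:";  list_special "$d"
    echo "grep-based listing of $d:"; list_special_grep "$d"
    echo "set-uid/set-gid files under /bin: $(count_special /bin)"
    rm -rf "$d"
}

main "$@"
```

Running it shows that find reports the capital_S file while the grep listing does not; when auditing a live system that difference is exactly the kind of file worth a second look, since a later chmod +x would turn it into a working set-uid program.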

Now that we understand what set-id is, how do we set it? Here’s how. For a suid you put 4 in front of the permission bits that you are going to set. For a guid you put 2 in front of the permission bits that you are going to set. To have both suid and guid, add 4 and 2 together and put 6 in front.

With the bits set, an ‘s’ is placed over the position of the ‘x’. Please note: an execute bit must be set as well; for example, if I wanted to set a guid, I would also make sure that group had execute permission.

If I wanted to change my file logit to be suid, and it currently has permissions of rwx rw- r-- (741), I need to put a 4 in front of my normal chmod permissions, so I type chmod 4741, which changes it to rws rw- r--.

    $ chmod 4741 logit

1.6.2. Adding set-uid permission examples

Here are a couple of examples:

Table 1.7. Adding set-uid permissions

    Doing this    Sets it to this    Which means
    chmod 4755    rws r-x r-x        File has suid set; owner has read, write and execute; group and others have read and execute.
    chmod 6711    rws --s --s        File has suid and guid set; owner has read, write and execute.
    chmod 4764    rws rw- r--        File has suid set; owner has read, write and execute; group has read and write; other has read.

I could also use the symbolic method to add the suid bit if I wanted. If my file had the set of permissions rwx r-x r-x, then by giving it suid:


chmod u+s <filename> 

The permissions of the file would then look like: rws r-x r-x.

You may sometimes see an S when looking for suid files, similar to rwS r-x r-x. What this means is that the execute bit has not been set under the s, so the mode is displayed with an upper case S. It is a useless suid permission state; ignore it.
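To make the octal and symbolic notations from this section concrete, here is an added example (not from the book) in POSIX shell: sym_to_octal turns the permission string ls prints, with or without the spaces used in the text, into the four-digit mode chmod takes, treating a lower-case s or t as "special bit plus execute" and an upper-case S or T as "special bit without execute". The main function then applies each chmod from Table 1.7, plus the u+s form and a suid-without-execute case, to a scratch file and prints what ls actually reports, so the two notations can be compared on a live system. The scratch file name logit, mktemp and the helper names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: convert between ls permission strings and chmod octal modes,
# then apply the modes from Table 1.7 to a scratch file and read them back.

# mode_of FILE: the 10-character permission field from ls -l, e.g. -rwsr-xr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# sym_to_octal STRING: "rws rw- r--", "rwsrw-r--" or "-rwsrw-r--" -> 4764.
# The first digit carries suid (4), sgid (2) and sticky (1); the other three
# are the usual owner / group / other triplets.
sym_to_octal() {
    s=$(printf '%s' "$1" | tr -d ' ')
    if [ ${#s} -eq 10 ]; then s=${s#?}; fi        # drop ls's file-type character
    if [ ${#s} -ne 9 ]; then
        echo "sym_to_octal: expected 9 permission characters, got '$1'" >&2
        return 1
    fi
    special=0 digits='' t=1
    while [ $t -le 3 ]; do
        start=$(( (t - 1) * 3 + 1 ))
        trip=$(printf '%s' "$s" | cut -c "$start-$((start + 2))")
        v=0
        case $trip in r??) v=$((v + 4)) ;; esac
        case $trip in ?w?) v=$((v + 2)) ;; esac
        # lower-case x, s or t in the third slot means the execute bit is set;
        # upper-case S or T means the special bit is set but execute is not
        case $trip in ??[xst]) v=$((v + 1)) ;; esac
        case $t$trip in
            1??[sS]) special=$((special + 4)) ;;   # suid lives in the owner triplet
            2??[sS]) special=$((special + 2)) ;;   # sgid lives in the group triplet
            3??[tT]) special=$((special + 1)) ;;   # sticky lives in the other triplet
        esac
        digits="$digits$v"
        t=$((t + 1))
    done
    printf '%d%s\n' "$special" "$digits"
}

# apply_and_show MODE FILE: chmod the file, then print what ls reports and the
# octal recovered from that string, so the two notations can be compared.
apply_and_show() {
    chmod "$1" "$2" || return 1
    m=$(mode_of "$2")
    printf 'chmod %-5s -> %s -> %s\n' "$1" "$m" "$(sym_to_octal "$m")"
}

# main: walk through the Table 1.7 modes, the symbolic u+s form (starting from
# rwx r-x r-x as in the text) and a suid bit set without execute (the capital S).
main() {
    d=$(mktemp -d) || exit 1
    f="$d/logit"                  # constructed scratch file, named after the book's example
    : > "$f"
    for mode in 4755 6711 4764 u+s 4644; do
        chmod 0755 "$f"           # reset so each line starts from rwx r-x r-x
        apply_and_show "$mode" "$f"
    done
    rm -rf "$d"
}

main "$@"
```

The 4644 line is the case from the paragraph above: ls shows rwS r-- r--, and sym_to_octal reads that back as 4644, the suid bit recorded on a file nothing can execute. Because the script reads the mode back from the file system rather than from the table, the printed strings are what the kernel stores for each chmod, which is the check to run whenever a listed mode looks surprising.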

Note that chmod does no sanity checks; by this I mean you can give a file containing garbage any permission you like, and chmod will not check it. Just because a file has an execute bit set, do not assume it is a program or script.
