Using SUID and SGID on regular files

When a regular file that is executable has its SUID permission set, whoever runs it executes it with the privileges of the file's owner rather than their own: the process's effective user ID becomes that of the owner for as long as the program runs.

To demo this, let's say that Maggie, a regular, unprivileged user, wants to change her own password. Since it's her own password, she would just use the one-word passwd command, without using sudo:

[maggie@localhost ~]$ passwd
Changing password for user maggie.
Changing password for maggie.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[maggie@localhost ~]$

To change a password, the program has to write to the /etc/shadow file, which holds the password hashes. On my CentOS machine, the shadow file's permissions look like this:

[donnie@localhost etc]$ ls -l shadow
----------. 1 root root 840 Nov 6 19:37 shadow
[donnie@localhost etc]$

On an Ubuntu machine, they look like this:

donnie@ubuntu:/etc$ ls -l shadow
-rw-r----- 1 root shadow 1316 Nov 4 18:38 shadow
donnie@ubuntu:/etc$

Either way, the permissions settings don't allow Maggie to modify the shadow file, and yet her passwd command just modified it. So, what's going on? To answer this, let's go into the /usr/bin directory and look at the permissions settings for the passwd executable file:

[donnie@localhost etc]$ cd /usr/bin

[donnie@localhost bin]$ ls -l passwd
-rwsr-xr-x. 1 root root 27832 Jun 10 2014 passwd
[donnie@localhost bin]$

For the user permissions, you will see rws instead of rwx. The s in the owner's executable position indicates that this file has the SUID permission set. Since the file belongs to the root user, anyone who executes it runs it with root's privileges. The fact that we see a lowercase s means that the file also has the executable permission set for the owner; an uppercase S would mean that SUID is set but the executable bit is not, which is useless and usually a sign of a mistake. Since the root user is allowed to modify the shadow file, whoever uses this passwd utility to change his or her own password can also modify the shadow file. Note that the privilege is granted only for the duration of that program, so it is the program's own logic that limits what the user can do with it: passwd only rewrites the caller's own entry, which is exactly why SUID root binaries have to be written with extreme care.

A file with the SGID permission set has an s in the executable position for the group:

[donnie@localhost bin]$ ls -l write
-rwxr-sr-x. 1 root tty 19536 Aug 4 07:18 write
[donnie@localhost bin]$

The write utility, which belongs to the tty group, allows users to send messages to other users via their command-line consoles. It works because terminal devices under /dev are group-owned by tty and are group-writable, so running write with the effective group ID tty lets an ordinary user write to another user's terminal without giving them write access to anything else.
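The practical follow-up to both the SUID and the SGID listings above is auditing your own system for files carrying those bits. The following shell script is an added example, not part of the book: it decodes the mode field shown by ls -l (distinguishing a lowercase s from the uppercase S that means the bit is set without execute permission), lists every regular file under a directory that has SUID or SGID set, and builds a throwaway directory of constructed sample files so the audit can be tried offline as an unprivileged user. The function names, the sample file names and the output format are all my own choices.

```shell
#!/bin/sh
# Added example (not from the book): decode ls -l mode strings and audit a
# directory tree for SUID/SGID files. Runs as an ordinary user.

# describe_mode MODE
# MODE is the 10-character permission field from `ls -l`, e.g. -rwsr-xr-x.
# A trailing '.' (SELinux) or '+' (ACL) is ignored. Prints the special bits
# found, space separated: suid, suid-noexec, sgid, sgid-noexec, sticky,
# sticky-noexec; prints "none" when no special bit is set.
describe_mode() {
    mode=$(printf '%s' "$1" | cut -c1-10)
    found=""
    case $(printf '%s' "$mode" | cut -c4) in      # owner execute slot
        s) found="${found}suid " ;;
        S) found="${found}suid-noexec " ;;
    esac
    case $(printf '%s' "$mode" | cut -c7) in      # group execute slot
        s) found="${found}sgid " ;;
        S) found="${found}sgid-noexec " ;;
    esac
    case $(printf '%s' "$mode" | cut -c10) in     # other execute slot
        t) found="${found}sticky " ;;
        T) found="${found}sticky-noexec " ;;
    esac
    if [ -z "$found" ]; then
        echo none
    else
        printf '%s\n' "${found% }"
    fi
}

# audit_special_bits DIR
# Prints one line per regular file under DIR with SUID (4000) or SGID (2000)
# set: "<mode> <owner> <group> <path>". Root-owned entries are the ones that
# deserve the closest look, since they run with root's privileges.
audit_special_bits() {
    dir=$1
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        info=$(ls -ld "$f" | awk '{print $1, $3, $4}')
        printf '%s %s\n' "$info" "$f"
    done
}

# make_sample_tree
# Creates a temporary directory of constructed sample files (not real system
# binaries) and prints its path. Setting SUID/SGID on your own files does not
# need root, so this works for an unprivileged user.
make_sample_tree() {
    d=$(mktemp -d)
    touch "$d/suid_exec" "$d/suid_noexec" "$d/sgid_exec" "$d/plain"
    chmod 4755 "$d/suid_exec"    # -rwsr-xr-x : SUID plus execute (lowercase s)
    chmod 4644 "$d/suid_noexec"  # -rwSr--r-- : SUID without execute (uppercase S)
    chmod 2755 "$d/sgid_exec"    # -rwxr-sr-x : SGID plus execute
    chmod 755  "$d/plain"        # ordinary executable, no special bits
    printf '%s\n' "$d"
}

# Demo: decode the two listings from the text, then audit a sample tree.
describe_mode '-rwsr-xr-x.'     # passwd  -> suid
describe_mode '-rwxr-sr-x.'     # write   -> sgid
sample=$(make_sample_tree)
audit_special_bits "$sample"
rm -rf "$sample"
```

On a real system run audit_special_bits against / (as root, so find can descend everywhere) and compare the list with what your package manager installed; any root-owned SUID file that you cannot account for is worth investigating, and any uppercase S is worth fixing.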
