How to work with Set User ID (SUID)?

CrAzYoNi · 07-01-2009, 11:55 AM

Hi all,
I'm trying to better understanding how SUID works.
The theory I guess that I already totally understand:
While a file has the SUID bit set on, then while another user, not it's owner) trying to execute it, it will be run (if the file has the "s" permission) via the file owner permissions - though in a script case, the owner will still be the user that running it.

Though, for executing this file, does the other "zone" in the permissions bar MUST grant execute permission as well?, why is that?

I tried to do as below:
1st session:

Code:

root@Every1:/$ touch ~yoni/test.sh
root@Every1:/$ echo "#"'!'"/bin/bash" > ~yoni/test.sh
root@Every1:/$ echo "gedit empty" >> ~yoni/test.sh
root@Every1:/$ chmod 4744 ~yoni/test.sh

2nd session:

Code:

CrAzYoNi@Every1:~$ ./test.sh
bash: ./test.sh: Permission denied

1st session:

Code:

root@Every1:/$ chmod 4745 ~yoni/test.sh

2nd session:

Code:

CrAzYoNi@Every1:~$ ./test.sh
*Works... *

Thanks for your help!! :-)

kilgoretrout · 07-01-2009, 12:53 PM

I guess the short explanation is that in linux suid designations on bash scripts are ignored for security reasons, i.e. suid doesn't work on scripts. You have to have a real compiled executable for suid to work.

catkin · 07-01-2009, 12:57 PM

Hello Yoni

More information would help:

ls -l ~yoni/test.sh output
What does "*Works... *" mean?
Why are you using users yoni and CrAzYoNi for this test (presuming the "CrAzYoNi@Every1:~$" prompt does signify user CrAzYoNi)?

Best

Charles

CrAzYoNi · 07-01-2009, 01:39 PM

First, kilgoretrout, thank you for the information. :-)

Second, catkin:
1. #root@Every1:/home/yoni# ls -lAh ~yoni/test.sh
-rwsr--r-x 1 root root 25 2009-07-01 21:17 test.sh

2. Works means that "Gedit" application successfully open with an empty file calls "empty".

3. I'm using user CrAzYoNi for test purpose though it's home directory is "/home/yoni".

Well I guess I still have some English issues...

My main question is: Why do I need to supply the regular user execute permission, while the file has the SUID bit enabled on it??

kilgoretrout · 07-01-2009, 03:12 PM

Because of the reason I gave above. Scripts won't execute suid in linux. Even if you give the script suid perms linux ignores that with scripts and will run with the user's permissions that attempted to execute the script. That user didn't have any execute permissions in the first case but did after you did chmod 4745. If you were to check the owner of the process spawned by executing your script in the second case, you would have found that the owner is CrAzYoNi, not root as one would expect if the script executed suid. Look at it this way, in the first case the script had 744 permissions since the suid bit was ignored and in the second case it had 745. The suid bit was ignored because the executable was a script.

This is a well documented security feature in linux. If you want to understand how suid works, you can't use scripts; you will just get confused if you do. If you want to investigate this further, try compiling a simple "Hello World" program in C or C++. If you give that program suid permissions, it will have the behavior you expect from suid. A script that has the identical output will not.

CrAzYoNi · 07-01-2009, 06:41 PM

Thanks for your explanation kilgoretrout :-)

I will try to invistigate this topic deeper @ weekend...

Thanks a lot!

catkin · 07-02-2009, 01:39 AM

Hello Yoni

Quote:

Originally Posted by CrAzYoNi

Well I guess I still have some English issues...

Not English issues; I didn't even suspect it wasn't your first language

What kilgoretrout wrote is perfect; I'd just like to add that you could save yourself the bother of compiling an executable by copying an existing executable and changing its permissions, for example /bin/ls and then you could test it by trying to list the contents of a directory that CrAzYoNi doesn't have r and x permission on.

Safest to delete the suid copy of /bin/ls after testing.

Best

Charles