Old 07-01-2009, 11:55 AM   #1
CrAzYoNi
Member
 
Registered: Sep 2008
Posts: 36

How to work with Set User ID (SUID)?


Hi all,
I'm trying to better understand how SUID works.
The theory, I guess, I already totally understand:
When a file has the SUID bit set and another user (not its owner) tries to execute it, it will be run (if the file has the "s" permission) with the file owner's permissions - though in the case of a script, the owner will still be the user that is running it.

Though, for executing this file, MUST the "other" zone in the permissions bar grant execute permission as well? Why is that?

I tried to do as below:
1st session:
Code:
root@Every1:/$ touch ~yoni/test.sh
root@Every1:/$ echo "#"'!'"/bin/bash" > ~yoni/test.sh
root@Every1:/$ echo "gedit empty" >> ~yoni/test.sh
root@Every1:/$ chmod 4744 ~yoni/test.sh
2nd session:
Code:
CrAzYoNi@Every1:~$ ./test.sh
bash: ./test.sh: Permission denied
1st session:
Code:
root@Every1:/$ chmod 4745 ~yoni/test.sh
2nd session:
Code:
CrAzYoNi@Every1:~$ ./test.sh
*Works... *
Thanks for your help!! :-)
 
Old 07-01-2009, 12:53 PM   #2
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 2,533

I guess the short explanation is that in linux suid designations on bash scripts are ignored for security reasons, i.e. suid doesn't work on scripts. You have to have a real compiled executable for suid to work.
 
Old 07-01-2009, 12:57 PM   #3
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,576
Blog Entries: 31

Hello Yoni

More information would help:
  • ls -l ~yoni/test.sh output
  • What does "*Works... *" mean?
  • Why are you using users yoni and CrAzYoNi for this test (presuming the "CrAzYoNi@Every1:~$" prompt does signify user CrAzYoNi)?
Best

Charles
 
Old 07-01-2009, 01:39 PM   #4
CrAzYoNi
Member
 
Registered: Sep 2008
Posts: 36

Original Poster
First, kilgoretrout, thank you for the information. :-)

Second, catkin:
1. #root@Every1:/home/yoni# ls -lAh ~yoni/test.sh
-rwsr--r-x 1 root root 25 2009-07-01 21:17 test.sh

2. Works means that the "Gedit" application successfully opened with an empty file called "empty".

3. I'm using user CrAzYoNi for test purposes, though its home directory is "/home/yoni".


Well I guess I still have some English issues...

My main question is: Why do I need to supply the regular user execute permission, while the file has the SUID bit enabled on it??
 
Old 07-01-2009, 03:12 PM   #5
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 2,533

Because of the reason I gave above. Scripts won't execute suid in linux. Even if you give the script suid perms linux ignores that with scripts and will run with the user's permissions that attempted to execute the script. That user didn't have any execute permissions in the first case but did after you did chmod 4745. If you were to check the owner of the process spawned by executing your script in the second case, you would have found that the owner is CrAzYoNi, not root as one would expect if the script executed suid. Look at it this way, in the first case the script had 744 permissions since the suid bit was ignored and in the second case it had 745. The suid bit was ignored because the executable was a script.

This is a well documented security feature in linux. If you want to understand how suid works, you can't use scripts; you will just get confused if you do. If you want to investigate this further, try compiling a simple "Hello World" program in C or C++. If you give that program suid permissions, it will have the behavior you expect from suid. A script that has the identical output will not.

Last edited by kilgoretrout; 07-01-2009 at 03:22 PM.
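The three cases discussed in this thread (a script with mode 4744, a script with mode 4745, and a compiled setuid binary), as an added example that is not code posted by any participant. `predict_exec` and `is_script` are hypothetical helper names; the model assumes a non-root caller and ignores supplementary groups, ACLs and `nosuid` mounts.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum exec_result { EXEC_DENIED, EXEC_AS_CALLER, EXEC_AS_OWNER };

/* Does the file start with "#!"? Such files are run through an interpreter. */
int is_script(const char *path)
{
    char magic[2] = {0, 0};
    FILE *f = fopen(path, "rb");
    if (!f)
        return 0;
    size_t n = fread(magic, 1, 2, f);
    fclose(f);
    return n == 2 && magic[0] == '#' && magic[1] == '!';
}

/* Simplified model (assumption: non-root caller, no ACLs, no nosuid mount).
 * Exactly one permission class applies: owner, else group, else other. */
enum exec_result predict_exec(mode_t mode, uid_t owner, gid_t group,
                              uid_t caller, gid_t caller_gid, int script)
{
    mode_t xbit = (caller == owner)     ? S_IXUSR
                : (caller_gid == group) ? S_IXGRP
                                        : S_IXOTH;
    if (!(mode & xbit))
        return EXEC_DENIED;     /* the setuid bit never grants execute */
    if ((mode & S_ISUID) && !script)
        return EXEC_AS_OWNER;   /* effective UID becomes the file owner */
    return EXEC_AS_CALLER;      /* no setuid, or setuid ignored on a script */
}

int main(int argc, char **argv)
{
    static const char *label[] = { "permission denied", "runs as caller",
                                   "runs as file owner" };
    struct stat st;
    if (argc != 2 || stat(argv[1], &st) != 0) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 1;
    }
    enum exec_result r = predict_exec(st.st_mode, st.st_uid, st.st_gid,
                                      getuid(), getgid(), is_script(argv[1]));
    printf("%s: mode %04o, uid=%d euid=%d -> %s\n", argv[1],
           (unsigned)(st.st_mode & 07777), (int)getuid(), (int)geteuid(), label[r]);
    return 0;
}
```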
 
Old 07-01-2009, 06:41 PM   #6
CrAzYoNi
Member
 
Registered: Sep 2008
Posts: 36

Original Poster
Re:

Thanks for your explanation kilgoretrout :-)

I will try to investigate this topic deeper @ weekend...

Thanks a lot!
 
Old 07-02-2009, 01:39 AM   #7
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,576
Blog Entries: 31

Hello Yoni

Quote:
Originally Posted by CrAzYoNi
Well I guess I still have some English issues...
Not English issues; I didn't even suspect it wasn't your first language

What kilgoretrout wrote is perfect; I'd just like to add that you could save yourself the bother of compiling an executable by copying an existing executable and changing its permissions, for example /bin/ls and then you could test it by trying to list the contents of a directory that CrAzYoNi doesn't have r and x permission on.

Safest to delete the suid copy of /bin/ls after testing.

Best

Charles
 
  

