LinuxQuestions.org
Old 09-26-2015, 05:19 PM   #1
venny
LQ Newbie
 
Understanding Set User ID bit


Hello, Linuxoids.

This is my first post on the forum. I am experimenting with SUID bit on my files in CentOS 5.11.

Scenario:

I created a one-line script that creates a directory on the script owner's desktop (1 line: mkdir /home/userA/Desktop/testdir );
userA is the owner of the file: -rwxr-xr-x 1 userA userA [omitted] /home/userA/suidtest.sh
userA modified the file with the SUID bit: chmod u+s suidtest.sh

My understanding: my understanding now is that any user who runs the script will be able to create the directory inside userA's Desktop directory even if they're not otherwise allowed to, because the SUID bit will give them the privileges of the file owner (which in this case is userA).

Understanding of logic broken: when I tried to run the -rwsr-xr-x suidtest.sh script as userB, it came up with permission denied.

Please can somebody correct me if my understanding is wrong? Although I proved it to myself, can somebody guide me?

Greatly appreciated
 
Old 09-26-2015, 05:48 PM   #2
astrogeek
Moderator
 
The Linux kernel does not honor set-UID on shell scripts by default, as it opens some rather huge security holes.

I believe it is possible to rebuild the kernel with a patch that will allow it, but it is not a good idea!

Set-UID should only be used for, and is only honored for, binary executables.

Oh, and welcome to LQ!
 
Old 09-26-2015, 06:34 PM   #3
venny
LQ Newbie
 
Thank you for a quick reply and explanation. Makes sense now!
 
Old 09-27-2015, 07:06 AM   #4
jpollard
Senior Member
 
It might be useful to know what those "rather huge security holes" are:

When a binary setuid program file is started:

1. The kernel sets the user id for the process, copied from the file inode.
2. The kernel reads the first block into memory; the id number identifies what is used to load it, and the kernel calls the loader.
3. The loader finishes the load and calls the program's start function, passing the parameters.

The process is now running under the new UID.

A setuid shell script has a different (and insecure) startup:

1. The kernel sets the user id for the process, copied from the file inode.
2. The kernel reads the first block into memory and the identification fails (instead of the id number it sees "#!", or some other ASCII sequence).
3. If "some other" is the case, then it uses the SHELL environment variable to identify the program to interpret the file.
4. The kernel then reads the first block of the interpreter, identifies the loader for the interpreter and calls the loader.
5. The loader finishes the load and calls the program's start function, passing the parameters.
6. The interpreter uses its parameters to identify the file it is to interpret, opens the file and begins processing under the UID specified on the script (from step 1).


NOTE: the security failure is a race condition between step 1 (the kernel sets the UID from the inode of the file) and the time the script interpreter opens the file in step 6.

There is nothing that guarantees that the file the kernel opened (step 1) is the SAME file that the interpreter opens in step 6.

Closing that hole is possible - but it makes the binary startup have two different methods to start up - a long one if it is a shell script (where the kernel would have to create a file definition and then pass that file definition to the interpreter, which has to know it is being started via a script), and a short one where it is just another binary executable... without a file id being passed. And the only determination difference is "set the process UID"... and it isn't known at that time whether it is a binary or a script...

So the Linux developers decided the simpler way to solve the problem was to disallow it.

BTW, guess what - it is possible to have a script be specified as the interpreter for another script:
Code:
$ more *.sh
t1.sh
::::::::::::::
#!/usr/bin/bash
. $1

echo "PARAM=" $PARAM
::::::::::::::
t.sh
::::::::::::::
#!/home/<your user name here>/t1.sh

PARAM="xyz"

$ ./t.sh
PARAM= xyz
So determining exactly HOW to close the hole can get rather complicated and error prone.

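An added example, not from this thread or its posters: a small POSIX sh audit that flags files carrying the setuid or setgid bit whose first two bytes are "#!". As posts #2 and #4 explain, Linux ignores the bit on such interpreted scripts, so a match means somebody expected it to work (exactly the scenario in post #1), and on a platform that does honor it, it would be the step-1-to-step-6 race described above. The function names is_setuid_script and list_setuid_scripts and the directory argument are my own choices; the sample files used in the usage note are constructed.

```shell
#!/bin/sh
# Constructed audit helper (not from the thread): find setuid/setgid files
# that are interpreter scripts rather than binaries.

# is_setuid_script FILE
#   Returns 0 (true) when FILE is a regular file, has the setuid (-u) or
#   setgid (-g) bit set, and begins with the "#!" interpreter magic.
is_setuid_script() {
    f=$1
    [ -f "$f" ] || return 1
    # POSIX test(1) exposes the two mode bits directly.
    if [ -u "$f" ] || [ -g "$f" ]; then
        # Only the first two bytes matter: "#!" marks a script,
        # anything else (e.g. the ELF magic) is treated as a binary.
        case $(head -c 2 "$f" 2>/dev/null) in
            '#!') return 0 ;;
        esac
    fi
    return 1
}

# list_setuid_scripts DIR
#   Prints every path under DIR (not crossing mount points) for which
#   is_setuid_script holds, one per line. Files the caller cannot read
#   are silently skipped.
list_setuid_scripts() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r path; do
        if is_setuid_script "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Stand-alone use: ./setuid_scripts.sh /usr/local/bin
if [ $# -gt 0 ]; then
    list_setuid_scripts "$1"
fi
```

A reviewer running this over a tree where userA's suidtest.sh from post #1 lives would get that path back; the same file with the bit removed (chmod u-s), or a genuine setuid ELF binary, is not reported. The permission-bit tests are done with test(1) rather than by parsing ls output, so the result does not depend on the locale or on ls formatting.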
Old 10-03-2015, 07:27 PM   #5
venny
LQ Newbie
 
Thanks for great explanation!

2.the kernel reads the first block into memory and the id number identifies what is used to load it; and calls the loader,

By loader you mean interpreter, right?

 
Old 10-03-2015, 08:18 PM   #6
jpollard
Senior Member
 
Quote (originally posted by venny):
Thanks for great explanation!

2.the kernel reads the first block into memory and the id number identifies what is used to load it; and calls the loader,

By loader you mean interpreter, right?
Nope. The id number could be that of a binary (such as "cat"), in which case it is the ld.so that will create the memory mapping for the binary + shared libraries that will load and start execution. The "#!" string is used as the id number for shell scripts. After that the rest of the line is used to locate a file that will interpret it - and that could be another "#!" script... But eventually, it has to be a binary.

Even "binary" Python programs have a "#!" identification number - the file that follows is a binary that will interpret the "binary" Python program.

There used to be (and may still be) a kernel module that added an id number so that Windows programs would be recognized and passed to the wine binary for handling, thus making it appear that Windows executables could be directly executed. This kind of went out of usage - my memory isn't fully clear, but I think it had to do with unintentionally permitting virus propagation due to the inherent problems of the Windows architecture.
