LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 11-27-2013, 09:12 AM   #1
mddnix
Member
 
Registered: Mar 2013
Location: Bengaluru, India
Distribution: Redhat, Arch, Ubuntu
Posts: 498

Rep: Reputation: 137Reputation: 137
Thumbs up What is really SUID?


Hi Everybody

I've some issue with SUID. Until now, i thought i'm comfortable with the understanding of SUID/SGID/Sticky Bit. Infact, i have explained (theoretically) so many people about them - How to set/check SUID/SGID/Sticky. I've always explained SUID as

"The Set-User-ID bit is used to execute a file with its owner permissions, not with the user-who-launch-the-executable permissions as it is with classic permissions set."

...and gave example of /usr/bin/passwd file.

I've applied Sticky bit many a times since from time to time I've to create a shared folder for some project or other. But i've never used SUID/SGID.

But today, one of my colleague asked me to explain SUID (practically), and boy it was a spectacular fail. Hmmm i thought i knew it.

Anyway, following are the steps i tried to explain him about SUID, similar to passwd/shadow example.

The idea is to create a text file as root which has no permissions, and hence cannot be read/written to from regular users. And then, create a script as root, which can edit that text file. Give that script SUID permission, so that regular users can write to the text file through script only and hence they cannot read/write to text file directly.

Following steps should be self explanatory:

1. As root, create text & script file, give permissions and add some data:

Code:
# touch /etc/mydata.txt

# chmod 000 /etc/mydata.txt

# ls -l /etc/mydata.txt /etc/shadow
----------. 1 root root    0 Nov 27 01:43 /etc/mydata.txt
----------. 1 root root 1044 Nov 26 12:49 /etc/shadow

# cat > /bin/addit
#!/bin/bash
printf "$1\t$2\n" >> /etc/mydata.txt
^D

# chmod 4755 /bin/addit

# ls -l /bin/addit /usr/bin/passwd
-rwsr-xr-x. 1 root root    49 Nov 27 01:45 /bin/addit
-rwsr-xr-x. 1 root root 32200 Jan 28  2010 /usr/bin/passwd

# addit Redhat Linux
# addit Solaris Unix

# cat /etc/mydata.txt
Redhat	Linux
Solaris	Unix
2. As regular user, try adding records
Code:
# su - dummy

$ addit Vista Windows
/bin/addit: line 2: /etc/mydata.txt: Permission denied

$ ls -l /bin/addit
-rwsr-xr-x. 1 root root 49 Nov 27 01:45 /bin/addit
Why i'm not able to add records using addit script even-though i have given SUID bit? Isn't it the purpose of SUID - run-as-root-user, and hence write to mydata.txt file.

Did i get the whole concept of SUID wrong, or is it just applied to built-in binaries only and not to user-made scripts.

Any light on this will be much appreciated.

Thanks

Last edited by mddnix; 11-29-2013 at 12:07 AM.
 
Old 11-27-2013, 09:38 AM   #2
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,104

Rep: Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267
addit is a shell script, not a binary. The real running binary is /bin/bash, that will interpret and execute your script line by line.
Therefore you ought to set sticky bit on the interpreter, not on the script. I suggest you to copy bash to your home and use that one instead of the original (that one must not be altered).
 
Old 11-27-2013, 10:28 AM   #3
mddnix
Member
 
Registered: Mar 2013
Location: Bengaluru, India
Distribution: Redhat, Arch, Ubuntu
Posts: 498

Original Poster
Rep: Reputation: 137Reputation: 137
Quote:
Originally Posted by pan64 View Post
addit is a shell script, not a binary. The real running binary is /bin/bash, that will interpret and execute your script line by line.
Therefore you ought to set sticky bit on the interpreter, not on the script. I suggest you to copy bash to your home and use that one instead of the original (that one must not be altered).
Thanks for reply.

Since the assumption is 'addit' to be portable app, so instead of copying /bin/bash to user's directory, i converted addit script to binary.

Code:
# mv /bin/addit ~/addit.sh

# shc -v -e 20/12/2015 -m "Command expired" -r  -T  -f addit.sh
shc shll=bash
shc [-i]=-c
shc [-x]=exec '%s' "$@"
shc [-l]=
shc opts=
shc: cc  addit.sh.x.c -o addit.sh.x
addit.sh.x.c: In function 'chkenv':
addit.sh.x.c:211: warning: cast from pointer to integer of different size
shc: strip addit.sh.x
shc: chmod go-r addit.sh.x

# ls -l addit*
-rwxr-xr-x. 1 root root   49 Nov 27 20:32 addit.sh
-rwx--x--x. 1 root root 9216 Nov 27 20:48 addit.sh.x
-rw-r--r--. 1 root root 9579 Nov 27 20:48 addit.sh.x.c

# cp addit.sh.x /bin/addit

# chmod 4755 /bin/addit

# ls -l /bin/addit
-rwsr-xr-x. 1 root root 9216 Nov 27 20:50 /bin/addit

# file /bin/addit
/bin/addit: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped

# file /usr/bin/passwd
/usr/bin/passwd: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped

# su - dummy

$ addit Vista Windows
addit: line 1: /etc/mydata.txt: Permission denied
Still the same problem...
 
Old 11-27-2013, 08:03 PM   #4
BrainReaper
LQ Newbie
 
Registered: Nov 2009
Location: Barcelona, Europe
Distribution: Debian Testing, Linux Mint Debian Edition
Posts: 6

Rep: Reputation: 1
I reproduced the problem. Even the SUIDed bash copy thing. Then I wrote a helloworld in C++.
Code:
#include <fstream>
using namespace std;

int main()
{
  ofstream fs("file");
  fs << "Hello world" << endl;
  fs.close();

  return 0;
}
Compile it as root and give SUID permission.
Touch file "file" with no write rights.
Execute helloworld as regular user and cat "file".

It works just fine so I conclude this is an issue of "in the name of who bash handles filedescriptors when pipelining".
 
1 members found this post helpful.
Old 11-27-2013, 08:35 PM   #5
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 2,957

Rep: Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267
Quote:
Originally Posted by mddesai View Post
Code:
# su - dummy

$ addit Vista Windows
addit: line 1: /etc/mydata.txt: Permission denied
Still the same problem...
If you were executing the compiled C program, where did the "line 1" in that error message come from? It would appear that you still have a script somewhere named "addit" and were executing that. What does "which addit" and "file $(which addit)", both executed as user "dummy", show? What happens if you use the full path, "/bin/addit Vista Windows"?
 
Old 11-28-2013, 12:50 AM   #6
mddnix
Member
 
Registered: Mar 2013
Location: Bengaluru, India
Distribution: Redhat, Arch, Ubuntu
Posts: 498

Original Poster
Rep: Reputation: 137Reputation: 137
Quote:
Originally Posted by BrainReaper View Post
It works just fine so I conclude this is an issue of "in the name of who bash handles filedescriptors when pipelining".
It is necessary that scripts get SUIDed as i and others are comfortable with scripting only. However, i will try other ways to write to text file, check it and get back to you. Thanks anyway.

Quote:
Originally Posted by rknichols View Post
It would appear that you still have a script somewhere named "addit" and were executing that. What does "which addit" and "file $(which addit)", both executed as user "dummy", show? What happens if you use the full path, "/bin/addit Vista Windows"?
Code:
$ which addit
/bin/addit

$ file $(which addit)
/bin/addit: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped

$ less /bin/addit
"/bin/addit" may be a binary file.  See it anyway? n

$ /bin/addit Vista Windows
/bin/addit: line 1: /etc/mydata.txt: Permission denied
 
Old 11-28-2013, 02:46 AM   #7
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
As you are also aware of script files dont honor the suid bit thus you converted the bash script into an executable but maybe that still is the problem. I don't know how the internal works but maybe try to set bash suid to. And then run the addit again.
 
1 members found this post helpful.
Old 11-28-2013, 05:18 AM   #8
mddnix
Member
 
Registered: Mar 2013
Location: Bengaluru, India
Distribution: Redhat, Arch, Ubuntu
Posts: 498

Original Poster
Rep: Reputation: 137Reputation: 137
@zhjim

Gave SUID to /bin/bash, also ran /bin/bash directly.... Still no luck.

Code:
# chmod u+s /bin/bash

$ ls -l /bin/bash /bin/addit
-rwsr-xr-x. 1 root root  12928 Nov 27 20:50 /bin/addit
-rwsr-xr-x. 1 root root 938832 Jul 18 18:49 /bin/bash

$ /bin/addit Vista Windows
addit: line 1: /etc/mydata.txt: Permission denied

$ /bin/bash -c "/bin/addit Vista Windows"
/bin/addit: line 1: /etc/mydata.txt: Permission denied
Is there any other way to write to text files besides output redirection (> and >>)? Googled about it, cant find other way...

Next Step, i'll try to build RPM from script, then install that RPM package and then i'll try again. I'll see what happens. (But before that, i've to learn how to build rpm packages first...)

Last edited by mddnix; 11-28-2013 at 05:20 AM.
 
Old 11-28-2013, 06:53 AM   #9
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,104

Rep: Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267Reputation: 2267
As I told you do not modify /bin/bash it will/may have unpredictable result. If you want to play with it just make a copy and use that one.
 
Old 11-28-2013, 07:16 AM   #10
mddnix
Member
 
Registered: Mar 2013
Location: Bengaluru, India
Distribution: Redhat, Arch, Ubuntu
Posts: 498

Original Poster
Rep: Reputation: 137Reputation: 137
Quote:
Originally Posted by pan64 View Post
As I told you do not modify /bin/bash it will/may have unpredictable result. If you want to play with it just make a copy and use that one.
OK Thanks.

Code:
$ ls -l /home/dummy/bash
-rwsr-xr-x. 1 dummy dummy 938832 Nov 28 17:40 /home/dummy/bash

$ /home/dummy/bash -c "/bin/addit Vista Windows"
/bin/addit: line 1: /etc/mydata.txt: Permission denied
 
Old 11-28-2013, 07:46 AM   #11
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
Could try with chowing to root and chmodding to 700. I had the case where I wanted to delete a directory for which I did not have write permission as a normal user. Also root may go well with what ever permission is set maybe suid works a bit different under the hood.
 
Old 11-28-2013, 08:17 AM   #12
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,600

Rep: Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241
It really depends on what you are trying to do.

There are two identifications involved: the real uid (the original), and the effective uid.

All the setuid flag does is change the effective uid to the owner of the binary. For many things (such as file access controls) this is more than sufficient.

SOME things do check the real UID as well. Those activities tend to want to verify that it really really is root doing something - so they check the real uid - which isn't root. The easiest way a program can determine if it is running setuid is to check that the real UID and effective UID are the same. For a user process, both of these are the same. For a root process they are also the same, but both are root.

The advantage of having the effective UID and real UID separate is that it allows a setuid program to drop privileges (file access) very easily - just set the effective UID to the real UID. The process is no longer privileged. It also partitions roots privileges - setuid can give processes file control access, but not device control. In UNIX systems this was more distinctly separated, but in Linux nearly any kernel control is available through a filesystem access (either sys, proc, devfs...) so that
partitioning is much weaker in Linux.
 
2 members found this post helpful.
Old 11-28-2013, 09:16 AM   #13
mddnix
Member
 
Registered: Mar 2013
Location: Bengaluru, India
Distribution: Redhat, Arch, Ubuntu
Posts: 498

Original Poster
Rep: Reputation: 137Reputation: 137
@jpollard

What i understand from you is that if only real/effective uid are same(root in this case), addit will be able to edit text file. Since uid of addit script will be Real=dummy, Effective=root and so addit cannot write to mydata.txt file which has no permission (or just root permission).

Now, the question is how to set real and effective uid to script?

man search gave these results:

Code:
# man -k set.*uid
nfs4_set_debug [nfs4_uid_to_name] (3)  - ID mapping routines used for NFSv4
setegid [seteuid]    (2)  - set effective user or group ID
seteuid              (2)  - set effective user or group ID
seteuid              (3p)  - set effective user ID
setfsuid             (2)  - set user identity used for file system checks
setregid [setreuid]  (2)  - set real and/or effective user or group ID
setresgid [setresuid] (2)  - set real, effective and saved user or group ID
setresuid            (2)  - set real, effective and saved user or group ID
setreuid             (2)  - set real and/or effective user or group ID
setreuid             (3p)  - set real and effective user IDs
setuid               (2)  - set user identity
setuid               (3p)  - set user ID
All i can see is (2) - System Calls and (3p) - C Library Functions POSIX. No (1) - User Commands and (8) - System Administration tools and Deamons. This means only binaries created in C/C++ with appropriate real/effective uid set can only be used for SUID/SGID. Bash scripts wont allow such options, so setting SUID/GUID to bash scripts is of no use...
 
Old 11-28-2013, 10:02 AM   #14
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 2,957

Rep: Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267
You are right that SUID/SGID on the file containing a script does not work. It has been disabled for a long time now due to many security issues. SUID/SGID should work on a compiled program, but make sure that the file system where you are doing these experiments has not been mounted with the "nosuid" option. You could still set the SUID permission bits there, but they would be ignored.
 
2 members found this post helpful.
Old 11-29-2013, 12:04 AM   #15
mddnix
Member
 
Registered: Mar 2013
Location: Bengaluru, India
Distribution: Redhat, Arch, Ubuntu
Posts: 498

Original Poster
Rep: Reputation: 137Reputation: 137
That cleared my problem. Thanks everybody.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
example for SUID's akhil.mud Linux - Software 1 11-05-2007 01:05 PM
Suid? whishkah Linux - Software 5 09-07-2006 03:17 PM
suid problem Milosevic Programming 3 11-13-2005 12:36 AM
why all these SUID files? edman Linux - Security 1 02-01-2005 02:59 PM
SUID file drops suid bit on append? c_coder Programming 1 03-12-2004 08:59 AM


All times are GMT -5. The time now is 09:55 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration