Old 10-15-2015, 03:46 AM   #1
glenjoker
LQ Newbie
 
Registered: Sep 2015
Distribution: Ubuntu 14.04
Posts: 24

Rep: Reputation: Disabled
Why the EUID of a setuid program is not 0?


1. I created a script named 'testfile' under the root account and set the permission to be "4755". The code contained in the script is shown below:
Code:
echo $UID
echo $EUID
Then, I switched to my normal user account, say 'glen', and ran that script 'testfile'. What baffled me was that the output was
Code:
1000
1000
Shouldn't it be
Code:
1000
0
as I was running this script under root privilege?

2. Since we are on this topic, hope you guys can also answer me another question related to this.

When I wrote the code above, I first tried to output the uid and euid by calling the functions getuid() and geteuid(), which, according to the manual page, return the real user id and effective user id respectively, but the problem was that it didn't work, and nor did it work when I keyed in the command 'getuid' on the terminal directly. It output an error saying that the command 'getuid' was not found. WHY?

In case it matters, my distribution is Ubuntu 14.04

Hope you guys can help me out here, thanks in advance!
 
Old 10-15-2015, 04:48 AM   #2
HMW
Member
 
Registered: Aug 2013
Location: Sweden
Distribution: Debian, Arch, Red Hat, CentOS
Posts: 773
Blog Entries: 3

Rep: Reputation: 369
Hi!

First of all, the getuid() and geteuid() functions are both in the C language. Not the shell. An example:
Code:
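#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>

int main(void)
{
    /* getuid() returns the real UID, geteuid() the effective UID */
    uid_t UID = getuid();
    uid_t EUID = geteuid();

    /* uid_t is an unsigned integer type here; cast for a portable printf */
    printf("UID: %lu, EUID: %lu\n", (unsigned long)UID, (unsigned long)EUID);

    return 0;
}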
Running this C program yields:
Code:
$ ./uid_c 
UID: 501, EUID: 501
...as a regular user, and
Code:
# ./uid_c 
UID: 0, EUID: 0
...as root.
^Note that I run this under OS X, hence 501 as regular user.

But to answer your other question. If you invoke your script as non-root, you will always get a different value than 0. It works as expected.
And here is a thread on the difference between UID and EUID:
http://www.linuxquestions.org/questi...nd-euid-75124/

Best regards,
HMW

Last edited by HMW; 10-15-2015 at 04:50 AM.
 
Old 10-15-2015, 04:52 AM   #3
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
setuid only works on compiled programs, not shell scripts. See http://www.faqs.org/faqs/unix-faq/fa...section-7.html.

getuid() and geteuid() are system calls that can be made from a compiled program, not from a script. In a shell script, UID and EUID serve the same purpose.
 
Old 10-15-2015, 04:54 AM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
Also, the suid bit is not honoured for scripts.
 
Old 10-15-2015, 05:19 AM   #5
glenjoker
LQ Newbie
 
Registered: Sep 2015
Distribution: Ubuntu 14.04
Posts: 24

Original Poster
Rep: Reputation: Disabled
Thank you all for replying.

Just to clarify, UID and EUID would be exactly the same if I am running a shell script whose setuid bit is on, but if it is for a compiled program (Does this term exclusively refer to binary file?) and this compiled program has its setuid bit turned on, then I would have the UID reading my UID and EUID reading the root's (i.e. 0). Am I right?

Last edited by glenjoker; 10-15-2015 at 05:23 AM.
 
Old 10-15-2015, 05:44 AM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
Quote:
Originally Posted by glenjoker View Post
Thank you all for replying.

Just to clarify, UID and EUID would be exactly the same if I am running a shell script whose setuid bit is on, but if it is for a compiled program (Does this term exclusively refer to binary file?) and this compiled program has its setuid bit turned on, then I would have the UID reading my UID and EUID reading the root's (i.e. 0). Am I right?
Only if the ownership of the binary is root.

The setuid bit only flags that the EUID should be set to the owner of the binary, and that owner can be set to any UID by root - otherwise it is owned by the creator.

That is why it is considered a security issue. Some places do not want users to be able to give away access to their login - thus having user-writable filesystems mounted as "nosuid" prevents users from creating a setuid binary and allowing other users to access it (the setuid bit is not honored when the filesystem the binary is on is mounted "nosuid").

Note: it is rather difficult to get a setuid binary secure. There are a LOT of things you must not do - buffer overruns, some system calls (system, popen ...) can be coerced to give away inappropriate access. Also note: the real UID also gives the binary access to the user's files as well...

Last edited by jpollard; 10-15-2015 at 05:50 AM.
 
Old 10-15-2015, 05:51 AM   #7
glenjoker
LQ Newbie
 
Registered: Sep 2015
Distribution: Ubuntu 14.04
Posts: 24

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jpollard View Post
Only if the ownership of the binary is root.

The setuid bit only flags that the EUID should be set to the owner of the binary, and that owner can be set to any UID by root - otherwise it is owned by the creator.

That is why it is considered a security issue. Some places do not want users to be able to give away access to their login - thus having user-writable filesystems mounted as "nosuid" prevents users from creating a setuid binary and allowing other users to access it (the setuid bit is not honored when the filesystem the binary is on is mounted "nosuid")
Get it. Thanks!
 
  

