LinuxQuestions.org
06-27-2017, 02:34 AM   #1
Ankit yadav
LQ Newbie

Registered: Jun 2017
Posts: 22

setuid why? and how?


I got confused by the setuid concept. What I have understood is that if setuid is set on a file and anybody runs (executes) it, it will run as if it had been run by its owner.

Is my understanding correct?
If not, please explain it to me with an example other than passwd.

If it is correct, then check the example that I performed.

I have created a file lsscript.sh with permission 4700, which means the owner has full permission with the setuid bit.

Now I switched user and tried to run lsscript.sh, but it shows permission denied.

Why? It should have run with owner permission.
 
06-27-2017, 02:38 AM   #2
pan64
LQ Guru

Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,518

You cannot use setuid bits on scripts, only on binaries. Scripts are not standalone executables; there are interpreters (like bash/perl/whatever) to interpret/execute/run them.
Therefore setuid on the script (which is a plain text file) is meaningless.
You ought to set it on the binary, but I do not really suggest that you set setuid on bash or similar (but you can make a local copy of it and try that one).
 
06-27-2017, 04:25 AM   #3
scasey
LQ Veteran

Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.8.2003
Posts: 5,426

Quote:
Originally Posted by Ankit yadav
> I have created a file lsscript.sh with permission 4700, which means the owner has full permission with the setuid bit.
>
> Now I switched user and tried to run lsscript.sh, but it shows permission denied.
>
> Why? It should have run with owner permission.

The 4700 says only the owner can run the script. The 00 for group and others is what gave "permission denied." To try what you want you'd have to set permission to 4750 (if the other user is in the same group) or 4755 so any other user can run the script. Note in both cases, you wouldn't be allowing others to change the script, only read and execute it.

That said, pan64 may be right about when to use setuid. Personally, I have only used it on directories to force the files within them to be owned by the user (or group), and not on scripts or binaries.
 
06-27-2017, 04:44 AM   #4
dejank
Member

Registered: May 2016
Location: Belgrade, Serbia
Distribution: Debian
Posts: 229

Quote:
Originally Posted by pan64
> You cannot use setuid bits on scripts, only on binaries. Scripts are not standalone executables; there are interpreters (like bash/perl/whatever) to interpret/execute/run them.
> Therefore setuid on the script (which is a plain text file) is meaningless.
> You ought to set it on the binary, but I do not really suggest that you set setuid on bash or similar (but you can make a local copy of it and try that one).

Actually, there is a way to make scripts executable with setuid, but I never tried it personally. Here is a good explanation of it: https://unix.stackexchange.com/quest...l-scripts#2910
 
06-27-2017, 05:00 AM   #5
Laserbeak
Member

Registered: Jan 2017
Location: Manhattan, NYC NY
Distribution: Mac OS X, iOS, Solaris
Posts: 508

You can make setuid Perl and Python scripts, just apparently not shell scripts. At least you used to, but perhaps that has changed. You can always write a simple C wrapper around anything and that will be able to get the job done.

EDIT: Yeah, this seems to have changed in most systems and they won't even let Perl do setuid scripts, so you need to write a simple C wrapper that's setuid to launch the script while it is root.

Last edited by Laserbeak; 06-27-2017 at 05:45 AM.
 
06-27-2017, 05:13 AM   #6
Laserbeak
Member

Registered: Jan 2017
Location: Manhattan, NYC NY
Distribution: Mac OS X, iOS, Solaris
Posts: 508

The main reason is that some things like system utilities need to run as root to get access to certain kernel information, certain files, or perform certain tasks.

Really simple programs to understand the logic behind it would be su or sudo.

In order to be able to switch to root or run another program as root, the program that does it obviously has to be running as root to begin with. So su runs as root, asks for your password, then if it authenticates, it changes your userid to root (or any other user) and executes another shell, then you have a # prompt instead of a $ prompt. Same idea with sudo, but you don't get a root shell; you have to run each program separately by using sudo with each one.

Last edited by Laserbeak; 06-27-2017 at 05:17 AM.
 
06-27-2017, 05:56 AM   #7
hazel
LQ Guru

Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,502
Blog Entries: 16

I was always told that the suid bit is not honoured on scripts as a security precaution, to prevent "script kiddies" running malware on your system. Writing and compiling a proper program is beyond the capacity of most of these idiots.

It can't just be because scripts are text, since they can be made executable and most text files can't.
 
06-27-2017, 05:58 AM   #8
pan64
LQ Guru

Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,518

Quote:
Originally Posted by dejank
> Actually, there is a way to make scripts executable with setuid, but I never tried it personally. Here is a good explanation of it: https://unix.stackexchange.com/quest...l-scripts#2910

This is exactly what I meant. The setuid on the text file (script) itself is ignored, not used. You need to have a setuid binary (either interpreter or shebang or similar) to do that.

Here you can find a discussion about setuid in perl: https://stackoverflow.com/questions/...sed-as-cgi-bin
 
06-27-2017, 07:02 AM   #9
Ankit yadav
LQ Newbie

Registered: Jun 2017
Posts: 22

Original Poster

Quote:
Originally Posted by scasey
> The 4700 says only the owner can run the script. The 00 for group and others is what gave "permission denied." To try what you want you'd have to set permission to 4750 (if the other user is in the same group) or 4755 so any other user can run the script. Note in both cases, you wouldn't be allowing others to change the script, only read and execute it.
>
> That said, pan64 may be right about when to use setuid. Personally, I have only used it on directories to force the files within them to be owned by the user (or group), and not on scripts or binaries.

That is the point: group and others don't have access to run the script, and that is why I tried setuid, since it is said that the file will run as if it had been run by the owner, and the owner has permission to run it.
And if I give 755 permission to the script, then why do I need to set setuid on it? It already has access to run the script.
 
06-27-2017, 07:06 AM   #10
pan64
LQ Guru

Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,518

Quote:
Originally Posted by Ankit yadav
> And if I give 755 permission to the script, then why do I need to set setuid on it? It already has access to run the script.

You give setuid to run the app (act) as another user.
 
06-28-2017, 08:31 AM   #11
Laserbeak
Member

Registered: Jan 2017
Location: Manhattan, NYC NY
Distribution: Mac OS X, iOS, Solaris
Posts: 508

This is a very simple example of how you make a setuid script; you'd probably want to add to it so you can pass parameters, etc.:

Save this, substituting /path/to/myscript.pl with whatever script you want to run as root:

Code:
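//
//  main.c
//  suidscript
//

#include <stdio.h>
#include <unistd.h>

int main(void) {
    // argv for the script: argv[0] is the program path by convention,
    // and the array must end with NULL (passing a NULL argv is not portable).
    char *const script_argv[] = { "/path/to/myscript.pl", NULL };

    // Become root; stop if this fails instead of running the script unprivileged.
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    execv("/path/to/myscript.pl", script_argv);
    perror("execv");   // only reached if execv failed
    return 1;
}

Compile, then as root: chown root, then chmod 4755.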

Then it will run that script as root.

Last edited by Laserbeak; 06-28-2017 at 08:38 AM.
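
A variant of the wrapper in post #11 that forwards the caller's parameters and starts the script with a fixed environment instead of the caller's, since a script run as root would otherwise inherit variables such as PATH or PERL5LIB from an unprivileged user. This is an added example, not Laserbeak's code; build_script_argv and clean_env are names made up here, and /path/to/myscript.pl is the placeholder from the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define SCRIPT "/path/to/myscript.pl"   /* placeholder path from the post */

/* Fixed environment: nothing set by the caller (PATH, PERL5LIB, IFS, LD_*)
 * reaches the script. The values are assumptions; adjust to the system. */
static char *const clean_env[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin", "LANG=C", NULL
};

/* Build the script's argv: argv[0] is always the fixed script path, then the
 * caller's own arguments. The script still has to validate them, because they
 * come from an unprivileged user. Returns a calloc'd array, or NULL. */
char **build_script_argv(int argc, char *const argv[])
{
    int n = argc > 0 ? argc : 1;
    char **out = calloc((size_t)n + 1, sizeof *out);
    if (out == NULL) return NULL;
    out[0] = (char *)SCRIPT;
    for (int i = 1; i < n; i++) out[i] = argv[i];
    return out;                          /* out[n] is already NULL */
}

int main(int argc, char *argv[])
{
    char **script_argv = build_script_argv(argc, argv);
    if (script_argv == NULL) { perror("calloc"); return EXIT_FAILURE; }

    /* Set real, effective and saved UID to root; stop if that fails. */
    if (setuid(0) != 0) { perror("setuid"); return EXIT_FAILURE; }

    execve(SCRIPT, script_argv, clean_env);
    perror("execve");                    /* only reached if execve failed */
    return EXIT_FAILURE;
}
```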
 
All times are GMT -5.