Setuid

setuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group. They are often used to allow users on a computer system to run programs with temporarily elevated privileges in order to perform a specific task. While the assumed user id or group id privileges provided are not always elevated, at a minimum they are specific.

setuid and setgid are needed for tasks that require higher privileges than those which common users have, such as changing their login password. Some of the tasks that require elevated privileges may not immediately be obvious, though, such as the ping command, which must send and listen for ICMP control packets on a network interface.

setuid on executables

When an executable file has been given the setuid attribute, normal users on the system who have permission to execute this file gain the privileges of the user who owns the file (commonly root) within the created process. When root privileges have been gained within the process, the application can then perform tasks on the system that regular users normally would be restricted from doing. The invoking user will be prohibited by the system from altering the new process in any way, such as by using ptrace, LD_LIBRARY_PATH or sending signals to it (signals from the terminal will still be accepted, however). Due to potential race conditions, many operating systems ignore the setuid attribute when applied to executable shell scripts.

While this setuid feature is very useful in many cases, its improper use can pose a security risk if the setuid attribute is assigned to executable programs that are not carefully designed. Users can exploit vulnerabilities in flawed programs to gain permanent elevated privileges, or unintentionally execute a trojan horse program.

The setgid attribute will allow for changing the group-based privileges within a process, like the setuid flag does for user-based privileges.

The presence of setuid executables explains why the chroot system call is not available to non-root users on Unix. See limitations of chroot for more details.

The setuid and setgid bits are normally set with the command chmod by setting the high-order octal digit to 4 (for setuid) or 2 (for setgid). `chmod 6711` will set the setuid and setgid bits (6), make the file read/write/executable for the owner (7), and executable by the group (first 1) and others (second 1). All chmod flags are octal.

Most implementations of the chmod command also support finer-grained, symbolic arguments to set these bits. This is shown in the demonstration below as the `chmod ug+s` command.

The demonstration C program below simply obtains and reveals the real and effective user and group ID currently assigned to the process. The commands shown first compile the process as user `bob` and subsequently use `chmod` to establish the setuid and setgid bits. The `su` command, itself a client of the setuid feature, is then used to assume the id of `alice`. The effectiveness of the `chmod` command is checked with `ls -l`, and finally the demonstration program is run, revealing the expected identity change, consistent with the /etc/passwd file.

Note that the demonstration program listed below will silently fail to change the effective UID if run on a volume mounted with the `nosuid` option.

Demonstration


[bobie]$ cat printid.c

#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>

int main(void) {
    printf(
        "         UID           GID  \n"
        "Real      %d  Real      %d  \n"
        "Effective %d  Effective %d  \n",
        (int)getuid (), (int)getgid (),
        (int)geteuid(), (int)getegid()
    );
    return getegid(); /* always good to return something */
}


[bobie]$ cc printid.c -o printid
[bobie]$ ./printid
UID GID
Real 1008 Real 1008
Effective 1008 Effective 1008

[bobie]$ sudo chown root printid # to change the owner you need to sudo
Password:
[bobie]$ sudo chmod ug+s printid # SetUID and SetGID flags
[bobie]$ sudo chmod o-rx printid # Don't let Others read or execute it
[bobie]$ ls -l
-rwsr-s--- 1 root staff 6944 2011-10-06 10:22 printid
[bobie]$ ./printid
UID GID
Real 1008 Real 1008
Effective 0 Effective 20

setuid and setgid on directories

The setuid and setgid flags, when set on a directory, have an entirely different meaning.

Setting the setgid permission on a directory (chmod g+s) causes new files and subdirectories created within it to inherit its group ID, rather than the primary group ID of the user who created the file (the owner ID is never affected, only the group ID). Newly created subdirectories inherit the setgid bit. Note that setting the setgid permission on a directory only affects the group ID of new files and subdirectories created after the setgid bit is set, and is not applied to existing entities. Setting the setgid bit on existing subdirectories must be done manually, with a command such as the following:


[root@foo]# find /path/to/directory -type d -exec chmod g+s {} \;


The setuid permission set on a directory is ignored on UNIX and Linux systems. FreeBSD can be configured to interpret it analogously to setgid, namely, to force all files and sub-directories to be owned by the top directory owner.

In FreeBSD, directories behave as if their setgid bit was always set, regardless of its actual value. As is stated in open(2), "When a new file is created it is given the group of the directory which contains it."

Security

Programs that use this bit must be carefully designed to be immune to buffer overrun attacks. Successful buffer overrun attacks on vulnerable applications allow the attacker to execute arbitrary code under the rights of the process being exploited. In the event a vulnerable process uses the setuid bit to run as root, the code will be executed with root privileges, in effect giving the attacker root access to the system on which the vulnerable process is running.
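An added example, not from the original article, of the defensive counterpart to the risk described above: a setuid program that has finished its privileged work should drop back to the invoking user's identity and verify that the drop took effect and cannot be undone. The names `running_setid` and `drop_privileges` are the example's own.

```c
#define _GNU_SOURCE          /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* True while the process runs under a borrowed identity, i.e. the effective
 * ids differ from the real ones (what printid shows as Real 1008 / Effective 0). */
int running_setid(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Permanently become uid/gid for the real, effective and saved ids.
 * Call it while the effective uid is still the privileged one.
 * Returns 0 on success, -1 if a step failed or the drop can be undone.
 * Order matters: supplementary groups and the gid must be changed while
 * still privileged, because once the uid is no longer root the process
 * may not change its group ids any more. */
int drop_privileges(uid_t uid, gid_t gid) {
    uid_t old_euid = geteuid();
    gid_t old_egid = getegid();

    if (old_euid == 0 && setgroups(1, &gid) != 0) return -1; /* root-only call */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Do not trust the return codes alone: verify the resulting identity ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) return -1;
    /* ... and that the old identity cannot be reacquired from the saved ids. */
    if (old_euid != uid && seteuid(old_euid) == 0) return -1;
    if (old_egid != gid && setegid(old_egid) == 0) return -1;
    return 0;
}

int main(void) {
    printf("running set-id: %s\n", running_setid() ? "yes" : "no");
    /* Drop to the invoking user's real ids, as a setuid program should once
     * its privileged step is done. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed; refusing to continue\n");
        return 1;
    }
    printf("now uid %d gid %d\n", (int)geteuid(), (int)getegid());
    return 0;
}
```

Run as an ordinary user the drop is a no-op that still passes the checks; installed setuid root (as printid was in the demonstration) it is what turns "Effective 0" back into the caller's id before any untrusted input is handled.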

History

The setuid bit was invented by Dennis Ritchie. His employer, AT&T, applied for a patent in 1972; the patent was granted in 1979 as patent number . The patent was later placed in the public domain.

See also

  • User identifier
  • Group identifier
  • Process identifier
  • chmod
  • sudo
  • Confused deputy problem
  • PolicyKit
  • Unix security
  • File system permissions
  • Privilege revocation
  • Privilege separation
  • Environment variable


The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.