What is SUID
SUID abbreviation bit, the full English name is Set owner User ID up on execution, it is a special file permissions, to enable users (such as Bob) with other users (such as root user) permissions to run a program, without the need to use sudo to temporarily elevate privileges.
In the same category there is SGID, so without going into detail, the principle is the same as SUID, so take SUID as an example.
There are three ID states when a program is executed, and you must be able to distinguish between the following three IDs before learning more about SUID.
- Real User ID
- Effective User ID
- Saved User ID
Real User ID
is the real ID of the user executing the program, it is the ID of the user when logging in.
Effective User ID
is the user ID that really works during the execution of the program when using permissions, the operating system will look at this ID when checking if a program has a certain permission.
Saved User ID
is the previous user ID that needs to be saved when the program temporarily raises privileges, and needs to be reverted to this user ID after the end of the program.
What SUID does
If user user2 has execute privileges for a program of another user user user1, and user1 sets the SUID bit to this program, then user2 can execute this program with user1’s privileges.
Simply put, SUID enables a user (such as Bob) to run a program with the privileges of another user (such as the root user) without the need to use sudo to temporarily prompt for privileges.
As an example.
All users’ passwords are stored in the /etc/shadow
file, but this file can only be written by the root user.
So if a normal user wants to change their password, do they need to ask the root user to do it for them?
Obviously not. To change the password, we use the program /usr/bin/passwd
, and let’s take a look at its permissions.
As you can see, the owner of the program is the root user, but all users have execute privileges and the s-bit is set.
This way the SUID mechanism works when the program is executed, allowing normal users to modify the /etc/shadow
file with root privileges.
The existence of the SUID mechanism makes it easier to control program permissions, allowing users to execute a program without having to log in to the program owner’s account.
How to use SUID
View SUID
With the command ls -l
you can see the details of the file, including the permission table -rwxrwxrwx
.
|
|
Set SUID
Use chmod 4000 filename
to set the SUID bit.
Use chmod 2000 filename
to set the SGID bit.
Use chmod 6000 filename
to set both SGID and SUID bits.
Note: 2000/4000/6000 are incomplete permissions, so you should replace 000 with the appropriate permissions, e.g. 4755.
Cancel SUID
Use chmod 755 filename
to remove the SGID and SUID bits.
Or chmod u-s filename
or chmod g-s filename
will also work.
SUID elevation privileges
Since the SUID bit gives the program owner’s privileges when it is executed, you can use this for elevation of privileges.
Example.
SUID is disabled in the script
If user1 sets the SUID bit for the script.sh
script with chmod 4777 /home/user1/script.sh
, and logs in to user2 and executes the script with no privileges
This is because the SUID bit only works for compiled executables, the actual executor of the sh script is sh or bash or something, if they don’t check the SUID bit of the script file when executing it, it won’t work.
The Perl executor checks the SUID bit of perl scripts, so you can set the SUID bit for pl scripts.