What is SUID

SUID stands for Set owner User ID upon execution. It is a special file permission bit that lets a user (such as Bob) run a program with the privileges of another user (such as root) without using sudo to elevate privileges for that command.

SGID (Set Group ID) is the same mechanism applied to the file's group rather than its owner. The principle is identical, so this page uses SUID as the example.

A running process carries three user IDs, and you need to be able to tell them apart before going further into SUID.

  • Real User ID
  • Effective User ID
  • Saved User ID

The real user ID is the ID of the user who started the program, that is, the ID of the account that logged in.

The effective user ID is the one that actually counts while the program runs: the operating system checks this ID (together with the effective group ID and supplementary groups) when deciding whether the process may access a file or perform a privileged operation.

The saved user ID is a copy of the effective user ID taken when the program starts. A SUID program can temporarily drop privileges by setting its effective user ID to the real user ID, so that file access is checked against the caller, and later switch back to the saved user ID when it needs the privilege again. Without the saved ID there would be no way to regain privileges after such a temporary drop.
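The following program is an added example, not code from the original post. It reads the three IDs with getresuid() and walks through the two transitions a SUID program makes: a temporary drop to the real UID followed by a return to the saved UID, and a permanent drop that overwrites all three. getresuid() and setresuid() are Linux/glibc calls, hence _GNU_SOURCE. Run it as an ordinary binary and all three IDs are equal; install it setuid root (chown root:root, chmod 4755) and run it as a normal user to see the effective and saved IDs become 0 while the real ID stays yours.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The three user IDs of the calling process. */
struct ids {
    uid_t real;
    uid_t effective;
    uid_t saved;
};

/* Read all three IDs at once (getresuid is Linux/glibc). 0 on success. */
int read_ids(struct ids *out)
{
    return getresuid(&out->real, &out->effective, &out->saved);
}

/* 1 if real, effective and saved are all the same, 0 if not, -1 on error. */
int ids_all_equal(void)
{
    struct ids id;
    if (read_ids(&id) != 0)
        return -1;
    return (id.real == id.effective && id.effective == id.saved) ? 1 : 0;
}

static void print_ids(const char *stage)
{
    struct ids id;
    if (read_ids(&id) == 0)
        printf("%-34s real=%u effective=%u saved=%u\n", stage,
               (unsigned)id.real, (unsigned)id.effective, (unsigned)id.saved);
}

/*
 * Temporary drop and regain.  seteuid(real) makes every permission check
 * use the caller's identity; the owner's UID survives in the saved UID, so
 * seteuid(saved) brings the privilege back.  Returns 0 when both
 * transitions produced the expected effective UID, -1 otherwise.
 */
int drop_and_regain(void)
{
    struct ids before;
    if (read_ids(&before) != 0)
        return -1;
    if (seteuid(before.real) != 0 || geteuid() != before.real)
        return -1;                        /* now acting as the real user */
    print_ids("after seteuid(real)");
    if (seteuid(before.saved) != 0 || geteuid() != before.saved)
        return -1;                        /* privilege regained from saved */
    print_ids("after seteuid(saved)");
    return 0;
}

/*
 * Permanent drop.  setresuid(real, real, real) overwrites all three IDs,
 * including the saved one, so there is no way back.  A SUID program should
 * do this as soon as it no longer needs the owner's privilege.  Returns 0
 * if afterwards all three IDs equal the real UID.
 */
int drop_permanently(void)
{
    uid_t real = getuid();
    if (setresuid(real, real, real) != 0)
        return -1;
    print_ids("after setresuid(real, real, real)");
    return ids_all_equal() == 1 ? 0 : -1;
}

int main(void)
{
    print_ids("at start");
    if (drop_and_regain() != 0)
        return 1;
    if (drop_permanently() != 0)
        return 1;
    /* With the saved UID gone, the old effective UID cannot be regained. */
    return 0;
}
```

When the binary is SUID root, the "at start" line shows real=1000 effective=0 saved=0 (for a caller with UID 1000); after the permanent drop all three read 1000, which is the state a well-behaved SUID program should reach before doing anything risky.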

What SUID does

If user2 has execute permission on a program owned by user1, and user1 sets the SUID bit on that program, then when user2 runs it the process has user1's privileges: its effective user ID becomes user1 while the real user ID stays user2.

Simply put, SUID lets a user (such as Bob) run a program with the privileges of its owner (such as root) without using sudo to elevate privileges.

As an example: the password hashes of all users are stored in /etc/shadow, but this file can be written only by the root user (and read only by root and the shadow group).

root@kali:~# ls -l /etc/shadow
-rw-r----- 1 root shadow 1639 Jan 27 12:50 /etc/shadow

So if a normal user wants to change their password, do they have to ask the root user to do it for them?

Obviously not. Passwords are changed with the program /usr/bin/passwd, so let's look at its permissions.

root@kali:~# ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 63944 Dec 20 10:39 /usr/bin/passwd

As you can see, the program is owned by root, every user has execute permission, and the owner's execute position shows s instead of x: the SUID bit is set.

So when the program runs, the SUID mechanism gives the process an effective user ID of root, which is what allows a normal user's passwd process to write /etc/shadow. The privilege is confined to what passwd itself does (it only updates the caller's own entry); the user never gets root in general.

The SUID mechanism makes it easier to control what a program may do: a user can run a program that needs the owner's privileges without logging in to the owner's account. The flip side is that every SUID root program is part of the system's trust boundary, because any bug that lets the caller run arbitrary code runs it as root.

How to use SUID

View SUID

With ls -l you can see a file's details, including its permission string, for example -rwxrwxrwx.

- rwx rwx rwx

The first character is the file type: - is an ordinary file, d a directory, l a symbolic link. The other types (c, b, p and s for character device, block device, FIFO and socket) are not covered here.

The next nine characters form three groups of three, giving the permissions of the owner, of users in the file's group, and of all other users.

In each group r means read, w means write, x means execute, and - means the corresponding permission is absent.

If the x in the owner's group is replaced by s, SUID is set. A capital S in that position means the SUID bit is set but the execute bit is not, so the file cannot be executed and the SUID bit has no effect; this usually comes from a mode such as 4644.

Likewise, an s in place of x in the group's permissions means SGID is set.

Set SUID

Use chmod 4755 filename to set the SUID bit (the leading 4 is the SUID bit, the 755 the ordinary permissions).

Use chmod 2755 filename to set the SGID bit.

Use chmod 6755 filename to set both the SUID and SGID bits.

Note: a numeric mode replaces the whole mode, so chmod 4000 filename would set the SUID bit but clear every rwx bit, leaving a file nobody can execute; always include the ordinary permissions, e.g. 4755. The symbolic forms chmod u+s filename and chmod g+s filename change only the special bit and leave the rest untouched.

Cancel SUID

Use chmod 755 filename to remove both the SUID and SGID bits from a regular file (for a directory, GNU chmod keeps those bits unless you clear them explicitly).

chmod u-s filename (SUID) or chmod g-s filename (SGID) also work and leave the other permission bits unchanged.
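The program below is an added example for the View, Set and Cancel steps above; it is not code from the original post. It renders st_mode in the same "-rwsr-xr-x" form that ls -l prints (including the capital S/T cases), reports whether a file has the SUID bit, and sets or clears that bit with chmod(2) the way chmod u+s / u-s do, without disturbing the rwx bits. The temporary file name /tmp/suid-demo-XXXXXX is constructed for the demo; when run without arguments it inspects /usr/bin/passwd, the file used earlier on this page. It works as an unprivileged user, because the owner of a file may set its SUID bit (the kernel only ignores the bit on exec when the file system is mounted nosuid).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Render st_mode the way ls -l shows it.  A lowercase s (or t) means the
 * special bit and the execute bit are both set; an uppercase S/T means the
 * special bit is set without execute, which is useless for SUID and is
 * usually the result of a typo such as "chmod 4644". */
const char *mode_string(mode_t m)
{
    static char buf[11];
    buf[0] = S_ISDIR(m) ? 'd' : S_ISLNK(m) ? 'l' : S_ISCHR(m) ? 'c' :
             S_ISBLK(m) ? 'b' : S_ISFIFO(m) ? 'p' : S_ISSOCK(m) ? 's' : '-';
    buf[1] = (m & S_IRUSR) ? 'r' : '-';
    buf[2] = (m & S_IWUSR) ? 'w' : '-';
    buf[3] = (m & S_ISUID) ? ((m & S_IXUSR) ? 's' : 'S') : ((m & S_IXUSR) ? 'x' : '-');
    buf[4] = (m & S_IRGRP) ? 'r' : '-';
    buf[5] = (m & S_IWGRP) ? 'w' : '-';
    buf[6] = (m & S_ISGID) ? ((m & S_IXGRP) ? 's' : 'S') : ((m & S_IXGRP) ? 'x' : '-');
    buf[7] = (m & S_IROTH) ? 'r' : '-';
    buf[8] = (m & S_IWOTH) ? 'w' : '-';
    buf[9] = (m & S_ISVTX) ? ((m & S_IXOTH) ? 't' : 'T') : ((m & S_IXOTH) ? 'x' : '-');
    buf[10] = '\0';
    return buf;
}

/* 1 if the file has SUID set, 0 if not, -1 if it cannot be stat'ed. */
int has_suid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Equivalent of "chmod u+s" (set=1) or "chmod u-s" (set=0): read the
 * current mode and change only the SUID bit, unlike "chmod 4000", which
 * would wipe the rwx bits.  Returns 0 on success, -1 on failure. */
int change_suid(const char *path, int set)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    mode_t perm = st.st_mode & 07777;   /* permission + special bits only */
    perm = set ? (perm | S_ISUID) : (perm & ~(mode_t)S_ISUID);
    return chmod(path, perm);
}

/* Walk a temporary file through 0755 -> 4755 -> 0755, checking each step
 * through stat(2).  Returns 0 only if every observation matched. */
int suid_roundtrip(void)
{
    char path[] = "/tmp/suid-demo-XXXXXX";   /* constructed name */
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);

    int ok = chmod(path, 0755) == 0 && has_suid(path) == 0
          && change_suid(path, 1) == 0 && has_suid(path) == 1
          && stat(path, &st) == 0
          && strcmp(mode_string(st.st_mode), "-rwsr-xr-x") == 0
          && change_suid(path, 0) == 0 && has_suid(path) == 0;
    unlink(path);
    return ok ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/usr/bin/passwd";
    struct stat st;
    if (stat(path, &st) == 0)
        printf("%s %s  suid=%d\n", mode_string(st.st_mode), path, has_suid(path));
    else
        perror(path);
    printf("round trip on a temp file: %s\n",
           suid_roundtrip() == 0 ? "ok" : "failed");
    return 0;
}
```

Reading the current mode before writing it back is the point of change_suid(): it is the programmatic form of the symbolic chmod u+s/u-s, and the reason the numeric forms on this page must always carry the full rwx digits.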

Privilege escalation with SUID

Because a SUID program runs with its owner's privileges, any SUID root program that can be made to run arbitrary commands (spawn a shell, read or write files of the attacker's choosing) is a privilege escalation path. The first step is therefore to list every SUID file on the system, for example with find / -perm -4000 -type f 2>/dev/null, and check each one for a known escape.

Example: old versions of nmap had an interactive mode (it no longer exists in current releases), and if such an nmap binary is SUID root, a shell spawned from it runs as root.

# enter nmap's interactive mode
nmap --interactive
# run sh; if nmap is SUID root, this shell has root privileges
!sh

Verify with id afterwards: it should report euid=0(root) next to your own uid. If /bin/sh is bash, note that bash resets its effective UID to the real UID on startup unless run with -p, so a spawned bash can silently lose the privilege; dash, the default /bin/sh on Debian-based systems such as Kali, does not.

SUID has no effect on scripts

If user1 sets the SUID bit on a shell script with chmod 4777 /home/user1/script.sh (a world-writable SUID file would be a disaster if the bit did work), and user2 then logs in and runs the script, it runs with user2's privileges: no elevation happens.

This is because Linux honors the SUID bit only on binary executables and ignores it on scripts (see execve(2)). A script is run by the interpreter named on its #! line (sh, bash, python and so on): the kernel hands the script path to that interpreter, and the privileges the new process gets are derived from the interpreter binary, not from the script file. Since /bin/sh is not SUID, nothing is elevated, and interpreters do not re-check the script's SUID bit themselves. On top of that, bash drops its effective UID back to the real UID unless started with -p.

Perl used to be the exception: older installations shipped suidperl, a setuid helper that honored the SUID bit on Perl scripts, so a .pl script could be made SUID. suidperl was removed in Perl 5.12, so on current systems a SUID Perl script does not elevate either. If a script genuinely needs elevated privileges, a sudo rule for that specific script is the safer route.