# ls -l /etc/shadow
---------- 1 root root 5218 Oct 8 08:42 /etc/shadow
This is one of the most critical files on any Linux system: it is where user passwords (as hashes) are stored.
Look at the permission part: it is completely empty, which means no ordinary user can perform any operation (read/write/execute) on this file. Root, being the absolute (super) user on Linux/Unix systems, can still perform file operations on it.
[root@localhost ~]# whoami
root
[root@localhost ~]# tail -n 2 /etc/shadow
tcpdump:!!:17868::::::
suid:!!:17918:0:99999:7:::
[root@localhost ~]# su - suid
[suid@localhost ~]$ whoami
suid
[suid@localhost ~]$ tail -n 2 /etc/shadow
tail: cannot open `/etc/shadow' for reading: Permission denied
[suid@localhost ~]$
It is a common myth that the user decides whether he can access a particular file. In reality the user never decides which files he can access; the file itself decides which users can access it and what they can do, all based on its permission bits (rwx).
For example:
[suid@localhost ~]$ ll hi.txt
-rw-rw-r--. 1 suid suid 0 Jan 22 15:05 hi.txt
[suid@localhost ~]$
If the suid user wants to perform an operation on hi.txt, the file checks who the suid user is to it: if he is the owner, he can do read and write operations; any other user who is not part of the suid group and tries to access the same file can only do read operations on it.
[root@localhost ~]# su - suid
[suid@localhost ~]$ whoami
suid
[suid@localhost ~]$ id
uid=500(suid) gid=500(suid) groups=500(suid) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[suid@localhost ~]$ ls -l /etc/shadow
----------. 1 root root 935 Jan 22 14:28 /etc/shadow
[suid@localhost ~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied
[suid@localhost ~]$
This file grants no permission to the suid user, so the cat program is not able to read it. That is why I said users never read or write a file: programs read or write, and programs run with the privileges of the logged-in user.
Now the important part of this topic comes into the picture. If I try a read or write operation on /etc/shadow using the cat command (program), I am not able to, but if I do the same with the passwd program I can do it easily (every user can change their own password using the passwd command). That means the passwd program reads the file, updates it with the new password, saves and quits. Really interesting; how is it possible?
[suid@localhost ~]$ whoami
suid
[suid@localhost ~]$ id
uid=500(suid) gid=500(suid) groups=500(suid) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[suid@localhost ~]$ ls -l /etc/shadow
----------. 1 root root 935 Jan 22 14:28 /etc/shadow
[suid@localhost ~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied
[suid@localhost ~]$ passwd
Changing password for user suid.
Changing password for suid.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[suid@localhost ~]$
The answer is the SUID (Set User ID) permission. How does it work? Let's see.
Some internal manipulation is done for this. As we know, root is the super user and has unlimited power when executing programs; if somehow we can give root's power to the cat program, then cat can read /etc/shadow easily.
SUID is the mechanism that lets us give root's power (more precisely, the file owner's power) to cat or any other program, so that the program performs its file operations with that user's privileges.
[suid@localhost ~]$ which passwd
/usr/bin/passwd
[suid@localhost ~]$ ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 30768 Feb 17 2012 /usr/bin/passwd
[suid@localhost ~]$
Look at the owner permission part (rws): the s means SUID is set on /usr/bin/passwd, and since the owner of this file is root, whenever this file is executed it runs with root's power. That is why users can change their password using the passwd command even though they are not authorized to access /etc/shadow directly.
If I remove SUID from /usr/bin/passwd, normal users will no longer be able to change their password.
[root@localhost ~]# chmod 0755 /usr/bin/passwd
[root@localhost ~]# ls -l /usr/bin/passwd
-rwxr-xr-x. 1 root root 30768 Feb 17 2012 /usr/bin/passwd
[suid@localhost ~]$ su - suid
[suid@localhost ~]$ passwd
Changing password for user suid.
Changing password for suid.
(current) UNIX password:
New password:
Retype new password:
passwd: Authentication token manipulation error
[suid@localhost ~]$
If I change the owner of /usr/bin/passwd, no one will be able to change their password, including root. We all know that root has unlimited power, but still it (root) won't be able to change its own password.
[root@localhost ~]# chmod 4755 /usr/bin/passwd
[root@localhost ~]# chown suid /usr/bin/passwd
[root@localhost ~]# ll /usr/bin/passwd
-rwsr-xr-x. 1 suid root 30768 Feb 17 2012 /usr/bin/passwd
[root@localhost ~]# passwd
Changing password for user root.
New password:
Retype new password:
passwd: System error
[root@localhost ~]# su - suid
[suid@localhost ~]$ passwd
Changing password for user suid.
Changing password for suid.
(current) UNIX password:
passwd: Authentication token manipulation error
[suid@localhost ~]$
Another myth in the market: I have seen on multiple blogs and tech pages that SUID is used to run a program with root power. No! No! No! That is a very big myth. SUID never decides that the file operation will be done with root power; whose power is used depends on the owner of the file.
Now let's understand SUID in another way. I will set SUID on /bin/cat, whose owner by default is root, so that when users use the cat command for file operations, all users will be able to perform those operations with root power, including on /etc/shadow, in the same way they can with the passwd command.
[root@localhost ~]# which cat
/bin/cat
[root@localhost ~]# ll /bin/cat
-rwxr-xr-x. 1 root root 48568 Apr 17 2012 /bin/cat
[root@localhost ~]# chmod 4755 /bin/cat
[root@localhost ~]# ll /bin/cat
-rwsr-xr-x. 1 root root 48568 Apr 17 2012 /bin/cat
Let's check whether a normal user is able to read the /etc/shadow file.
[root@localhost ~]# su - suid
[suid@localhost ~]$ cat /etc/shadow
root:$6$Vts698qm$8lQTSH3afGRJ99/LcyZSl7YlottJ5Imi9obt8vOCIctKkNRSDroGilBC1KsRUYn4C/rBwObhUXTKs1C.Ze8SD0:17918:0:99999:7:::
bin:*:15615:0:99999:7:::
daemon:*:15615:0:99999:7:::
adm:*:15615:0:99999:7:::
lp:*:15615:0:99999:7:::
sync:*:15615:0:99999:7:::
shutdown:*:15615:0:99999:7:::
halt:*:15615:0:99999:7:::
mail:*:15615:0:99999:7:::
uucp:*:15615:0:99999:7:::
operator:*:15615:0:99999:7:::
games:*:15615:0:99999:7:::
gopher:*:15615:0:99999:7:::
ftp:*:15615:0:99999:7:::
nobody:*:15615:0:99999:7:::
dbus:!!:17868::::::
usbmuxd:!!:17868::::::
vcsa:!!:17868::::::
rpc:!!:17868:0:99999:7:::
rtkit:!!:17868::::::
avahi-autoipd:!!:17868::::::
abrt:!!:17868::::::
rpcuser:!!:17868::::::
nfsnobody:!!:17868::::::
haldaemon:!!:17868::::::
gdm:!!:17868::::::
ntp:!!:17868::::::
apache:!!:17868::::::
saslauth:!!:17868::::::
postfix:!!:17868::::::
pulse:!!:17868::::::
sshd:!!:17868::::::
tcpdump:!!:17868::::::
suid:$6$K.V/jc/y$xm79v2PfPkyqkCmPnZ150eODlbwFFSmfBSm8ea8uwni/ddQkd9qNoaVz9t6ympC0v4vH01fCY8mPnV5gCW7SO1:17918:0:99999:7:::
[suid@localhost ~]$
Yes, I am able to read the /etc/shadow file.
SUID is a very sensitive permission which should be used with a proper plan and only when required; otherwise it compromises security (a loophole in system security). As we have seen, normal users are not allowed to do any operation on /etc/shadow, yet somehow we were able to with the help of SUID.
How can it be dangerous for system security?
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[suid@localhost ~]$ id
uid=500(suid) gid=500(suid) groups=500(suid) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[suid@localhost ~]$
Look at the root user id and the normal user id. If I replace the normal user's id with zero (0), the super-user id, the normal user will automatically get all the privileges of the root user, which is not a big deal now that we have allowed all file operations on any file via the cat command.
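Because a SUID binary such as the cat above hands every user its owner's privileges, the first thing an administrator wants is an inventory of SUID programs, whose privileges each one really gets, and which ones are not supposed to be there. The POSIX shell script below is an added example, not code from the original post: it parses ls -l style lines, reports the owner each SUID program runs as, and flags entries missing from a baseline. The listing and the baseline are constructed for the example; on a real host feed it the output of `find / -xdev -perm -4000 -type f -exec ls -l {} +`.

```shell
#!/bin/sh
# Added example (not from the original post): audit a list of files for the
# SUID bit and report whose privileges each SUID program actually gets.
# On a real host, replace SAMPLE_LISTING with the output of:
#   find / -xdev -perm -4000 -type f -exec ls -l {} + 2>/dev/null

# Constructed ls -l output: passwd and cat as shown in the post, one non-SUID
# binary, and one SUID binary owned by the ordinary user "suid".
SAMPLE_LISTING='-rwsr-xr-x. 1 root root 30768 Feb 17 2012 /usr/bin/passwd
-rwsr-xr-x. 1 root root 48568 Apr 17 2012 /bin/cat
-rwxr-xr-x. 1 root root 48568 Apr 17 2012 /bin/ls
-rwsr-xr-x. 1 suid root 30768 Feb 17 2012 /usr/local/bin/tool'

# Constructed baseline of SUID programs expected on this host; a real baseline
# comes from a known-good image of the same distribution.
EXPECTED_SUID='/usr/bin/passwd'

# mode_has_suid MODE: succeed if the owner-execute slot of an ls -l mode
# string is s (SUID + execute) or S (SUID without execute), e.g. -rwsr-xr-x.
mode_has_suid() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# in_list WORD LIST: succeed if WORD is one of the whitespace-separated LIST entries
in_list() {
    for _entry in $2; do
        [ "$_entry" = "$1" ] && return 0
    done
    return 1
}

# audit_listing LISTING: print one line per SUID entry in the form
#   <path> runs-as=<owner> <OK|UNEXPECTED>
# "runs-as" is the file owner: that is the identity the program gets, which is
# root only when root owns the file (the point the post makes with chown).
audit_listing() {
    printf '%s\n' "$1" |
    while read -r mode _links owner _group _size _mon _day _year path; do
        mode_has_suid "$mode" || continue
        if in_list "$path" "$EXPECTED_SUID"; then status=OK; else status=UNEXPECTED; fi
        printf '%s runs-as=%s %s\n' "$path" "$owner" "$status"
    done
}

audit_listing "$SAMPLE_LISTING"
```

A SUID file owned by a non-root user (the last line of the constructed listing) still deserves review: it does not grant root, but it lets every caller act as that owner.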