What is SUID and how to set SUID in Linux/Unix?


# ls -l /etc/shadow
---------- 1 root root 5218 Oct  8 08:42 /etc/shadow
This is one of the most critical files on any Linux system: it is where the users' password hashes are stored.

Please have a look at the permission part. You can see that the permission section is empty, which means no user has any permission (read/write/execute) on this file. Root, however, is the absolute (super) user on Linux/Unix systems, so it can still perform file operations on it.

If I am the root user I can read this file, but if I run the same command or program (every command is a program in the background) as a normal user I can't read it:
[root@localhost ~]# whoami
root
[root@localhost ~]# tail -n 2 /etc/shadow
tcpdump:!!:17868::::::
suid:!!:17918:0:99999:7:::
[root@localhost ~]# su - suid
[suid@localhost ~]$ whoami
suid
[suid@localhost ~]$ tail -n 2 /etc/shadow
tail: cannot open `/etc/shadow' for reading: Permission denied
[suid@localhost ~]$

It is a small myth that the user decides whether he can access a particular file or not. In reality the user never decides which files he can access; the file itself decides which users can access it and what they can do, and all of that depends on the permission bits (rwx).

For example-
[suid@localhost ~]$ ll hi.txt
-rw-rw-r--. 1 suid suid 0 Jan 22 15:05 hi.txt
[suid@localhost ~]$

If the suid user wants to perform some operation on the hi.txt file, the file checks who the suid user is for it: if he is the owner he can do rw operations, but if any other user who is not part of the suid group tries to access the same file, he can do only the r operation on it.

[root@localhost ~]# su - suid
[suid@localhost ~]$ whoami
suid
[suid@localhost ~]$ id
uid=500(suid) gid=500(suid) groups=500(suid) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[suid@localhost ~]$ ls -l /etc/shadow
----------. 1 root root 935 Jan 22 14:28 /etc/shadow
[suid@localhost ~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied
[suid@localhost ~]$

This file doesn't have any permission for the suid user, so the cat program is not able to read it. That's why I said users never read or write a file; programs read or write, but programs run with the power of the logged-in user.

Now the important part of this topic comes into the picture. If I try a read or write operation on the /etc/shadow file using the cat command (program) I am not able to do so, but if I do the same with the passwd program I can do it easily (every user can change their password using the passwd command). That means the passwd program reads the file, updates the new password, saves it and quits. That really sounds very interesting; how is it possible?

[suid@localhost ~]$ whoami
suid
[suid@localhost ~]$ id
uid=500(suid) gid=500(suid) groups=500(suid) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[suid@localhost ~]$ ls -l /etc/shadow
----------. 1 root root 935 Jan 22 14:28 /etc/shadow
[suid@localhost ~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied
[suid@localhost ~]$ passwd
Changing password for user suid.
Changing password for suid.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[suid@localhost ~]$

The answer is the SUID (Set User ID) permission. How does it work? Let's see.
Some internal manipulation is involved here. As we know, root is the super user and has unlimited power to execute programs, so if we can somehow give the cat program the power of the root user, then cat can read the /etc/shadow file easily.

SUID is exactly the concept that lets us give the root user's power to cat or any other program, so that it can perform file operations with the root user's power.

[suid@localhost ~]$ which passwd
/usr/bin/passwd
[suid@localhost ~]$ ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 30768 Feb 17  2012 /usr/bin/passwd
[suid@localhost ~]$
Please have a look at the owner permission part (rws): the s means SUID is set on the /usr/bin/passwd file, and the owner of this file is root, so whenever this file is executed it runs with root's power. That's why users can change their password using the passwd command even though they are not authorized to access the /etc/shadow file.

If I remove SUID from the /usr/bin/passwd file, normal users won't be able to change their password:
[root@localhost ~]# chmod 0755 /usr/bin/passwd
[root@localhost ~]# ls -l /usr/bin/passwd
-rwxr-xr-x. 1 root root 30768 Feb 17  2012 /usr/bin/passwd
[suid@localhost ~]$ su - suid
[suid@localhost ~]$ passwd
Changing password for user suid.
Changing password for suid.
(current) UNIX password:
New password:
Retype new password:
passwd: Authentication token manipulation error
[suid@localhost ~]$

If I change the owner of /usr/bin/passwd, no one will be able to change their password, including root. We all know that root has unlimited power, but still it (root) won't be able to change its own password:

[root@localhost ~]# chmod 4755 /usr/bin/passwd
[root@localhost ~]# chown suid /usr/bin/passwd
[root@localhost ~]# ll /usr/bin/passwd
-rwsr-xr-x. 1 suid root 30768 Feb 17  2012 /usr/bin/passwd
[root@localhost ~]# passwd
Changing password for user root.
New password:
Retype new password:
passwd: System error
[root@localhost ~]# su - suid
[suid@localhost ~]$ passwd
Changing password for user suid.
Changing password for suid.
(current) UNIX password:
passwd: Authentication token manipulation error
[suid@localhost ~]$

One more myth in the market: I have seen on multiple blogs and tech pages that SUID is used to run a program with root power. No! No! No! That is a very big myth. SUID never decides that the file operation will be done with root power; that depends on the owner of the file.
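To make the two points above concrete (the file's permission bits decide who may do what, and the SUID bit makes a program run as the file's owner, whoever that is), here is a small model of the kernel's access decision. This is an added example, not code from the original post; the uids (root = 0, suid = 500) and the file modes are taken from the ls -l and id output shown above, and the names Inode, Cred, can_access and exec_identity are the example's own.

```python
# Added example: a model of Unix discretionary access control (DAC) plus the
# effect of the setuid/setgid bits on the identity a program runs with.
# uid 0 is root, uid/gid 500 is the 'suid' user, as in the post's transcripts.
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    mode: int  # permission bits incl. setuid/setgid, e.g. 0o4755
    uid: int   # owner
    gid: int   # group


@dataclass(frozen=True)
class Cred:
    euid: int           # effective uid used for access checks
    egid: int           # effective gid
    groups: frozenset   # supplementary groups


def can_access(f: Inode, c: Cred, op: str) -> bool:
    """Classic DAC check. Root bypasses it (the kernel's CAP_DAC_OVERRIDE,
    which is why root reads a mode-0000 /etc/shadow). For everyone else
    exactly one class applies: owner, else group, else other. The classes
    are not merged, so an owner with fewer bits than 'other' still loses."""
    if c.euid == 0:
        return True
    bit = {"r": 4, "w": 2, "x": 1}[op]
    if c.euid == f.uid:
        shift = 6
    elif f.gid == c.egid or f.gid in c.groups:
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & bit)


def exec_identity(prog: Inode, caller: Cred) -> Cred:
    """Identity a process gets when it execs prog. With the setuid bit the
    effective uid becomes the file's OWNER (not automatically root); the
    setgid bit does the same for the effective gid."""
    euid = prog.uid if prog.mode & stat.S_ISUID else caller.euid
    egid = prog.gid if prog.mode & stat.S_ISGID else caller.egid
    return Cred(euid, egid, caller.groups)


def run_and_access(prog: Inode, caller: Cred, target: Inode, op: str) -> bool:
    """Does 'caller' running 'prog' get to do 'op' on 'target'?"""
    return can_access(target, exec_identity(prog, caller), op)


# Constructed inodes and credentials mirroring the post's transcripts.
SHADOW = Inode(0o000, 0, 0)          # ---------- root root /etc/shadow
HI_TXT = Inode(0o664, 500, 500)      # -rw-rw-r-- suid suid hi.txt
CAT = Inode(0o755, 0, 0)             # -rwxr-xr-x root root /bin/cat
CAT_SUID = Inode(0o4755, 0, 0)       # after chmod 4755 /bin/cat
PASSWD = Inode(0o4755, 0, 0)         # -rwsr-xr-x root root /usr/bin/passwd
PASSWD_CHOWNED = Inode(0o4755, 500, 0)  # after chown suid /usr/bin/passwd
ROOT = Cred(0, 0, frozenset({0}))
SUID = Cred(500, 500, frozenset({500}))
OTHER = Cred(501, 501, frozenset({501}))   # some unrelated user


def scenarios() -> dict:
    """Each key names a situation from the post; the value is allowed/denied."""
    return {
        "root cat shadow": can_access(SHADOW, ROOT, "r"),
        "suid cat shadow": run_and_access(CAT, SUID, SHADOW, "r"),
        "suid writes own hi.txt": can_access(HI_TXT, SUID, "w"),
        "other writes hi.txt": can_access(HI_TXT, OTHER, "w"),
        "other reads hi.txt": can_access(HI_TXT, OTHER, "r"),
        "suid passwd (suid root)": run_and_access(PASSWD, SUID, SHADOW, "w"),
        "suid cat (suid root)": run_and_access(CAT_SUID, SUID, SHADOW, "r"),
        # The chown experiment: the binary now runs as uid 500 for everyone,
        # root included, so even root's own password change fails.
        "root passwd (owner suid)": run_and_access(PASSWD_CHOWNED, ROOT, SHADOW, "w"),
        "suid passwd (owner suid)": run_and_access(PASSWD_CHOWNED, SUID, SHADOW, "w"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28s} {'allowed' if ok else 'denied'}")
```

The last two scenarios reproduce the "passwd: System error" and "Authentication token manipulation error" transcripts: after chown, the setuid bit hands every caller uid 500, and uid 500 has no bits on /etc/shadow, so the write is refused no matter who started the program.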

Now let's understand SUID in another way. I will set SUID on the /bin/cat file, whose owner is root by default, so that when users use the cat command for file operations, all of them will be able to operate with root power, including on /etc/shadow, the same way they can with the passwd command.

[root@localhost ~]# which cat
/bin/cat
[root@localhost ~]# ll /bin/cat
-rwxr-xr-x. 1 root root 48568 Apr 17  2012 /bin/cat
[root@localhost ~]# chmod 4755 /bin/cat
[root@localhost ~]# ll /bin/cat
-rwsr-xr-x. 1 root root 48568 Apr 17  2012 /bin/cat

Let's check whether a normal user is able to read the /etc/shadow file now:
[root@localhost ~]# su - suid
[suid@localhost ~]$ cat /etc/shadow
root:$6$Vts698qm$8lQTSH3afGRJ99/LcyZSl7YlottJ5Imi9obt8vOCIctKkNRSDroGilBC1KsRUYn4C/rBwObhUXTKs1C.Ze8SD0:17918:0:99999:7:::
bin:*:15615:0:99999:7:::
daemon:*:15615:0:99999:7:::
adm:*:15615:0:99999:7:::
lp:*:15615:0:99999:7:::
sync:*:15615:0:99999:7:::
shutdown:*:15615:0:99999:7:::
halt:*:15615:0:99999:7:::
mail:*:15615:0:99999:7:::
uucp:*:15615:0:99999:7:::
operator:*:15615:0:99999:7:::
games:*:15615:0:99999:7:::
gopher:*:15615:0:99999:7:::
ftp:*:15615:0:99999:7:::
nobody:*:15615:0:99999:7:::
dbus:!!:17868::::::
usbmuxd:!!:17868::::::
vcsa:!!:17868::::::
rpc:!!:17868:0:99999:7:::
rtkit:!!:17868::::::
avahi-autoipd:!!:17868::::::
abrt:!!:17868::::::
rpcuser:!!:17868::::::
nfsnobody:!!:17868::::::
haldaemon:!!:17868::::::
gdm:!!:17868::::::
ntp:!!:17868::::::
apache:!!:17868::::::
saslauth:!!:17868::::::
postfix:!!:17868::::::
pulse:!!:17868::::::
sshd:!!:17868::::::
tcpdump:!!:17868::::::
suid:$6$K.V/jc/y$xm79v2PfPkyqkCmPnZ150eODlbwFFSmfBSm8ea8uwni/ddQkd9qNoaVz9t6ympC0v4vH01fCY8mPnV5gCW7SO1:17918:0:99999:7:::
[suid@localhost ~]$

Yes, I am able to read the /etc/shadow file.

Guys, SUID is a very sensitive permission, which should be used with a proper plan and only when required; otherwise it compromises security (it opens a loophole in system security). As we have seen, normal users are not allowed to do any operation on the /etc/shadow file, but somehow we were able to do so with the help of SUID.

How can it be dangerous for system security?
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[suid@localhost ~]$ id
uid=500(suid) gid=500(suid) groups=500(suid) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[suid@localhost ~]$

Please have a look at the root user id and the normal user id. If I replace the normal user's id with zero (0), the super user id, the normal user automatically gets all the privileges of the root user, which is not a big deal now that we have allowed every file operation on any file using the cat command.
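The practical defence against the situation just described is to know exactly which setuid binaries exist on a system and to notice when a new one appears (a root-owned /bin/cat with mode 4755, say). The following is an added example, not part of the original post: a small audit that lists setuid files and flags any that are not on an explicit allowlist. The sample entries and the allowlist are constructed from the ls -l output in the post; walk_entries, find_setuid and unexpected_setuid are the example's own names.

```python
# Added example: audit setuid binaries against a baseline allowlist.
# Run with a directory argument to scan a real tree (e.g. /usr/bin), or with no
# argument to run over the constructed sample entries below.
import os
import stat
import sys
from typing import Iterable, Iterator, List, Optional, Tuple

Entry = Tuple[str, int, int]  # (path, st_mode, st_uid)


def walk_entries(root: str) -> Iterator[Entry]:
    """Yield (path, mode, uid) for regular files under root.
    lstat is used so symlinks are reported as links, never followed."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry; skip it
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, st.st_uid


def find_setuid(entries: Iterable[Entry], owner_uid: Optional[int] = None) -> List[str]:
    """Paths with the setuid bit set (mode & S_ISUID), optionally limited to
    files owned by owner_uid; pass 0 to see only setuid-root binaries."""
    hits = []
    for path, mode, uid in entries:
        if not (mode & stat.S_ISUID):
            continue
        if owner_uid is not None and uid != owner_uid:
            continue
        hits.append(path)
    return sorted(hits)


def unexpected_setuid(entries: Iterable[Entry], allowlist: Iterable[str]) -> List[str]:
    """Setuid files that are not in the allowlist: the ones to investigate."""
    allowed = set(allowlist)
    return [p for p in find_setuid(entries) if p not in allowed]


# Constructed sample, mirroring the post's ls -l output (mode includes the
# S_IFREG type bits the way os.lstat reports it).
SAMPLE_ENTRIES: List[Entry] = [
    ("/usr/bin/passwd", 0o104755, 0),    # -rwsr-xr-x root: expected
    ("/bin/cat", 0o104755, 0),           # after 'chmod 4755 /bin/cat': not expected
    ("/bin/ls", 0o100755, 0),            # plain -rwxr-xr-x
    ("/home/suid/hi.txt", 0o100664, 500),
]
BASELINE = {"/usr/bin/passwd"}  # the setuid binaries this host is supposed to have


if __name__ == "__main__":
    entries = walk_entries(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for path in unexpected_setuid(entries, BASELINE):
        print("unexpected setuid file:", path)
```

On a real host the same listing is one shell command, find / -xdev -type f -perm -4000, and the useful part is keeping its output from a known-good state and diffing against it on a schedule; a setuid bit that appears on a general-purpose tool like cat is exactly the kind of change that should raise an alert.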
