Setuid
setuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group. They are often used to allow users on a computer system to run programs with temporarily elevated privileges in order to perform a specific task. While the assumed user id or group id privileges provided are not always elevated, at a minimum they are specific.
setuid and setgid are needed for tasks that require higher privileges than those which common users have, such as changing their login password. Some of the tasks that require elevated privileges may not immediately be obvious, though, such as the ping command, which must send and listen for control packets on a network interface.
setuid on executables
When an executable file has been given the setuid attribute, normal users on the system who have permission to execute this file gain the privileges of the user who owns the file (commonly root) within the created process. When root privileges have been gained within the process, the application can then perform tasks on the system that regular users normally would be restricted from doing. The invoking user will be prohibited by the system from altering the new process in any way, such as by using ptrace, LD_LIBRARY_PATH or sending signals to it (signals from the terminal will still be accepted, however). Due to potential race conditions, many operating systems ignore the setuid attribute when applied to executable shell scripts.
While this setuid feature is very useful in many cases, its improper use can pose a security risk if the setuid attribute is assigned to executable programs that are not carefully designed. Users can exploit vulnerabilities in flawed programs to gain permanent elevated privileges, or unintentionally execute a trojan horse program.
The setgid attribute will allow for changing the group-based privileges within a process, like the setuid flag does for user-based privileges.

The presence of setuid executables explains why the chroot system call is not available to non-root users on Unix. See limitations of chroot for more details.

The setuid and setgid bits are normally set with the command chmod by setting the high-order octal digit to 4 (for setuid) or 2 (for setgid). `chmod 6711` will set the setuid and setgid bits (6), make the file read/write/executable for the owner (7), and executable by the group (first 1) and others (second 1). All chmod flags are octal.

Most implementations of the chmod command also support finer-grained, symbolic arguments to set these bits. This is shown in the demonstration below as the `chmod ug+s` command.

The demonstration C program below simply obtains and reveals the real and effective user and group ID currently assigned to the process. The commands shown first compile the process as user `bob` and subsequently use `chmod` to establish the setuid and setgid bits. The `su` command, itself a client of the setuid feature, is then used to assume the id of `alice`. The effectiveness of the `chmod` command is checked with `ls -l`, and finally the demonstration program is run, revealing the expected identity change, consistent with the /etc/passwd file.

Note that the demonstration program listed below will silently fail to change the effective UID if run on a volume mounted with the `nosuid` option.

Demonstration
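The original demonstration program did not survive in this copy of the page. The C program below is an added example, not the page's own code: it does what the text describes (reads the real, effective and saved user and group ids, using the getresuid/getresgid calls that Linux and the BSDs provide) and goes one step further, permanently giving up an assumed identity the way a carefully written setuid program should and then reading the ids back to confirm the drop. The function names (drop_privileges_permanently, identity_is_assumed, and so on) are this example's own.

```c
#define _GNU_SOURCE          /* getresuid/setresuid/setgroups: Linux and BSD extensions */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Snapshot of the three user ids and three group ids a Unix process carries. */
struct ids {
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;
};

/* Fill 'out' with the current ids; returns 0 on success, -1 on error. */
int current_ids(struct ids *out)
{
    if (getresuid(&out->ruid, &out->euid, &out->suid) != 0) return -1;
    if (getresgid(&out->rgid, &out->egid, &out->sgid) != 0) return -1;
    return 0;
}

/* 1 when the process runs under an identity other than the invoking user's,
 * which is exactly what executing a setuid or setgid binary produces. */
int identity_is_assumed(const struct ids *id)
{
    return id->ruid != id->euid || id->suid != id->euid ||
           id->rgid != id->egid || id->sgid != id->egid;
}

/* Give up the assumed identity for good: set real, effective AND saved ids to
 * the invoking user's real ids, so there is nothing left to switch back to.
 * Group ids go first: once the effective uid is unprivileged, changing the
 * group ids would no longer be permitted.  Returns 0 on success, -1 otherwise. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Only root may rewrite the supplementary group list; leave it alone otherwise. */
    if (geteuid() == 0 && setgroups(1, &rgid) != 0) return -1;
    if (setresgid(rgid, rgid, rgid) != 0) return -1;
    if (setresuid(ruid, ruid, ruid) != 0) return -1;

    /* Never trust the calls alone: read the ids back and confirm the drop. */
    struct ids now;
    if (current_ids(&now) != 0) return -1;
    if (now.ruid != ruid || now.euid != ruid || now.suid != ruid) return -1;
    if (now.rgid != rgid || now.egid != rgid || now.sgid != rgid) return -1;
    return 0;
}

/* Convenience wrapper: -1 on error, else whether an identity is currently assumed. */
int running_with_assumed_identity(void)
{
    struct ids id;
    if (current_ids(&id) != 0) return -1;
    return identity_is_assumed(&id);
}

/* Print all six ids, flagging the setuid/setgid case. */
void print_ids(const char *label)
{
    struct ids id;
    if (current_ids(&id) != 0) { perror("getresuid/getresgid"); return; }
    printf("%s: uid=%u euid=%u suid=%u gid=%u egid=%u sgid=%u%s\n", label,
           (unsigned)id.ruid, (unsigned)id.euid, (unsigned)id.suid,
           (unsigned)id.rgid, (unsigned)id.egid, (unsigned)id.sgid,
           identity_is_assumed(&id) ? " (assumed identity)" : "");
}

int main(void)
{
    print_ids("at start");
    if (drop_privileges_permanently() != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    print_ids("after drop");
    return 0;
}
```

Built and run as an ordinary binary, both lines show the same ids. Compiled by `bob`, marked with `chmod ug+s` and run by `alice` as the page describes, the first line shows alice's real ids next to bob's effective and saved ids, and the second line shows only alice's. On a volume mounted `nosuid` the kernel ignores the bits and the two lines match again.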
setuid and setgid on directories
The setuid and setgid flags, when set on a directory, have an entirely different meaning.

Setting the setgid permission on a directory (chmod g+s) causes new files and subdirectories created within it to inherit its group ID, rather than the primary group ID of the user who created the file (the owner ID is never affected, only the group ID). Newly created subdirectories inherit the setgid bit. Note that setting the setgid permission on a directory only affects the group ID of new files and subdirectories created after the setgid bit is set, and is not applied to existing entities. Setting the setgid bit on existing subdirectories must be done manually, with a command such as the following:
[root@foo]# find /path/to/directory -type d -exec chmod g+s {} \;
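To make the octal arithmetic of the chmod paragraph and the directory behaviour above concrete, here is an added C example that is not part of the page. It decodes a chmod-style octal mode into the string `ls -l` would print (so `6711` comes out as `-rws--s--x`), and it runs the setgid-directory experiment on a scratch directory under /tmp (a constructed path): set g+s on the directory, create a subdirectory and a file inside it, and check with stat() that the subdirectory inherited the bit and that both entries carry the directory's group while the plain file gets no setgid bit. The function names are this example's own; the inheritance check reflects Linux and BSD behaviour.

```c
#define _GNU_SOURCE          /* mkdtemp */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Parse a chmod-style octal string such as "6711" into a mode_t. */
mode_t parse_octal_mode(const char *s)
{
    return (mode_t)strtoul(s, NULL, 8);
}

/* Render a mode the way ls -l does, including the s/S and t/T special bits.
 * Returns a pointer to a static buffer (not thread-safe; fine for a demo). */
const char *mode_string(mode_t m)
{
    static char out[11];
    const char *rwx = "rwxrwxrwx";
    out[0] = S_ISDIR(m) ? 'd' : S_ISLNK(m) ? 'l' : '-';
    for (int i = 0; i < 9; i++)
        out[i + 1] = (m & (0400 >> i)) ? rwx[i] : '-';
    /* Lowercase: the special bit sits on top of an execute bit.
     * Uppercase: the execute bit is missing, which is usually a mistake. */
    if (m & S_ISUID) out[3] = (m & S_IXUSR) ? 's' : 'S';
    if (m & S_ISGID) out[6] = (m & S_IXGRP) ? 's' : 'S';
    if (m & S_ISVTX) out[9] = (m & S_IXOTH) ? 't' : 'T';
    out[10] = '\0';
    return out;
}

/* Create a scratch directory, apply chmod g+s to it, then create a subdirectory
 * and a file inside and inspect what they inherited.  Returns 1 if the
 * subdirectory inherited the setgid bit and both entries carry the directory's
 * group (with no setgid bit on the plain file), 0 if not, -1 on an error. */
int setgid_directory_experiment(void)
{
    char dir[] = "/tmp/setgid_demo_XXXXXX";   /* constructed scratch path */
    char sub[64], file[64];
    struct stat dst, sst, fst;
    int fd, result = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(sub, sizeof sub, "%s/sub", dir);
    snprintf(file, sizeof file, "%s/file", dir);

    if (stat(dir, &dst) != 0) goto cleanup;
    if (chmod(dir, (dst.st_mode & 07777) | S_ISGID) != 0) goto cleanup;  /* g+s */
    if (stat(dir, &dst) != 0) goto cleanup;                               /* re-read */
    if (mkdir(sub, 0755) != 0) goto cleanup;
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) goto cleanup;
    close(fd);
    if (stat(sub, &sst) != 0 || stat(file, &fst) != 0) goto cleanup;

    result = (sst.st_mode & S_ISGID) != 0      /* new subdirectory inherits g+s  */
          && sst.st_gid == dst.st_gid          /* and the directory's group      */
          && fst.st_gid == dst.st_gid          /* plain file: group only,        */
          && (fst.st_mode & S_ISGID) == 0;     /* no setgid bit                  */

cleanup:
    unlink(file);
    rmdir(sub);
    rmdir(dir);
    return result;
}

int main(int argc, char **argv)
{
    const char *spec = argc > 1 ? argv[1] : "6711";
    printf("chmod %s on a regular file gives %s\n", spec,
           mode_string(S_IFREG | parse_octal_mode(spec)));
    int r = setgid_directory_experiment();
    printf("setgid directory experiment: %s\n",
           r == 1 ? "bit and group inherited" : r == 0 ? "not inherited" : "error");
    return r == 1 ? 0 : 1;
}
```

Pass a different octal mode as the first argument to see how the uppercase `S` marks a setuid or setgid bit without the matching execute bit, a combination worth flagging in a permissions audit.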
The setuid permission set on a directory is ignored on UNIX and Linux systems. FreeBSD can be configured to interpret it analogously to setgid, namely, to force all files and sub-directories to be owned by the top directory owner.

In FreeBSD, directories behave as if their setgid bit was always set, regardless of its actual value. As is stated in open(2), "When a new file is created it is given the group of the directory which contains it."

Security
Programs that use this bit must be carefully designed to be immune to buffer overrun attacks. Successful buffer overrun attacks on vulnerable applications allow the attacker to execute arbitrary code under the rights of the process being exploited. In the event a vulnerable process uses the setuid bit to run as root, the code will be executed with root privileges, in effect giving the attacker root access to the system on which the vulnerable process is running.

History
The setuid bit was invented by Dennis Ritchie. His employer, AT&T, applied for a patent in 1972; the patent was granted in 1979 as patent number . The patent was later placed in the public domain.
See also
- User identifier
- Group identifier
- Process identifier
- chmod
- sudo
- Confused deputy problem
- PolicyKit
- Unix security
- File system permissions
- Privilege revocation
- Privilege separation
- Environment variable
External links
- Chen, Hao; Wagner, David; and Dean, Drew; Setuid Demystified (pdf)
- Tsafrir, Dan; Da Silva, Dilma; and Wagner, David; The Murky Issue of Changing Process Identity: Revising Setuid Demystified (pdf)
- Pollock, Wayne; Unix File and Directory Permissions and Modes