Information About

Setuid
  CATEGORIES ABOUT SETUID
   
unix
   
APPAREL
BABY
BEAUTY
BOOKS
CAR TOYS
CELL PHONES
DVD'S
ELECTRONICS
GOURMET FOOD
GROCERIES
HEALTH & PERSONAL
HOME & GARDEN
JEWELRY
MUSIC
MUSIC INSTRUMENTS
OFFICE PRODUCTS
SOFTWARE
SPORTING GOODS
TOOLS & HARDWARE
TOYS
VIDEO GAMES
SHOPPING HOME
MORE SHOPPING...



setuid and '''setgid''' are Unix terms, which are short for "Set User ID" and "Set Group ID", respectively. setuid (also sometimes referred to as "suid") and setgid are access right flags that can be assigned to files and directories is a Unix system. They are mostly used to allow users on a computer system to execute binary Executable s with temporarily elevated privileges in order to perform a specific task.

setuid and setgid are needed for tasks that require higher privileges than those which a common user has, such as changing his or her login password. Some of the tasks that require elevated privilege may not immediately be obvious, though — such as the Ping command, which must send and listen for Control Packet s on a network interface.


SETUID ON EXECUTABLES


When a '' Binary '' executable file has been given the setuid attribute, normal users on the system can execute this file and gain the privileges of the user who owns the file (commonly Root ) within the created Process . When root privileges have been gained within the process, the application can then perform tasks on the system that regular users normally would be restricted from doing. The invoking user will be prohibited by the system from altering the new process in any way, such as by using Ptrace , LD_LIBRARY_PATH or sending signals to it (signals from the terminal will still be accepted, however). Due to the increased likelihood of security flaws, many operating systems ignore the setuid attribute when applied to executable '' Shell Scripts ''.

While the setuid feature is very useful in many cases, it can pose a security risk if the setuid attribute is assigned to Executable programs that are not carefully designed. Users can Exploit vulnerabilities in flawed programs to gain permanent Elevated Privileges , or unintentionally execute a Trojan Horse program.

The setgid attribute will allow for changing the group based privileges within a process, like the setuid flag does for user based privileges.

The presence of setuid executables justifies the fact that the Chroot system call is not available to non- Root users on Unix.

The setuid and setgid bits are normally set with the command Chmod by setting the high-order octal to 4 or 2 (or 6 to set both). `chmod 6711` will set the setuid and setgid bit (6) make the file read/write/executable for the owner (7) and executable by the group and others (11). All chmod flags are octal, and the least significant bit of the high-order octal is used for a special mode known as the Sticky Bit .


Demonstration


{Link without Title} $ cat /etc/passwd
alice:x:1007:1007::/home/alice:/bin/bash
bob:x:1008:1008::/home/bob:/bin/bash

{Link without Title} $ cat printid.c

#include
#include
#include
#include

int main(void)
{
printf("Real UID = %d
", getuid());
printf("Effective UID = %d
", geteuid());
printf("Real GID = %d
", getgid());
printf("Effective GID = %d
", getegid());

return EXIT_SUCCESS;
}

{Link without Title} $ gcc -Wall printid.c -o printid
{Link without Title} $ chmod ug+s printid
{Link without Title} $ su alice
Password:
{Link without Title} $ ./printid
Real UID = 1007
Effective UID = 1008
Real GID = 1007
Effective GID = 1008
{Link without Title} $



SETUID ON DIRECTORIES


setuid and setgid flags on a directory have an entirely different meaning.

Directories with the setgid permission will force all files and sub-directories created in them to be owned by the directory group and not the group of the user creating the file. The setgid flag is inherited by newly created subdirectories.

The setuid permission set on a directory is ignored on UNIX and GNU/Linux systems 1. FreeBSD can be configured to interpret it similarly to setgid, namely, to force all files and sub-directories to be owned by the top directory owner.2


SEE ALSO



REFERENCES



EXTERNAL LINKS