How to deal with SUID and SGID?
SUID
If you own an
executable, and another person issues the executable, then it runs with your
permission and not his.
A Good example of the
use of suid is "whoami” command.
$ whoami
lee
$ sudo chmod u+s /usr/bin/whoami
$ whoami
root
$ sudo chmod u-s /usr/bin/whoami
lee
$ sudo chmod u+s /usr/bin/whoami
$ whoami
root
$ sudo chmod u-s /usr/bin/whoami
Example: 2
Another Good example of the use
of SUID bit is /usr/bin/passwd.
Only root user has permission to modify the
/etc/passwd file. If that’s the case, how can a normal user change his
password.
# ls -l /etc/passwd
-rw-r–r– 1 root sys 6001
Aug 27 10:00 /etc/passwd
#ls -l /usr/bin/passwd
-r-sr-sr-x 1 root sys 27228 Aug 16 2007 /usr/bin/passwd
/usr/bin/passwd has it’s SUID bit set. That
means, irrespective of the user who is invoking the passwd program, the program
always executes as the owner of the file (here root), granting it permission to
modify /etc/passwd file.
Example: 3
-rwxrwxrwx lee admin test1
-rwx------ lee admin test2
Here, the test1 is the script which is
intended to write some content to the test2. Because test1 have exe permissions for others,
others can run this script but others dont have write permissions to test2 and
hence it will give error .
Solution is to enable the suid.
.
-rwsrwxrwx lee admin
test1
-rwx------ lee admin test2
Now the program runs as
if the owner is executing hence the others can write data to the test2
And what is SGID used
for ?
It is used when you want a program to execute always as a member of it’s
owners group.
# chmod 2754 test.sh
# ls -l
total 2 -rwxr-sr– 1
a435104 ccusers 50 Oct 17 05:28 test.sh
* 4000 (chmod u+s) is suid; for files execute
as owning user (often root).
* 2000 (chmod g+s) is sgid; for files execute
as owning group (often root);
for directories the group on newly created files
will be set to the directory’s group rather than the creator’s group. Typically
used for shared directories.
If you happy with the above topic, please leave a comments/reactions.
