Sunday, October 10, 2010
SUID (Set User ID) Explained
The password information of a user account is saved in the /etc/shadow file. When you check its file permissions, you will see that it has read permission ONLY for root. So have you ever wondered how a normal user is able to write to this file when executing the ‘passwd’ command to change his password?
[adevaraju@hostx ~]$ ls -l /etc/shadow
-r-------- 1 root root 1436 Oct 6 14:40 /etc/shadow
This is where SUID comes into the picture. If you check the file permissions of the ‘passwd’ command, you can see that it has the SUID (Set User ID) bit set, as shown below. Now for the definition of SUID: “When the SUID bit is set on a command, whoever executes that command will execute it with the privileges of the file owner”.
Here, in the case of the ‘passwd’ command, when a normal user executes it, it runs with “root” privileges. As the root user can overwrite any local file, it can update the /etc/shadow file even though the file has no write permission set. And that’s how a normal user can change his password.
[adevaraju@hostx ~]$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 22984 Jan 6 2007 /usr/bin/passwd
How to set SUID?
# chmod u+s <command/script name>
# chmod 4755 <command/script name>
How to search for files with SUID set?
# find / -perm -4000 -type f -print
Please note that when doing a security audit on a server, finding and reviewing executables with SUID set is an important action item, as they are very dangerous.
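One way to turn the find command above into a repeatable audit check is to compare its output against a list of SUID files you have already reviewed. This is an added example, not part of the original post; the function names, the baseline file format (one absolute path per line) and the demo file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: SUID audit against a baseline of already-reviewed files.
# The tree to audit and the baseline file are supplied by the caller.

# List regular files with the SUID bit set, one path per line, sorted.
# -xdev keeps find on the starting filesystem (skips /proc, network mounts).
suid_list() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# Print SUID files under $1 that are not listed in baseline file $2.
# Baseline format (assumed): one absolute path per line.
# grep exits 1 when nothing is left to report; treat that as success.
suid_unapproved() {
    suid_list "$1" | grep -vxF -f "$2" || [ $? -eq 1 ]
}

# Constructed demo: build a throwaway tree with two SUID files and one
# ordinary file, approve only one of them, and report the other.
suid_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin"
    for f in approved_tool surprise_tool plain_tool; do
        printf '#!/bin/sh\n' > "$d/bin/$f"
    done
    chmod 4755 "$d/bin/approved_tool" "$d/bin/surprise_tool"
    chmod 0755 "$d/bin/plain_tool"
    printf '%s\n' "$d/bin/approved_tool" > "$d/baseline.txt"
    # Strip the temporary prefix so the output is stable between runs.
    suid_unapproved "$d/bin" "$d/baseline.txt" | sed "s|^$d||"
    rm -rf "$d"
}

suid_demo    # prints /bin/surprise_tool
```

On a real server, run suid_unapproved / against a baseline saved after the last review; any path it prints is a SUID file that appeared since then and needs to be looked at.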