setuid

From Wikipedia, the free encyclopedia

(Redirected from Setgid)
Jump to: navigation, search

setuid and setgid (short for set user ID and set group ID, respectively) are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group. They are often used to allow users on a computer system to execute binary executables with temporarily elevated privileges in order to perform a specific task.

setuid and setgid are needed for tasks that require higher privileges than those which a common user has, such as changing his or her login password. Some of the tasks that require elevated privileges may not immediately be obvious, though — such as the ping command, which must send and listen for control packets on a network interface.

Contents

When a binary executable file has been given the setuid attribute, normal users on the system can execute this file and gain the privileges of the user who owns the file (commonly root) within the created process. When root privileges have been gained within the process, the application can then perform tasks on the system that regular users normally would be restricted from doing. The invoking user will be prohibited by the system from altering the new process in any way, such as by using ptrace, LD_LIBRARY_PATH or sending signals to it (signals from the terminal will still be accepted, however). Due to the increased likelihood of security flaws, many operating systems ignore the setuid attribute when applied to executable shell scripts.

While the setuid feature is very useful in many cases, it can pose a security risk if the setuid attribute is assigned to executable programs that are not carefully designed. Users can exploit vulnerabilities in flawed programs to gain permanent elevated privileges, or unintentionally execute a trojan horse program.

The setgid attribute will allow for changing the group based privileges within a process, like the setuid flag does for user based privileges.

The presence of setuid executables justifies the fact that the chroot system call is not available to non-root users on Unix.

The setuid and setgid bits are normally set with the command chmod by setting the high-order octal to 4 or 2 (or 6 to set both). `chmod 6711` will set the setuid and setgid bit (6) make the file read/write/executable for the owner (7) and executable by the group and others (11). All chmod flags are octal, and the least significant bit of the high-order octal is used for a special mode known as the sticky bit.

[bob@foo]$ cat /etc/passwd
alice:x:1007:1007::/home/alice:/bin/bash
bob:x:1008:1008::/home/bob:/bin/bash

[bob@foo]$ cat printid.c

#include 
#include 
#include 
#include 

int main(void)
{
    printf("Real UID\t= %d\n", getuid());
    printf("Effective UID\t= %d\n", geteuid());
    printf("Real GID\t= %d\n", getgid());
    printf("Effective GID\t= %d\n", getegid());

    return EXIT_SUCCESS;
}

[bob@foo]$ gcc -Wall printid.c -o printid
[bob@foo]$ chmod ug+s printid
[bob@foo]$ su alice 
Password: 
[alice@foo]$ ls -l
-rwsr-sr-x 1 bob bob 6944 2007-11-06 10:22 printid
[alice@foo]$ ./printid 
Real UID        = 1007
Effective UID   = 1008
Real GID        = 1007
Effective GID   = 1008
[alice@foo]$

setuid and setgid flags on a directory have an entirely different meaning.

Setting the setgid permission on a directory (chmod g+s) causes new files and subdirectories created within it to inherit its group, rather than the primary group of the user who created the file (the owner is never affected, only the group). Newly created subdirectories inherit the setgid bit. Note that setting the setgid permission on a directory only affects the group of new files and subdirectories created after the setgid bit is set, and is not applied to existing entities. Setting the setgid bit on existing subdirectories must be done manually, with a command such as the following:

[root@foo]# find /path/to/directory -type d -exec chmod g+s {} \;

The setuid permission set on a directory is ignored on UNIX and GNU/Linux systems [1]. FreeBSD can be configured to interpret it similarly to setgid, namely, to force all files and sub-directories to be owned by the top directory owner.[2]

  1. ^ Bauer, Mick (2004). Paranoid Penguin - Linux Filesystem Security, Part II. linuxjournal.com.
  2. ^ chmod manpage on www.freebsd.org.

Retrieved from "http://en.wikipedia.org/wiki/Setuid"
Advanced Search
Included Web Search Engines


Safe Search

close

Top Matching Results

Occasionally Search.com will highlight specialized results that are based on the context of your query. Examples of specialized results include specific links to news, images, or video.

Top Matching Results may highlight information from other Search.com pages, content from the CNET Network of sites, or third party content. The listings are based purely on relevance. Search.com does not receive payment for listings in this section but our partners that provide this data may get paid for listing these products.

Sponsored Links

This section contains paid listings which have been purchased by companies that want to have their sites appear for specific search terms and related content. These listings are administered, sorted and maintained by a third party and are not endorsed by Search.com.

Search Results

Search.com sends your search query to several search engines at one time and integrates the results into one list which has been sorted by relevance using Search.com's proprietary algorithm. You can customize the list of search engines included in your metasearch from the preferences.

The search engines that are used in your metasearch may allow companies to pay to have their Web sites included within the results. To view the Paid Inclusion policy for a specific search engine, please visit their Web site. Search.com does not accept payment or share revenue with any search engine partner for listings in this section.