Linux File Special Permissions - SUID

In an earlier post we saw different types of basic Linux file permissions. In addition to the basic file permission there are three more  special permissions. They are
  • Set User ID (SUID)
  • Set Group ID (SGID)
  • Sticky Bit
This is first of the three series posts regarding Linux special file permissions and we will be discussing about SUID in this post.

Set User ID (SUID)


When SUID is set on a file, the user trying to execute the file will temporarily receive the permission as well as the UID and GID of the files' owner. SUID on a file is used when normal users with lesser privilege need to perform tasks which require higher previleges.

To explain SUID lets see how the passwd command works. passwd is the *nix command used to update user's password. When passwd command is executed, the command will access and update system files like /etc/shadow and /etc/passwd. Normal users rightfully doesn't have the permission to these files. If a normal user tries to execute the passwd command with out setting SUID, the command will exit with error since passwd command was unable to make changes in the system files with current user's permissions. If SUID is set, the user will temporarily receive the permissions  of the root user and will be able to update the password without changing the access rights of the system files.

To check whether SUID on a file is set or notuse the ls -l output
In the screenshot above you can see the owner's execute permission displaying 's' instead of 'x'. This means the the file is set with SUID bit. In some cases you will see a 'S' (capital letter S) instead of  's' (small letter s). This means SUID bit is set even though the owner don't have execute permission.

Using chmod command we can either add or remove SUID bit to a file. SUID can be set in two methods
  • symbolic method - chmod u+s <filename> will set SUID bit on a file
  • numeric method - chmod 4xxx <filename> will set SUID bit on a file where 4 represents  SUID bit and xxx represents the access permissions of owner, group and other users in numeric method.
Lets check two example to understand how to add/remove SUID on a file and the impact SUID has

# 1) In this first example with passwd command lets see how to remove SUID from a file and its impact.  First lets find the location of passwd command using which command and view the access permission of the file with ls -l










Now lets remove SUID permission bit from the file with chmod command
chmod -v u-s /bin/passwd
or
chmod -v 0755 /bin/passwd


Sample Output:
mode of ‘/bin/passwd’ changed from 4755 (rwsr-xr-x) to 0755 (rwxr-xr-x)

The below screenshot shows the impact on passwd command after removing SUID bit
Password update will fail when user calypso execute  passwd command  setting the SUID bit. In this case user calypso has the permission to execute passwd command but do not have the permission to make changes to the necessary system files

# 2) In the next example we will see how to add SUID bit to a file and its impact. Here we are going to restore the default permission of the passwd command by adding the SUID bit. To add SUID bit, execute

chmod -v u+s /bin/passwd
or
chmod -v 4755 /bin/passwd

Sample Output:
mode of ‘/bin/passwd’ changed from 0755 (rwxr-xr-x) to 4755 (rwsr-xr-x)

Now lets see the impact after adding SUID bit










In this case also user calypso has the permission to execute passwd command but do not have the permission to make changes to the necessary system files. But this time passwd command is set with SUID bit. As a result user calypso will temporarily gain the permission of the root user (file owner) and will be able to make necessary changes in the system files.

In the next part of Linux special file permission we will discuss about SGID

Comments

Post a Comment

Popular posts from this blog

Understanding awk command with examples

Image
Awk is a simple and powerful programming language used for processing text files. It is widely used by system administrators as a data manipulation, extraction and reporting tool. Awk treats every file as a sequence of records and by default each records are separated by a new line. Each record consist of one or more fields which are by default separated by a space. The syntax for awk command is
Read more

what is an inode?

Image
In Unix/*nix every file has a data structure known as i-nodes (index nodes). Each i-node stores all the information regarding a file like File type File mode or permission Number of links User ID Group ID File size Time stamp File deletion time
Read more

Understanding sed command with example -Part 1

sed is a *nix stream editor command with the ability to filter and transform input text files line by line. sed command works very well with awk command and they are used together by System Administrators to simplify day to day activities. The syntax for sed command is sed [options] commands <input-file> One thing that distinguishes sed from other editors are its ability to filter text in a pipeline. In this first of the two post series on sed we will cover 3 of the most often used commands. They are Print (p) command Quit (q) command Delete (d) command
Read more