SUID and SGID in Linux

Source: Internet
Author: User
Users frequently meet the concepts SUID and SGID in UNIX, and because both bear on system security they attract many questions. The answers given are usually not detailed enough, so after answering questions from two readers and collecting some material I decided to write this up for reference. Given the limits of my own knowledge, please point out anything improper in the article.

1. Representation of file permissions in UNIX

SUID means Set User ID and SGID means Set Group ID. In UNIX you can view a file's permissions with the ls -l command, whose output contains a field of the form -rwxr-xr-x. This field has ten characters, numbered 9 down to 0:

9 8 7 6 5 4 3 2 1 0
- r w x r - x r - x

Character 9 gives the file type and can be p, d, l, s, c, b or -:
p  named pipe
d  directory
l  symbolic link
-  regular file
s  socket
c  character device
b  block device

Characters 8-6, 5-3 and 2-0 give the permissions of the file owner, of users in the same group, and of other users, each in the form rwx: r means readable, w writable and x executable; a permission that is not granted is shown as "-". For example, if ls -l myfile prints

-rwxr-x--- 1 foo staff 7734 Apr 05 myfile

then myfile is a regular file owned by user foo, who belongs to group staff; the file has a single hard link, is 7734 bytes long and was last modified on April 5. Owner foo has read and write permission on the file, members of the staff group have read and execute permission, and other users have no permission at all.

If a file has the SUID or SGID bit set, this is shown in the executable position of the owner's or the group's permissions. Examples:
1. -rwsr-xr-x : SUID and the owner's executable bit are both set.
2. -rwSr--r-- : SUID is set, but the owner's executable bit is not.
3. -rwxr-sr-x : SGID and the group's executable bit are both set.
4. -rw-r-Sr-- : SGID is set, but the group's executable bit is not.

In the actual UNIX implementation the file permission is represented by 12 binary bits; a 1 in a position means that permission is granted:

11 10 9 8 7 6 5 4 3 2 1 0
s  g  t r w x r w x r w x

Bit 11 is the SUID bit, bit 10 the SGID bit and bit 9 the sticky bit; bits 8-0 correspond to the three rwx groups above. The twelve bits for -rwsr-xr-x are therefore:

11 10 9 8 7 6 5 4 3 2 1 0
1  0  0 1 1 1 1 0 1 1 0 1

and for -rw-r-Sr-- they are:

0  1  0 1 1 0 1 0 0 1 0 0

SUID and SGID are added to or removed from a file with the following commands:
chmod u+s filename   set the SUID bit
chmod u-s filename   remove the SUID bit
chmod g+s filename   set the SGID bit
chmod g-s filename   remove the SGID bit

Another way is to use the octal form of chmod; once you understand the 12-bit representation above, that is easy too.

2. Detailed parsing of SUID and SGID

SUID and SGID take effect when a program is executed (that is, the program's executable bit is set), and the executable bit only has meaning for regular files and directories, so setting SUID or SGID on other types of files makes little sense. We first discuss what SUID and SGID do on regular files.

Example: suppose the regular file myfile belongs to user foo, is executable and does not have the SUID bit set. ls shows it as

-rwxr-xr-x 1 foo staff 7734 Apr 05 myfile

and any user can execute this program. What does the UNIX kernel use to decide a process's access rights to resources? The (effective) IDs of the user running the process, that is a user id and a group id. You can find your own or another user's user id and group id with the id command. Besides the ordinary user id and group id there are two further IDs, the effective ones. The four are written uid, gid, euid and egid, and the kernel mainly uses euid and egid to decide the process's access to resources. If a program has neither SUID nor SGID set, then euid = uid and egid = gid, the uid and gid of the user who runs the program. For example, if user kevin has uid 204 and gid 202 and user foo has uid 200 and gid 201, then the process formed when kevin runs myfile has euid = uid = 204 and egid = gid = 202.
The kernel decides the process's resource access limits from these values; in effect only kevin's access rights matter, and foo's are irrelevant. If SUID is set on a program, euid and egid are changed to the uid and gid of the program's owner: if kevin runs myfile with SUID set, then euid = 200, egid = 201, uid = 204, gid = 202, and the process has the resource access rights of the owner foo. The purpose of SUID is thus to let a user who does not hold the corresponding permissions access those resources while running this program; passwd is a clear example. SUID has higher priority than SGID: when an executable has SUID set, the SGID automatically becomes the corresponding egid.

Here is an example. A UNIX system has a /dev/kmem device file, a character device holding data accessed by core programs, including users' passwords, so ordinary users must not be able to read or write it. Its permissions are

cr--r----- 1 root system 2, 1 May 25 1998 kmem

But ps and a few other programs need to read this file, and ps is set up as follows:

-r-xr-sr-x 1 bin system 59346 Apr 05 1998 ps

This is a program with SGID set. Its owner is bin, not root, so SUID cannot be used to gain access to kmem. Note however that both bin and root belong to group system, and ps has SGID set, so an ordinary user executing ps obtains the rights of group system, and kmem is readable by its group. Ordinary users can therefore run ps normally. Some people ask: why not make ps a root-owned program and set the SUID bit instead? That would also solve the problem, so why not do it? Because the risk of SGID is far lower than that of SUID; for system security we should replace SUID programs with SGID programs wherever possible. The following describes the effect of SGID on directories; SUID has no effect on a directory.
If an SGID bit is set on a directory, then for any user with write permission on it, the group of files created in the directory is automatically changed to the group of the directory's owner, while the owner of the file stays unchanged.

3. SUID and SGID programming

The following header file and functions are closely related to SUID and SGID programming:

#include <sys/types.h>
#include <unistd.h>
uid_t getuid(void);
uid_t geteuid(void);
gid_t getgid(void);
gid_t getegid(void);
int setuid(uid_t uid);
int setruid(uid_t ruid);
int seteuid(uid_t euid);
int setreuid(uid_t ruid, uid_t euid);
int setgid(gid_t gid);
int setrgid(gid_t rgid);
int setegid(gid_t egid);
int setregid(gid_t rgid, gid_t egid);

The detailed descriptions of these functions are not listed here; consult the man pages.

SUID/SGID: suppose you have a file a.txt.
# ls -l a.txt
-rwxrwxrwx
# chmod 4777 a.txt
-rwsrwxrwx ====> note the position of the s
# chmod 2777 a.txt
-rwxrwsrwx ====> note the position of the s
# chmod 7777 a.txt
-rwsrwsrwt ====> note the position of the t, the sticky bit; on older systems it kept the program's image in memory (swap) after it exited, saving the system reload time.

Now let's look at what setting SUID/SGID does:
# cd /sbin
# ./lsusb
...
# su aaa   (an ordinary user)
$ ./lsusb
...
Is an error displayed now?
$ su
# chmod 4755 lsusb
# su aaa
$ ./lsusb
...
Do you understand now? This is a command that only root can run; after SUID is added, an ordinary user can use the command like root, and its privileges are elevated.

That was for files; directories are similar. The s attribute on a directory makes any files and subdirectories created in it belong to the group of the directory; the t attribute on a directory allows only the directory's owner and root to delete. For s versus S: you must hold execute permission for SUID/SGID to be set meaningfully, otherwise ls -l shows S, proving that the SUID/SGID you set does not take effect.

Why do we need suid, and how do we use it?
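For the programming side, the following added example (not code from the original article; the names proc_ids, read_ids, running_setid, drop_privileges and drop_and_verify are its own) shows what a set-uid or set-gid program should do with these functions: read its four IDs, detect that it is running with borrowed rights, and give them up permanently once the privileged work is done. It uses setresuid/setresgid, which are not in the list above but exist on Linux and the BSDs, because plain setuid() only resets the saved uid when the caller is root, so a program owned by a non-root user such as bin could switch back after a setuid(getuid()).

```c
#define _GNU_SOURCE          /* setresuid/setresgid in <unistd.h> on glibc */
#include <stdio.h>
#include <errno.h>
#include <grp.h>
#include <unistd.h>
#include <sys/types.h>

/* Prototypes repeated here so the block compiles even if a feature-test
 * macro set elsewhere hid them in <unistd.h>; both calls exist on Linux
 * and the BSDs. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

/* The four IDs named in the text: real uid/gid and effective euid/egid. */
struct proc_ids { uid_t uid, euid; gid_t gid, egid; };

struct proc_ids read_ids(void) {
    struct proc_ids p = { getuid(), geteuid(), getgid(), getegid() };
    return p;
}

/* Non-zero when the effective IDs differ from the real ones, i.e. the
 * process is running with rights borrowed from a set-uid/set-gid file. */
int running_setid(const struct proc_ids *p) {
    return p->uid != p->euid || p->gid != p->egid;
}

/* Permanently give up borrowed rights: real, effective AND saved IDs are
 * all set to the caller's real IDs. Group first, because once the uid is
 * no longer privileged the gid can no longer be changed. Returns 0 on
 * success, -1 with errno set otherwise. */
int drop_privileges(void) {
    struct proc_ids p = read_ids();
    if (p.euid == 0 && setgroups(1, &p.gid) != 0)   /* root only: clear supplementary groups */
        return -1;
    if (setresgid(p.gid, p.gid, p.gid) != 0) return -1;
    if (setresuid(p.uid, p.uid, p.uid) != 0) return -1;
    /* The drop must be irreversible: regaining the old effective uid has to fail. */
    if (p.euid != p.uid && seteuid(p.euid) == 0) { errno = EPERM; return -1; }
    return 0;
}

/* 1 when privileges were dropped and the process now runs purely as its
 * real user and group, 0 otherwise. */
int drop_and_verify(void) {
    struct proc_ids after;
    if (drop_privileges() != 0) return 0;
    after = read_ids();
    return running_setid(&after) ? 0 : 1;
}

int main(void) {
    struct proc_ids before = read_ids();
    printf("before: uid=%u euid=%u gid=%u egid=%u set-id=%d\n",
           (unsigned)before.uid, (unsigned)before.euid,
           (unsigned)before.gid, (unsigned)before.egid, running_setid(&before));
    if (!drop_and_verify()) { perror("drop_privileges"); return 1; }
    struct proc_ids after = read_ids();
    printf("after:  uid=%u euid=%u gid=%u egid=%u set-id=%d\n",
           (unsigned)after.uid, (unsigned)after.euid,
           (unsigned)after.gid, (unsigned)after.egid, running_setid(&after));
    return 0;
}
```

Run unprivileged it simply reports that real and effective IDs already agree; installed with chmod u+s or g+s (as in the lsusb demonstration above) the "before" line shows the borrowed euid or egid and the "after" line shows it gone.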
r -- read access
w -- write access
x -- execute permission
s -- SUID/SGID
t -- sticky bit

So what is suid/sgid, and why does suid exist? Consider this question: you want every user to be able to change their own password. A password is changed by running passwd, which in the end must modify the /etc/passwd file, whose attributes are:

# ls -l /etc/passwd
-rw-r--r-- 1 root 2520 Jul 12 passwd

The passwd file is writable only by root; no other user has write permission. How, then, can an ordinary user modify the passwd file by running the passwd command? SUID/SGID came into being to solve this problem. AT&T applied for a patent for it. Haha.

How do SUID and SGID solve the problem? First we need to know that a running process has several attributes, among them the real user ID, real group ID, effective user ID and effective group ID. The real user ID and real group ID identify who we are, that is who is running the program; they are normally determined at login and stay unchanged for the whole login session. The effective user ID and effective group ID determine the permissions of the process at run time: when the kernel decides whether a process may access a file, it uses the process's effective user ID. Knowing this, look at the SUID solution: when a program has the SUID bit set, the kernel treats the program as if the file's owner were running it. That is, while the program runs, its effective user ID is the owner of the program.

For example:

[root@sgrid5 bin]# ls -l passwd
-r-s--x--x 1 root 16336 Feb 14 2003 passwd

Although you are logged in as test, when you enter the passwd command to change your password, the SUID bit on passwd means that although the real user ID of the process is test's ID, its effective user ID is root, the owner of the passwd file. Therefore the /etc/passwd file can be modified.

Another example. The ping command is widely used to test whether a network connection is working. ping uses the ICMP protocol and sends ICMP packets, but only root may create ICMP packets. How is that solved? Again with SUID.

[root@sgrid5 bin]# ls -l /bin/ping
-rwsr-sr-x 1 root 28628 Jan 25 2003 /bin/ping

We can test what happens if the SUID bit is removed from ping and the command is run as an ordinary user:

[root@sgrid5 bin]# chmod u-s /bin/ping
[root@sgrid5 bin]# ls -l ping
-rwxr-xr-x 1 root 28628 Jan 25 2003 ping
[root@sgrid5 bin]# su test
[test@sgrid5 bin]$ ping byhh.net
ping: icmp open socket: Operation not permitted

SUID solves some problems, but it also brings security risks: if a program with the SUID bit set is attacked (through a buffer overflow or otherwise), the attacker can obtain root privileges. Programs with SUID set therefore deserve special attention from a security standpoint. The following command finds all the suid files on the system:

[root@sgrid5 /]# find / -perm -04000 -type f -ls

Why 4000? See the meaning of each bit in st_mode described earlier. Among the programs with suid set, if one is not needed, it is best to clear its suid bit.
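As an added example (not part of the original article), here is the find command above expressed in C with nftw(): is_suid_file is exactly the -perm -04000 -type f test, is_setid_file widens it to set-group-ID programs such as ps, and scan_setid walks a tree without following symbolic links or crossing mount points and lists each set-id regular file with its mode, owner and group. The function names and the default root /usr/bin in main are the example's own choices.

```c
#define _XOPEN_SOURCE 700    /* nftw() */
#include <ftw.h>
#include <stdio.h>
#include <sys/stat.h>

/* What `find / -perm -04000 -type f` matches: a regular file whose mode has
 * the set-user-ID bit (octal 04000, S_ISUID in st_mode). */
int is_suid_file(mode_t mode) {
    return S_ISREG(mode) && (mode & S_ISUID) != 0;
}

/* Broader check that also covers set-group-ID programs such as ps. */
int is_setid_file(mode_t mode) {
    return S_ISREG(mode) && (mode & (S_ISUID | S_ISGID)) != 0;
}

static int found;   /* number of set-id files seen by the current scan */

/* Callback for nftw: print and count every set-id regular file. */
static int visit(const char *path, const struct stat *sb, int typeflag, struct FTW *ftw) {
    (void)ftw;
    if (typeflag == FTW_F && is_setid_file(sb->st_mode)) {
        found++;
        printf("%04o uid=%u gid=%u %s\n", (unsigned)(sb->st_mode & 07777),
               (unsigned)sb->st_uid, (unsigned)sb->st_gid, path);
    }
    return 0;   /* keep walking; unreadable directories arrive as FTW_DNR and are skipped */
}

/* Walk root and list every set-id regular file beneath it. Returns the
 * number found, or -1 if the walk could not be started (e.g. root missing). */
int scan_setid(const char *root) {
    found = 0;
    if (nftw(root, visit, 64, FTW_PHYS | FTW_MOUNT) != 0)
        return -1;
    return found;
}

int main(int argc, char **argv) {
    const char *root = argc > 1 ? argv[1] : "/usr/bin";   /* constructed default */
    int n = scan_setid(root);
    if (n < 0) { perror(root); return 1; }
    printf("%d set-id file(s) under %s\n", n, root);
    return 0;
}
```

Run it as ./a.out / for the same coverage as the find command; the per-file mode makes it easy to spot entries like 04755 root-owned binaries that the text says should be reviewed and, if unneeded, stripped of the bit.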