Setuid and setgid

Source: Internet
Author: User

Setuid and setgid (full names: Set User ID upon execution and set group ID upon execution) are the access permission flag of UNIX, which allowsThe user can run the executable file with the permission of the executable file owner or group.. They often apply to: in order to run a specific task, users can temporarily improve permissions. Usage:Temporary Permission escalation.
Under what circumstances do you need setuid and setgid? When a task requires higher permissions than a user, such as modifying the user's logon password. Some tasks that require higher permissions may not be immediately displayed, such as ping. It needs to send and listen to control packets of a certain network interface.

1. setuid acts on executable files
After a binary executable file is set with the setuid attribute, if you have the permission to execute this file, you will be given the permission (usually root) to the owner of this executable file ). After a user obtains the root permission within a process, this user can do things restricted by regular users. Of course, some things are forbidden: for example, using ptrace, LD_LIBRARY_PATH, or send a signal to yourself (but the signal sent from the terminal is acceptable ). Due to potential competition conditions, if setuid acts on shell scripts, Many operating systems will ignore setuid.
Although setuid is useful in many cases, if an executable program is not well designed and set with setuid, it may bring potential risks. People can exploit programs with vulnerabilities to gain permanent permission escalation, or allow users to run a Trojan horse unintentionally.
Setgid can change group permissions, just as setuid can change user permissions.

Setuid acts on the executable file to explain why the system calls chroot, which is not available to non-root users.

You can use chmod to set the flag bit (highest bit) of setuid and setguid ),
4: for setuid

2: For setguid

1: This is a sticky position // you can refer to: http://blog.csdn.net/hzgdiyer/article/details/6788275

"Chmod 6711 file" sets setuid and setguid, And bits (6) is the highest bit.
In addition, the system also supports the "chmod ug + S" command.

The following DEMO code is used to obtain and display the real and dynamic user (user) and group ID of the process:
1. display the printid. C code. This Code prints the real/dynamic tive user/group ID.
2. Compile the program printid
3. Run the program printid and print the real/dynamic tive user/group ID.
4. Change the printid owner to root.
5. Add the setuid and setgid flag to the file printid.
6. Cancel the read R and execute x permissions of other users (other) of the file printid.
7. display file printid attributes
8. Run printid again,
We found that printid permission:
Owner: Root, RWS
GROUP: staff, R-S
Other :---
Although other does not have any permissions, it can still run printid with the user bobie (for printerid, bobie is not the owner or group, and belongs to other, this is because the setuid is added.
Print the information and you can see that the valid tive ID is 0, which is the root ID. For details, see/etc/passwd (which contains the ID corresponding to each user/group)
// Note: if the program runs on Volumn and the 'nosuid' option is added during mounte, the program will fail and no information is printed;
// Volumn: You can create a volume (volumn), a physical volume (PV) = "logical volume (LV) => volume group (VG ), finally, mount the volume group to the specified path.

[Bobie] $ cat printid. c

# Include <sys/types. h>
# Include <unistd. h>
# Include <stdio. h>
Int main (void ){
Printf (
"Uid GID \ n"
"Real % d real % d \ n"
"Valid tive % d \ n ",
Getuid (), getgid (),
Geteuid (), getegid ()
);
Return getegid ();/* always good to return something */
}

[Bobie] $ CC printid. C-o printid
[Bobie] $./printid
UID GID
Real 1008 real 1008
Valid 1008 valid 1008
 
[Bobie] $ sudo chown root printid # To change the owner you need To sudo
Password:
[Bobie] $ sudo chmod ug + S printid # setuid and setgid flags
[Bobie] $ sudo chmod o-Rx printid # Don't let others read or execute it
[Bobie] $ LS-l
-Rwsr-s --- 1 root staff 6944 2011-10-06 10:22 printid
[Bobie] $./printid
UID GID
Real 1008 real 1008
Valid tive 0 valid tive 20

2. Setuid/Setgid act on the path
Setuid and setgid have different meanings when they act on the path.

Set setgid (chmod g + S) for the path.The createdObjects and subfolders inherit the group ID of the user who does not create a file or folder. [only the group ID is affected, and the owner ID is not affected ]. In addition, the newly created subfolders inherit the setgid bit. Note: Setting setgid for the path only affects the group of newly created files and folders.
ID,Existing files and folders are not affected..
Set setgid for an existing sub-folder, which must be done manually by running the following command:
[Root @ Foo] # Find/path/to/directory-type D-exec chmod g + S {}\;

Set the setuid for the path.Ignore.

3. Security
The Setuid/Setgid program must be carefully designed to prevent cache overflow attacks. The consequence of a successful cache overflow attack is that attackers can execute arbitrary code using the process's permissions. If a program with a vulnerability is set with a setuid and the privilege is elevated to root, the attacker will be given the root privilege if the attack succeeds. This is terrible.

4. History
Setuid was invented by Dennis Ritchie. Its company at&t applied for a patent in 1972 and was approved in 1979. Its Patent No.: US 4135240 "Protection of Data File Contents ".

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.