02-12-2018
What keeps me from abusing setuid(0) and programs with setuid bit set?
Just learning about the privilege escalation method provided by setuid. Correct me if I am wrong but what it does is change the uid of the current process to whatever uid I set. Right ?
So what stops me from writing my own C program and calling setuid(0) within it and gaining root privileges ?
Also my next question will be lets question will be about programs which have the setuid bit set.
If a program has the setuid bit set and the owner as root then can't I just exec that program in to my process and use to wreak havoc ? Its the same problem of gaining root privileges ?
I have seen a lot of documentation online on what these systems do, but none on how these systems are restricted. Hence I am asking the question here.
10 More Discussions You Might Find Interesting
1. UNIX for Advanced & Expert Users
I have a C wrapper programme which basically execute a shell script. The shell script has 700 as permission and oracle is owner of the shell script.
The C execuatble has 4711 permission so that means that it has setuid bit set and group and others can execute the C executable.
The reason why I am... (2 Replies)
Discussion started by: sanjay92
2 Replies
2. UNIX for Advanced & Expert Users
I have a binary. It is having the following permissions
rws rws rwx mqm:mqm runmqtrm
The same program on another machine is
rws rws rwx root: mqm runmqtrm
This program is a setuid program.
This is what my understanding is. Whatever user the program is started under, it will finally be... (0 Replies)
Discussion started by: bandaru
0 Replies
3. UNIX for Advanced & Expert Users
This may be a dumb question, but I've been wondering why programs such as ping and traceroute must be setuid? Are there some restrictions which prevent normal users from accessing the world via sockets?
$ pwd
/bin
$ ls -l ping traceroute
-rwsr-xr-x 1 root root 35616 Apr 7 2005 ping... (1 Reply)
Discussion started by: nathan
1 Replies
4. Programming
hi all,
i have a critical and specific problem with respect to set uid bit on user and the dll's
for a binary, (under the userid A)
it needs libraries from /usr/lib and informix libraries from $INFORMIXDIR/lib/esql
but this binary should be kicked off from id B,
hence s-bit on user is... (5 Replies)
Discussion started by: matrixmadhan
5 Replies
5. HP-UX
hi i have written small script which will login 2 two different users with su but if we run from normal user it prompts for password so
i chnaged the owner of script to root and added setuid bit
with
chmod u+s <script_name>
but when i run the script i get following message
Warning:... (3 Replies)
Discussion started by: zedex
3 Replies
6. Red Hat
Hi,
OS : Linux
I have an executable (P1) owned by user say "abcd" and the setuid bit is set. And there is another executable (P2) which brings up the process (P1).
When the setuid bit is set, the process P1 is failing, if the setuid bit is not set there is no issue.
I was wondering if... (6 Replies)
Discussion started by: ahamed101
6 Replies
7. Solaris
Hi Gurus,
I need your suggestions,to implement setuid.
Here is the situation. I have a user xyz on a solaris zone.He needs to install a package using a pkgadd command but i guess only a root can run that .Is there any way I can set the setuid bit on the pkgadd which is in the location... (6 Replies)
Discussion started by: rama krishna
6 Replies
8. UNIX for Dummies Questions & Answers
Can anyone explain me difference between setuid and sticky bit? and also between setuid and chown? (3 Replies)
Discussion started by: kkalyan
3 Replies
9. Linux
Dear all,
I am newbie with linux, i dont understand any code. I have googled a long time. Please help me explain about setuid bit on linux (Centos 6)
Here:
1/ I chmod u+s for /sbin/iptables but normal user still cannot perform command (ex: /sbin/iptables -L)
2/Someone says : setuid only... (6 Replies)
Discussion started by: all4cfa
6 Replies
10. UNIX for Dummies Questions & Answers
This is a quote from the Apple security configuration (you can download it from Apple)
" Using ACLs to Restrict Usage of Setuid Programs
The ACL feature of Mac OS X can also be used to restrict the execution of setuid
programs. Restricting the execution of setuid programs to administrators... (3 Replies)
Discussion started by: Vera
3 Replies
LEARN ABOUT SUSE
setuid32
SETUID(2) Linux Programmer's Manual SETUID(2)
NAME
setuid - set user identity
SYNOPSIS
#include <sys/types.h>
#include <unistd.h>
int setuid(uid_t uid);
DESCRIPTION
setuid() sets the effective user ID of the calling process. If the effective UID of the caller is root, the real UID and saved set-user-ID
are also set.
Under Linux, setuid() is implemented like the POSIX version with the _POSIX_SAVED_IDS feature. This allows a set-user-ID (other than root)
program to drop all of its user privileges, do some un-privileged work, and then reengage the original effective user ID in a secure man-
ner.
If the user is root or the program is set-user-ID-root, special care must be taken. The setuid() function checks the effective user ID of
the caller and if it is the superuser, all process-related user ID's are set to uid. After this has occurred, it is impossible for the
program to regain root privileges.
Thus, a set-user-ID-root program wishing to temporarily drop root privileges, assume the identity of an unprivileged user, and then regain
root privileges afterwards cannot use setuid(). You can accomplish this with seteuid(2).
RETURN VALUE
On success, zero is returned. On error, -1 is returned, and errno is set appropriately.
ERRORS
EAGAIN The uid does not match the current uid and uid brings process over its RLIMIT_NPROC resource limit.
EPERM The user is not privileged (Linux: does not have the CAP_SETUID capability) and uid does not match the real UID or saved set-user-ID
of the calling process.
CONFORMING TO
SVr4, POSIX.1-2001. Not quite compatible with the 4.4BSD call, which sets all of the real, saved, and effective user IDs.
NOTES
Linux Notes
Linux has the concept of file system user ID, normally equal to the effective user ID. The setuid() call also sets the file system user ID
of the calling process. See setfsuid(2).
If uid is different from the old effective uid, the process will be forbidden from leaving core dumps.
SEE ALSO
getuid(2), seteuid(2), setfsuid(2), setreuid(2), capabilities(7), credentials(7)
COLOPHON
This page is part of release 3.25 of the Linux man-pages project. A description of the project, and information about reporting bugs, can
be found at http://www.kernel.org/doc/man-pages/.
Linux 2010-02-21 SETUID(2)