Why /bin/su permission with SUID?


 
Thread Tools Search this Thread
Operating Systems AIX Why /bin/su permission with SUID?
# 1  
Old 07-24-2014
Why /bin/su permission with SUID?

Dear all experts in this forum,
I have faced a audit issue as auditor told that we should not have SUID on /bin/su. As I have checked using Google, I found most of the site only telling that /bin/su should have the permission bit as -rwsr-xr-x but never explain why /bin/su need this permission setting?

Any expert out there can explain this to me why we need the SUID on /bin/su?
As the auditor asked to remove the SUID, what will be the result after that? And why the /bin/su without SUID is more secure? Is that a industry standard for this?

Thanks.
# 2  
Old 07-24-2014
The reason that the su command is SUID is that without this attribute, a non-superuser would not have the privilege to switch user at all, it would simply be running as the original account. The SUID means that for the execution of the code, you will be as the owner of the code, which must be root or another superuser account (i.e. User ID zero)

The code will then be powerful enough to do what it needs and within the code, it will verify that you are allowed to do what you are asking it to, i.e. it may prompt for the target user password.




Robin
These 2 Users Gave Thanks to rbatte1 For This Post:
# 3  
Old 07-24-2014
There's no other way to say it, so I'll say it: your auditor is incompetent.

There are numerous setuid programs in any Unix or Unix-style OS. Many of them need to be setuid for them to operate properly. "su" is one. X windows servers tend to be another. "passwd" also needs to be setuid or users won't be able to set their own passwords. Don't tell me that audit report says to remove the setuid bit from "passwd"...

There are many others, too.

I'd be real careful following the recommendations of that audit report. You're likely to find yourself with non-working systems.
These 3 Users Gave Thanks to achenle For This Post:
# 4  
Old 07-24-2014
Permit me to be quite extremely blunt. Your auditor is an idiot. He has heard that "SUID is bad" and parroted it, but has no real understanding of it. Following his advice will ruin your machine.

su couldn't possibly work if it weren't SUID. It needs to access the shadow files, which are locked to root!

Now, if there are things which are set SUID but shouldn't be, that would be bad. Having cp set SUID would be a recipe for disaster for example.
These 3 Users Gave Thanks to Corona688 For This Post:
# 5  
Old 07-24-2014
Okay, I was just too polite. I am British, so what do you expect? I agree.

If they are asking you why, then they don't understand enough to do their job safely.
  • Tell them that the root account is never logged on to, and thye'll probably tell you to remove it.
  • Tell them that you have RW filesystems, they will probably insist that they are remounted as RO.
  • Tell them that you use telnet to access the server and they will tell you to turn it off, even if you have no other access except the console.
Who would you let near the server that could cost you your job?


Regards,
Robin

Last edited by rbatte1; 07-24-2014 at 12:55 PM.. Reason: nutralising gender, although it's probably some daft bloke anyway
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Usage of #!/bin/sh vs #!/bin/bash shell scripts?

Some question about the usage of shell scripts: 1.) Are the commands of the base shell scripts a subset of bash commands? 2.) Assume I got a long, long script WITHOUT the first line. How can I find out if the script was originally designed für "sh" or "bash"? 3.) How can I check a given... (3 Replies)
Discussion started by: pstein
3 Replies

2. UNIX for Dummies Questions & Answers

Difference between inbuilt suid programs and user defined root suid programs under bash shell?

Hey guys, Suppose i run passwd via bash shell. It is a suid program, which temporarily runs as root(owner) and modifies the user entries. However, when i write a C file and give 4755 permission and root ownership to the 'a.out' file , it doesn't run as root in bash shell. I verified this by... (2 Replies)
Discussion started by: syncmaster
2 Replies

3. AIX

Redistribution bin required for AIX. j7r164redist.7.1.0.25.bin

Hi, I am planning to install a version of Informatica on my AIX box. It requires a specific java build in pap6470_27sr2-20141101_01(SR2). The current link for IBM 64-bit SDK for AIX®, JavaTM Technology Edition, Version 7 Release 1 has a more recent version in j7r164redist.7.1.0.75.bin. Is... (4 Replies)
Discussion started by: meetpraveens
4 Replies

4. Shell Programming and Scripting

[Solved] Retrieve all the permission of the /bin folder

hello friends, By mistake I have run find / -type f -exec chmod 644 {} \; now all permission has been chaged of /bin I am not able to change the permission. I am working on the virtuozzo VPS. Is their any way to retrieve the permission to 770 to /bin Note /bin/chmod also not executing... (2 Replies)
Discussion started by: sharlin
2 Replies

5. OS X (Apple)

When to use /Users/m/bin instead of /usr/local/bin (& whats the diff?)?

Q1. I understand that /usr/local/bin means I can install/uninstall stuff in here and have any chance of messing up my original system files or effecting any other users. I created this directory myself. But what about the directory I didn't create, namely /Users/m/bin? How is that directory... (1 Reply)
Discussion started by: michellepace
1 Replies

6. Red Hat

/bin strange permission, corrupted? [solved]

Hi I think my /bin is corrupted which is why I can’t boot my server.. Anyone knows what below file permission means? # ls -l /mnt/sysimage | grep bin drwxr-xr-x 2 root root 12288 Sep 29 11:23 sbin ?r--rw-x 41112 16694 1305152 0 Feb 10 2055 bin Tried overwriting, deleting,chmod,chown but... (0 Replies)
Discussion started by: halacil
0 Replies

7. OS X (Apple)

I accidentally changed to only write permission on /usr/bin... please Help!

I accidentally changed to sudo chmod a=w to my /usr/bin folder on my macbook with OS 10.5.8... Please help! I can't even get into a terminal correctly cause it displays: -bash: uname: command not found -bash: cut: command not found -bash: uname: command not found -bash: cut: command not found... (6 Replies)
Discussion started by: scaryMac23
6 Replies

8. Solaris

/usr/bin has been changed with 777 permission

Hello Guruz, Relay bad condition :mad: Some has changed the permission to 777 recursively for /usr/bin directory by mistake. Now all the permission looks to be 777 on /usr/bin Hence I am so many system related errors as 1 show below. When I am trying to change the password, I am getting... (5 Replies)
Discussion started by: bullz26
5 Replies

9. UNIX for Dummies Questions & Answers

fuser: difference with bin/sh and bin/ksh shell script

Hi, I have a problem I don't understand with fuser. I launch a simple shell script mysleep.sh: I launch the command fuser -fu mysleep.sh but fuser doesn't return anything excepted: mysleep: Then I modify my script switching from #!/bin/sh to #!/bin/ksh I launch the command fuser -fu... (4 Replies)
Discussion started by: Peuj
4 Replies

10. Shell Programming and Scripting

/bin/sh: bad interpreter: Permission denied

today i started the LFS book (version 4.0). Basically i am using slackware 9.0 to try and install a new linux completely from source on another partition. Now i took the book's recommendations and created a user called lfs so i wouldn't have to do the stuff as root, and i have got the new LFS... (4 Replies)
Discussion started by: Calum
4 Replies
Login or Register to Ask a Question