The
Unix
Unix (; trademarked as UNIX) is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, and ot ...
access rights flags setuid and setgid (short for ''set user identity'' and ''set group identity'') allow users to run an
executable
In computing, executable code, an executable file, or an executable program, sometimes simply referred to as an executable or binary, causes a computer "to perform indicated tasks according to encoded instruction (computer science), instructi ...
with the
file system permissions
Most file systems include attributes of files and directories that control the ability of users to read, change, navigate, and execute the contents of the file system. In some cases, menu options or functions may be made visible or hidden depending ...
of the executable's owner or group respectively and to change behaviour in directories. They are often used to allow users on a computer system to run programs with temporarily elevated privileges in order to perform a specific task. While the assumed user id or group id privileges provided are not always elevated, at a minimum they are specific.
The flags
setuid
and
setgid
are needed for tasks that require different privileges than what the user is normally granted, such as the ability to alter system files or databases to change their login password.
Some of the tasks that require additional privileges may not immediately be obvious, though, such as the
ping
Ping may refer to:
Arts and entertainment Fictional characters
* Ping, a domesticated Chinese duck in the illustrated book '' The Story about Ping'', first published in 1933
* Ping, a minor character in ''Seinfeld'', an NBC sitcom
* Ping, a c ...
command, which must send and listen for
control packets on a network interface.
File modes
The
setuid
and
setgid
bits are normally represented as the values 4 for
setuid
and 2 for
setgid
in the high-order octal digit of the file mode. For example,
6711
has both the
setuid
and
setgid
bits () set, and also the file read/write/executable for the owner (7), and executable by the group (first 1) and others (second 1). Most implementations have a symbolic representation of these bits; in the previous example, this could be
u=rwx,go=x,ug+s
.
Typically,
chmod
does not have a recursive mode restricted to directories, so modifying an existing directory tree must be done manually, with a command such as .
Effects
The
setuid
and
setgid
flags have different effects, depending on whether they are applied to a file, to a directory or binary executable or non binary executable file. The
setuid
and
setgid
flags have an effect only on binary executable files and not on scripts (e.g., Bash, Perl, Python).
When set on an executable file
When the
setuid
or
setgid
attributes are set on an
executable
In computing, executable code, an executable file, or an executable program, sometimes simply referred to as an executable or binary, causes a computer "to perform indicated tasks according to encoded instruction (computer science), instructi ...
file, then any users able to execute the file will automatically execute the file with the privileges of the file's owner (commonly
root
In vascular plants, the roots are the organs of a plant that are modified to provide anchorage for the plant and take in water and nutrients into the plant body, which allows plants to grow taller and faster. They are most often below the sur ...
) and/or the file's group, depending upon the flags set.
This allows the system designer to permit trusted programs to be run which a user would otherwise not be allowed to execute. These may not always be obvious. For example, the
ping
Ping may refer to:
Arts and entertainment Fictional characters
* Ping, a domesticated Chinese duck in the illustrated book '' The Story about Ping'', first published in 1933
* Ping, a minor character in ''Seinfeld'', an NBC sitcom
* Ping, a c ...
command may need access to networking privileges that a normal user cannot access; therefore it may be given the setuid flag to ensure that a user who needs to ping another system can do so, even if their own account does not have the required privilege for sending packets.
Security impact
For security purposes, the invoking user is usually prohibited by the system from altering the new process in any way, such as by using
ptrace
ptrace is a system call found in Unix and several Unix-like operating systems. By using ptrace (the name is an abbreviation of "process trace") one process can control another, enabling the controller to inspect and manipulate the internal state ...
,
LD_LIBRARY_PATH
or sending signals to it, to exploit the raised privilege, although signals from the terminal will still be accepted.
While the
setuid
feature is very useful in many cases, its improper use can pose a security risk
if the
setuid
attribute is assigned to
executable
In computing, executable code, an executable file, or an executable program, sometimes simply referred to as an executable or binary, causes a computer "to perform indicated tasks according to encoded instruction (computer science), instructi ...
programs that are not carefully designed. Due to potential security issues, many operating systems ignore the
setuid
attribute when applied to executable ''
shell script
A shell script is a computer program designed to be run by a Unix shell, a command-line interpreter. The various dialects of shell scripts are considered to be scripting languages. Typical operations performed by shell scripts include file manip ...
s''.
The presence of
setuid
executables explains why the
chroot
A chroot on Unix and Unix-like operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normall ...
system call is not available to non-
root
In vascular plants, the roots are the organs of a plant that are modified to provide anchorage for the plant and take in water and nutrients into the plant body, which allows plants to grow taller and faster. They are most often below the sur ...
users on Unix. See
limitations of chroot
for more details.
When set on a directory
Setting the
setgid
permission on a directory causes files and subdirectories created within to inherit its group ownership, rather than the primary group of the file-creating process. Created subdirectories also inherit the
setgid
bit. The policy is only applied during creation and, thus, only prospectively. Directories and files existing when the
setgid
bit is applied are unaffected, as are directories and files moved into the directory on which the bit is set.
Thus is granted a capacity to work with files amongst a group of users without explicitly setting permissions, but limited by the security model expectation that existing files permissions do not implicitly change.
The
setuid
permission set on a directory is ignored on most
UNIX
Unix (; trademarked as UNIX) is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, and ot ...
and
Linux
Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, which ...
systems. However
FreeBSD
FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD), which was based on Research Unix. The first version of FreeBSD was released in 1993. In 2005, FreeBSD was the most popular ...
can be configured to interpret
setuid
in a manner similar to
setgid
, in which case it forces all files and sub-directories created in a directory to be owned by that directory's owner - a simple form of inheritance. This is generally not needed on most systems derived from
BSD
The Berkeley Software Distribution or Berkeley Standard Distribution (BSD) is a discontinued operating system based on Research Unix, developed and distributed by the Computer Systems Research Group (CSRG) at the University of California, Berk ...
, since by default directories are treated as if their
setgid
bit is always set, regardless of the actual value. As is stated in
open(2)
, "When a new file is created it is given the group of the directory which contains it."
Examples
Checking permissions
Permissions of a file can be checked in octal form and/or alphabetic form with the command line tool
stat
torvalds ~ Torvalds ({{IPA-sv, ˈtǔːrvalds, lang) is a Swedish/Finnish family name. It may refer to:
People
* Ole Torvalds (1916–1995), journalist and poet
* Nils Torvalds (b. 1945), son of Ole; broadcast journalist, writer and politician
* Linus Torvalds ...
$ stat -c "%a %A" ~/test/
1770 drwxrwx--T
SUID
4701 on an executable file owned by 'root' and the group 'root'
A user named 'thompson' attempts to execute the file. The executable permission for all users is set (the '1') so 'thompson' can execute the file. The file owner is 'root' and the SUID permission is set (the '4') - so the file is executed as 'root'.
The reason an executable would be run as 'root' is so that it can modify specific files that the user would not normally be allowed to, without giving the user full root access.
A default use of this can be seen with the
/usr/bin/passwd
binary file.
/usr/bin/passwd
needs to modify
/etc/passwd
and
/etc/shadow
which store account information and password hashes for all users, and these can only be modified by the user 'root'.
thompson ~ $ stat -c "%a %U:%G %n" /usr/bin/passwd
4701 root:root /usr/bin/passwd
thompson ~ $ passwd
passwd: Changing password for thompson
The owner of the process is not the user running the executable file but the owner of the executable file
SGID
2770 on a directory named 'music' owned by the user 'root' and the group 'engineers'
A user named 'torvalds' who belongs primarily to the group 'torvalds' but secondarily to the group 'engineers' makes a directory named 'electronic' under the directory named 'music'. The group ownership of the new directory named 'electronic' inherits 'engineers.' This is the same when making a new ''file'' named 'imagine.txt'
Without SGID the group ownership of the new directory/file would have been 'torvalds' as that is the primary group of user 'torvalds'.
torvalds ~ Torvalds ({{IPA-sv, ˈtǔːrvalds, lang) is a Swedish/Finnish family name. It may refer to:
People
* Ole Torvalds (1916–1995), journalist and poet
* Nils Torvalds (b. 1945), son of Ole; broadcast journalist, writer and politician
* Linus Torvalds ...
$ groups torvalds
torvalds : torvalds engineers
torvalds ~ Torvalds ({{IPA-sv, ˈtǔːrvalds, lang) is a Swedish/Finnish family name. It may refer to:
People
* Ole Torvalds (1916–1995), journalist and poet
* Nils Torvalds (b. 1945), son of Ole; broadcast journalist, writer and politician
* Linus Torvalds ...
$ stat -c "%a %U:%G %n" ./music/
2770 root:engineers ./music/
torvalds ~ Torvalds ({{IPA-sv, ˈtǔːrvalds, lang) is a Swedish/Finnish family name. It may refer to:
People
* Ole Torvalds (1916–1995), journalist and poet
* Nils Torvalds (b. 1945), son of Ole; broadcast journalist, writer and politician
* Linus Torvalds ...
$ mkdir ./music/electronic
torvalds ~ Torvalds ({{IPA-sv, ˈtǔːrvalds, lang) is a Swedish/Finnish family name. It may refer to:
People
* Ole Torvalds (1916–1995), journalist and poet
* Nils Torvalds (b. 1945), son of Ole; broadcast journalist, writer and politician
* Linus Torvalds ...
$ stat -c "%U:%G %n" ./music/electronic/
torvalds:engineers ./music/electronic/
torvalds ~ Torvalds ({{IPA-sv, ˈtǔːrvalds, lang) is a Swedish/Finnish family name. It may refer to:
People
* Ole Torvalds (1916–1995), journalist and poet
* Nils Torvalds (b. 1945), son of Ole; broadcast journalist, writer and politician
* Linus Torvalds ...
$ echo 'NEW FILE' > ./music/imagine.txt
torvalds ~ Torvalds ({{IPA-sv, ˈtǔːrvalds, lang) is a Swedish/Finnish family name. It may refer to:
People
* Ole Torvalds (1916–1995), journalist and poet
* Nils Torvalds (b. 1945), son of Ole; broadcast journalist, writer and politician
* Linus Torvalds ...
$ stat -c "%U:%G %n" ./music/imagine.txt
torvalds:engineers ./music/imagine.txt
torvalds ~ Torvalds ({{IPA-sv, ˈtǔːrvalds, lang) is a Swedish/Finnish family name. It may refer to:
People
* Ole Torvalds (1916–1995), journalist and poet
* Nils Torvalds (b. 1945), son of Ole; broadcast journalist, writer and politician
* Linus Torvalds ...
$ touch ~/test
torvalds ~ Torvalds ({{IPA-sv, ˈtǔːrvalds, lang) is a Swedish/Finnish family name. It may refer to:
People
* Ole Torvalds (1916–1995), journalist and poet
* Nils Torvalds (b. 1945), son of Ole; broadcast journalist, writer and politician
* Linus Torvalds ...
$ stat -c "%U:%G %n" ~/test
torvalds:torvalds ~/test
Sticky bit
1770 on a directory named 'videogames' owned by the user 'torvalds' and the group 'engineers'.
A user named 'torvalds' creates a file named 'tekken' under the directory named 'videogames'. A user named 'wozniak', who is also part of the group 'engineers', attempts to delete the file named 'tekken' but he cannot, since he is not the owner.
Without sticky bit, 'wozniak' could have deleted the file, because the directory named 'videogames' allows read and write by 'engineers'. A default use of this can be seen at the
/tmp
folder.
torvalds /home/shared/ $ groups torvalds
torvalds : torvalds engineers
torvalds /home/shared/ $ stat -c "%a %U:%G %n" ./videogames/
1770 torvalds:engineers ./videogames/
torvalds /home/shared/ $ echo 'NEW FILE' > videogames/tekken
torvalds /home/shared/ $ su - wozniak
Password:
wozniak ~/ $ groups wozniak
wozniak : wozniak engineers
wozniak ~/ $ cd /home/shared/videogames
wozniak /home/shared/videogames/ $ rm tekken
rm: cannot remove ‘tekken’: Operation not permitted
Sticky bit with SGID
3171 on a directory named 'blog' owned by the group 'engineers' and the user 'root'
A user named 'torvalds' who belongs primarily to the group 'torvalds' but secondarily to the group 'engineers' creates a file or directory named 'thoughts' inside the directory 'blog'. A user named 'wozniak' who also belongs to the group 'engineers' cannot delete, rename, or move the file or directory named 'thoughts', because he is not the owner and the sticky bit is set. However, if 'thoughts' is a file, then 'wozniak' can edit it.
Sticky bit has the final decision. If sticky bit and SGID had not been set, the user 'wozniak' could rename, move, or delete the file named 'thoughts' because the directory named 'blog' allows read and write by group, and wozniak belongs to the group, and the default 0002
umask
In computing, umask is a command (computing), command that determines the settings of a Mask (computing), mask that controls how file permissions are set for newly created files. It may also affect how the file permissions are changed explicitly. ...
allows new files to be edited by group. Sticky bit and SGID could be combined with something such as a read-only umask or an append only attribute.
torvalds /home/shared/ $ groups torvalds
torvalds : torvalds engineers
torvalds /home/shared/ $ stat -c "%a %U:%G %n" ./blog/
3171 root:engineers ./blog/
torvalds /home/shared/ $ echo 'NEW FILE' > ./blog/thoughts
torvalds /home/shared/ $ su - wozniak
Password:
wozniak ~/ $ cd /home/shared/blog
wozniak /home/shared/blog/ $ groups wozniak
wozniak : wozniak engineers
wozniak /home/shared/blog/ $ stat -c "%a %U:%G %n" ./thoughts
664 torvalds:engineers ./thoughts
wozniak /home/shared/blog/ $ rm thoughts
rm: cannot remove ‘thoughts’: Operation not permitted
wozniak /home/shared/blog/ $ mv thoughts /home/wozniak/
mv: cannot move ‘thoughts’ to ‘/home/wozniak/thoughts’: Operation not permitted
wozniak /home/shared/blog/ $ mv thoughts pondering
mv: cannot move ‘thoughts’ to ‘pondering’: Operation not permitted
wozniak /home/shared/blog/ $ echo 'REWRITE!' > thoughts
wozniak /home/shared/blog/ $ cat thoughts
REWRITE!
Security
Developers design and implement programs that use this bit on executables carefully in order to avoid security vulnerabilities including
buffer overrun
In information security and programming, a buffer overflow, or buffer overrun, is an anomaly whereby a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
Buffers are areas of memor ...
s and
path injection. Successful buffer-overrun attacks on vulnerable applications allow the attacker to execute arbitrary code under the rights of the process exploited. In the event that a vulnerable process uses the
setuid
bit to run as
root
, the code will execute with root privileges, in effect giving the attacker root access to the system on which the vulnerable process is running.
Of particular importance in the case of a
setuid
process is the
environment
Environment most often refers to:
__NOTOC__
* Natural environment, all living and non-living things occurring naturally
* Biophysical environment, the physical and biological factors along with their chemical interactions that affect an organism or ...
of the process. If the environment is not properly sanitized by a privileged process, its behavior can be changed by the unprivileged process that started it. For example,
GNU libc
The GNU C Library, commonly known as glibc, is the GNU Project's implementation of the C standard library. Despite its name, it now also directly supports C++ (and, indirectly, other programming languages). It was started in the 1980s by t ...
was at one point vulnerable to an
exploit
Exploit means to take advantage of something (a person, situation, etc.) for one's own end, especially unethically or unjustifiably.
Exploit can mean:
*Exploitation of natural resources
*Exploit (computer security)
* Video game exploit
*Exploitat ...
using
setuid
and an environment variable that allowed executing code from untrusted
shared libraries
In computer science, a library is a collection of non-volatile resources used by computer programs, often for software development. These may include configuration data, documentation, help data, message templates, pre-written code and subr ...
.
History
The
setuid
bit was invented by
Dennis Ritchie
Dennis MacAlistair Ritchie (September 9, 1941 – October 12, 2011) was an American computer scientist. He is most well-known for creating the C programming language and, with long-time colleague Ken Thompson, the Unix operating system and B p ...
and included in
su
. His employer, then
Bell Telephone Laboratories
Nokia Bell Labs, originally named Bell Telephone Laboratories (1925–1984),
then AT&T Bell Laboratories (1984–1996)
and Bell Labs Innovations (1996–2007),
is an American industrial research and scientific development company owned by mul ...
, applied for a patent in 1972; the patent was granted in 1979 as patent number . The patent was later placed in the
public domain
The public domain (PD) consists of all the creative work
A creative work is a manifestation of creative effort including fine artwork (sculpture, paintings, drawing, sketching, performance art), dance, writing (literature), filmmaking, ...
.
See also
References
{{Reflist, 30em
External links
* Chen, Hao;
Wagner, David; and Dean, Drew
Setuid Demystified(pdf)
* Tsafrir, Dan;
Da Silva, Dilma; and Wagner, David
The Murky Issue of Changing Process Identity: Revising Setuid Demystified(pdf)
* Pollock, Wayne
Computer security procedures
Unix file system technology
Patents placed into the public domain