Wednesday, March 3, 2010

setuid File Permission in UNIX/Linux

In this post I am going to describe 'setuid' in UNIX and Linux.

setuid ('set user ID upon execution') and setgid ('set group ID upon execution') are UNIX access right flags that allow users to run an executable file with the permissions of the file's owner or group. If setuid is enabled for an executable file, the process runs with the permissions of the user that owns the file; with setgid, it runs with the permissions of the group that owns the file. This is very useful for allowing users on a computer system to run programs with temporarily elevated privileges to perform a particular task.

These programs are needed for tasks such as running 'ping' as an unprivileged user. Suppose the ping executable in the /usr/bin folder has the setuid bit on and its owner is root. Then whenever the ping command is used it is executed with elevated privileges, and hence all unprivileged users can use the ping command unless they are explicitly blocked from using it by some other means. I hope this gives you the concept of setuid. Please continue reading to learn more about setting, listing and disabling setuid.


Setting the setuid bit
For example, to set the setuid bit on the /usr/bin/vi executable file, that is, our vi editor, so that it is usable by all, you just need to put 's' in its permission list as follows:

# chmod u+s /usr/bin/vi

This will set the setuid bit for the /usr/bin/vi file. That is, its owner-execute permission bit will be shown as 's' or 'S' ('s' when the owner also has execute permission, 'S' when the owner does not).

Listing the setuid enabled files
To check whether a file is setuid enabled you can use the common ls command with the long listing parameter as follows. Let's view our setuid enabled vi file.

# ls -l /usr/bin/vi

Its output will be as follows:

-rwsr-xr-x 1 root root 42521 2010-03-03 21:30 /usr/bin/vi

You can see that the owner-execute bit is set to 's', which means the executable file is setuid enabled. However, making vi setuid enabled is not at all recommended, as now all the users can edit all the files, including the system files, if they gain access to it. That is, if an unprivileged user edits a configuration file using 'vi', say our web server configuration file apache.conf, the user's permission will be elevated to root's privilege by the setuid bit and he can easily change your configuration.

Disabling the setuid bit
I have set the setuid bit for the vi file just to demonstrate it, and as it is not at all recommended we will remove the 's' bit. For that you just have to use the '-s' option with the chmod command as follows:

# chmod -s /usr/bin/vi

Now check the permission set in the file,

# ls -l /usr/bin/vi
-rwxr-xr-x 1 root root 42521 2010-03-03 21:35 /usr/bin/vi

Voila, it has gone!!!!!

Listing all the setuid enabled files


You may also be interested in displaying all the files that are setuid enabled on your machine. For this, type in the command below:

# find / -xdev \( -perm -4000 \) -type f -print0 | xargs -0 ls -l
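
As an added example (not part of the original post), the shell functions below turn that find command into a small audit: they list setuid files, report the ones missing from an allowlist you maintain, and pick out files whose owner bit shows as 'S'. The function names and the allowlist format (one absolute path per line) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit setuid files against a known-good allowlist.
# Function names and the allowlist format are assumptions of this example.

# list_setuid ROOT
# Print every regular file under ROOT that has the setuid bit set, sorted.
# Uses the same -xdev and -perm -4000 tests as the find command above.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# unexpected_setuid ROOT ALLOWLIST
# Print setuid files under ROOT that are not named in ALLOWLIST.
# -x matches whole lines and -F treats each path as a literal string,
# so /usr/bin/su on the list does not excuse /usr/bin/sudo.
unexpected_setuid() {
    list_setuid "$1" | grep -vxF -f "$2" || true
}

# setuid_without_exec ROOT
# Print setuid files whose owner lacks execute permission. ls -l shows
# these with a capital 'S' in the owner-execute position.
setuid_without_exec() {
    find "$1" -xdev -type f -perm -4000 ! -perm -0100 -print 2>/dev/null | sort
}

# When called as: script ROOT ALLOWLIST, print a short report.
if [ "$#" -ge 2 ]; then
    echo "setuid files not on the allowlist:"
    unexpected_setuid "$1" "$2"
    echo "setuid files shown as 'S' (owner cannot execute):"
    setuid_without_exec "$1"
fi
```

Run it as root so find can read every directory, and review any path it reports before adding it to the allowlist.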

Yeah, that's about the setuid. Hope you enjoyed this post!!!!!
Please feel free to post a comment if you have any doubts and it will be my pleasure to help you!!!!!
Also, if you need me to write an article about any particular topic, please let me know either by comments or by the 'Get Answers' section in this blog. Let me check how I could help you.
Cheers,
Jk
