≡ Menu

UNIX / Linux: Explains setuid File Permission

What does it mean for a file to be "setuid?" How do keep track of all setuid enabled file?

setuid means set user ID upon execution. If setuid bit turned on a file, user executing that executable file gets the permissions of the individual or group that owns the file. You need to use the ls -l or find command to see setuid programs. All setuid programs displays S or s in the permission bit (owner-execute) of the ls command. Type the following command:

ls -l /usr/bin/passwd

Sample outputs:

-rwsr-xr-x 1 root root 42856 2009-07-31 19:29 /usr/bin/passwd

How Do I List All setuid Enabled Files?

The following command discovers and prints any setuid files on local system:
# find / -xdev \( -perm -4000 \) -type f -print0 | xargs -0 ls -l

-rwsr-xr-x 1 root    root          27256 2010-01-29 00:02 /bin/fusermount
-rwsr-xr-x 1 root    root          78096 2009-10-23 09:58 /bin/mount
-rwsr-xr-x 1 root    root          35600 2009-05-12 03:13 /bin/ping
-rwsr-xr-x 1 root    root          31368 2009-05-12 03:13 /bin/ping6
-rwsr-xr-x 1 root    root          36864 2009-07-31 19:29 /bin/su
-rwsr-xr-x 1 root    root          56616 2009-10-23 09:58 /bin/umount
-rwsr-xr-x 1 root    root         578776 2009-10-30 17:51 /etc/thnuclnt/.thnumod
-rwsr-xr-- 1 root    messagebus    47520 2009-10-24 09:00 /lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root    root          13304 2010-02-15 14:03 /opt/google/chrome/chrome-sandbox
-rwsr-xr-x 1 root    root          14720 2009-10-23 10:36 /sbin/mount.ecryptfs_private
-rwsr-xr-x 1 root    root          14640 2009-05-12 03:13 /usr/bin/arping
-rwsr-sr-x 1 daemon  daemon        52112 2009-09-16 03:59 /usr/bin/at
-rwsr-xr-x 1 root    root          41864 2009-07-31 19:29 /usr/bin/chfn
-rwsr-xr-x 1 root    root          37128 2009-07-31 19:29 /usr/bin/chsh
-rwsr-xr-x 1 root    root          59752 2009-07-31 19:29 /usr/bin/gpasswd
-rwsr-xr-x 1 root    lpadmin       14256 2010-01-28 17:28 /usr/bin/lppasswd
-rwsr-xr-x 1 root    root          62368 2008-11-05 18:54 /usr/bin/mtr
-rwsr-xr-x 1 root    root          32384 2009-07-31 19:29 /usr/bin/newgrp
-rwsr-xr-x 1 root    root          42856 2009-07-31 19:29 /usr/bin/passwd
-rwsr-xr-x 1 root    root          14880 2009-10-16 17:13 /usr/bin/pkexec
-rwsr-xr-x 1 root    root         852296 2009-05-23 06:01 /usr/bin/schroot
-rwsr-xr-x 1 root    root         143656 2009-06-22 21:45 /usr/bin/sudo
-rwsr-xr-x 1 root    root         143656 2009-06-22 21:45 /usr/bin/sudoedit
-rwsr-xr-x 1 root    root          18848 2009-05-12 03:13 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root    root         858000 2009-10-30 17:51 /usr/bin/vmware-mount
-rwsr-sr-x 1 root    root          10536 2009-11-10 16:18 /usr/bin/X
-rwsr-xr-x 1 root    root         724784 2009-10-30 17:51 /usr/lib/cups/filter/thnucups
-rwsr-xr-x 1 root    root          10392 2009-04-29 06:09 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root    root         197320 2009-10-23 01:28 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root    root          14712 2009-10-16 17:13 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root    root          10360 2010-01-03 17:33 /usr/lib/pt_chown
-rwsr-sr-x 1 root    root          22928 2009-10-15 10:44 /usr/lib/virtualbox/VBoxHeadless
-rwsr-sr-x 1 root    root          10536 2009-10-15 10:44 /usr/lib/virtualbox/VBoxNetAdpCtl
-rwsr-sr-x 1 root    root          22928 2009-10-15 10:44 /usr/lib/virtualbox/VBoxNetDHCP
-rwsr-sr-x 1 root    root          22920 2009-10-15 10:44 /usr/lib/virtualbox/VBoxSDL
-rwsr-sr-x 1 root    root          27024 2009-10-15 10:44 /usr/lib/virtualbox/VirtualBox
-rwsr-xr-x 1 root    root        9666976 2009-10-30 17:51 /usr/lib/vmware/bin/vmware-vmx
-rwsr-xr-x 1 root    root       11605432 2009-10-30 17:51 /usr/lib/vmware/bin/vmware-vmx-debug
-rwsr-xr-x 1 root    root       10192912 2009-10-30 17:51 /usr/lib/vmware/bin/vmware-vmx-stats
-rwsr-xr-- 1 root    dip          321600 2009-02-20 23:56 /usr/sbin/pppd
-rwsr-sr-x 1 libuuid libuuid       18888 2009-10-23 09:58 /usr/sbin/uuidd
-rwsr-xr-x 1 root    root         898112 2009-10-30 17:51 /usr/sbin/vmware-authd

The s bit can be removed with the following command:
# chmod -s /path/to/file

Setuid Programs Risk

A attacker can exploit setuid binaries using a shell script or by providing false data. Users normally should not have setuid programs installed, especially setuid to users other than themselves. For example, you should not find setuid enabled binary for root under /home/vivek/crack. These are usually Trojan Horses kind of programs.

Example

In this example, user vivek run the command called "/usr/bin/vi /shared/financialdata.txt", and the permission on the vi command and the file /shared/financialdata.txt are as follows:

-rwxr-xr-x 1 root root 1871960 2009-09-21 16:57 /usr/bin/vi
-rw------- 1 root root    3960 2009-09-21 16:57 /shared/financialdata.txt

Vivek has permission to run /usr/bin/vi, but not permission to read /shared/financialdata.txt. So when vi attempts to read the file a "permission denied" error message will be displayed to vivek. However, if you set the SUID bit on the vi:

chmod u+s /usr/bin/vi
ls -l /usr/bin/vi

Now, when vivek runs this SUID program, the access to /shared/financialdata.txt is granted. How does it work? The UNIX system doesn't think vivek is reading file via vi, it thinks "root" is the user and hence the access is granted.

How Do I Audit And Log setuid System Call Under Linux For Each setuid Binary?

auditd can be used for system auditing under Linux. It can log and audit setuid system call. Edit /etc/audit/audit.rules:
# vi /etc/audit/audit.rules

-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

Run the following command to get setuid enabled binary from /bin and add them as above:
# find /bin -type f -perm -04000
Save and close the file. Restart auditd:
# service auditd restart
Use aureport command to view audit reports:
# aureport --key --summary
# ausearch --key access --raw | aureport --file --summary
# ausearch --key access --raw | aureport -x --summary
# ausearch --key access --file /bin/mount --raw | aureport --user --summary -i

See Linux audit files to see who made changes to a file.

References:

Tweet itFacebook itGoogle+ itPDF itFound an error/typo on this page?

{ 6 comments… add one }

  • sunardo April 1, 2010, 3:13 am

    nice tutorial..
    thanks..

  • Deniz Gezmis August 19, 2013, 3:16 am

    Great write up. Thanks a bunch.

  • --p October 23, 2013, 12:50 pm

    This article just saved couple of my days works. i accidentally chown /usr which turns out to remove the setuid bit on couple of file. the list of file makes my computer works again. Thx

  • dr.ubisha January 2, 2015, 5:01 pm

    Hello,
    I have a following situation…
    File named “exe” is a shell that I want to execute and which will change content of the file named “file”…
    ————-
    -r-sr-xr-x 1 testuser testuser 55 Jan 2 16:33 exe
    -rw——- 1 testuser testuser 347 Jan 2 17:37 file
    ————-

    I’m trying to execute “exe” as another user (not the testuser which is the owner) but I always get the error: ./exe: line 3: file: Permission denied

    The content of the “exe” folows:
    ————-
    #!/bin/sh
    X=`date`;
    echo “$X | Hello World” >> file
    ————-

    I’m I missing something? What’s wrong here?

  • Kristian May 4, 2015, 8:46 pm

    @dr.ubisha:

    You have to add execution permission to your exe file. That means, you have to write the command:

    chmod +x exe

    If that is done, you can start your exe ;-)

    • DEEPAK June 13, 2015, 4:57 am

      It would be “S” if the didn’t have executable permission, Since it has executable permission the exe file has “s” . The problem is with the Concatenation Operator >> ..

Leave a Comment