What does it mean for a file to be "setuid"? How do I keep track of all setuid-enabled files?
setuid means "set user ID upon execution". If the setuid bit is turned on for a file, the user executing that file gets the permissions of the user (or group, for setgid) that owns the file. Use the ls -l or find command to see setuid programs. All setuid programs display an S or s in the owner-execute position of the permission bits shown by ls. Type the following command:
ls -l /usr/bin/passwd
Sample outputs:
-rwsr-xr-x 1 root root 42856 2009-07-31 19:29 /usr/bin/passwd
How Do I List All setuid Enabled Files?
The following command discovers and prints any setuid files on local system:
# find / -xdev \( -perm -4000 \) -type f -print0 | xargs -0 ls -l
-rwsr-xr-x 1 root root 27256 2010-01-29 00:02 /bin/fusermount
-rwsr-xr-x 1 root root 78096 2009-10-23 09:58 /bin/mount
-rwsr-xr-x 1 root root 35600 2009-05-12 03:13 /bin/ping
-rwsr-xr-x 1 root root 31368 2009-05-12 03:13 /bin/ping6
-rwsr-xr-x 1 root root 36864 2009-07-31 19:29 /bin/su
-rwsr-xr-x 1 root root 56616 2009-10-23 09:58 /bin/umount
-rwsr-xr-x 1 root root 578776 2009-10-30 17:51 /etc/thnuclnt/.thnumod
-rwsr-xr-- 1 root messagebus 47520 2009-10-24 09:00 /lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 13304 2010-02-15 14:03 /opt/google/chrome/chrome-sandbox
-rwsr-xr-x 1 root root 14720 2009-10-23 10:36 /sbin/mount.ecryptfs_private
-rwsr-xr-x 1 root root 14640 2009-05-12 03:13 /usr/bin/arping
-rwsr-sr-x 1 daemon daemon 52112 2009-09-16 03:59 /usr/bin/at
-rwsr-xr-x 1 root root 41864 2009-07-31 19:29 /usr/bin/chfn
-rwsr-xr-x 1 root root 37128 2009-07-31 19:29 /usr/bin/chsh
-rwsr-xr-x 1 root root 59752 2009-07-31 19:29 /usr/bin/gpasswd
-rwsr-xr-x 1 root lpadmin 14256 2010-01-28 17:28 /usr/bin/lppasswd
-rwsr-xr-x 1 root root 62368 2008-11-05 18:54 /usr/bin/mtr
-rwsr-xr-x 1 root root 32384 2009-07-31 19:29 /usr/bin/newgrp
-rwsr-xr-x 1 root root 42856 2009-07-31 19:29 /usr/bin/passwd
-rwsr-xr-x 1 root root 14880 2009-10-16 17:13 /usr/bin/pkexec
-rwsr-xr-x 1 root root 852296 2009-05-23 06:01 /usr/bin/schroot
-rwsr-xr-x 1 root root 143656 2009-06-22 21:45 /usr/bin/sudo
-rwsr-xr-x 1 root root 143656 2009-06-22 21:45 /usr/bin/sudoedit
-rwsr-xr-x 1 root root 18848 2009-05-12 03:13 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 858000 2009-10-30 17:51 /usr/bin/vmware-mount
-rwsr-sr-x 1 root root 10536 2009-11-10 16:18 /usr/bin/X
-rwsr-xr-x 1 root root 724784 2009-10-30 17:51 /usr/lib/cups/filter/thnucups
-rwsr-xr-x 1 root root 10392 2009-04-29 06:09 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 197320 2009-10-23 01:28 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 14712 2009-10-16 17:13 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 10360 2010-01-03 17:33 /usr/lib/pt_chown
-rwsr-sr-x 1 root root 22928 2009-10-15 10:44 /usr/lib/virtualbox/VBoxHeadless
-rwsr-sr-x 1 root root 10536 2009-10-15 10:44 /usr/lib/virtualbox/VBoxNetAdpCtl
-rwsr-sr-x 1 root root 22928 2009-10-15 10:44 /usr/lib/virtualbox/VBoxNetDHCP
-rwsr-sr-x 1 root root 22920 2009-10-15 10:44 /usr/lib/virtualbox/VBoxSDL
-rwsr-sr-x 1 root root 27024 2009-10-15 10:44 /usr/lib/virtualbox/VirtualBox
-rwsr-xr-x 1 root root 9666976 2009-10-30 17:51 /usr/lib/vmware/bin/vmware-vmx
-rwsr-xr-x 1 root root 11605432 2009-10-30 17:51 /usr/lib/vmware/bin/vmware-vmx-debug
-rwsr-xr-x 1 root root 10192912 2009-10-30 17:51 /usr/lib/vmware/bin/vmware-vmx-stats
-rwsr-xr-- 1 root dip 321600 2009-02-20 23:56 /usr/sbin/pppd
-rwsr-sr-x 1 libuuid libuuid 18888 2009-10-23 09:58 /usr/sbin/uuidd
-rwsr-xr-x 1 root root 898112 2009-10-30 17:51 /usr/sbin/vmware-authd
The s bit can be removed with the following command:
# chmod -s /path/to/file
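An added example (shell, not from the original article) that extends the find command above into a baseline check: it records the setuid/setgid files under a tree and reports anything that later appears, vanishes or changes mode. It assumes GNU find and stat; the directory tree and file names in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): inventory setuid/setgid files
# under a directory tree and diff the result against a saved baseline, so a
# privileged binary appearing where it should not (the article's
# /home/vivek/crack case) is flagged. Needs GNU find and stat. The tree
# built in demo() is constructed for illustration.

# Print "path mode owner group" for every setuid (4000) or setgid (2000)
# regular file under $1, staying on one filesystem like the article's find.
setuid_inventory() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%n %a %U %G' {} + 2>/dev/null | sort
}

# Compare tree $1 with baseline file $2 (written earlier by setuid_inventory).
# Prints "+ entry" for privileged files missing from the baseline and
# "- entry" for baseline entries that vanished or changed mode/owner.
# Returns 0 when nothing changed, 1 when there is drift.
setuid_drift() {
    current=$(mktemp)
    setuid_inventory "$1" > "$current"
    if cmp -s "$2" "$current"; then
        rm -f "$current"
        return 0
    fi
    diff "$2" "$current" | sed -n 's/^< /- /p; s/^> /+ /p'
    rm -f "$current"
    return 1
}

# Constructed demo: one expected setuid file goes into the baseline, then a
# new setuid file shows up under a home directory and is reported.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/home/vivek/crack"
    printf 'x' > "$root/usr/bin/passwd"
    chmod 4755 "$root/usr/bin/passwd"
    setuid_inventory "$root" > "$root/baseline.txt"
    printf 'x' > "$root/home/vivek/crack/sh"
    chmod 4755 "$root/home/vivek/crack/sh"
    if setuid_drift "$root" "$root/baseline.txt"; then
        echo "no drift"
    else
        echo "drift detected"
    fi
    rm -rf "$root"
}
demo
```

Run the inventory once after installation, keep the output somewhere the audited host cannot modify, and re-run setuid_drift from cron or a configuration-management check.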
Setuid Programs Risk
An attacker can exploit setuid binaries using a shell script or by providing false data. Users normally should not have setuid programs installed, especially setuid to users other than themselves. For example, you should not find a setuid-root binary under /home/vivek/crack. Such programs are usually Trojan horses.
Example
In this example, user vivek runs the command "/usr/bin/vi /shared/financialdata.txt", and the permissions on the vi command and on the file /shared/financialdata.txt are as follows:
-rwxr-xr-x 1 root root 1871960 2009-09-21 16:57 /usr/bin/vi
-rw------- 1 root root 3960 2009-09-21 16:57 /shared/financialdata.txt
Vivek has permission to run /usr/bin/vi, but not permission to read /shared/financialdata.txt. So when vi attempts to read the file, a "permission denied" error message is displayed to vivek. However, if you set the SUID bit on vi:
chmod u+s /usr/bin/vi
ls -l /usr/bin/vi
Now, when vivek runs this SUID program, access to /shared/financialdata.txt is granted. How does it work? The UNIX system doesn't think vivek is reading the file via vi; it thinks "root" is the user, and hence access is granted.
How Do I Audit And Log setuid System Call Under Linux For Each setuid Binary?
auditd can be used for system auditing under Linux. It can log and audit the setuid system call. Edit /etc/audit/audit.rules:
# vi /etc/audit/audit.rules
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
Run the following command to list the setuid-enabled binaries under /bin and add a rule for each of them as above:
# find /bin -type f -perm -04000
Save and close the file. Restart auditd:
# service auditd restart
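The step of turning the find output into audit rules, as an added example that is not part of the original article: it emits one rule per setuid binary in the format shown above. It assumes GNU find; the auid threshold 500 and the unset-auid value 4294967295 are taken from the article's rules, and the files in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): generate auditd watch rules,
# one per setuid binary, in the exact format of the rules shown above, so the
# "find the setuid binaries and add them" step is not done by hand. Needs GNU
# find. 500 (first regular UID) and 4294967295 (unset login UID) come from the
# article's rules; the files created in demo() are constructed.

# Emit one "-a always,exit ... -k privileged" rule for every setuid regular
# file under $1. $2 overrides the minimum audited login UID (default 500).
# Output is sorted so the generated rules file is reproducible.
setuid_audit_rules() {
    min_uid=${2:-500}
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        printf '%s\n' "-a always,exit -F path=$path -F perm=x -F auid>=$min_uid -F auid!=4294967295 -k privileged"
    done
}

# Number of rules that would be appended to /etc/audit/audit.rules.
setuid_audit_rule_count() {
    setuid_audit_rules "$1" "${2:-500}" | wc -l | tr -d ' '
}

# Constructed demo tree: four setuid files get rules, the plain one does not.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    for f in ping mount su umount; do
        printf 'x' > "$root/bin/$f"
        chmod 4755 "$root/bin/$f"
    done
    printf 'x' > "$root/bin/ls"
    chmod 0755 "$root/bin/ls"
    setuid_audit_rules "$root/bin"
    rm -rf "$root"
}
demo
```

On a real system run setuid_audit_rules /bin (or / for the whole host) as root, review the list, then append it to /etc/audit/audit.rules before restarting auditd.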
Use aureport command to view audit reports:
# aureport --key --summary
# ausearch --key access --raw | aureport --file --summary
# ausearch --key access --raw | aureport -x --summary
# ausearch --key access --file /bin/mount --raw | aureport --user --summary -i
See Linux audit files to see who made changes to a file.
References:
- man pages: chmod, auditd and ls
- Setuid Demystified