UNIX / Linux: Explains setuid File Permission

Author: Vivek Gite Last updated: February 24, 2010 8 comments

What does it mean for a file to be “setuid?” How do keep track of all setuid enabled file?

setuid means set user ID upon execution. If setuid bit turned on a file, user executing that executable file gets the permissions of the individual or group that owns the file. You need to use the ls -l or find command to see setuid programs. All setuid programs displays S or s in the permission bit (owner-execute) of the ls command. Type the following command:

ls -l /usr/bin/passwd

Sample outputs:

-rwsr-xr-x 1 root root 42856 2009-07-31 19:29 /usr/bin/passwd

How Do I List All setuid Enabled Files?

The following command discovers and prints any setuid files on local system:
# find / -xdev $ -perm -4000 $ -type f -print0 | xargs -0 ls -l

-rwsr-xr-x 1 root    root          27256 2010-01-29 00:02 /bin/fusermount
-rwsr-xr-x 1 root    root          78096 2009-10-23 09:58 /bin/mount
-rwsr-xr-x 1 root    root          35600 2009-05-12 03:13 /bin/ping
-rwsr-xr-x 1 root    root          31368 2009-05-12 03:13 /bin/ping6
-rwsr-xr-x 1 root    root          36864 2009-07-31 19:29 /bin/su
-rwsr-xr-x 1 root    root          56616 2009-10-23 09:58 /bin/umount
-rwsr-xr-x 1 root    root         578776 2009-10-30 17:51 /etc/thnuclnt/.thnumod
-rwsr-xr-- 1 root    messagebus    47520 2009-10-24 09:00 /lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root    root          13304 2010-02-15 14:03 /opt/google/chrome/chrome-sandbox
-rwsr-xr-x 1 root    root          14720 2009-10-23 10:36 /sbin/mount.ecryptfs_private
-rwsr-xr-x 1 root    root          14640 2009-05-12 03:13 /usr/bin/arping
-rwsr-sr-x 1 daemon  daemon        52112 2009-09-16 03:59 /usr/bin/at
-rwsr-xr-x 1 root    root          41864 2009-07-31 19:29 /usr/bin/chfn
-rwsr-xr-x 1 root    root          37128 2009-07-31 19:29 /usr/bin/chsh
-rwsr-xr-x 1 root    root          59752 2009-07-31 19:29 /usr/bin/gpasswd
-rwsr-xr-x 1 root    lpadmin       14256 2010-01-28 17:28 /usr/bin/lppasswd
-rwsr-xr-x 1 root    root          62368 2008-11-05 18:54 /usr/bin/mtr
-rwsr-xr-x 1 root    root          32384 2009-07-31 19:29 /usr/bin/newgrp
-rwsr-xr-x 1 root    root          42856 2009-07-31 19:29 /usr/bin/passwd
-rwsr-xr-x 1 root    root          14880 2009-10-16 17:13 /usr/bin/pkexec
-rwsr-xr-x 1 root    root         852296 2009-05-23 06:01 /usr/bin/schroot
-rwsr-xr-x 1 root    root         143656 2009-06-22 21:45 /usr/bin/sudo
-rwsr-xr-x 1 root    root         143656 2009-06-22 21:45 /usr/bin/sudoedit
-rwsr-xr-x 1 root    root          18848 2009-05-12 03:13 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root    root         858000 2009-10-30 17:51 /usr/bin/vmware-mount
-rwsr-sr-x 1 root    root          10536 2009-11-10 16:18 /usr/bin/X
-rwsr-xr-x 1 root    root         724784 2009-10-30 17:51 /usr/lib/cups/filter/thnucups
-rwsr-xr-x 1 root    root          10392 2009-04-29 06:09 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root    root         197320 2009-10-23 01:28 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root    root          14712 2009-10-16 17:13 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root    root          10360 2010-01-03 17:33 /usr/lib/pt_chown
-rwsr-sr-x 1 root    root          22928 2009-10-15 10:44 /usr/lib/virtualbox/VBoxHeadless
-rwsr-sr-x 1 root    root          10536 2009-10-15 10:44 /usr/lib/virtualbox/VBoxNetAdpCtl
-rwsr-sr-x 1 root    root          22928 2009-10-15 10:44 /usr/lib/virtualbox/VBoxNetDHCP
-rwsr-sr-x 1 root    root          22920 2009-10-15 10:44 /usr/lib/virtualbox/VBoxSDL
-rwsr-sr-x 1 root    root          27024 2009-10-15 10:44 /usr/lib/virtualbox/VirtualBox
-rwsr-xr-x 1 root    root        9666976 2009-10-30 17:51 /usr/lib/vmware/bin/vmware-vmx
-rwsr-xr-x 1 root    root       11605432 2009-10-30 17:51 /usr/lib/vmware/bin/vmware-vmx-debug
-rwsr-xr-x 1 root    root       10192912 2009-10-30 17:51 /usr/lib/vmware/bin/vmware-vmx-stats
-rwsr-xr-- 1 root    dip          321600 2009-02-20 23:56 /usr/sbin/pppd
-rwsr-sr-x 1 libuuid libuuid       18888 2009-10-23 09:58 /usr/sbin/uuidd
-rwsr-xr-x 1 root    root         898112 2009-10-30 17:51 /usr/sbin/vmware-authd

The s bit can be removed with the following command:
# chmod -s /path/to/file

Setuid Programs Risk

A attacker can exploit setuid binaries using a shell script or by providing false data. Users normally should not have setuid programs installed, especially setuid to users other than themselves. For example, you should not find setuid enabled binary for root under /home/vivek/crack. These are usually Trojan Horses kind of programs.

Example

In this example, user vivek run the command called “/usr/bin/vi /shared/financialdata.txt”, and the permission on the vi command and the file /shared/financialdata.txt are as follows:

-rwxr-xr-x 1 root root 1871960 2009-09-21 16:57 /usr/bin/vi
-rw------- 1 root root    3960 2009-09-21 16:57 /shared/financialdata.txt

Vivek has permission to run /usr/bin/vi, but not permission to read /shared/financialdata.txt. So when vi attempts to read the file a “permission denied” error message will be displayed to vivek. However, if you set the SUID bit on the vi:

chmod u+s /usr/bin/vi
ls -l /usr/bin/vi

Now, when vivek runs this SUID program, the access to /shared/financialdata.txt is granted. How does it work? The UNIX system doesn’t think vivek is reading file via vi, it thinks “root” is the user and hence the access is granted.

How Do I Audit And Log setuid System Call Under Linux For Each setuid Binary?

auditd can be used for system auditing under Linux. It can log and audit setuid system call. Edit /etc/audit/audit.rules:
# vi /etc/audit/audit.rules

-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

Run the following command to get setuid enabled binary from /bin and add them as above:
# find /bin -type f -perm -04000
Save and close the file. Restart auditd:
# service auditd restart
Use aureport command to view audit reports:
# aureport --key --summary # ausearch --key access --raw | aureport --file --summary # ausearch --key access --raw | aureport -x --summary # ausearch --key access --file /bin/mount --raw | aureport --user --summary -i
See Linux audit files to see who made changes to a file.

References:

man page – chmod, auditd and ls command.
Setuid Demystified

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 8 comments so far... add one ↓

Related Tutorials

Category	List of Unix and Linux commands
Disk space analyzers	df • duf • ncdu • pydf
File Management	cat • cp • mkdir • tree
Firewall	Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04
Modern utilities	bat • exa
Network Utilities	NetHogs • dig • host • ip • nmap
OpenVPN	CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04
Package Manager	apk • apt
Processes Management	bg • chroot • cron • disown • fg • glances • gtop • jobs • killall • kill • pidof • pstree • pwdx • time • vtop
Searching	ag • grep • whereis • which
User Information	groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w
WireGuard VPN	Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04

8 comments… add one

sunardo Apr 1, 2010 @ 3:13

nice tutorial..
thanks..

Reply Link
Deniz Gezmis Aug 19, 2013 @ 3:16

Great write up. Thanks a bunch.

Reply Link
--p Oct 23, 2013 @ 12:50

This article just saved couple of my days works. i accidentally chown /usr which turns out to remove the setuid bit on couple of file. the list of file makes my computer works again. Thx

Reply Link
dr.ubisha Jan 2, 2015 @ 17:01

Hello,
I have a following situation…
File named “exe” is a shell that I want to execute and which will change content of the file named “file”…
————-
-r-sr-xr-x 1 testuser testuser 55 Jan 2 16:33 exe
-rw——- 1 testuser testuser 347 Jan 2 17:37 file
————-

I’m trying to execute “exe” as another user (not the testuser which is the owner) but I always get the error: ./exe: line 3: file: Permission denied

The content of the “exe” folows:
————-
#!/bin/sh
X=`date`;
echo “$X | Hello World” >> file
————-

I’m I missing something? What’s wrong here?

Reply Link
Kristian May 4, 2015 @ 20:46

@dr.ubisha:

You have to add execution permission to your exe file. That means, you have to write the command:

chmod +x exe

If that is done, you can start your exe ;-)

Reply Link
- DEEPAK Jun 13, 2015 @ 4:57
  
  It would be “S” if the didn’t have executable permission, Since it has executable permission the exe file has “s” . The problem is with the Concatenation Operator >> ..
  
  Reply Link
Mathew Aug 15, 2015 @ 0:18

It seems to me that there is an issue with this solution: It only tracks explicitly defined files for a change in suid/sgid status. In other words, it will only tell you when a file that you expressly tell auditd to track has been altered. More often than not what someone will want is to keep track of any file that has been altered to have the suid/sgid bit set when it did not before.

Reply Link
reese parker Nov 4, 2015 @ 16:12

-rwxrwxr-xr-x. 1 root root 2 jan 22 2015 view -> vi

can anyone explain to me what this means? thanks

Reply Link

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum