Setuid
Setuid Bits
The "setuid" bit is placed on programs and causes them to run as the user who owns the file, instead of as the user running the program. This allows non-privileged users (e.g. non-root users) to perform certain actions that they would not otherwise be able to do.
For example, in order to change the password on a user account, the /etc/shadow file (and /etc/passwd on systems not using shadow passwords) must be changed to contain the new password hash. The permissions on these files do not permit modification by general users:
[root@somehost ~]# ls -l /etc/passwd /etc/shadow
-rw-r--r-- 1 root root 1893 May 16 11:04 /etc/passwd
-r-------- 1 root root 1440 May 16 11:04 /etc/shadow
The passwd command will permit users to change their password without having to have complete root access. This is because the passwd command:
- is owned by root
- has the setuid bit enabled
[root@station12 ~]# ls -l /usr/bin/passwd
-r-s--x--x 1 root root 21200 Jun 17 2005 /usr/bin/passwd
The program is executable by everyone (the "user", "group", and "others"). However, when it is run, it will run as root.
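The following script is an added example (not part of the original page) that reads the mode string the way the passwd listing above is read, and then lists every setuid or setgid file under a directory so the result can be compared against a known-good baseline. It assumes only POSIX sh, find, ls and cut; the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the original page: recognise the setuid/setgid bits
# in an `ls -l` mode string and audit a directory tree for files carrying them.

# The mode string is 10 characters: file type, then rwx for user, group, other.
# Setuid replaces the user x (position 4) with s, setgid the group x
# (position 7) with s. A capital S means the bit is set but the underlying
# execute bit is not, which is almost always a misconfiguration.
mode_has_setuid() {
    case "$(printf '%s\n' "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

mode_has_setgid() {
    case "$(printf '%s\n' "$1" | cut -c7)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# List every regular file under DIR (without crossing filesystems) whose
# setuid (04000) or setgid (02000) bit is set, with owner and mode, so the
# list can be diffed against the one recorded when the system was installed.
audit_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} +
}

# Number of such files; tr strips the padding BSD wc puts in front of the count.
count_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# Usage: sh audit.sh /usr/bin
if [ $# -gt 0 ]; then
    audit_special_bits "$1"
fi
```

Running it against /usr/bin on a stock system shows passwd alongside the handful of other binaries that legitimately need the bit; any file that appears in the list but not in the baseline deserves a look, because a setuid root binary runs with full root privilege for anyone allowed to execute it.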
Shell scripts
The setuid bit is typically ignored on shell scripts as a security precaution. On systems that do support it, it should probably be avoided.
See http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/shell.html and http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html for more details.
Setgid bits
The setgid bit works in the same way as the setuid bit, with one notable exception: directories.
Normally, when a user creates a file, that new file is created with the primary group of the user. When a directory has the setgid bit set, new files created in it are given the same group as that directory.
[root@station12 data]# ls -ld /data
drwxr-xr-x 2 root root 4096 May 16 16:43 /data
[root@station12 data]# touch file1
[root@station12 data]# ls -l file1
-rw-r--r-- 1 root root 0 May 16 16:47 file1
[root@station12 data]# chgrp web /data
[root@station12 data]# chmod g+s /data
[root@station12 data]# ls -ld /data
drwxr-sr-x 2 root web 4096 May 16 16:48 /data
[root@station12 data]# touch file2
[root@station12 data]# ls -l file1 file2
-rw-r--r-- 1 root root 0 May 16 16:47 file1
-rw-r--r-- 1 root web 0 May 16 16:48 file2
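The session above can be repeated by any user, not just root, in a scratch directory. The script below is an added example (not part of the original page) that does so and checks the outcome: it creates one file before setting the setgid bit and one after, and reports whether the second file took the directory's group. It assumes POSIX sh, ls, awk, cut and mktemp; if the user belongs to a supplementary group it uses that group in place of "web" so the difference is visible, otherwise the check still holds with the primary group. Function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the original page: reproduce the setgid-directory
# behaviour in a temporary directory and verify that a file created after
# chmod g+s inherits the directory's group rather than the creator's primary group.

# Group owner of a path: column 4 of `ls -ld`, which is portable across ls
# implementations (stat's option letters differ between GNU and BSD).
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# True when the 7th character of the mode string is s or S, i.e. the
# directory carries the setgid bit (S means set without group execute).
dir_has_setgid() {
    case "$(ls -ld "$1" | cut -c7)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Create an empty file NAME inside DIR and print the group it received.
group_of_new_file() {
    : > "$1/$2" || return 1
    group_of "$1/$2"
}

# Run the experiment from the text. Prints "before=<g> after=<g> dir=<g>" and
# returns 0 only if the file created after g+s has the directory's group.
setgid_experiment() {
    dir=$(mktemp -d) || return 1
    before=$(group_of_new_file "$dir" file1)
    # Stand-in for `chgrp web /data`: use a supplementary group when the
    # caller has one, so the inherited group visibly differs from the primary.
    alt=$(id -Gn | awk '{print $2}')
    if [ -n "$alt" ]; then
        chgrp "$alt" "$dir" 2>/dev/null || true
    fi
    chmod g+s "$dir" || { rm -rf "$dir"; return 1; }
    after=$(group_of_new_file "$dir" file2)
    dgroup=$(group_of "$dir")
    echo "before=$before after=$after dir=$dgroup"
    rm -rf "$dir"
    [ "$after" = "$dgroup" ]
}

# Usage: sh setgid_demo.sh run
if [ "${1:-}" = run ]; then
    setgid_experiment
fi
```

This is the mechanism behind shared project directories: set the group to the team and the setgid bit on the directory, and every member's new files are group-owned by the team without each member having to remember chgrp. The experiment also shows why the setgid bit on a directory has no run-as-group effect: it only changes ownership of new files, which is the exception the text refers to.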