1) The setuid attribute is meaningful for executable files. If this bit is set then the user ID would be set as that of the owner of executable rather than the current user. For example the sudo tool owner is root and the setuid bit is set on, and when another user run this program, it will be executed as root. If set off the setuid attribute, then the sudo tool will not work, because it will run as a normal user without root permissions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ which sudo | |
| /usr/bin/sudo | |
| $ cp /usr/bin/sudo ./ # copy sudo tool | |
| $ sudo chown root:root sudo #convert owner to root | |
| $ ll | |
| ... | |
| -rwxr-xr-x 1 root root 147872 2011-03-31 19:50 sudo* | |
| $ | |
| $ ./sudo echo 1 #this will give error | |
| sudo: must be setuid root | |
| $ sudo chmod u+s ./sudo | |
| $ ll #see added setuid attribute | |
| .. | |
| -rwsr-xr-x 1 root root 147872 2011-03-31 19:50 sudo* | |
| $ | |
| $ ./sudo echo 1 # try again | |
| 1 | |
| $ #it works. |
2) Setgid attribute is the analog to setuid, but for group ID.
3) In Linux sticky bit is meaningful for directories only(in old *nix systems it had another meaning also). If this bit is enabled on directory then the files in that directory may only be deleted or renamed by root or by their owner.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ mkdir tmp | |
| $ sudo chown root:root tmp # change owner to root | |
| $ sudo chmod o+w tmp # add permission to other user to add files | |
| $ | |
| $ sudo mkdir tmp/123 # create a directory owned by root | |
| $ sudo chmod 777 tmp/123 # give all permissions, so other user can remove it. | |
| $ rm -r tmp/123 # remove it without any problem. | |
| $ | |
| $ sudo mkdir tmp/123 # create a directory owned by root again | |
| $ sudo chmod 777 tmp/123 # give all permissions, so other user can remove it. | |
| $ sudo chmod +t tmp # set on sticky bit | |
| $ rm -r tmp/123/ # try to remove it. | |
| rm: cannot remove `tmp/123': Operation not permitted | |
| $ |
One more sample related to setuid
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ echo -e "#"\!"/bin/dash\nwhoami" | sudo tee a.sh # create a script | |
| #!/bin/dash | |
| whoami | |
| $ sudo chmod +x a.sh # add executable flag | |
| $ ll # see root is the owner | |
| ... | |
| -rwxr-xr-x 1 root root 19 2011-03-31 20:32 a.sh* | |
| $ | |
| $ ./a.sh # it will print my username | |
| <my user name> | |
| $ sudo chmod +s a.sh # set on setuid | |
| $ ./a.sh # surprisingly it prints my username again. | |
| <my user name> | |
| $ # the cause of above behavior is that, | |
| $ # the a.sh isn't executable actually, | |
| $ # the /bin/dash with a.sh argument is called, | |
| $ # so we need to add +s to /bin/dash | |
| $ sudo chmod +s /bin/dash # set on setuid | |
| $ ./a.sh # now it gives root | |
| root | |
| $ | |
| $ sudo rm -rf * # remove all | |
| $ echo -e "#"\!"/bin/dash\nwhoami" > a.sh # create a script | |
| $ chmod +x ./a.sh # add executable flag | |
| $ ll # now I am the owner | |
| -rwxr-xr-x 1 <user name> <group name> 19 2011-03-31 20:30 a.sh | |
| $ | |
| $ ./a.sh # it gives root again, because of setuid of /bin/dash | |
| root | |
| $ | |
| $ # At last, don't forget to bring back the attributes of dash | |
| $ sudo chmod -s /bin/dash | |
| $ |
No comments:
Post a Comment