SUID permission: what is it and why can it be dangerous?

SUID stands for “Set User ID”. It is a special permission in Unix and Linux operating systems that allows a command to be executed with the rights of the owner of the file rather than the rights of the user who executes the file.

Why is SUID useful?

SUID is useful when you need to execute a file with elevated rights. This is quite common in system tools like passwd: passwd is owned by the root user, but regular users also need to execute it in order to change their password without needing root access!

Why can SUID be dangerous?

SUID can be a security concern if the files it is applied to are owned by the root user and can somehow be exploited to execute arbitrary shell commands! For a regular user, that is the equivalent of gaining root access!

How to set SUID

Let's create a simple C program that prints the real and effective user IDs of the user executing it. Save it as suid_example.c

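#include <stdio.h>
#include <unistd.h>

int main(void) {
    /* Real UID: the user who started the program */
    printf("Real User ID: %d\n", (int)getuid());
    /* Effective UID: the identity used for permission checks */
    printf("Effective User ID: %d\n", (int)geteuid());
    return 0;
}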

Now let's compile the program using the gcc compiler!

gcc suid_example.c -o suid_example

If no errors occurred, the suid_example binary should have been created. Running suid_example prints two things: the Real User ID and the Effective User ID. The real user ID is the ID of the actual user running the program, and the effective user ID is the ID of the user whose rights are used to run the file. In this case both are 501, which maps to my username.

./suid_example
Real User ID: 501 
Effective User ID: 501

Let's change the owner to root using the chown command with sudo, and then set the SUID bit with chmod

sudo chown root ./suid_example  # Change owner to root 
sudo chmod +s ./suid_example  # Set the SUID bit

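We verify with the ls command that the owner is now root and that the SUID bit has been set (-rwsr-sr-x). Note that chmod +s sets both the SUID and the SGID bit, which is why an s also appears in the group permissions; chmod u+s sets only the SUID bit.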

ls -ltrh ./suid_example 
-rwsr-sr-x  1 root  staff    33K Sep 27 20:45 ./suid_example

Let's re-run the file now that we have changed the owner to root and set the SUID bit!

~ ❯ ./suid_example
Real User ID: 501 
Effective User ID: 0

We see that the real user ID is still 501 but the effective user ID is 0, which on Linux and Unix-like systems maps to the root user. This means that the user with ID 501, a regular user, executed this program with the rights of the root user.
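A SUID-root program should keep effective UID 0 only for the step that really needs it. The following is an added example, not code from the original article: it permanently drops back to the real user and verifies the drop. drop_privileges is a hypothetical helper name, and the binary is assumed to be installed SUID root as shown above.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up the elevated IDs of a SUID-root binary (assumption:
 * the file is owned by root and has the SUID bit set).
 * Returns 0 on success, -1 on failure; on failure the caller must exit. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: after the UID is dropped we may no longer be allowed
     * to change the GID. */
    if (setgid(rgid) != 0)
        return -1;
    /* With effective UID 0 this sets the real, effective and saved UID. */
    if (setuid(ruid) != 0)
        return -1;

    /* Never trust the return values alone: check the resulting IDs. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* A regular user must not be able to get root back. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    printf("before: real=%d effective=%d\n", (int)getuid(), (int)geteuid());
    /* ... the single operation that needs root would run here ... */
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges, aborting\n");
        return 1;
    }
    printf("after:  real=%d effective=%d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```

Installed with the chown and chmod commands from this section, the "before" line shows effective ID 0 and the "after" line shows the real user's ID for both values.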

SUID and scripts

Now you might be wondering: “Oh wow, this can be a great security risk! If someone sets the SUID bit on a script, then anyone who has access to modify this script can effectively execute commands as root!” Well, you can set the bit, but it will not work. This is because the script itself does not execute any code; the interpreter executes the code, and most interpreters (bash, python, perl) do not support the SUID bit, which means that the SUID bit has no effect. Let's do some experiments.

Create the following file as show_id.sh

#!/bin/bash 
 
# Print the User ID (UID) 
echo "User ID (UID): $UID" 
 
# Print the Effective User ID (EUID) 
echo "Effective User ID (EUID): $EUID"

Make it executable using chmod and run it. As expected, the User ID and the Effective User ID are the same.

chmod +x ./show_id.sh 
~ ❯ ./show_id.sh
User ID (UID): 501 
Effective User ID (EUID): 501

Now let's set SUID on the script and re-run it. Nothing changes: the User ID and the Effective User ID are still the same! This means that although we set SUID and made root the owner, the change had no effect, because the bash interpreter does not care about SUID.

~ ❯ sudo chown root ./show_id.sh
Password: 
~ ❯ sudo chmod +s ./show_id.sh
~ ❯ ./show_id.sh
User ID (UID): 501 
Effective User ID (EUID): 501

How to find files that have SUID enabled and are owned by root

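Since SUID bits can be a security concern, it would be nice to be able to create a list of programs that use SUID so we can audit them. To do this we can use the find command: -user root keeps only files owned by root, and -perm -4000 matches files that have the SUID bit set (this form works with both GNU and BSD find).

sudo find / -type f -user root -perm -4000 -exec ls -l {} \; 2>/dev/null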

Conclusion

SUID is a very useful functionality, but if it is not used properly and not audited it can be a major security concern! I hope you enjoyed the article as much as I enjoyed writing it! I would also love to see your comments on this article!
