SUID permission in Linux

As we all know, file and directory permissions, including changing the default permissions, are managed with the chmod command. Assigning read, write and execute permissions with chmod is the basic way to protect a file or directory from access by unknown users. Attackers could still get in, steal your valuable information, or run programs as the owner to crash the operating system, so to make your valuable files and programs more secure there are some special permissions available, with which we can protect our data and control which programs can be executed by unknown users.

Let us see the special permission SUID first:

1) SUID (Set User ID): set the owner's user ID upon execution

Note: Remember that all these special permissions can be applied only with the chmod command.

SUID: When an executable file has the special permission SUID set, every user who runs that file automatically gets the file owner's permissions rather than their own user permissions.

To make this clearer: if you are the owner of an executable file and the file has SUID set, then whoever runs it gets the owner's permissions rather than the permissions of the user who runs it.

Another example: the "passwd" command

As we all know, to change a user's password we run the command "passwd" from the terminal. By default this command opens two important configuration files from the /etc directory, /etc/passwd and /etc/shadow, to write the modified password information into them. Normal users do not have access to edit any configuration file under /etc/, as they only have read access. Once SUID is set on the passwd command, every user who runs it gets the owner's permissions, irrespective of which user runs it.

If you remove the SUID from the passwd command, then a user who tries to change their password will get the warning message "permission denied", because passwd no longer has the SUID.

Let me show you with an example. Here a user, Vasanth, executes the passwd command, and we check whether the password program runs with root (owner) permissions or with Vasanth's permissions.

Check the current setting of passwd command:

#ls  -l  /usr/bin/passwd

Now Switch to Vasanth account:

#su - Vasanth

Run the passwd command:

$passwd

As the root user, now check the permissions of the "passwd" command process:

#ps aux | grep passwd

From the above output it is now confirmed that the passwd process is running with root user permissions (check the first field, root). So any program, command or file with SUID permission always runs with the permissions of the file's owner rather than those of the user who runs it.

Ex:1 How to set SUID on a file

Methods:

1) Symbolic way (s stands for set special permission)

2) Numeric way (4 will set SUID)

Let me create a file:

#touch   /database
#ls -l /database

Syntax:

#chmod <special permission><default permission> <path to the file/executable file>
#chmod 4644 /database

From the above syntax, the first "4" in 4644 indicates SUID.

Check whether SUID is applied to the file:

#ls  -l   /database

Now, as you can see from the above output, an "S" has been added in the owner execute field, which shows the file has SETUID assigned.

Note: In the output an uppercase "S" indicates the file does not have execute access set; in some cases you will see a lowercase "s", which indicates the file has execute access set as well.

After assigning execute access to the owner, the uppercase "S" changes to a lowercase "s":

#chmod 4744 /database
#ls -l /database

To remove the assigned SUID access from the file:

It's very easy: just apply the default permissions to the file again, which removes any special permissions assigned to it.

#chmod 644 /database

#ls  -l  /database

Now, in the above output, the "s" has disappeared from the owner execute field.

Method: Symbolic

#touch /mydata

Now let us set the SUID to the file by using the symbolic method:

#chmod u+s /mydata    (u - owner, s - set special permission)

#ls  -l  /mydata

From the above output you can see the "S" in the owner execute field; if you give the owner execute access, the uppercase "S" changes to a lowercase "s".

To remove the SUID :

#chmod  u-s   /mydata

#ls  -l  /mydata

As you can see from the above output, the "s" has been removed from the owner execute field, which confirms the SUID permission has been removed from the file.
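The numeric and symbolic methods above, plus the "S" versus "s" display, put together in one script. This is an added example, not code from the original article: it sets and clears SUID on a throwaway file with chmod 4644, 4744, 644, u+s and u-s, and reads the mode back with stat so each state is visible. It assumes Linux with GNU coreutils (stat -c) and constructs its file under $TMPDIR or /tmp; no root is needed, because the special bit can be set on a file you own.

```shell
#!/bin/sh
# Added example, not code from the original article: set and clear SUID with
# the numeric (4xxx) and symbolic (u+s / u-s) chmod forms on a throwaway file,
# and read back the owner-execute field so the "S" versus "s" difference is
# visible. Assumes Linux with GNU coreutils (stat -c); the file path is
# constructed in $TMPDIR or /tmp.

# Print the owner-execute character of a file's ls-style mode string:
#   "-"  no SUID and no owner execute
#   "x"  owner execute only
#   "S"  SUID set but owner execute missing (the bit is set but cannot take effect)
#   "s"  SUID set together with owner execute
owner_exec_field() {
    mode=$(stat -c '%A' "$1") || return 1
    # %A prints e.g. -rwSr--r--; the 4th character is the owner execute slot
    printf '%s\n' "$mode" | cut -c4
}

# Print the octal mode including the leading special-permission digit, e.g. 4644
octal_mode() {
    stat -c '%a' "$1"
}

# Succeed (exit 0) when the SUID bit is set; the shell's -u test reads the bit directly
has_suid() {
    [ -u "$1" ]
}

# Run the article's sequence on a fresh file and print the mode after each step
suid_walkthrough() {
    f=$(mktemp "${TMPDIR:-/tmp}/suid_demo.XXXXXX") || return 1
    for step in 'chmod 4644' 'chmod 4744' 'chmod 644' 'chmod u+s' 'chmod u-s'; do
        # $step is deliberately unquoted so it splits into command and mode
        $step "$f"
        printf '%-11s -> %-5s owner-exec=%s  suid=%s\n' "$step" \
            "$(octal_mode "$f")" "$(owner_exec_field "$f")" \
            "$(has_suid "$f" && echo yes || echo no)"
    done
    rm -f "$f"
}

suid_walkthrough
```

Running it shows 4644 with "S", 4744 with "s", then 644 with "-", after which u+s brings back 4644/"S" and u-s clears it again. The `-u` test is a convenient way to check the bit in scripts without parsing ls output.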

NOTE: Like "passwd", there are lots of commands that exist with SUID. For example, we can also check it with the "crontab" command (which is used to schedule automatic jobs). This command opens its configuration file under /etc, where normal users are not allowed to write any file; crontab also has the SUID permission, so that a normal user gets the owner's permission to edit the files under /etc/ while running the crontab command to schedule automatic jobs.
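Since passwd and crontab are only two of the SUID commands on a system, a reviewer usually wants the complete list and wants to know when it changes. The script below is an added example, not from the original article: it inventories the SUID executables under a directory tree as "owner path" lines, saves that inventory as a baseline, and later reports entries that were added or that lost their SUID bit. It assumes Linux with GNU find (for -printf) and comm; the demo tree and its files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original article: inventory the SUID executables
# under a directory tree (on /usr/bin that is where passwd and crontab appear)
# and diff that inventory against a saved baseline, so an unexpected SUID file
# shows up at review time. Assumes Linux with GNU find (-printf) and comm.

# List regular files with the SUID bit set under DIR as "owner path", sorted,
# staying on one filesystem; unreadable subtrees are skipped silently
list_suid() {
    find "$1" -xdev -type f -perm -4000 -printf '%u %p\n' 2>/dev/null | sort
}

# Write the current inventory of DIR to the BASELINE file for later comparison
save_baseline() {
    list_suid "$1" > "$2"
}

# Print entries in the current inventory that are missing from BASELINE
# (comm -13 keeps lines unique to the second input, our live listing)
new_suid_since() {
    list_suid "$1" | comm -13 "$2" -
}

# Print entries in BASELINE that have since lost their SUID bit or disappeared
# (comm -23 keeps lines unique to the first input, the baseline)
removed_suid_since() {
    list_suid "$1" | comm -23 "$2" -
}

# Constructed demo tree: one ordinary executable and one SUID executable,
# then a new SUID file appears after the baseline was taken
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/suid_inv.XXXXXX") || return 1
    b=$(mktemp "${TMPDIR:-/tmp}/suid_base.XXXXXX") || return 1
    touch "$d/plain" "$d/setuid_tool"
    chmod 755 "$d/plain"
    chmod 4755 "$d/setuid_tool"
    save_baseline "$d" "$b"
    touch "$d/surprise"
    chmod 4755 "$d/surprise"
    echo "SUID files added since baseline:"
    new_suid_since "$d" "$b"
    rm -rf "$d" "$b"
}

demo
```

For a real system the same functions apply to /usr/bin or / (run as root so every subtree is readable): save_baseline / suid-baseline.txt after installation, then run new_suid_since / suid-baseline.txt as part of regular review and investigate anything it prints.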

************************************************************************************************************************************

I hope you have learned now how to set the SUID permission on files and their importance.


About Author:

Hello readers! Let me introduce myself first. My name is Vasanth Nirmal Singh J S, having 9+ years of experience in IT on all flavours of Unix operating systems, storage and many more. I would like to share the technical experience I have come across, which can be of help to other people. So in this blog I'll post my thoughts related to ITIS. I'll share experiences that I've had while working in different environments. You can expect content related to Unix, Solaris, Linux, EMC Storage, HP-UX and many others. I hope this blog can be useful for you! Your comments will be appreciated!
