HPE Community
Operating System - HP-UX
1832649 Members
2926 Online
110043 Solutions
New Discussion

setuid

 
manu_9
Frequent Advisor

‎09-02-2004 09:25 PM

‎09-02-2004 09:25 PM

setuid

I want to know the for setuid to woork, the owener should be root only.wil it not work if teh owner is some other user , If yes , Why
0 Kudos
Reply
12 REPLIES 12
Elmar P. Kolkman
Honored Contributor

‎09-02-2004 09:39 PM

‎09-02-2004 09:39 PM

Re: setuid

The system call setuid will only work when your effective uid is root. That's why a program like login or su works. They run with effective uid root, because of the setuid bit on the executable.
It would be a security issue if any user could use the setuid call.

If you want to run a program under a different user id, you need to set the setuid bit on the executable, or run it using the "su -c " syntax and enter the password of the user.
Every problem has at least one solution. Only some solutions are harder to find.
0 Kudos
Reply
Simon Hargrave
Honored Contributor

‎09-02-2004 09:40 PM

‎09-02-2004 09:40 PM

Re: setuid

The setuid bit will make the process run with the "EUID (effective user id)" of whomever owns it. If the file is owned by "bob", the process will have the same access as "bob".

"root" is the usual, for sysadmin commands etc, but for example if you look in /usr/bin you will see files owned by "lp" and "uucp" etc, which run with their respective permissions.
0 Kudos
Reply
manu_9
Frequent Advisor

‎09-02-2004 09:47 PM

‎09-02-2004 09:47 PM

Re: setuid

So i cannot have a shell script withc owner as a any non root user and set a setuid , it will not work .
0 Kudos
Reply
Simon Hargrave
Honored Contributor

‎09-02-2004 09:52 PM

‎09-02-2004 09:52 PM

Re: setuid

It will run as whomever it's owned. As an example: -

(as root)
cat >/tmp/test.sh <#!/usr/bin/sh
id
EOF
chmod 4555 /tmp/test.sh
chown lp /tmp/test.sh

(as normal user)
/tmp/test.sh
uid=335(u20508) gid=102(tsg) euid=9(lp)

You see it runds as effective user id lp. Therefore it will be able to write to files the lp user can.
0 Kudos
Reply
Simon Hargrave
Honored Contributor

‎09-02-2004 09:52 PM

‎09-02-2004 09:52 PM

Re: setuid

Remember also you MUST have #!/usr/bin/sh (or any other valid shell) as the first line. If you don't have this, then the shell will not execute it setuid.
0 Kudos
Reply
manu_9
Frequent Advisor

‎09-02-2004 09:57 PM

‎09-02-2004 09:57 PM

Re: setuid

Hi Simon ,
You are setting 4555 permissions , which essentially means execute permissions for others too.Others will anyhow be able to run this shell even without setuid
0 Kudos
Reply
Simon Hargrave
Honored Contributor

‎09-02-2004 09:59 PM

‎09-02-2004 09:59 PM

Re: setuid

If you want a script to be runnable setuid, it must be also executable by other people. setting permissions of 4544 (for example) is pointless, since no-one, other than the owner can run it anyway.

perhaps you are misunderstanding the function of setuid?
0 Kudos
Reply
manu_9
Frequent Advisor

‎09-02-2004 10:05 PM

‎09-02-2004 10:05 PM

Re: setuid

H simon ,
My understanding is
If you want that script to be runnable by others the o+x is enough .But if the script has permissions eg 744 and then you set the setuid on that , other will be able to exec the script as the effective user id wil change .
0 Kudos
Reply
Simon Hargrave
Honored Contributor

‎09-02-2004 10:10 PM

‎09-02-2004 10:10 PM

Re: setuid

Not quite. If you set the setiud bit on a file, then you still need to set either g+x or o+x in order that other users may execute it.

You could for example chmod 4550 then chown root:nicepeople a file to give a file as follows: -

r-sr-x--- root:nicepeople

This would then be executable only by people in the "nicepeople" group, and would be executed as "root". Since o+x is not set, normal users would not be allowed to execute the file.
0 Kudos
Reply
manu_9
Frequent Advisor

‎09-02-2004 11:00 PM

‎09-02-2004 11:00 PM

Re: setuid

Understood.One more question that comes up here , i have seen the efective user id changes in HP ,while running a executable owned by root and having setuid bit set .eg .
#cat test

!#/usr/bin/sh
id
touch /tmp/cc


in this case is the test the owned by root and have 4777 permmissions , the /tmp/kk willl be created by root as the owner.But if yiu try the same thing in solaris it is created by the uid who is calling seuid exec not as a root.So there is more security in Solaris than HP.
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎09-03-2004 12:47 AM

‎09-03-2004 12:47 AM

Re: setuid

I would not call it more security, just a different way of implementing setuid actions. The purpose for setuid is to run the program/script as another user. With that as a goal, if /tmp/cc is created (touch) with the original user's ownership, then it wouldn't be following the purpose of setuid. Note that 4777 is a VERY bad permission for a script. Never allow write access to such a script--use 4755 as a minimum.

All that being said, setuid for scripts should NEVER be allowed to exist on a production system and all mountpoints should have nosuid in fstab except for / /usr /opt. There is no valid reason to allow users setuid (ie, /home /var /tmp) privileges. Virtually all the requirements to create setuid scripts can be handled with the free program sudo.


Bill Hassell, sysadmin
0 Kudos
Reply
Muthukumar_5
Honored Contributor

‎09-03-2004 08:00 PM

‎09-03-2004 08:00 PM

Re: setuid

File creation permission is based on umask setting ( execute "umask" on shell to know th e permission ). By default it will as 00 so that creation of file will be as,

-rw-rw-rw- (666)

4000 (= u=s) Set user ID on file execution (file only)
2000 (= g=s) Set group ID on file execution (file only)

File execution permission is based on user - group - others permission.

If you want to be executed only by root user then,

It's permission may be as,

4755 --> It will setuid and give read / write access to group and other's.

If you want to block other user's to write then,

4744 - enough

Security to the file is designed on the file permission given to user - group - others.

Regards
Muthu

Easy to suggest when don't know about the problem!
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.