setuid
On Executables
When an executable file has been given the setuid attribute, normal users on the system who have permission to execute this file gain the privileges of the user who owns the file (commonly root) within the created process: the effective user ID of the new process is set to the file's owner, while its real user ID remains that of the invoking user. When root privileges have been gained within the process, the application can then perform tasks on the system that regular users normally would be restricted from doing. So that the invoking user cannot subvert the privileged process, the system prohibits them from altering it in any way, such as by attaching a debugger with ptrace, by injecting code through environment variables such as LD_LIBRARY_PATH or LD_PRELOAD (the dynamic loader ignores them for setuid programs), or by sending signals to it (signals generated by the terminal, such as SIGINT from Ctrl-C, will still be delivered, however).
While the setuid feature is very useful in many cases, its improper use can pose a security risk if the setuid attribute is assigned to executable programs that are not carefully designed. Due to potential security issues, many operating systems (Linux among them) ignore the setuid attribute when applied to executable shell scripts: the kernel starts the interpreter named on the script's "#!" line and hands it the script's path, so the script can be swapped for another file between the kernel's permission check and the interpreter's opening of it, a race that would let an attacker run arbitrary commands with the script owner's privileges.
The setgid attribute will allow for changing the group-based privileges within a process, like the setuid flag does for user-based privileges.
The presence of setuid executables explains why the chroot system call is not available to non-root users on Unix: a user who could chroot into a directory of their own making could place a crafted /etc/passwd or shared library in it and then run a setuid root binary, which would read the attacker's files while executing as root. See limitations of chroot for more details.
The setuid and setgid bits are normally set with the command chmod by setting the high-order octal digit to 4 (for setuid) or 2 (for setgid). "chmod 6711 file" will set both the setuid and setgid bits (2+4=6), make the file read/write/executable for the owner (7), and executable by the group (first 1) and others (second 1). When a user other than the owner executes the file, the process will run with the effective user and group IDs of the file's owner and group, while its real IDs remain those of the invoking user. For example, if the file is owned by user root and group wheel, it will run as root:wheel no matter who executes the file.
Most implementations of the chmod command also support finer-grained, symbolic arguments to set these bits; for example, "chmod ug+s file" adds the setuid and setgid bits while leaving the ordinary read/write/execute bits unchanged, and "chmod ug-s file" removes them again.
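As an added example (not part of the original article), the following POSIX shell script exercises both the numeric "6711" and the symbolic "ug+s" forms on a throwaway file, shows how the bits appear in the octal mode from stat and in the ls -l listing, and finishes with the check a practitioner runs after any such change: a find over the directory for every regular file carrying either bit. It assumes GNU stat (stat -c '%a'); the directory, file name and file contents are constructed for the demonstration. Because it runs as an unprivileged user on a file that user owns, the bits are set but grant nothing when the file is executed.

```shell
#!/bin/sh
# Added example, not from the original article: set, inspect and audit the
# setuid/setgid bits from a shell. Runs as an unprivileged user on a scratch
# file we own, so the bits get set but grant no extra privilege when run.
# Assumes GNU stat ("stat -c"); the directory and file below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TARGET="$WORK/demo-bin"

# A trivial executable that reports the uid it runs as (constructed sample).
printf '#!/bin/sh\nid -u\n' > "$TARGET"
chmod 0755 "$TARGET"

# mode_of FILE: print the permission bits in octal, special bits included
# (e.g. 6711), the way the numeric chmod argument is written.
mode_of() {
    stat -c '%a' "$1"
}

# symbolic_mode FILE: the ten-character ls -l form, where an "s" in the owner
# or group execute slot marks setuid or setgid respectively.
symbolic_mode() {
    ls -l "$1" | cut -c1-10
}

# set_bits_numeric FILE: the "chmod 6711" form. The high-order digit is
# 4 (setuid) + 2 (setgid); the rest is rwx for owner, x for group and others.
set_bits_numeric() {
    chmod 6711 "$1"
    mode_of "$1"
}

# set_bits_symbolic FILE: the "chmod ug+s" form, which adds both special bits
# and leaves the ordinary rwx bits exactly as they were.
set_bits_symbolic() {
    chmod ug+s "$1"
    mode_of "$1"
}

# clear_bits FILE: remove both special bits again (the usual remediation).
clear_bits() {
    chmod ug-s "$1"
    mode_of "$1"
}

# audit_special_bits DIR: the post-change check. Lists every regular file
# under DIR with setuid (-perm -4000) or setgid (-perm -2000) set; on a real
# system this is run against / to inventory privileged executables.
audit_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Walk through the sequence once when the script is run directly.
echo "initial: $(mode_of "$TARGET") $(symbolic_mode "$TARGET")"
echo "6711:    $(set_bits_numeric "$TARGET") $(symbolic_mode "$TARGET")"
chmod 0755 "$TARGET"
echo "ug+s:    $(set_bits_symbolic "$TARGET") $(symbolic_mode "$TARGET")"
echo "audit:   $(audit_special_bits "$WORK")"
echo "ug-s:    $(clear_bits "$TARGET") $(symbolic_mode "$TARGET")"
```

Note that chmod silently drops the setgid bit if the caller is not a member of the file's group, so an audit that expects a 6xxx mode and sees 4xxx is a sign that the group ownership, not the chmod invocation, needs fixing.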