Linux Bash Setuid – Setuid Bit Seems to Have No Effect on Bash


I was experimenting a bit and noticed something strange: setting the setuid bit on a copy of bash located at /usr/bin/bash-test seemed to have no effect. When I ran an instance of bash-test, my home directory was not set to /root and when I ran the whoami command from bash-test, my username was not reported as being root, suggesting that bash-test was not running as root. However, if I set the setuid bit on whoami, I was reported as being root in any shell, as expected.

I tried setting the setuid bit on /usr/bin/bash as well and observed the same behavior.

Why is bash not running as root when I set the setuid bit on it? Could SELinux have something to do with this?

Best Answer

The explanation is kind of annoying: bash itself is the reason. strace is our friend (must be SUID root itself for this to work):

getuid()                                = 1000
getgid()                                = 1001
geteuid()                               = 0
getegid()                               = 1001
setuid(1000)                            = 0
setgid(1001)                            = 0

bash detects that it has been started SUID root (UID!=EUID) and uses its root power to throw this power away, resetting EUID to UID. And later even FSUID, just to be sure...:

getuid()                                = 1000
setfsuid(1000)                          = 1000
getgid()                                = 1001
setfsgid(1001)                          = 1001

In the end: no chance. You have to start bash with UID root (i.e. sudo).

Edit 1

The man page says this:

If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, no startup files are read, shell functions are not inherited from the environment, the SHELLOPTS, BASHOPTS, CDPATH, and GLOBIGNORE variables, if they appear in the environment, are ignored, and the effective user id is set to the real user id. If the -p option is supplied at invocation, the startup behavior is the same, but the effective user id is not reset.

But this does not work for me. -p isn't even mentioned among the startup options. I also tried --posix; didn't work either.
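The startup rule quoted from the man page, written out as an added C example (not part of the original answer and not bash's own source): the function names `should_drop_privs` and `drop_privs` and the `p_flag` parameter are hypothetical. Unlike the strace output above, it drops the group before the user and then verifies the result, which is the usual order for a permanent drop.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Rule from the quoted man page text: reset the effective ids when they
 * differ from the real ids and -p was not supplied (p_flag == 0). */
int should_drop_privs(uid_t uid, uid_t euid, gid_t gid, gid_t egid, int p_flag)
{
    return (uid != euid || gid != egid) && !p_flag;
}

/* Drop to the real ids. Returns 0 on success or when there is nothing to
 * drop, -1 on failure. */
int drop_privs(int p_flag)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (!should_drop_privs(uid, geteuid(), gid, getegid(), p_flag))
        return 0;

    /* Group first: once the effective uid is no longer 0, the process may
     * not be allowed to change its gid any more. When the effective uid is
     * 0, setuid() and setgid() also reset the saved ids on Linux. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;

    /* Never trust the return codes alone; confirm the ids really changed. */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    printf("before: uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    if (drop_privs(0) != 0) {
        fprintf(stderr, "privilege drop failed\n");
        return 1;
    }
    printf("after:  uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```

Run from an ordinary account, both lines print the same ids; the drop path is only taken when the real and effective ids differ, as in the strace output above (UID 1000, EUID 0).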
