SetUID – Fix SetUID Bit Not Working in Ubuntu

setuid

I suppose an executable file with SetUID bit set should be running as its owner but I cannot really reproduce it. I tried the following.

$ cat prepare.sh
cp /bin/bash .
chown root.root bash
chmod 4770 bash # Verified
$ sudo sh prepare.sh
$ ./bash
$ id -u
1000
$ exit
$

$ cat test.c
#include<stdio.h>
#include<unistd.h>
int main(){
    printf("%d,%d\n", getuid(), geteuid());
    return 0;
}
$ gcc -o test test.c
$ chmod 4770 test # Verified
$ sudo chown root.root test
$ ./test
1000,1000
$ # Why???

However

$ su
# ./bash
# id -u
0
# ./test
0,0
# exit
# exit
$

Note: The mount point has no nosuid nor noexec set.
Can anyone explain why it's failing to work on Ubuntu 16.04 LTS?

Best Answer

For the compiled executable, from man 2 chown:

When the owner or group  of  an  executable  file  are  changed  by  an
unprivileged user the S_ISUID and S_ISGID mode bits are cleared.  POSIX
does not specify whether this also should happen  when  root  does  the
chown();  the Linux behavior depends on the kernel version.

Reversing the chown and chmod order works for me:

$ sudo chmod 4770 foo
$ sudo chown root:root foo
$ stat foo
  File: 'foo'
  Size: 8712        Blocks: 24         IO Block: 4096   regular file
Device: 801h/2049d  Inode: 967977      Links: 1
Access: (0770/-rwxrwx---)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-04-18 15:15:15.074425000 +0900
Modify: 2017-04-18 15:15:15.074425000 +0900
Change: 2017-04-18 15:15:33.683725000 +0900
 Birth: -
$ sudo chmod 4777 foo
$ ./foo
1000,0

Related Solutions

Linux Bash Setuid – Setuid Bit Seems to Have No Effect on Bash

The explanation is kind of annoying: bash itself is the reason. strace is our friend (must be SUID root itself for this to work):

getuid()                                = 1000
getgid()                                = 1001
geteuid()                               = 0
getegid()                               = 1001
setuid(1000)                            = 0
setgid(1001)                            = 0

bash detects that it has been started SUID root (UID!=EUID) and uses its root power to throw this power away, resetting EUID to UID. And later even FSUID, just to be sure...:

getuid()                                = 1000
setfsuid(1000)                          = 1000
getgid()                                = 1001
setfsgid(1001)                          = 1001

In the end: no chance. You have to start bash with UID root (i.e. sudo).

Edit 1

The man page says this:

If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, no startup files are read, shell functions are not inherited from the environment, the SHELLOPTS, BASHOPTS, CDPATH, and GLOBIGNORE variables, if they appear in the environment, are ignored, and the effective user id is set to the real user id. If the -p option is supplied at invocation, the startup behavior is the same, but the effective user id is not reset.

But this does not work for me. -p isn't even mentioned among the startup options. I also tried --posix; didn't work either.

Permissions – Purpose of setuid with No Executable Bit

Now, I believe with setuid any user could execute the script.

Not quite. To make the script executable by every user, you just need to set a+rx permissions:

chmod a+rx script

setuid means that the script is always executed with the owner's permissions, that is, if you have the following binary:

martin@dogmeat ~ % touch dangerous
martin@dogmeat ~ % sudo chown root:root dangerous 
martin@dogmeat ~ % sudo chmod a+rx,u+s dangerous 
martin@dogmeat ~ % ll dangerous 
-rwsrwxr-x 1 root root 0 Sep 30 17:23 dangerous*

This binary will always run as root, regardless of the user that is executing it. Obviously this is dangerous and you have to be extremely careful with setuid, especially when you are writing setuid applications. Also, you shouldn't be using setuid on scripts at all because it's inherently unsafe on Linux.

Now, I understand the S denotes setuid with no executable bit. That is, no one can execute this file.

So my question is, what practical purposes do the setting of S bit have? I am trying to understand from an example perspective for setting this bit.

I don't think that there is a practical purpose, IMO it's just a possible combination of the permission bits.

Best Answer

Related Solutions

Linux Bash Setuid – Setuid Bit Seems to Have No Effect on Bash

Permissions – Purpose of setuid with No Executable Bit

Related Question