I know that enabling setuid on scripts has security issues and so is inactive by default, but expect that it works for executables.
I created an executable which shows the uid as its output, following the instructions described in this post: Allow setuid on shell scripts
But it returns the same uid (1000) both before and after running sudo chmod +s ./setuid-test. I think this means that setuid does not have any effect on my executable; why, and how do I solve it?
The source code:
#include <stdio.h>
#include <unistd.h>

/* Print the effective uid of the running process. If the setuid bit on the
 * binary is honoured, this should be the owner's uid rather than the caller's. */
int main(int argc, char** argv) {
    printf("%d\n", geteuid());
    return 0;
}
Built and run with
$ gcc -o setuid-test setuid-test.c
$ ./setuid-test
1000
$ sudo chown nobody ./setuid-test; sudo chmod +s ./setuid-test
$ ./setuid-test
1000
When running ls -la, this is what I get:
me@me:~$ ls -la setuid-test
-rwsrwsr-x 1 nobody me 8572 Aug 19 16:39 setuid-test
Best Answer
Most filesystems designed for Unix/Linux can be mounted with a nosuid attribute, which will prevent setuid or setgid binaries located on those filesystems from altering the effective uid or gid of a process. It's often used when mounting "untrusted" filesystems, those that are under the control of a non-administrator. In your case, the filesystem you're using is type ecryptfs, which according to askubuntu: Error when running binary with root setuid under encrypted home directory enforces nosuid (and nodev) automatically, starting with the versions from a few years ago.
Here is a description of the reason for the change, from https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3409 :
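The diagnosis in the answer (a setuid bit that is silently ignored because the filesystem is mounted nosuid) can be checked directly from the mount table instead of by guessing. The script below is an added example, not code from the question or the answer: it resolves the mount point that holds a binary, looks up that mount's options in /proc/self/mounts, and reports whether nosuid is set. The SAMPLE_MOUNTS table at the bottom is constructed to show an ecryptfs home mounted nosuid; the function names (has_nosuid, mount_opts_for, mount_point_of, setuid_honoured_for) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the filesystem
# holding a binary is mounted with nosuid, which makes the kernel ignore the
# setuid/setgid bits regardless of what ls -la shows.

# Return 0 if a comma-separated mount option string contains exactly "nosuid".
# The surrounding commas make the match exact, so an option that merely
# starts with "nosuid" would not be counted.
has_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Given the text of a mount table in fstab/mtab/proc format
#   <device> <mountpoint> <fstype> <options> <dump> <pass>
# and a mount point, print the options field of the matching entry.
mount_opts_for() {
    # $1 = mount table text, $2 = mount point
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }'
}

# Resolve the mount point that holds a path, using POSIX df -P
# (the last field of the second output line is the mount point).
mount_point_of() {
    df -P -- "$1" | awk 'NR == 2 { print $NF }'
}

# Full check against the live system.
# Returns 0 if setuid bits on $1 will be honoured, 1 if the filesystem is
# nosuid, 2 if the mount could not be resolved.
setuid_honoured_for() {
    mp=$(mount_point_of "$1") || return 2
    [ -n "$mp" ] || return 2
    opts=$(mount_opts_for "$(cat /proc/self/mounts)" "$mp")
    [ -n "$opts" ] || return 2
    if has_nosuid "$opts"; then
        echo "$1 is on $mp (options: $opts): setuid/setgid bits are ignored" >&2
        return 1
    fi
    echo "$1 is on $mp (options: $opts): setuid/setgid bits are honoured" >&2
    return 0
}

# Constructed sample mount table for offline demonstration. The ecryptfs
# entry mirrors the answer's scenario: an encrypted home mounted nosuid,nodev.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/home/me/.Private /home/me ecryptfs rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# Walk the sample table and report each mount point's status.
report_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | awk '{ print $2 }' | while read -r mp; do
        if has_nosuid "$(mount_opts_for "$SAMPLE_MOUNTS" "$mp")"; then
            echo "$mp: nosuid (setuid binaries here will not change euid)"
        else
            echo "$mp: setuid honoured"
        fi
    done
}

report_sample
# Usage against a real binary, e.g. the one from the question:
#   setuid_honoured_for ./setuid-test
```

If the check reports nosuid for the directory holding setuid-test, the fix is to place the binary on a filesystem mounted without nosuid (the answer's point: an ecryptfs home cannot be made to honour it), not to change the file's mode bits again.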