"Set User ID bit" demostration

The "set user id"-bit (or setuid-bit) is a potentially dangerous permission type. Wrong usage of setuid can result in unauthorized access to your system.

What it means

When the setuid bit is set on an executable, it runs with the permissions of the file's owner rather than those of the user who started it. For example, this script has the setuid bit set:

$ ls -l myscript.sh
-rwsr-xr-x 1 root wheel 200 Nov 5 10:47 myscript.sh

This script can be executed by anybody. When the user "robert" executes it, for example, it runs with the same permissions as if root had executed it.

Imagine that this script contains the command "reboot"; in that case anybody would be able to reboot the machine.

How you can set it

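Very easy. Use either the octal form (which also sets the rest of the mode to rwxr-xr-x) or the symbolic form (which only adds the bit):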

# chmod 4755 myscript.sh

# chmod u+s myscript.sh

What you can do with it

Here is a small demonstration, first showing that a user can't write to /etc/passwd.

$ echo "foo bar" >> /etc/passwd
-bash: /etc/passwd: Permission denied

Now set the setuid bit:

# chmod u+s /bin/echo

With the setuid bit on, the user is able to write to /etc/passwd:

$ echo "foo bar" >> /etc/passwd

See the dangerous situation we have just created? Undo it by executing:

# chmod u-s /bin/echo

How to detect (and resolve) it

# find / -perm -4000

Note that many files on a system legitimately have the setuid bit set, such as:

  • /bin/mount - because a user needs to be able to mount a cdrom or floppy.
  • /bin/ping
  • /usr/bin/crontab
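
Because the find command above also lists the legitimate setuid files named in this list, a practical audit compares its output with a reviewed baseline and only then removes the bit with chmod u-s. The script below is an added example, not part of the original page; the function names, the allowlist file format and the script name audit.sh are assumptions.

```shell
#!/bin/sh
# Added example: audit setuid files against a reviewed baseline.
# Limitation: assumes file names contain no newline characters.

# list_setuid ROOT
# Print every regular file under ROOT that has the setuid bit set.
list_setuid() {
    # -xdev: stay on ROOT's filesystem; -type f: skip directories and symlinks
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# unexpected_setuid ROOT ALLOWLIST
# Print setuid files under ROOT that are not listed in ALLOWLIST
# (one absolute path per line; blank lines and # comments are ignored).
unexpected_setuid() {
    list_setuid "$1" | awk -v allow="$2" '
        BEGIN {
            while ((getline line < allow) > 0)
                if (line !~ /^(#|$)/) ok[line] = 1
        }
        !($0 in ok)'
}

# clear_unexpected ROOT ALLOWLIST
# Remove the setuid bit (chmod u-s) from every file unexpected_setuid reports.
clear_unexpected() {
    unexpected_setuid "$1" "$2" | while IFS= read -r f; do
        chmod u-s "$f" && printf 'cleared: %s\n' "$f"
    done
}

# Stand-alone use: ./audit.sh ROOT ALLOWLIST   (report only, changes nothing)
if [ "$#" -eq 2 ]; then
    unexpected_setuid "$1" "$2"
fi
```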