Re: Setuid and setgid programs owned by root
From: Stephan Neuhaus (neuhaus_at_cs.uni-sb.de)
Date: Wed, 15 Oct 2003 11:38:45 +0200
Sherman H. wrote:
> What are the security risks for the setuid and setgid programs owned by
> root? Is that true that whoever runs these programs can gain root access?
Yes and no. Briefly: Setuid program files are turned into processes
whose effective user ID is that of the owner of the file. Normally, the
effective user ID of a process is the effective user ID of its parent.
Therefore, the file /bin/ls might belong to root, but when you execute
it, the process runs with your privileges, not root's. If you run
/bin/su, however, which is suid root, the process created from the su
binary runs with root privileges. (This is not the whole story, but it
is accurate enough.)
Since access to the root privileges is mediated through the program,
ordinary users can in theory only access those services that the program
allows them to access. Well-written suid root programs allow users to do
tasks for which they would ordinarily need a person with the root
password, such as changing their password. Therefore, well-written suid
root programs can be a good thing. However, if the suid program has a
security-related bug, that could lead to a compromise of your machine.
It has happened in the past, for example with sendmail. That happens
more often than one would like.
> Please advise?
Use as few of them as possible. Disable any suid or sgid programs that
you don't need by turning off the suid/sgid bits (chmod u-s or chmod
g-s). The book "Unix and Internet Security" (title?) by Simson and
Garfinkel has a list of common suid programs and good advice on how to
handle suid programs that you don't recognize.
-- 
Stephan Neuhaus
University of the Saarland, Department of Computer Science
Experimental Software Security at the Chair of Software Engineering
Web: http://www.st.cs.uni-sb.de/~neuhaus
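
The advice in the message above (find the suid/sgid programs, keep the ones you need, turn the bits off on the rest), as an added shell example that is not part of the original message. The function names, the allowlist file (one absolute path per line) and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): inventory setuid/setgid
# files, compare them with a reviewed allowlist, and clear the bits on the rest.
# Function names and the allowlist format (one path per line) are assumptions.

# list_suid DIR [UID]: print "BITS PATH" for each regular file under DIR that
# is owned by UID (default 0, i.e. root) and has the setuid or setgid bit set.
list_suid() {
    find "$1" -xdev -type f -user "${2:-0}" \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        bits=""
        [ -u "$f" ] && bits="suid"
        [ -g "$f" ] && bits="${bits:+$bits,}sgid"
        printf '%s %s\n' "$bits" "$f"
    done | sort -k2
}

# unexpected_suid DIR ALLOWLIST [UID]: the same listing minus every path that
# appears as an exact line in ALLOWLIST (the programs you decided to keep).
unexpected_suid() {
    list_suid "$1" "${3:-0}" | while read -r bits path; do
        grep -Fxq -- "$path" "$2" || printf '%s %s\n' "$bits" "$path"
    done
}

# disable_suid PATH: turn off both bits, as with chmod u-s / chmod g-s.
disable_suid() {
    chmod u-s,g-s -- "$1"
}

# Review the output before disabling anything. Hypothetical invocation:
#   sh suid_audit.sh / /etc/suid.allow
if [ "$#" -ge 2 ]; then
    unexpected_suid "$1" "$2" "${3:-0}"
fi
```

File names containing newlines are not handled by the line-based loop; on a system where that matters, review the raw `find` output instead.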