SUID question

**charmdream** · 08-19-2011

If SUID is set: the application always runs as the owner of the application, no matter who runs the application.

I tried a simple script, seems it's not working as I expected. Could someone tell me if I did wrong?

I created a script file test_suid.sh, with just one command inside:
touch test

And changed the owner of the file test_suid.sh to be "wwwrun".
And set SUID bit on. (chmod u+s test_suid.sh)

But when I ran it, the "test" file created still belong to my username, but not "wwwrun".

Can someone explain why? Is there other "trick"? or my understanding is not right?

Thanks

**hazel** · 08-20-2011

Originally Posted by charmdream

If SUID is set: the application always runs as the owner of the application, no matter who runs the application.

I tried a simple script, seems it's not working as I expected. Could someone tell me if I did wrong?

I created a script file test_suid.sh, with just one command inside:
touch test

And changed the owner of the file test_suid.sh to be "wwwrun".
And set SUID bit on. (chmod u+s test_suid.sh)

But when I ran it, the "test" file created still belong to my username, but not "wwwrun".

Can someone explain why? Is there other "trick"? or my understanding is not right?

Thanks

Well, there's your UID and your EUID. The EUID is your "effective UID" and may be different from your real UID. I'm not sure but I think setting suid changes only the EUID. It's like using su as against su -. Try putting the commands

Code:

echo $UID
echo $EUID

into your script and see what happens.

**charmdream** · 08-22-2011

Thanks for your reply.

I tried to add echo of $UID and $EUID in the script.
And both showed same value as my user, NOT the id of the file's owner user.

It seems the SUID had no effect and didn't change anything.

Is there any other settings regarding this?

Thanks again

Originally Posted by hazel

Well, there's your UID and your EUID. The EUID is your "effective UID" and may be different from your real UID. I'm not sure but I think setting suid changes only the EUID. It's like using su as against su -. Try putting the commands

Code:

echo $UID
echo $EUID

into your script and see what happens.

**atreyu** · 08-23-2011

I'm pretty sure that the kernel as of (a long time ago...) does not allow scripts to run with the setuid bit. You'll have to convert your script to a C prog and setuid that guy - at least that was my solution when I ran into this.

**charmdream** · 08-23-2011

So you mean SUID/SGID is not supported in shell level?

Thanks

Originally Posted by atreyu

I'm pretty sure that the kernel as of (a long time ago...) does not allow scripts to run with the setuid bit. You'll have to convert your script to a C prog and setuid that guy - at least that was my solution when I ran into this.

**hazel** · 08-24-2011

Originally Posted by charmdream

So you mean SUID/SGID is not supported in shell level?

Thanks

Ah yes! I'd forgetton that wrinkle. The reason SUID/SGID is not supported for scripts is to prevent "script kiddies" from writing malicious software that could run with root permissions.
Writing C programs is much more difficult than writing bash scripts, so less likely to be abused. It's for the same reason that the exec bit is not honoured for files on floppy disks.

**charmdream** · 08-24-2011

I got it. No wonder I couldn't make it work.

Thanks for the information.

Originally Posted by hazel

Ah yes! I'd forgetton that wrinkle. The reason SUID/SGID is not supported for scripts is to prevent "script kiddies" from writing malicious software that could run with root permissions.
Writing C programs is much more difficult than writing bash scripts, so less likely to be abused. It's for the same reason that the exec bit is not honoured for files on floppy disks.

Thread Tools

Display

SUID question

Posting Permissions