Setuid

from Wikipedia, the free encyclopedia

Setuid ( set user ID , sometimes suid ) is an advanced UNIX file rights for files or folders of the Unix - operating system . Executable programs for which this bit is set, in addition to the rights of the user who executes the file, are also executed with the rights of the user who owns the file (i.e. with the rights of the owner of the file, the "owner") ). On most systems, this only works for binary executable files, not interpreted scripts.

This approach enables unprivileged users and processes controlled access to privileged resources.

In the case of FreeBSD , Setuid ensures that files in directories belong to the owner of the directory and not to the user who created them.

Set the SUID bit

In a graphical file management (here Konqueror) the bit can be set with a mouse click.

With classic Unix commands like chmod, the bit can be called with a call like

chmod u+s datei

can be set, where file stands for at least one file or directory.

The right shows a lsz. B. something like this:

-rwsrwxrwx user group datei
If there is an "S" instead of the "s" then there must also be a
chmod u+x datei
are executed.

Modern graphical file managers also offer options for graphically activating / deactivating the bit using a checkbox .

Advantages and disadvantages

The advantage of this approach is its simplicity. In kernel little functionality must exist to implement a wide range of access controls by external programs. In many cases it is sufficient to separate functionality into "privileged" and "non-privileged" and leave the access control to the setuid programs. Programs can also be restricted in their rights if the program is assigned to a restricted user.

The clear disadvantage is that these setuid programs, which belong to a higher-level user such as root , pose a security risk due to their privileges . A bug in one of these programs can easily compromise the whole system . They are therefore often the target of local attacks. Therefore, mechanisms that do not require a setuid are generally preferred .

Classic setuid programs

Unix programs for which the setuid bit must be set for correct function are, for example, suas well as sudowhich start the process to be started under a different user environment with the root rights available to them. Also mountand its counterpart umountusually require root rights. Under Linux , however, normal users are also allowed to mount and unmount drives that are marked in the file /etc/fstabwith the user option .

In all of these cases, the utility programs must be able to perform actions with root rights. The decision as to whether this should be allowed or not, however, must be made by a privileged instance. It is mostly made using configuration files that normal users cannot edit.

See also