Setuid
Setuid ( set user ID , sometimes suid ) is an advanced UNIX file rights for files or folders of the Unix - operating system . Executable programs for which this bit is set, in addition to the rights of the user who executes the file, are also executed with the rights of the user who owns the file (i.e. with the rights of the owner of the file, the "owner") ). On most systems, this only works for binary executable files, not interpreted scripts.
This approach enables unprivileged users and processes controlled access to privileged resources.
In the case of FreeBSD , Setuid ensures that files in directories belong to the owner of the directory and not to the user who created them.
Set the SUID bit
With classic Unix commands like chmod
, the bit can be called with a call like
chmod u+s datei
can be set, where file stands for at least one file or directory.
The right shows a ls
z. B. something like this:
-rwsrwxrwx user group datei
- If there is an "S" instead of the "s" then there must also be a
chmod u+x datei
- are executed.
Modern graphical file managers also offer options for graphically activating / deactivating the bit using a checkbox .
Advantages and disadvantages
The advantage of this approach is its simplicity. In kernel little functionality must exist to implement a wide range of access controls by external programs. In many cases it is sufficient to separate functionality into "privileged" and "non-privileged" and leave the access control to the setuid programs. Programs can also be restricted in their rights if the program is assigned to a restricted user.
The clear disadvantage is that these setuid programs, which belong to a higher-level user such as root , pose a security risk due to their privileges . A bug in one of these programs can easily compromise the whole system . They are therefore often the target of local attacks. Therefore, mechanisms that do not require a setuid are generally preferred .
Classic setuid programs
Unix programs for which the setuid bit must be set for correct function are, for example, su
as well as sudo
which start the process to be started under a different user environment with the root rights available to them. Also mount
and its counterpart umount
usually require root rights. Under Linux , however, normal users are also allowed to mount and unmount drives that are marked in the file /etc/fstab
with the user option .
In all of these cases, the utility programs must be able to perform actions with root rights. The decision as to whether this should be allowed or not, however, must be made by a privileged instance. It is mostly made using configuration files that normal users cannot edit.
See also
- Unix file rights
- Access Control List
- Further extended file rights: Setgid , Sticky Bit