When you execute a program, you create a process. Four identifiers are assigned to this process upon its creation. These are its real uid, real gid, effective uid, and effective gid.
File access for a process is determined by its effective uid and effective gid. This means that the process has the same access to a file as the owner of this file, if its effective uid is the same as the uid of the file. When the effective uid is different from the uid of the file, but the effective gid of the process is the same as the gid of the file, the process has the same access as the group associated with the file. Finally, when the effective uid of the process is different from the uid of the file, and the effective gid of the process is different from the gid of the file, the process has the same access to the file as others (users besides the owner and members of the group).
Unless the set user ID (suid) permission and/or the set group ID (sgid) permission of an executable file are set, the process created is assigned your uid and gid as its real and effective uid and real and effective gid, respectively. In this case, the process has exactly the same permissions that you do. For instance, for the process to execute a program, you must have execute permission for the file containing this program.
When the suid permission of an executable file is set, a process created from the program has its effective uid set to that of the owner of the file, instead of your own uid. This means that the file access privileges of the process are determined by the permissions of the owner of the file. For instance, if the suid permission is set, a process can create a file when the owner of the file has execute permission and write permission for the directory where the file will be created.
The suid permission is used in several important user programs that need to read or write files owned by root. For instance, when you run the passwd command to change your password, you have the same permissions as root. This allows you to read and write to the files /etc/passwd and /etc/shadow when you change passwords, although ordinarily you do not have access privileges.
You can use chmod to set the suid permission of a file that you own. For instance,
$ chmod u+s displaysal
sets the suid permission of displaysal. This is a hypothetical program owned by the departmental secretary that a user can run to display his or her salary, using the file salary, which contains salary information for all members of Department X. The salary file has its permissions set so that only its owner and the departmental secretary (as well as the superuser) can read or write it. The ls -l line for this file is given here:
-rws--x--- 1 ptc 471 2561 Oct 6 02:32 displaysal
A user who is a member of the group 471 can run the displaysal program. All members of Department X are assigned to group 471. Because displaysal has its suid permission set, the permissions of the process created are those of ptc, the owner of the program. So the process can read the file salary and can display the salary information for the person who runs the program.
You also can use chmod to remove the suid permission of a file. The command
$ chmod u-s displaysal
removes the suid permission from displaysal.
If the set group ID permission of an executable file is set, any process created by that executable file has the same group access permissions as the group associated with the executable file. To set the sgid of the file displaysal, use the following command:
$ chmod g+s displaysal
Assuming the suid for this file is not set, the ls -l line for this file is this:
-rwx--s--- 1 ptc 471 2561 Oct 6 02:32 displaysal
The effective uid of a process created by running displaysal is the uid of the user running the program, but the effective gid will be 471, the gid associated with displaysal.
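The rules above, traced for the displaysal scenario, as an added example that is not code from the original text. The numeric uids 1001 (ptc) and 1002 (the caller) and the salary mode 0600 are assumptions; like the description above, the model ignores supplementary groups and the superuser.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

enum { WANT_R = 4, WANT_W = 2, WANT_X = 1 };

/* Exactly one permission class applies, tested in order: owner, group, other. */
static int class_shift(uid_t euid, gid_t egid, uid_t fuid, gid_t fgid)
{
    if (euid == fuid) return 6;   /* owner bits */
    if (egid == fgid) return 3;   /* group bits */
    return 0;                     /* other bits */
}

/* Returns 1 if a process with these effective ids is granted `want` on the file. */
int may_access(uid_t euid, gid_t egid, uid_t fuid, gid_t fgid, mode_t mode, int want)
{
    int granted = (int)((mode >> class_shift(euid, egid, fuid, fgid)) & 7);
    return (granted & want) == want;
}

/* Effective ids of the process created by running an executable file. */
void ids_after_exec(uid_t ruid, gid_t rgid, uid_t fuid, gid_t fgid, mode_t mode,
                    uid_t *euid, gid_t *egid)
{
    *euid = (mode & S_ISUID) ? fuid : ruid;   /* suid: take the file owner's uid */
    *egid = (mode & S_ISGID) ? fgid : rgid;   /* sgid: take the file's gid */
}

int main(void)
{
    /* Constructed ids: ptc = 1001, the caller = 1002; group 471 is from the text. */
    const uid_t ptc = 1001, user = 1002;
    const gid_t dept = 471;
    const mode_t displaysal = 04710;   /* -rws--x--- */
    const mode_t salary = 0600;        /* assumed: owner read/write only */
    uid_t euid; gid_t egid;

    printf("caller may execute displaysal: %d\n",
           may_access(user, dept, ptc, dept, displaysal, WANT_X));
    ids_after_exec(user, dept, ptc, dept, displaysal, &euid, &egid);
    printf("with suid:    euid=%d, may read salary: %d\n", (int)euid,
           may_access(euid, egid, ptc, dept, salary, WANT_R));
    ids_after_exec(user, dept, ptc, dept, displaysal & ~S_ISUID, &euid, &egid);
    printf("without suid: euid=%d, may read salary: %d\n", (int)euid,
           may_access(euid, egid, ptc, dept, salary, WANT_R));
    return 0;
}
```

Because the first matching class decides, an owner whose own bits are cleared is denied even when the group or other bits would allow the access.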
You can set suid and sgid permissions by supplying chmod with a string of four octal digits. The leftmost digit changes the suid or sgid permissions; the other three digits change the read, write, and execute permissions, as previously described.
If the first digit is 6, both the suid and sgid permissions are set. If it is 4, the suid permission is set and the sgid permission is not set. If the first digit is 2, the suid permission is not set and the sgid permission is set. And if it is 0 (or missing), neither the suid permission nor the sgid permission is set. In the following example, the suid permission is set and the sgid permission is not set:
$ chmod 4744 displaysal
$ ls -l | grep displaysal
-rwsr--r-- 1 ptc 471 15 Oct 17 12:12 displaysal
In the next example, the suid permission is not set and the sgid permission is set:
$ chmod 2744 displaysal
$ ls -l | grep displaysal
-rwxr-sr-- 1 ptc 471 15 Oct 17 12:12 displaysal
When you are the owner of a suid program, other users have all your privileges when they run this program. Unless care is taken, this can make your resources vulnerable to attack. For instance, suppose you have included a command that allows a shell escape in a suid program. Any user running this program will be able to escape to a shell that has your privileges assigned to it, which lets this user have the same access to your resources as you do. This user could copy, modify, or delete your files or execute any of your programs.
Because of this, and other security problems, you should be extremely careful when writing suid or sgid programs. Guidelines for writing these programs, without opening security gaps, can be found in the references listed at the end of this chapter.
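One way to keep a shell escape from inheriting the owner's privileges, as an added example that is not taken from the original text or its references: the shell is started only in a child process that has first reset its ids to those of the invoking user. The function names drop_privileges and run_shell_escape are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Give up the file owner's ids so that the real and effective ids are both
 * the invoking user's. Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();   /* real uid: the user who ran the program */
    gid_t rgid = getgid();   /* real gid of that user */

    /* Group first: after the uid is dropped the process may no longer be
     * permitted to change its gid. */
    if (setregid(rgid, rgid) != 0) return -1;
    if (setreuid(ruid, ruid) != 0) return -1;

    /* Never assume the calls worked; confirm the resulting ids. */
    if (geteuid() != ruid || getegid() != rgid) return -1;
    return 0;
}

/* Shell escape for a suid/sgid program: the shell runs in a child process
 * that has already dropped the owner's privileges.
 * Returns the shell's exit status, or -1 on error. */
int run_shell_escape(const char *cmd)
{
    int status;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges() != 0) _exit(126);   /* refuse to run privileged */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                               /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed command: prints the ids the escaped shell runs with. */
    int rc = run_shell_escape("id");
    printf("shell exited with status %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The parent process keeps its effective uid, so the program can continue its privileged work after the shell exits.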