
setuid

Article snapshot taken from Wikipedia under the Creative Commons Attribution-ShareAlike license.

The Unix and Linux access rights flags setuid and setgid (short for set user identity and set group identity) allow users to run an executable with the file system permissions of the executable's owner or group respectively and to change behaviour in directories. They are often used to allow users on a computer system to run programs with temporarily elevated privileges to perform a specific task. While the assumed user id or group id privileges provided are not always elevated, at a minimum they are specific.


50-480: The flags setuid and setgid are needed for tasks that require different privileges than what the user is normally granted, such as the ability to alter system files or databases to change their login password. Some of the tasks that require additional privileges may not immediately be obvious, though, such as the ping command, which must send and listen for control packets on a network interface. The setuid and setgid bits are normally represented as

100-430: A Sequence Number that is only reset at boot time. The Echo Reply is returned as: An ICMP packet transported with IPv6 looks like this. Most Linux systems use a unique Identifier for every ping process, and Sequence Number is an increasing number within that process. Windows uses a fixed Identifier , which varies between Windows versions, and a Sequence Number that is only reset at boot time. The Echo Reply

150-441: A standard deviation of 0.748 ms. In cases of no response from the target host, most implementations display either nothing or periodically print notifications about timing out. Possible ping results indicating a problem include the following: In case of error, the target host or an intermediate router sends back an ICMP error message, for example host unreachable or TTL exceeded in transit . In addition, these messages include

200-413: A file to be created with execute permissions. In these environments, newly created files will always have execute permission disabled for all users. The mask is generally only applied to functions that create a new file; however, there are exceptions. For example, when using UNIX and GNU versions of chmod to set the permissions of a file, and symbolic notation is used, and no user is specified, then

250-404: A manner similar to setgid , in which case it forces all files and sub-directories created in a directory to be owned by that directory's owner - a simple form of inheritance. This is generally not needed on most systems derived from BSD , since by default directories are treated as if their setgid bit is always set, regardless of the actual value. As is stated in open(2) , "When a new file

300-417: A read-only umask or an append only attribute. Developers design and implement programs that use this bit on executables carefully in order to avoid security vulnerabilities including buffer overruns and path injection . Successful buffer-overrun attacks on vulnerable applications allow the attacker to execute arbitrary code under the rights of the process exploited. In the event that a vulnerable process uses

350-524: A recursive mode restricted to directories, so modifying an existing directory tree must be done manually, with a command such as find /path/to/directory -type d -exec chmod g+s '{}' \;. The setuid and setgid flags have different effects, depending on whether they are applied to a file, to a directory or binary executable or non-binary executable file. The setuid and setgid flags have an effect only on binary executable files and not on scripts (e.g., Bash, Perl, Python). When

400-466: A single request wakes up that host just enough to allow its Echo Reply service to reply instantly if that service was enabled. The host does not need to wake up all devices completely and may return to low-power mode after a short delay. Such configuration may be used to avoid a host to enter in hibernation state, with much longer wake-up delay, after some time passed in low power active mode. A packet including IP and ICMP headers must not be greater than

450-399: A statistical summary of the results, typically including the minimum, maximum, the mean round-trip times, and standard deviation of the mean. The command-line options of the ping utility and its output vary between the numerous implementations. Options may include the size of the payload, count of tests, limits for the number of network hops ( TTL ) that probes traverse, interval between

500-566: Is 'root' and the SUID permission is set (the '4') - so the file is executed as 'root'. The reason an executable would be run as 'root' is so that it can modify specific files that the user would not normally be allowed to, without giving the user full root access. A default use of this can be seen with the /usr/bin/passwd binary file. /usr/bin/passwd needs to modify /etc/passwd and /etc/shadow which store account information and password hashes for all users, and these can only be modified by

550-431: Is a command that determines the settings of a mask that controls how file permissions are set for newly created files. It may also affect how the file permissions are changed explicitly. umask is also a function that sets the mask, or it may refer to the mask itself, which is formally known as the file mode creation mask . The mask is a grouping of bits , each of which restricts how its corresponding permission


600-400: Is able to change its settings using a function call. When the process is a shell , the mask is set with the umask command. When a shell or process launches a new process, the child process inherits the mask from its parent process. Generally, the mask only affects file permissions during the creation of new files and has no effect when file permissions are changed in existing files; however,

650-420: Is configured to accept wakeup requests. If the host is already active and configured to allow replies to incoming ICMP Echo Request packets, the returned reply should include the same payload. This may be used to detect that the remote host was effectively woken up, by repeating a new request after some delay to allow the host to resume its network services. If the host was just sleeping in low power active state,

700-413: Is created it is given the group of the directory which contains it." Permissions of a file can be checked in octal form and/or alphabetic form with the command line tool stat 4701 on an executable file owned by 'root' and the group 'root' A user named 'thompson' attempts to execute the file. The executable permission for all users is set (the '1') so 'thompson' can execute the file. The file owner

750-488: Is present, the leftmost (high-order) digit addresses three additional attributes, the setuid bit , the setgid bit and the sticky bit . When umask is invoked using symbolic notation, it will modify or set the flags as specified by the maskExpression with the syntax: Note that this syntax does not work when using the C shell due to the different behaviour of its built-in umask command. Multiple maskExpressions are separated by commas. A space terminates

800-402: Is returned as: The payload of the packet is generally filled with ASCII characters, as the output of the tcpdump utility shows in the last 32 bytes of the following example (after the eight-byte ICMP header starting with 0x0800 ): The payload may include a timestamp indicating the time of transmission and a sequence number, which are not found in this example. This allows ping to compute

850-411: Is set for newly created files. The bits in the mask may be changed by invoking the umask command. In Unix-like systems, each file has a set of attributes that control who can read, write or execute it. When a program creates a file, the file permissions are restricted by the mask. If the mask has a bit set to "1", then the corresponding initial file permission will be disabled . A bit set to "0" in

900-455: Is set. However, if 'thoughts' is a file, then 'wozniak' can edit it. Sticky bit has the final decision. If sticky bit and SGID had not been set, the user 'wozniak' could rename, move, or delete the file named 'thoughts' because the directory named 'blog' allows read and write by group, and wozniak belongs to the group, and the default 0002 umask allows new files to be edited by group. Sticky bit and SGID could be combined with something such as

950-422: Is the output of running ping on Linux for sending five probes (1-second interval by default, configurable via -i option) to the target host www.example.com : The output lists each probe message and the results obtained. Finally, it lists the statistics of the entire test. In this example, the shortest round-trip time was 9.674 ms, the average was 10.968 ms, and the maximum value was 11.726 ms. The measurement had

1000-598: Is used with Unix-like operating systems, and the umask function is defined in the POSIX.1 specification. The mask, the umask command and the umask function were not part of the original implementation of UNIX . The operating system evolved in a relatively small computer-center environment, where security was not an issue. It eventually grew to serve hundreds of users from different organizations. At first, developers made creation modes for key files more restrictive, especially for cases of actual security breaches, but this

1050-480: The chroot system call is not available to non- root users on Unix. See limitations of chroot for more details. Setting the setgid permission on a directory causes files and subdirectories created within to inherit its group ownership, rather than the primary group of the file-creating process. Created subdirectories also inherit the setgid bit. The policy is only applied during creation and, thus, only prospectively. Directories and files existing when


1100-401: The chmod command will check the mask when the mode options are specified using symbolic mode and a reference to a class of users is not specified. The mask is stored as a group of bits. It may be represented as binary , octal or symbolic notation. The umask command allows the mask to be set as octal (e.g. 0754 ) or symbolic (e.g. u=,g=w,o=wx ) notation. The umask command

1150-498: The setgid bit is applied are unaffected, as are directories and files moved into the directory on which the bit is set. Thus is granted a capacity to work with files amongst a group of users without explicitly setting permissions, but limited by the security model expectation that existing files permissions do not implicitly change. The setuid permission set on a directory is ignored on most UNIX and Linux systems. However FreeBSD can be configured to interpret setuid in

1200-448: The setuid bit to run as root , the code will execute with root privileges, in effect giving the attacker root access to the system on which the vulnerable process is running. Of particular importance in the case of a setuid process is the environment of the process. If the environment is not properly sanitized by a privileged process, its behavior can be changed by the unprivileged process that started it. For example, GNU libc

1250-432: The setuid or setgid attributes are set on an executable file, then any users able to execute the file will automatically execute the file with the privileges of the file's owner (commonly root ) and/or the file's group, depending upon the flags set. This allows the system designer to permit trusted programs to be run which a user would otherwise not be allowed to execute. These may not always be obvious. For example,

1300-400: The umask command is invoked with an octal argument, it will directly set the bits of the mask to that argument: If fewer than 4 digits are entered, leading zeros are assumed. An error will result if the argument is not a valid octal number or if it has more than 4 digits. The three rightmost octal digits address the "owner", "group" and "other" user classes respectively. If a fourth digit

1350-452: The maskExpression (s). The permissions are applied to different user classes: The operator specifies how the permission modes of the mask should be adjusted. The permission-symbols indicate which file permission settings are to be allowed or prohibited by the mask. For example: Prohibit w rite permission from being set for the u ser. The rest of the flags in the mask are unchanged. Example of multiple changes: This would set

1400-425: The maximum transmission unit of the network, or risk being fragmented . To conduct a denial-of-service attack , an attacker may send ping requests as fast as possible, possibly overwhelming the victim with ICMP echo requests. This technique is called a ping flood . Ping requests to multiple addresses, ping sweeps , may be used to obtain a list of all hosts on a network. Umask In computing, umask

1450-490: The ping command may need access to networking privileges that a normal user cannot access; therefore it may be given the setuid flag to ensure that a user who needs to ping another system can do so, even if their account does not have the required privilege for sending packets. For security purposes, the invoking user is usually prohibited by the system from altering the new process in any way, such as by using ptrace , LD_LIBRARY_PATH or sending signals to it, to exploit

1500-399: The [probably] first UNIX manual to describe its function, the manual says, the actual mode... of the newly-created file is the logical and of the given mode and the complement of the argument. Only the low-order 9 bits of the mask (the protection bits) participate. In other words, the mask shows [indicates] the bits to be turned off when files are created. Many operating systems do not allow

1550-448: The command is: (The items within the brackets are optional.) If the umask command is invoked without any arguments, it will display the current mask. The output will be in either octal or symbolic notation, depending on the OS. In most shells , but not the C shell , the -S argument (i.e. umask -S ) will instruct umask to display using symbolic notation. For example: If


1600-429: The directory named 'videogames'. A user named 'wozniak', who is also part of the group 'engineers', attempts to delete the file named 'tekken' but he cannot, since he is not the owner. Without sticky bit, 'wozniak' could have deleted the file, because the directory named 'videogames' allows read and write by 'engineers'. A default use of this can be seen at the /tmp folder. 3171 on a directory named 'blog' owned by

1650-505: The first eight bytes of the original message (in this case header of the ICMP echo request, including the quench value), so the ping utility can match responses to originating queries. An ICMP packet transported with IPv4 looks like this. Most Linux systems use a unique Identifier for every ping process, and Sequence Number is an increasing number within that process. Windows uses a fixed Identifier , which varies between Windows versions, and

1700-411: The group 'engineers' and the user 'root' A user named 'torvalds' who belongs primarily to the group 'torvalds' but secondarily to the group 'engineers' creates a file or directory named 'thoughts' inside the directory 'blog'. A user named 'wozniak' who also belongs to the group 'engineers' cannot delete, rename, or move the file or directory named 'thoughts', because he is not the owner and the sticky bit

1750-439: The mask is applied to the requested permissions before they are applied to the file. For example: Each process has its own mask, which is applied whenever the process creates a new file. When a shell, or any other process, spawns a new process, the child process inherits the mask from its parent process. When the process is a shell , the mask is changed by the umask command. As with other processes, any process launched from

1800-426: The mask means that the corresponding permission will be determined by the program and the file system . In other words, the mask acts as a last-stage filter that strips away permissions as a file is created; each bit that is set to a "1" strips away its corresponding permission. Permissions may be changed later by users and programs using chmod . Each program (technically called a process ) has its own mask and

1850-425: The mask so that it would: Here are more examples of using the umask command to change the mask: Example showing effect of umask : The mask is applied whenever a file is created. If the mask has a bit set to "1", that means the corresponding file permission will always be disabled when files are subsequently created. A bit set to "0" in the mask means that the corresponding permission will be determined by

1900-418: The new directory named 'electronic' inherits 'engineers.' This is the same when making a new file named 'imagine.txt' Without SGID the group ownership of the new directory/file would have been 'torvalds' as that is the primary group of user 'torvalds'. 1770 on a directory named 'videogames' owned by the user 'torvalds' and the group 'engineers'. A user named 'torvalds' creates a file named 'tekken' under

1950-456: The originating host to a destination computer that are echoed back to the source. The name comes from active sonar terminology that sends a pulse of sound and listens for the echo to detect objects under water. Ping operates by means of Internet Control Message Protocol (ICMP) packets . Pinging involves sending an ICMP echo request to the target host and waiting for an ICMP echo reply . The program reports errors, packet loss , and

2000-470: The raised privilege, although signals from the terminal will still be accepted. While the setuid feature is very useful in many cases, its improper use can pose a security risk if the setuid attribute is assigned to executable programs that are not carefully designed. Due to potential security issues, many operating systems ignore the setuid attribute when applied to executable shell scripts . The presence of setuid executables explains why

2050-468: The requesting process and the OS when files are subsequently created. In other words, the mask acts as a last-stage filter that strips away permissions as a file is created; each bit that is set to a "1" strips away that corresponding permission for the file. Programmatically, the mask is applied by the OS by first negating (complementing) the mask, and then performing a logical AND with the requested file mode. In


2100-657: The requests and time to wait for a response. Many systems provide a companion utility ping6, for testing on Internet Protocol version 6 (IPv6) networks, which implement ICMPv6 . The ping utility was written by Mike Muuss in December 1983 during his employment at the Ballistic Research Laboratory , now the US Army Research Laboratory . A remark by David Mills on using ICMP echo packets for IP network diagnosis and measurements prompted Muuss to create

2150-469: The round-trip time in a stateless manner without needing to record the time of transmission of each packet. The payload may also include a magic packet for the Wake-on-LAN protocol, but the minimum payload, in that case, is longer than shown. The Echo Request typically does not receive any reply if the host was sleeping in hibernation state, but the host still wakes up from sleep state if its interface

2200-420: The user 'root'. The owner of the process is not the user running the executable file but the owner of the executable file 2770 on a directory named 'music' owned by the user 'root' and the group 'engineers' A user named 'torvalds' who belongs primarily to the group 'torvalds' but secondarily to the group 'engineers' makes a directory named 'electronic' under the directory named 'music'. The group ownership of

2250-413: The utility to troubleshoot network problems. The author named it after the sound that sonar makes since its methodology is analogous to sonar's echolocation. The backronym Packet InterNet Groper for PING has been used for over 30 years, and although Muuss says that from his point of view, PING was not intended as an acronym, he has acknowledged Mills' expansion of the name. The first released version

2300-465: The values 4 for setuid and 2 for setgid in the high-order octal digit of the file mode. For example, 6711 has both the setuid and setgid bits ( 4 + 2 = 6 ) set, and also the file read/write/executable for the owner (7), and executable by the group (first 1) and others (second 1). Most implementations have a symbolic representation of these bits; in the previous example, this could be u=rwx,go=x,ug+s . Typically, chmod does not have

2350-595: Was public domain software ; all subsequent versions have been licensed under the BSD license . Ping was first included in 4.3BSD . The FreeDOS version was developed by Erick Engelke and is licensed under the GPL . Tim Crawford developed the ReactOS version. It is licensed under the MIT License . Any host must process ICMP echo requests and issue echo replies in return. The following

2400-435: Was at one point vulnerable to an exploit using setuid and an environment variable that allowed executing code from untrusted shared libraries . The setuid bit was invented by Dennis Ritchie and included in su . His employer, then Bell Telephone Laboratories , applied for a patent in 1972; the patent was granted in 1979 as patent number US 4135240   "Protection of data file contents". The patent

2450-435: Was later placed in the public domain . Ping (networking utility) ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network. It is available for virtually all operating systems that have networking capability, including most embedded network administration software. Ping measures the round-trip time for messages sent from

2500-419: Was not a general solution. The mask and the umask command were introduced around 1978, in the seventh edition of the operating system, so it could allow sites, groups and individuals to choose their own defaults. The mask has since been implemented in most, if not all, of the contemporary implementations of Unix-like operating systems. In a shell, the mask is set by using the umask command. The syntax of
