Understanding 'setuid'

Dan McGhee farmerdan at i-rule.net
Mon Apr 25 18:13:39 PDT 2005


Andrew Benton wrote:

> Dan McGhee wrote:
>
>> In getting to this point in Linux, I've read many times something to 
>> the effect, "This needs to be setuid root."  And that this means that 
>> the "sticky bit" is set.  Beyond that I can't find anything.  What 
>> does "setuid" really mean?  What exactly does it do?  What does it 
>> cause?  What does it prevent?
>>
>> Would someone please point me in the direction of some good 
>> documentation on the subject or present their ideas here?
>>
> Read man setuid
>
Thanks, Andrew.  But I asked for "good" documentation <G>.  Sorry, I had 
to say that.

I did read that and "seteuid," "geteuid," "setreuid," and "setresuid."  
All of these deal with reading and setting  the REAL uid, EFFECTIVE uid 
and SAVED uid of a process.  I'm guessing here, please let me know how 
close I am,  that these values are passed to a process by a parent 
process.  I don't know how they are related.  The books I have here at 
home "Linux Power Tools" and "Unix Power Tools" both stop at saying that 
a parent forks or spawns a child process and passes the parent 
environment to the child.  Any changes in the child's environment will 
not affect the parent.

Let me digress for a second.  In the discussion of SUID and GUID, "Linux 
Power Tools," p. 105, says, "...when you run a program, that program 
runs with the permissions of the user who launched the program.  With 
the SUID...bit set, though, the program runs with the permissions 
associated with the program file's owner....  This feature is used by a 
handful of key system programs to enable users to do things that they 
otherwise wouldn't be able to do, such as access a CD-R drive's device 
files."

From reading the man pages, I'm guessing again, that 'setuid' is 
somehow in the environment and it reads (?) the fact that SUID is set.  
My real world and recent experience was that I could not 'su' to root 
from my own account until I ran 'chmod u+s su.'  So this tells me that 
NOBODY could invoke 'su' UNLESS SUID was set.  I don't understand how 
this fits together.

Do I have incomplete knowledge, a misconception or an almost complete 
non-understanding of how setuid and SUID fit together?

Thanks again,

Dan
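
An added example, not part of the original message or of the book quoted in it: a small C program that separates the SUID mode bit on a program file from the real and effective UIDs of a process, and shows that the sticky bit is a different mode bit. The function names and the default path /bin/su are assumptions, and the exec rule is a simplified model that ignores nosuid mounts and similar kernel conditions.

```c
/* Added example (not from the original thread). Simplified model of exec;
   it ignores nosuid mounts and other kernel conditions. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef S_ISVTX
#define S_ISVTX 01000            /* sticky bit, in case the header hides it */
#endif

/* SUID (octal 4000) and the sticky bit (octal 1000) are different mode bits. */
int has_suid(mode_t mode)   { return (mode & S_ISUID) != 0; }
int has_sticky(mode_t mode) { return (mode & S_ISVTX) != 0; }

/* Effective UID after exec'ing a file: with SUID set the process runs as the
   file's owner; otherwise it keeps the caller's effective UID. */
uid_t euid_after_exec(mode_t mode, uid_t file_owner, uid_t caller_euid)
{
    return has_suid(mode) ? file_owner : caller_euid;
}

/* Inspect one file on disk and print what the model predicts for this caller.
   Returns 0 on success, -1 if the file cannot be stat'ed. */
int report(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) {
        perror(path);
        return -1;
    }
    printf("%s: mode %04o owner uid %lu suid=%d sticky=%d -> euid after exec: %lu\n",
           path, (unsigned)(st.st_mode & 07777), (unsigned long)st.st_uid,
           has_suid(st.st_mode), has_sticky(st.st_mode),
           (unsigned long)euid_after_exec(st.st_mode, st.st_uid, geteuid()));
    return 0;
}

int main(int argc, char **argv)
{
    /* The IDs of this process: real = who started it, effective = whose
       permissions it is checked against. */
    printf("real uid %lu, effective uid %lu\n",
           (unsigned long)getuid(), (unsigned long)geteuid());
    if (argc < 2)
        return report("/bin/su") == 0 ? 0 : 1;   /* assumed path; pass your own */
    int rc = 0;
    for (int i = 1; i < argc; i++)
        if (report(argv[i]) != 0)
            rc = 1;
    return rc;
}
```
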





More information about the blfs-support mailing list