Please explain the setuid bit clearly!

Dear all,

I am a newbie with Linux, I don't understand any code. I have googled for a long time. Please help me by explaining the setuid bit on Linux (CentOS 6).

Here:
1/ I ran chmod u+s on /sbin/iptables, but a normal user still cannot perform the command (e.g. /sbin/iptables -L).

2/ Someone says: setuid is only set on binaries, not scripts. But I don't know a way to determine this.

With the file /sbin/iptables, is it a script or a binary?
With the file /bin/ping, is it a script or a binary (because this file has setuid)?

Thanks all,

Sorry for my English.

Everything in Linux is considered a file.

You can run the following command to know the type of the file.

$ file /sbin/iptables
/sbin/iptables: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped
$ file /bin/ping
/bin/ping: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped

The above result says that they are binary files, and all information about those binaries is given.

Let's take the example of a script.

$ file update.sh
update.sh: Bourne-Again shell script text executable

This means update.sh is a Bourne shell script.

Let's take a simple text file.

$ file setup.conf
subversion.conf: ASCII text

Some other format.

$ file ldap.tar
ldap.tar: POSIX tar archive (GNU)

I think now you must have understood the file concept and how to know the file type.

Note: In Linux the file extension does not matter, and it may not give an exact picture of the file type.

1 Like
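The answer above shows `file` reading the magic bytes for you. The following added example (written for this page, not posted in the thread) does the same check by hand in POSIX sh: it classifies a file as an ELF binary, a `#!` script, or something else from its first four bytes, and reports whether the setuid bit is set using `test -u`. The sample paths in the usage comment are placeholders; the script works on any path you give it.

```shell
#!/bin/sh
# Added example, not from the original thread: classify a file the way
# `file` does by reading its first bytes directly, and report whether its
# setuid bit is set. Needs only POSIX sh, od, tr and test.

# Print "elf", "script" or "other" for the given path.
file_kind() {
    path=$1
    # First four bytes as lowercase hex: 7f454c46 for "\177ELF", 2321.. for "#!"
    magic=$(od -A n -t x1 -N 4 "$path" 2>/dev/null | tr -d ' \n')
    case $magic in
        7f454c46) echo elf ;;      # native binary: the kernel honours setuid on it
        2321*)    echo script ;;   # "#!" script: an interpreter runs it, Linux ignores setuid
        *)        echo other ;;    # data, archives, empty files, ...
    esac
}

# Print "yes" if the setuid bit is set on the path (test -u follows
# symlinks, so a link to a setuid file also reports "yes"), else "no".
setuid_state() {
    if [ -u "$1" ]; then echo yes; else echo no; fi
}

# One-line report per path, e.g. "/bin/ping: elf, setuid=yes".
report() {
    printf '%s: %s, setuid=%s\n' "$1" "$(file_kind "$1")" "$(setuid_state "$1")"
}

# Usage (paths are illustrative): sh suidcheck.sh /sbin/iptables /bin/ping ./update.sh
for f in "$@"; do
    report "$f"
done
```

Run it as a normal user; it needs no privileges because it only reads the files and their mode bits. A `script` result with `setuid=yes` is the combination the thread warns about: the bit is set, but the kernel will not honour it when the interpreter is started.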

Thanks Vishal,

But I want to know why the setuid bit is not working with /sbin/iptables, even though this file is a binary.

As I said, I have run chmod u+s /sbin/iptables; however, a normal user still cannot perform this command. Can you explain it to me more clearly?

It is possible that iptables is refusing to run because the user executing the process doesn't match the owner of the binary. A process can check both the user's real ID, and the effective user ID (set as a result of the state of the SUID bit on the binary). Some programmes exit if both user IDs don't match.

I cannot say for sure about iptables, but if you can successfully set the bit, then that'd be my guess.

1 Like

Hi Agama,

Thanks for your reply! But I always thought:

e.g.:

  • user with id = 500
  • /sbin/iptables with owner = root
  • chmod /sbin/iptables with permission: chmod u+s
  • when the user with id = 500 runs /sbin/iptables, the program iptables will make the user's ID = ruid = euid = root >> performing the program (iptables -L) will succeed.

As you mean it: the user's ID = euid = root but differs from the ruid (root) of the program iptables, so the normal user cannot perform the command (iptables -L).

Sorry for my English. I hope you understand my English.

thanks all,

The euid in this case would be root (0) and the uid would be the user's real id (500). Some programmes check this and if they are not equal they stop.

I just found a system with iptables installed and tried it. Without the suid bit on, it does fail with an error, but it was successful when I flipped suid on, so I don't think it is doing what I suggested.

Something that I noticed when I set the permissions is that iptables is actually a symlink that points to iptables-multi. Is this the case in your environment? If so, did you try setting the suid bit on iptables-multi, as it doesn't make sense to set it on the symlink (chmod shouldn't allow it anyway)?

Not sure what else to suggest.

Why not try sudo?

1 Like
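The reply above raises two things worth checking on your own box: whether /sbin/iptables is a symlink to iptables-multi, and what your real and effective UIDs are. The following added example (written for this page, not posted in the thread) walks a symlink chain hop by hop, reports whether the setuid bit is set on the file the kernel will finally execute, and prints the caller's real and effective UID with `id -ru` and `id -u`. It uses only POSIX sh plus `readlink`, `dirname`, `id` and `ls`; the iptables paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not from the original thread: follow a symlink chain such
# as /sbin/iptables -> iptables-multi, then check the setuid bit on the
# final target, which is the file execve() actually runs. Also prints the
# real vs effective UID, the pair a program compares when it decides to
# refuse a non-root caller. POSIX sh only; no GNU readlink -f needed.

# Print each hop of the chain as "<link> -> <target>", then the final path.
# Relative link targets are resolved against the directory of the link.
link_chain() {
    p=$1
    n=0
    while [ -L "$p" ]; do
        n=$((n + 1))
        if [ "$n" -gt 40 ]; then            # same limit the kernel uses (ELOOP)
            echo "too many levels of symbolic links: $1" >&2
            return 1
        fi
        t=$(readlink "$p")
        printf '%s -> %s\n' "$p" "$t"
        case $t in
            /*) p=$t ;;
            *)  p=$(dirname "$p")/$t ;;
        esac
    done
    printf '%s\n' "$p"
}

# The last path in the chain: what the kernel opens and whose mode bits count.
final_target() {
    link_chain "$1" | tail -n 1
}

# "yes" if the setuid bit is set on the final target, else "no".
setuid_on_target() {
    if [ -u "$(final_target "$1")" ]; then echo yes; else echo no; fi
}

# Real and effective UID of the caller, e.g. "ruid=500 euid=500".
# In a shell they are normally equal; a setuid binary sees euid=0 and ruid=500.
show_ids() {
    printf 'ruid=%s euid=%s\n' "$(id -ru)" "$(id -u)"
}

# Usage (paths are illustrative): sh suidchain.sh /sbin/iptables
for f in "$@"; do
    link_chain "$f"
    ls -l "$(final_target "$f")"
    echo "setuid on target: $(setuid_on_target "$f")"
done
show_ids
```

Note that chmod itself follows symlinks, so `chmod u+s /sbin/iptables` on a link changes the mode of iptables-multi, not of the link; the function above therefore always looks at the final target before answering. If the target is an ELF binary, shows `s` in its owner execute column, and the mount it lives on is not `nosuid`, the bit will take effect when a normal user runs it.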