
Well, I just wanted to understand the setuid mechanism, so I wrote a C program (prog1) that triggers a shell (I used system("/bin/sh")) when executed, and I set the setuid bit on the executable (as root). So normally, when it is executed by another user who is not root, it sets the effective uid of the running process to 0 (root's id), but the real uid remains as it is (in my case 1000 for user test).

Now I wrote another executable (prog2) and gave execute permission only to root: -rwx------.

I logged in as user 'test' and executed 'prog1', so a shell was spawned as intended. I executed the command 'id' and got the following result, which was also intended:

uid=1000(test) gid=1001(test) euid=0(root)groups=1001(test),27(sudo) 

As it shows, the real uid is 1000 and the effective uid is 0 (root); that's exactly what the setuid bit does. Now I wanted to execute prog2 (only root can execute it) and I was surprised that the execution succeeded, and I could even read /etc/shadow. Is that not a security issue? I mean, normally a root-only read/write/execute program can never be read/written/executed by another user? So please, can you give me some useful information about that?

afr0ck

1 Answer


Under Linux, the fsuid is consulted when checking file system permissions. If not set explicitly otherwise, this fsuid matches the euid of the process.

Indeed, almost every permission check is made against the effective user id (that's the reason why it's called effective). The real user id is used, for example, to check whether a signal may be sent (so you can kill setuid processes you started). Many shells also do something like seteuid(getuid()); for enhanced security.

Ctx
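The following C program is an added example, not code from the question or the answer above. It makes the distinction in the answer visible: open(2) is checked against the fsuid (which follows the effective uid), while access(2) is one of the few calls that deliberately checks the real uid, and seteuid(getuid()) is the drop the answer says many shells perform. Run unprivileged, every id matches; installed as a setuid-root binary in a lab (chown root, chmod u+s), the real and effective ids diverge exactly as the question's `id` output shows. The function names are mine; the default path /etc/shadow is the one the question mentions, and any other path can be passed as the first argument.

```c
/* Added example: which uid does each kernel check consult, and what
 * seteuid(getuid()) changes. Not part of the original question or answer. */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* access(2) checks the *real* uid/gid, so it answers the question
 * "could the invoking user read this file on their own?" */
int real_user_may_read(const char *path) {
    return access(path, R_OK) == 0;
}

/* open(2), like almost every file-system permission check, uses the fsuid,
 * which tracks the effective uid unless changed with setfsuid(2). */
int effective_user_may_read(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* The mitigation the answer describes: make the effective uid equal the
 * real uid before handing control to anything untrusted, such as a shell.
 * Returns 0 on success; afterwards geteuid() == getuid().
 * Caveat: for a setuid-root program this is only a temporary drop, because
 * the saved set-user-id still allows seteuid(0) later; a permanent drop
 * needs setuid(getuid()) or setresuid(2). */
int drop_effective_privileges(void) {
    if (seteuid(getuid()) != 0)
        return -1;
    return geteuid() == getuid() ? 0 : -1;
}

static void report(const char *label, const char *path) {
    printf("%s: uid=%u euid=%u\n", label,
           (unsigned)getuid(), (unsigned)geteuid());
    printf("  access(R_OK)   [real uid]      : %s\n",
           real_user_may_read(path) ? "yes" : "no");
    printf("  open(O_RDONLY) [effective uid] : %s\n",
           effective_user_may_read(path) ? "yes" : "no");
}

int main(int argc, char **argv) {
    /* Default path is the file named in the question; override via argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/etc/shadow";

    report("before seteuid(getuid())", path);
    if (drop_effective_privileges() != 0) {
        perror("seteuid");
        return 1;
    }
    /* After the drop, open() and access() agree, because the fsuid now
     * follows an effective uid equal to the real uid. */
    report("after  seteuid(getuid())", path);
    return 0;
}
```

In the setuid-root lab case the first report shows access() answering "no" (the real user test cannot read /etc/shadow) while open() answers "yes" (the effective uid is 0); after seteuid(getuid()) both answer "no", which is why a program that must spawn a shell should drop the effective uid first.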