
I understand that the setUID bit works with the EUID and RUID in Linux to give non-provisioned users temporary root access to executables that require it. However, my main concern is this: let's say a process on a computer is malicious. Even if the process has a low-privileged user ID (like "nobody" on Macs), if all it can do to execute code is work with files that have the setUID bit to get a temporary root EUID, wouldn't that defeat the whole purpose of having privileged processes, as that process now technically has root access to the computer? Or am I missing something? Thanks!

Justin Tjoa

1 Answer


Just because an executable has privileged access doesn't mean the person who executes it can cause it to do arbitrary actions.

Programs that are intended to be run under setuid must be written very carefully to avoid being used in unintended privilege-escalating ways. If they have security flaws, yes, it will create exactly the problem you describe, and you must be very careful before applying the setuid flag to executables.

Rob Napier
    In addition, a process may choose to temporarily or permanently drop those elevated permissions when it no longer needs them to limit the damage if there were a security problem. – bk2204 Jul 20 '20 at 23:22
  • `sudo` can be configured to allow certain users to run specific commands as other users or root, without giving them access to anything else. This is generally safer than writing a custom setuid binary since many of the escalation techniques are already mitigated. – that other guy Jul 20 '20 at 23:26
  • Agreed in general, but commands that were not designed to be run in a privilege-escalated context can often have features that allow them to be abused (vim is a particularly famous case of this; granting a user sudo privileges to vim is the same as granting them sudo privileges to everything. But the same is true of `find` and `dd`.) A security advantage of writing custom setuid binaries is that they can be more carefully considered and audited rather than granting sudo to general-purpose tools. – Rob Napier Jul 21 '20 at 13:54
  • setuid and sudo also solve different problems. sudo allows a general user to gain access to administrative tools. setuid allows an application access to something it needs, without giving the caller any additional privileges. For example, the `ps` command requires elevated privileges to function (at least on some platforms), but you wouldn't want to need `sudo` privileges in order to use it. – Rob Napier Jul 21 '20 at 13:58
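The answer says a setuid program must be written carefully, and bk2204's comment says it should drop the elevated IDs as soon as it no longer needs them. The following C program is an added example (not code from the question, the answer or any commenter) of what that looks like on Linux with glibc: `running_setuid()` detects the "temporary root EUID" situation the question describes, `toggle_privileges_temporarily()` shows the seteuid() pattern for doing privileged work in a short window, and `drop_privileges_permanently()` shows the permanent drop, including the check that root cannot be regained afterwards. The function names and the return-code enum are this example's own; the program is runnable unprivileged, and when installed setuid-root it would behave as the comments describe.

```c
/* Added example: privilege handling a setuid-root program should do.
 * Assumes Linux/glibc. Function and enum names are this example's own. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes for drop_privileges_permanently(). */
enum drop_result {
    DROP_OK = 0,
    DROP_ERR_GROUPS,   /* could not clear supplementary groups */
    DROP_ERR_GID,      /* setgid() failed */
    DROP_ERR_UID,      /* setuid() failed */
    DROP_ERR_REGAINED  /* root could still be regained after the drop */
};

/* 1 when the effective UID differs from the real UID, i.e. the process is
 * running with the temporary elevation a setuid bit gives; 0 otherwise. */
int running_setuid(void)
{
    return geteuid() != getuid();
}

/* Temporary drop: switch the effective UID to the real (caller's) UID for a
 * window of unprivileged work, then restore it. Because only the effective
 * UID changes, the saved set-user-ID keeps the elevated UID and the program
 * can come back to it. Returns 1 on success, 0 on any failure. */
int toggle_privileges_temporarily(void)
{
    uid_t elevated = geteuid();
    uid_t caller = getuid();

    if (seteuid(caller) != 0)
        return 0;
    if (geteuid() != caller)         /* unprivileged window must be real */
        return 0;
    /* ... unprivileged work, e.g. opening a file named by the caller ... */
    if (seteuid(elevated) != 0)      /* regain for the next privileged step */
        return 0;
    return geteuid() == elevated;
}

/* Permanent drop, in the order that matters: supplementary groups first
 * (only root may change them), then the GID (impossible once the UID is
 * gone), then the UID. With euid 0, setuid() sets real, effective and saved
 * UID together, so the elevation is gone for good. The final check tries to
 * regain root and treats success as a failure of the drop. */
enum drop_result drop_privileges_permanently(uid_t target_uid, gid_t target_gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return DROP_ERR_GROUPS;
    if (setgid(target_gid) != 0)
        return DROP_ERR_GID;
    if (setuid(target_uid) != 0)
        return DROP_ERR_UID;

    if (getuid() != target_uid || geteuid() != target_uid || getegid() != target_gid)
        return DROP_ERR_REGAINED;
    /* If the saved UID were still 0 this call would succeed; it must fail. */
    if (target_uid != 0 && setuid(0) == 0)
        return DROP_ERR_REGAINED;
    return DROP_OK;
}

int main(void)
{
    printf("real uid %u, effective uid %u, running setuid: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           running_setuid() ? "yes" : "no");

    printf("temporary drop and regain: %s\n",
           toggle_privileges_temporarily() ? "ok" : "failed");

    /* Drop to the caller's own IDs; for a real setuid binary this is the
     * point after the last operation that genuinely needed root. */
    enum drop_result r = drop_privileges_permanently(getuid(), getgid());
    printf("permanent drop: %s\n", r == DROP_OK ? "ok" : strerror(errno));
    printf("now effective uid %u, can regain root: %s\n",
           (unsigned)geteuid(), setuid(0) == 0 ? "yes" : "no");
    return r == DROP_OK ? 0 : 1;
}
```

Run as an ordinary user the program reports that it is not running setuid and that root cannot be regained; installed with `chmod u+s` and owned by root it would start with effective UID 0 and end with the caller's IDs. The ordering (groups, GID, UID) and the explicit regain check are the two details most often missing from setuid code that turns out to be exploitable.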