Re: suid
On Fri, Apr 16, 2004 at 11:02:56PM +0100, Mario Ohnewald wrote:
> Everybody knows that files with a suid bit set can be dangerous.
Everybody knows that almost everything is dangerous.
> Well, i was asking myself today why exactly linux uses the suid bit files?!
> Could someone please explain that to me?
It's fairly simple, a file is setuid so that the user that invokes
the binary can gain the permissions of the binaries owner.
This is necessary in a lot of common cases.
For example to change a password a user (typically) must update
the entry in the file /etc/shadow, problem is that users cannot
view or edit this file themselves. This means that the passwd program
must be setuid(root) or setgid(shadow) to modify it on the users
behalf, after carefully sanitizing the inputs.
>
> Example:
> ~$ ls -lah /var/spool/cron/crontabs/user
> -rw------- 1 root user 408 Apr 16
>
> Ok, the suid is set for the crontab binary because you have to edit the root
> owned file.
> But why is it owned by root in the first place?
So that other users may not view it, in much the same way as the
/etc/shadow example I presented above.
Besides there aren't *too* many setuid/setgid files included in
Debian, sure less would be great, but it's not the case that there
are hundreds.
Please see the following URL for a partially accurate listing
and compare it against the other operating systems listed:
http://shellcode.org/Setuid/debian.html
(I have pending lists to updload covering HPUX, Tru64 and
NetBSD).
Steve
--
Reply to:
- References:
- suid
- From: Mario Ohnewald <mario.ohnewald@gmx.de>