SUID stands for Set User ID. If the SUID bit is set on an application, then while that application runs, your effective user ID is set to that of the owner of the application/file rather than that of the current user.
That means that if you have an application whose owner is 'root' and it has its SUID bit set, then when you run this application as a normal user (a user who is not root and does not have any root credentials), the application still runs as root. The SUID bit tells Linux that the user ID root is set for this application, and whenever this application executes it must execute as if root were executing it (since root owns this file).
Let me demonstrate SUID with an example:
If you try to execute a command "useradd" as a normal user, you will get an error as shown below:
$/usr/sbin/useradd user1
-bash: /usr/sbin/useradd: Permission Denied
Now in this case, check the permissions on "useradd" command itself:
$ll /usr/sbin/useradd
-rwxr--r-- 1 root root 74512 Jan 17 2007 /usr/sbin/useradd
The permission set shows that a normal user who is not the owner of the file and belongs to the Others category does not have execute permission on the "useradd" command.
Now as a root user perform the following operations:
#chmod o+x /usr/sbin/useradd
#ll /usr/sbin/useradd
-rwxr--r-x 1 root root 74512 Jan 17 2007 /usr/sbin/useradd
Now, as a normal user, execute the useradd command again:
$/usr/sbin/useradd user1
useradd: unable to lock password file
Even though others now have execute permission on the "useradd" command, you still get the error "unable to lock password file".
In fact, giving write access to others on the "/etc/passwd" file will not help, and you will get the same error when you try to execute the useradd command as an ordinary user.
Now what to do?
The solution is to set the SUID bit on the "useradd" command as a root user as shown below:
#chmod u+s /usr/sbin/useradd
#ll /usr/sbin/useradd
-rwsr--r-x 1 root root 74512 Jan 17 2007 /usr/sbin/useradd
You will now see an "s" (lowercase "s") in place of the execute permission for the owner (i.e. root). This signifies the presence of the SUID permission on that command.
Had there been an "S" (capital "S") in place of the lowercase "s", it would mean that the execute permission is missing from the owner's permissions for the file.
Now since the SUID bit is set on the "useradd" command, you can now go on to create a user from a normal user's login as shown below:
$/usr/sbin/useradd user1
/usr/sbin/nscd: Only root is allowed to use this option
$grep user1 /etc/passwd
user1:x:508:508::/hime/user1:/bin/bash
Here you might get a warning "/usr/sbin/nscd: Only root is allowed to use this option" after executing the "useradd" command as a normal user, but you need not worry because your user is already created in the system which is shown by the output of grep command on "/etc/passwd" file.
The benefit of setting SUID bit on "useradd" command is that now when you try to execute "useradd" command, the command runs with root's permission and can edit files owned by root.
Note: You need not put Write permission or SUID permission on the files "useradd" command accesses. Only putting SUID on "useradd" command will do the trick.
Catch: Is it possible to include the "useradd" command in a script and then put the SUID for owner and Execute permission for owner and others on the script instead of putting the same permissions on the "useradd" command as we did in the above mentioned steps?
Let's Try:
Remove the SUID bit from the "useradd" command preserving the Execute permission:
#chmod u-s /usr/sbin/useradd
#ll /usr/sbin/useradd
-rwxr--r-x 1 root root 74512 Jan 17 2007 /usr/sbin/useradd
Also write the following script:
#vi /tmp/test
/usr/sbin/useradd user2
grep user2 /etc/passwd
Save the script and put SUID and Execute Permission for User and Others respectively on the script "test" as shown below:
#chmod u+sx,o+x /tmp/test
#ll /tmp/test
-rwsr--r-x 1 root root 46 Jan 17 2007 /tmp/test
Now when you execute the script "/tmp/test" as a normal user, will the "useradd" command inside the script execute?
The answer is "No": when you try to execute the script, it is the bash shell that runs the script, and the shell still runs as the normal user, so the SUID bit on the script file has no effect.
So the command below will again give an error:
$/tmp/test
useradd: unable to lock password file
Warning: The above mentioned example is only to provide information about the working of SUID. Please do not try this on your Production/Support Servers or any other Linux Machines in your Office because it will open a potential Security Loophole using which your Linux Systems could be compromised in many ways.
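To check a system for the kind of loophole the warning describes, the following added example (not part of the original post) lists every file under a directory that carries the SUID bit, shows whether it displays as "s" or "S", and notes whether it is a compiled binary or a script. The function names and the sample files are assumptions made for this illustration; the sample files are constructed in a temporary directory and owned by whoever runs the script.

```shell
#!/bin/sh
# Added example (not from the original post): list SUID files under a directory.

# suid_state FILE: "s" = SUID with owner execute, "S" = SUID without owner
# execute (the bit is set but the owner cannot run the file), "-" = no SUID.
suid_state() {
    c=$(ls -ld -- "$1" | cut -c4)      # 4th character of e.g. -rwsr--r-x
    case "$c" in
        s|S) echo "$c" ;;
        *)   echo "-" ;;
    esac
}

# file_kind FILE: "elf" for a compiled binary, "script" for a #! script,
# "other" otherwise. Linux does not honour SUID on interpreted scripts.
file_kind() {
    magic=$(od -An -c -N 4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        177ELF) echo elf ;;
        '#!'*)  echo script ;;
        *)      echo other ;;
    esac
}

# audit_suid DIR: one line per SUID file, "<s|S> <owner uid> <kind> <path>".
# Owner uid 0 with state "s" and kind "elf" is a program that runs as root.
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        uid=$(ls -ldn -- "$f" | awk '{print $3}')
        echo "$(suid_state "$f") $uid $(file_kind "$f") $f"
    done
}

# Constructed sample files (owned by whoever runs this, not by root).
demo=$(mktemp -d)
printf '\177ELF'     > "$demo/binary"; chmod 4745 "$demo/binary"  # -rwsr--r-x
printf '#!/bin/sh\n' > "$demo/script"; chmod 4745 "$demo/script"  # -rwsr--r-x
printf 'data\n'      > "$demo/noexec"; chmod 4644 "$demo/noexec"  # -rwSr--r--
audit_suid "$demo"
rm -rf "$demo"
```

Running audit_suid over /usr as root and comparing the output with a saved baseline shows when a command such as "useradd" has gained the bit.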
That's a good example on SUID. Thanks!
This blog helps me a lot to understand the concept of SUID in detail.
SUID is in itself a big topic to understand.
Thanks for this incredible effort.
Awesome! Thanks
Hi Abhishek,
Thanks for this.
How about a worked example to illustrate the alphabetically capital "S"