
Printing the value of getuid() and geteuid() from an executable with the SUID bit (chmod +s) turned on seems to result in the original caller's ID instead of the owner's ID if the executable is located within the /tmp directory.

When compiling the exact same code in the home directory (and executing chmod +s), this seems to work as expected.

I've searched a lot and could not find any reference to such behavior.

Does anybody know why this is happening?

The source is as simple as that:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(){
    printf("%d\n%d\n", getuid(), geteuid());
    return 0;
}
david
    how is /tmp mounted? – Anthon Sep 24 '14 at 18:54
  • 7
    /tmp is likely mounted with the nosuid option. Check the output of mount or look in /etc/fstab to confirm. – doneal24 Sep 24 '14 at 19:37
  • @DougO'Neal Since the nosuid option on /tmp is a default on many distributions, you might want to make an answer out of this comment. – John WH Smith Sep 24 '14 at 21:37
  • @DougO'Neal that's the answer. Thanks a lot. If you post this I will accept it as an answer. BTW, what is 'mounted'? Isn't /tmp a normal directory? – david Sep 24 '14 at 22:06

1 Answer


Setuid executables can be disabled in filesystem mount options; the option is called nosuid. This is always done for filesystems that can be mounted by untrusted users (the user mount option in /etc/fstab automatically implies nosuid) or whose content can be modified arbitrarily by untrusted users, for example on removable media or over the network from machines that aren't fully trusted. It is sometimes done for other filesystems as well.

Many systems use tmpfs for /tmp: a filesystem whose content remains in memory and isn't preserved on a reboot. (A tmpfs filesystem can be faster than relying on the disk cache because it doesn't need to care about data consistency.) Some setups mount it with the nosuid option, because there usually isn't any call for setuid temporary files and this could occasionally be part of an attack vector (setuid files in /tmp are not a security risk per se, but disabling them can limit the damage caused by a few vulnerabilities).

You can check the mount options for a directory by first looking up the mount point that contains it with df:

df /tmp/somefile

Then look up the mount point in the output from mount, or on Linux in /proc/mounts.

mount | awk '$3 == "/tmp"'
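As an added example (not part of the original answer), a small POSIX sh script that does the df-then-mount lookup in one step: it picks the longest mount point in /proc/mounts-style input that contains a given path and reports whether that filesystem carries nosuid. The sample mount table is constructed, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# Note that /tmp is nosuid while a nested mount under it is not.
SAMPLE_MOUNTS='rootfs / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime,size=4096k 0 0
/dev/sdb1 /home ext4 rw,relatime 0 0
tmpfs /tmp/shared tmpfs rw,relatime 0 0'

# mount_point_for PATH MOUNTS_TEXT
# Prints "<mountpoint> <options>" for the filesystem containing PATH,
# i.e. the longest mount point that is a prefix of PATH on a path boundary.
mount_point_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END { if (best != "") print best " " opts }'
}

# nosuid_status PATH MOUNTS_TEXT
# Prints "nosuid" if the containing filesystem ignores the setuid bit, else "suid".
nosuid_status() {
    line=$(mount_point_for "$1" "$2")
    opts=${line#* }
    case ",$opts," in
        *,nosuid,*) echo nosuid ;;
        *) echo suid ;;
    esac
}

# On a Linux host, check the real /tmp (skipped where /proc/mounts is absent).
[ -r /proc/mounts ] && printf '/tmp on this host: %s\n' \
    "$(nosuid_status /tmp "$(cat /proc/mounts)")"
```

A setuid binary copied into a nosuid filesystem will print the caller's uid twice, exactly as in the question, while the same binary under a suid-capable mount prints the owner's uid from geteuid().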