3

My os is Fedora 24 and I tried to test the suid bit functionality.

I wrote below bash as Setuid.bash:

#!/bin/bash
if [ $USER = 'root' ]
then
    echo "Like Root Run"
    echo "Root User Add in " $(date) >> /etc/SetUid
else
    echo "Other User Run"
    echo $USER "User Add in " $(date) >> /etc/SetUid
fi

with -rwsrw-r-x. 1 root root 249 May 21 14:45 /bin/Setuid.bash permission and -rwx------. 1 root root 432 May 21 14:45 /etc/SetUid

Now, when I tried /bin/Setuid.bash as root I got:

Like Root Run

but when run that with Test user I encountered:

Other User Run

bin/Setuid.bash: line 8: /etc/SetUid: Permission denied

I'll appreciate if any one let me know, where is my way wrong?

Hossein Vatani
  • 746

1 Answers1

4

Long time ago, bash (and other shell interpreters) have added built-in security measures against suid (ab)use because it is/was dangerous. Dangers of SUID Shell Scripts

From Why Bash is like that: suid

Bash scripts can’t run with the suid bit set. First of all, Linux doesn’t allow any scripts to be setuid, though some other OS do. Second, bash will detect being run as setuid, and immediately drop the privileges.

This is because shell script security is extremely dependent on the environment, much more so than regular C apps.

Ultimately, nowadays the suid bit is mostly useful for executable binaries. A way of running a script/bash like that is invoking it from a suid compiled binary.

Rui F Ribeiro
  • 56,709
  • 26
  • 150
  • 232
  • thanks man for the answer, but when I can use this option? – Hossein Vatani May 21 '17 at 12:03
  • added to the answer. – Rui F Ribeiro May 21 '17 at 12:04
  • that is invoking it from a suid compiled binary you meant I should use a binary file to get the correct answer? – Hossein Vatani May 21 '17 at 12:09
  • 2
    Yes, for instance writing in C a wrapper that calls bash http://stackoverflow.com/questions/556194/calling-a-script-from-a-setuid-root-c-program-script-does-not-run-as-root – Rui F Ribeiro May 21 '17 at 12:12
  • You only refer to the Bash shell. No suid applies to any shell script - not just the Bash shell. – fpmurphy May 21 '17 at 13:34
  • @fpmurphy1 The question was about the Bash shell, and I agree with you. Coincidentally, the bash shell binary was one of the first shells dropping setuid privileges, if not the first. – Rui F Ribeiro May 21 '17 at 13:36
  • @RuiFRibeiro. It is the kernel that controls setuid privileges - not a shell. 4.3BSD (Tahoe) was probably the first major OS to disable setuid for shell scripts. – fpmurphy May 21 '17 at 15:40
  • @fpmurphy1 Now that you talk I do remember that FreeBSD kernel indeed does that...however bash does it too. http://hmarco.org/bugs/bash_4.3-setuid-bug.html – Rui F Ribeiro May 21 '17 at 16:17