1

I am setting setuid on mkdir without making it executable.

chmod u+s /usr/bin/mkdir

chmod u-x /usr/bin/mkdir

[root@rhel-85 /]# ls -l /usr/bin/mkdir
-rwSr-xr-x. 1 root root 84664 Jul 9 2021 /usr/bin/mkdir

Now, when I log in as another user "user1", I am still able to create a directory even when the "mkdir" binary is non-executable.

My understanding is that "user1" should not be able to create a directory because mkdir is non-executable.

meallhour
  • 171

1 Answer

2

You’ve cleared the executable permission for the file’s owner, but not for members of its group or other users. As a result, the only user denied access by the permissions is root; every other user is granted permission. (root can still execute the binary, because root can execute any binary with any one of its executable bits set.)

The setuid bit doesn’t affect how permissions are granted or denied; it only affects the effective uid of processes when they execute the binary.

See Understanding UNIX permissions and file types and Restrictive "group" permissions but open "world" permissions? for details.

Stephen Kitt
  • 434,908
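The check described in this answer, modelled as an added example (not part of the original answer): exactly one permission class applies to a process, root needs any one execute bit, and setuid only selects the effective uid after execution is allowed. The uid/gid 1000 for "user1" is a constructed value, and ACLs, capabilities, nosuid mounts and security modules are ignored.

```python
import stat

# Mode from the question's ls output: regular file, setuid, rw- r-x r-x
MKDIR_MODE = stat.S_IFREG | 0o4655

def mode_string(mode):
    """Render a mode the way ls -l does (setuid without owner x shows as 'S')."""
    return stat.filemode(mode)

def may_execute(mode, file_uid, file_gid, uid, gids):
    """Simplified model of the classic Unix execute check. Returns (allowed, reason)."""
    any_x = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    if uid == 0:
        # root skips the class check but still needs at least one x bit set
        return bool(any_x), "root: needs any x bit"
    # Only the first matching class is consulted; there is no fall-through,
    # so an owner denied by the owner bits is not rescued by "other".
    if uid == file_uid:
        cls, bit = "owner", stat.S_IXUSR
    elif file_gid in gids:
        cls, bit = "group", stat.S_IXGRP
    else:
        cls, bit = "other", stat.S_IXOTH
    return bool(mode & bit), cls + " class"

def euid_after_exec(mode, file_uid, uid):
    """setuid plays no part in the access decision; it sets the effective uid."""
    return file_uid if mode & stat.S_ISUID else uid

if __name__ == "__main__":
    print(mode_string(MKDIR_MODE))
    cases = [
        ("root", 0, {0}, 0),               # owner bits lack x, root still runs it
        ("user1", 1000, {1000}, 0),        # constructed uid/gid, falls in "other"
        ("owner if uid 1000 owned it", 1000, {1000}, 1000),
    ]
    for name, uid, gids, file_uid in cases:
        ok, why = may_execute(MKDIR_MODE, file_uid, file_uid, uid, gids)
        euid = euid_after_exec(MKDIR_MODE, file_uid, uid) if ok else None
        print(f"{name}: allowed={ok} ({why}), euid after exec={euid}")
```

To make the binary non-executable for "user1" under this model, the execute bit has to be cleared on the class that user falls into (here "other"), not on the owner.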