• zoe @infosec.pubOP
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    2
    ·
    1 year ago

    i am just reposting. wait till someone knowledgeable that could chip in on the subject

    • caseyweederman
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Hm. Looks like it lets users temporarily assume privileges of the user or group that owns an executable.
      A common example I’m seeing is passwd, which has a permission set of -rwsr-xr-x root root.
      The position of the s means that “suid” is set, which means that if I run it as user casey, it actually gets run as root. I guess? Or it gets run as me but with root privileges? I wonder who the process owner is. I’m gonna experiment.
      I made a root-owned a+x u+s script that ran ps aux | grep $$ and ran it as my regular user and it said my regular user is the process owner and I have to say, I did not learn anything from that.
      Maybe if I make it touch a root-owned a-w file, then if that file’s last-modified date changes even though I ran it as my regular user…?
      Permission denied. Nope, it turns out I still don’t understand suid.

      • LynneOfFlowers@midwest.social
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        I ran into just this problem literally yesterday 😅. It turns out that many Linux distros (not sure which ones exactly but I’m on fedora and it does this) will ignore the suid bit on shell scripts because apparently they’re too easy to exploit for privilege escalation. Sure enough I tried it again with a c program instead of a shell script and the suid bit worked; I was able to write to a file I didn’t have permission for normally. I’m not totally sure exactly which kinds of executables are allowed and which aren’t; it might be binaries only.

        • caseyweederman
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          1 year ago

          Huh!
          Thanks, that would have had me confused for a good while.
          Same behavior on Debian.