Trey

Reputation: 554

Purpose of the saved user ID

Running a program with the setuid() bit set is the same thing as running it as the owner of that program. After execution programs usually exit, so why do we have to switch back to the real user ID?

Also, the wikipedia article states that:

The saved user ID (suid) is used when a program running with elevated privileges needs to do some unprivileged work temporarily.

Why is that though? Why would a privileged process lower its privileges? I can't wrap my head around this.

Upvotes: 3

Views: 1204

Answers (3)

user149341

Why would a privileged process lower its privileges? I can't wrap my head around this.

Several reasons:

  • First and foremost: so that the process knows what user launched it! Otherwise, it'd have no way of knowing -- there is no system call to explicitly get the UID of another process. (There is procfs, but that's nonstandard and unreliable.)

  • As others have mentioned, for safety. Dropping privileges limits the damage that can be done by a malfunctioning setuid-root program. (For instance, a web server will typically bind to a socket on port 80 while running as root, then set its UID/GID to a service user before serving any content.)

  • So that files created by the setuid-root process are created as owned by the user that launched the process, not by root.

  • In some situations, root can have less capabilities than non-root user IDs. One example is on NFS -- UID 0 is typically mapped to "nobody" on NFS servers, so processes running as root do not have the ability to read or modify all files on an NFS share.

Upvotes: 4

dbush

Reputation: 223767

Expanding on the purpose of the saved user ID, it also allows a process that was running with elevated privileges and subsequently dropped them to go back to the elevated privileges if needed.

Suppose a user with ID 1001 runs a setuid-root program. At program startup, the various user IDs are set as follows:

  • real UID: 1001
  • effective UID: 0
  • saved UID: 0

Setting the saved user ID to the effective user ID at startup allows the user to go back to this user ID whenever it is needed.

At this point the program has root privileges. The program can then do the following:

#include <unistd.h>   // seteuid()

int main(void)
{
    // perform privileged commands
    seteuid(1001);   // drop privileges, euid is now 1001
    // perform unprivileged commands
    seteuid(0);      // raise privileges, euid is now 0, allowed because saved UID is 0
    // perform more privileged commands
    seteuid(1001);   // drop privileges, euid is now 1001
    // perform more unprivileged commands
    return 0;
}

Upvotes: 8
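The sequence dbush describes, carried through as a complete program (an added example, not part of the answer): it snapshots all three UIDs with getresuid(), drops and regains privileges via the saved UID as shown above, and then drops them permanently with setresuid(), which is what a program does once it no longer needs to go back. It assumes Linux or BSD for getresuid()/setresuid(); run from an ordinary shell it only ever shows the caller's own UID, and the 1001 / 0 / 0 values appear only when the binary is actually installed setuid-root.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>

/* All three UIDs of the calling process (getresuid is a Linux/BSD extension). */
struct uids { uid_t real, effective, saved; };

static struct uids snapshot(void)
{
    struct uids u;
    getresuid(&u.real, &u.effective, &u.saved);
    return u;
}

/* Temporary drop: euid becomes the real UID, i.e. the user who launched us.
 * The saved UID is untouched, so the old privilege can be regained later. */
static int drop_temporarily(void) { return seteuid(getuid()); }

/* Regain: euid goes back to the saved UID (0 in the setuid-root case). This
 * only works while the saved UID still holds the privileged value. */
static int regain(void) { return seteuid(snapshot().saved); }

/* Permanent drop: overwrite real, effective AND saved UID with the real UID.
 * A former setuid-root program can no longer seteuid(0) afterwards (EPERM),
 * because none of its three UIDs is 0. Returns 1 if all three now match. */
static int drop_permanently(void)
{
    uid_t r = getuid();
    if (setresuid(r, r, r) != 0)
        return 0;
    struct uids u = snapshot();
    return u.real == r && u.effective == r && u.saved == r;
}

static void show(const char *step)
{
    struct uids u = snapshot();
    printf("%-24s real=%u euid=%u saved=%u\n", step,
           (unsigned)u.real, (unsigned)u.effective, (unsigned)u.saved);
}

int main(void)
{
    show("startup");              /* in a setuid-root run: 1001 / 0 / 0 */
    drop_temporarily();  show("after seteuid(real)");
    regain();            show("after seteuid(saved)");
    drop_permanently();  show("after setresuid(r,r,r)");
    return 0;
}
```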

Ed Heal

Reputation: 59997

It is best to do as much as possible with lower privileges. That way the OS protects you from doing stupid things.

Do as little as possible as root. Many people have logged in as root and really messed things up.

Upvotes: 3
