Simon Geard wrote:
On Mon, 2005-04-25 at 06:21 -0500, Dan McGhee wrote:Simon, thanks. Great explanation. It really ties together all the stuff that I have been reading at the recommendations of Andrew and Declan--thanks to the two of you also. I had a sense of what you said, but just couldn't quite pull it all together coherently.
In getting to this point in Linux, I've read many times something to the effect, "This needs to be setuid root." And that this means that the "sticky bit" is set. Beyond that I can't find anything. What does "setuid" really mean? What exactly does it do? What does it cause? What does it prevent?
Short version, suid means that an executable with that flag set runs as the user who owns the file, instead of the usual behaviour of running as whoever ran the program. That's important for cases where a program must be run by ordinary users, but needs to do things only root can do.
For example, 'su' must be suid because it runs programs as other users. 'passwd' must be suid, because it changes system files that ordinary users shouldn't be able to touch. And 'mount' and 'umount' are usually suid to allow ordinary users to mount and unmount filesystems.
The security implications of this should be fairly obvious. Any code that gives ordinary users superuser permissions needs to be fairly carefully written to avoid holes that would allow the user to run things you didn't intend. It's often desirable to mount partitions like /home with the 'nosuid' option, since they prevent such programs from being run, even if some intruder has managed to create one.
Note - I've assumed in the examples that the program would be root-owned, since that's the most common need for it. Doesn't have to be the case though - programs owned by any user can be made suid and will be run with the owner's permissions, not those of the runner.
I'm using the Package-User management system, and some of the "glitches" I've run into are the result of packages trying to install some things SUID--of course when one is not installing as root then the install "burps." I didn't know how deeply I'd be getting into install packages with this management system. SUID or -SUID has become an important question for me. As I prepare to install Xorg, I really wanted to get a handle on it.
Thanks again.
Dan -- http://linuxfromscratch.org/mailman/listinfo/blfs-support FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
