Linux Security Journey — SUID Bit (Set UID bit)

Shlomi Boutnaru, Ph.D.
Sep 25, 2022

Besides the ordinary permissions that a file/directory can have in Linux (read, write & execute), we can also assign special permission bits that have a specific meaning: suid, sgid and sticky bit. I am going to focus on the “suid bit” (if you want to read my writeup about the “sticky bit” you can use the following link: https://medium.com/@boutnaru/linux-security-sticky-bit-ccb0aaf3c019).

Have you ever asked yourself what the “s” in the output of “ls -l” stands for? You can see it in the screenshot below, taken from an Ubuntu 22.04 VM, for the “passwd” executable.

If an executable file has the “suid bit” set, it will be executed using the permissions of the owner of the file. It is important to understand that it sets the “euid” but not the “ruid”, as you can see in the screenshot below. Information about “euid”, “ruid”, “fsuid” and more is going to be covered as part of the description of “struct cred” (https://elixir.bootlin.com/linux/latest/source/include/linux/cred.h#L110) in the future.

For now, all you need to know is that the “euid” (Effective UID) is used for most of the permission checks and the “ruid” (Real UID) is the uid (User Identifier) of the user that started the executable.

Because of that, even though “passwd” runs as root, it does not allow changing the password of a user other than the one who started it (unlike root itself, which can change any user’s password).
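The three ideas above (the “s” that “ls -l” prints, the euid switching to the file owner while the ruid stays put, and a passwd-style check made against the ruid) can be modeled in a few lines of C. This is an added example, not code from the original post, from passwd or from the kernel; the function names are hypothetical, the default path /usr/bin/passwd is an assumption, and the model ignores cases such as nosuid mounts.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Owner-execute column as "ls -l" shows it:
 * 's' = suid and executable, 'S' = suid without owner execute. */
static char owner_exec_char(mode_t mode)
{
    if (mode & S_ISUID)
        return (mode & S_IXUSR) ? 's' : 'S';
    return (mode & S_IXUSR) ? 'x' : '-';
}

/* Simplified model of exec: with the suid bit set, the euid becomes
 * the file owner; otherwise it is inherited. The ruid never changes. */
static uid_t euid_after_exec(mode_t mode, uid_t owner, uid_t caller_euid)
{
    return (mode & S_ISUID) ? owner : caller_euid;
}

/* passwd-style authorization (hypothetical helper): the decision is
 * based on the real uid, because the euid is root for every caller. */
static int may_change_password(uid_t ruid, uid_t target_uid)
{
    return ruid == 0 || ruid == target_uid;
}

int main(int argc, char **argv)
{
    /* Assumed default path; pass another file as the first argument. */
    const char *path = argc > 1 ? argv[1] : "/usr/bin/passwd";
    struct stat st;

    if (stat(path, &st) != 0) {
        perror(path);
        return 1;
    }
    printf("%s: owner exec column '%c', owner uid %d\n",
           path, owner_exec_char(st.st_mode), (int)st.st_uid);
    printf("now:        ruid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    printf("after exec: ruid=%d euid=%d\n", (int)getuid(),
           (int)euid_after_exec(st.st_mode, st.st_uid, geteuid()));
    printf("may change own password: %d, uid 0's password: %d\n",
           may_change_password(getuid(), getuid()),
           may_change_password(getuid(), 0));
    return 0;
}
```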

See you in my next writeup ;-)

You can follow me on twitter — @boutnaru (https://twitter.com/boutnaru).
