Privilege elevation

Set-UID mechanism

It is used to change the UID of a process running a program stored on a Set-UID file.

If a program file is owned by UID X and the set-UID bit of its ACL is set, then it will be executed in a process with UID X.
- Independently of the UID of the subject that executed the program.

Used to allow normal users to execute privileged tasks encapsulated in administration programs.

Change the user’s password (passwd)
Change to super-user mode (su, sudo)
Mount devices (mount)

Effective UID / Real UID

Real UID is the UID of the process creator.
- App launcher.
Effective UID is the UID of the process.
- The one that matters for defining the rights of the process.

UID change

Ordinary application.
- eUID = rUID = UID of process that executed exec
- eUID cannot be changed (unless = 0)
Set-UID application.
- eUID = UID of executed application file, rUID = initial process UID
- eUID can revert to rUID
rUID cannot change.

Set-UID/Set-GID decision flowchart

exec ( path, …)

Does the file referred by the path have Set-UID?
- Yes.
  - ID = path owner.
  - Change the process effective UID to ID.
- No.
  - Do nothing.
Does the file referred by path have Set-GID?
- Yes
  - ID = path GID.
  - Change the process from GID to ID only.
- No.
  - Do nothing.

sudo mechanism

Administration by root is not advised.

One “identity”, many people.
Who did what?

Preferable approach.

Administration role (uid = 0), many users assume it.
- Sudoers.
- Defined by a configuration file used by sudo.

sudo is a Set-UID application with UID = 0.

Logging can take place on each command run with sudo.

PreviousUnix file protection ACLs NextPrivilege reduction

Last updated 6 months ago