Privilege elevation
Set-UID mechanism
It is used to change the UID of a process running a program stored on a Set-UID file.
If a program file is owned by UID X and the set-UID bit of its ACL is set, then it will be executed in a process with UID X.
Independently of the UID of the subject that executed the program.
Used to allow normal users to execute privileged tasks encapsulated in administration programs.
Change the user’s password (
passwd)Change to super-user mode (
su,sudo)Mount devices (
mount)
Effective UID / Real UID
Real UID is the UID of the process creator.
App launcher.
Effective UID is the UID of the process.
The one that matters for defining the rights of the process.
UID change
Ordinary application.
eUID = rUID = UID of process that executed exec
eUID cannot be changed (unless = 0)
Set-UID application.
eUID = UID of executed application file, rUID = initial process UID
eUID can revert to rUID
rUID cannot change.
Set-UID/Set-GID decision flowchart
exec ( path, …)
Does the file referred by the path have Set-UID?
Yes.
ID = path owner.
Change the process effective UID to ID.
No.
Do nothing.
Does the file referred by path have Set-GID?
Yes
ID = path GID.
Change the process from GID to ID only.
No.
Do nothing.
sudo mechanism
Administration by root is not advised.
One “identity”, many people.
Who did what?
Preferable approach.
Administration role (uid = 0), many users assume it.
Sudoers.
Defined by a configuration file used by sudo.
sudo is a Set-UID application with UID = 0.
Logging can take place on each command run with sudo.
Last updated