SetUID Programs: passwd, sudo, …

Problem: Change My Password

  • /etc/passwd: Unix user database

    /etc/passwd structure
    $ grep jfasch /etc/passwd
    jfasch:x:1000:1000:Joerg Faschingbauer:/home/jfasch:/bin/bash
    /etc/passwd permissions
    $ ls -l /etc/passwd
    -rw-r--r--. 1 root root 2691 Nov  2 10:01 /etc/passwd

    ⟶ not writeable

  • Column 1 - "x" - means “Encrypted password is in /etc/shadow” ⟶ no need to write /etc/passwd, alas

    /etc/shadow permissions
    $ ls -l /etc/shadow
    ----------. 1 root root 1317 Nov  2 10:01 /etc/shadow

    not even readable!

  • Problem: I cannot change my password

    Only root can do that

  • Solution: ask root to change my password

    Send the output of this command to root, and ask her to enter it into /etc/shadow:

    $ openssl passwd -6 -salt my-cool-salt
    Password: <... enter cleartext password ...>
  • Problem: imagine 100 users doing this per day ⟶ root burnout!

Solution: Set-UID Bit


First off: ugly hack with severe security implications

  • Turns out I (as jfasch) can change my password

    $ passwd
    Changing password for user jfasch.
    Current password:
    New password:
    Retype new password:

    ⟶ Done!

  • How come? ⟶ Set-UID

    $ which passwd
    [jfasch@fedora ~]
    $ ls -l /usr/bin/passwd
    -rwsr-xr-x. 1 root root 32712 Jan 30  2021 /usr/bin/passwd

    ⟶ “s”, a-ha

Set-UID: How Does It Work?

  • Another bit in the “mode” bitmask

  • When that bit (the set-UID bit) is set, the process’s effective user ID becomes that of the owner of the file program

    • In the case of /usr/bin/passwd, this would be root (UID: 0)

    • A program owned by jfasch would run with that user’s privileges, no matter who executed it

Command: chmod

$ chmod 4755 program

… or …

$ chmod u+s program

Set-UID Is Not A Toy!

See SetUID: Live Demo