How does the 'passwd' command gain root user permissions?

linux security permissions root
12,488

Solution 1

The passwd program has the setuid bit set, which you can see with ls -l:

-rwsr-xr-x 1 root root 39104 2009-12-06 05:35 /usr/bin/passwd

It's the s (the fourth character of the line).

All programs that have this permission bit set run as the owner of that program. In this example, the user is root (third word of the line).

These setuid programs need to make sure that they don't damage anything, since every user of the system can run them with effective root privileges. That's why you can only change your own password. Linux and other similar operating systems are still secure because the authors of these setuid programs take a lot of care.

See for example suexec.c from the Apache Web Server, which is a popular setuid program. There are unusually many comments in that source code.

Solution 2

As an addendum to Roland Illig's answer, it's entirely possible to write a program that, when given root permissions, corrupts system files and/or compromises your system in various ways.

The problem is that just writing it doesn't mean it automatically gets to run as root -- it needs to have its owner set to root, and then the setuid bit that Roland refers to has to be set -- and only root has the right to do that.

In short: Yes, every binary with the setuid bit set is at least potentially a security risk. Exploiting a flaw in a setuid-enabled binary to gain root privileges is the most common source of so-called Privilege Escalation attacks and they tend to be a big deal when they happen. Because of this, there are relatively few pieces of software that use setuid and the ones that exist tend to be under high scrutiny.

Share:
12,488

Related videos on Youtube

Shadur
Author by

Shadur

Just a guy with some linux experience.

Updated on September 18, 2022

Comments

  • Shadur
    Shadur over 1 year

    How does Linux know that it has to give euid 0 (uid of root) to only certain process like passwd, setuid, etc.

    If a process can gain root permissions, will it not lead to potential security breaches in the Linux platform?

    For example, if I write a program that can can gain root user permissions like passwd, I may corrupt important system files like /etc/passwd, /etc/groups.

    How does Linux manage to still be secure?

    • Admin
      Admin over 10 years
      Flag this question and ask for moderator attention to migrate it to the other SE site.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How did this exploit allow write access to root owned files?
Get root access for copying files to /usr/share/...?
Command to create a file owned by another user
I cannot su - into my root account from a normal user
How to make a non-root user to use chown for any user group files?
How to grant access permission on network interface?
Permission denied as root
Root Can't Delete Folder It Owns
Linux Group Permissions not being enforced correctly.
Creating files and directories with a certain owner (user/group) while sudoing