Linux Permissions & SUID/SGID/Sticky Bit

Linux Permissions

3 sets of permissions exist. Read/Write/Execute and the owner of the file in Linux can modify these permissions as well as the root user. No other user can do it. We can change the permissions using "chmod"

eg: chmod 777 super.txt

This command will give read/write/execute to super.txt

• r (read) has a value of 4

• w (write) has a value of 2

• x (execute) has a value of 1

chmod UserGroupOthers file User - Permissions given/existing on current user Group - Permissions given to the group current user is in Others - Permissions to third party users

Each permission has a numeric value assigned to it. Therefore, 7 means 4+2+1 => read+write+execute. Simple. That means 777 would mean RWX to user, group and others. So, any user, any user in the current group and any user outside the group can read or write or execute the file.

By default files have rw-r_-r_ permissions, i.e., 644. SSH keys have 600 permissions.

ls -la

Also,

chmod WhoWhatWhich file

Who - represents identities: u,g,o,a (user, group, other, all) What - represents actions: +, -, = (add, remove, set exact) Which - represents access levels: r, w, x (read, write, execute)

chmod ug+rw super.bash This command means that User and Group are to be added (given) with RW (read/write) permissions for the file super.bash

SUID (notation: s)

Refer: https://www.redhat.com/sysadmin/suid-sgid-sticky-bit#:~:text=Commonly%20noted%20as%20SUID%2C%20the,use%20an%20uppercase%20S%20here.

Commonly noted as SUID, the special permission for the user access level has a single function: A file with SUID always executes as the user who owns the file, regardless of the user passing the command. If the file owner doesn't have execute permissions, then use an uppercase S here.

eg: let's say a file /usr/bin/vim.basic is owned by root.

Now, I'll try to edit sudoers file using newuser's account and see what happens su newuser /usr/bin/vim.basic /etc/sudoers

However, let's say if there was an SUID bit set on this file, I expect that the script will be run as root no matter which user is executing it, right? SUID bit on the script has now been set by root user

chmod u+s /usr/bin/vim.basic su newuser /usr/bin/vim.basic /etc/sudoers

As you can see newuser has now successfully opened and edited vim.basic file and added one entry in it that will allow newuser to run all commands as root.

newuser ALL=(root) NOPASSWD: ALL

And just like this, when we will run sudo bash it will give us a root prompt!

SGID (notation: s)

Commonly noted as SGID, this special permission has a couple of functions:

• If set on a file, it allows the file to be executed as the group that owns the file (similar to SUID)

• If set on a directory, any files created in the directory will have their group ownership set to that of the directory owner

• This permission set is noted by a lowercase s where the x would normally indicate execute privileges for the group. It is also especially useful for directories that are often used in collaborative efforts between members of a group. Any member of the group can access any new file. This applies to the execution of files, as well. SGID is very powerful when utilized properly.

• chmod g+s my_articles

drwxrws---. 2 tcarrigan tcarrigan  69 Apr  7 11:31 my_articles

Sticky Bit (notation: t)

The last special permission has been dubbed the "sticky bit." This permission does not affect individual files. However, at the directory level, it restricts file deletion. Only the owner (and root) of a file can remove the file within that directory. A common example of this is the /tmp directory:

chmod o+t <path>

Setting permissions

chmod X### file | directory

This is: chmod <notation><permissions> /<path>

X (notation) can be:

• Start at 0

• SUID = 4

• SGID = 2

• Sticky = 1

Thus, setting SUID bit on a file and giving it 777 permission would look like:

chmod 4777 /home/kali/super.sh

FIND THEM!

To find SUID binaries in a system: find / -perm -u=s -type f 2>/dev/null

Explanation of the command: 1) 2> => part means “redirect file channel number 2” - which maps to stderr, standard error file channel, which is where programs often write their errors to 2) /dev/null =>is a special character device that just allows writing anything to it ; when reading it, it does not return anything So 2>/dev/null tells your shell to redirect standard error from your running program to /dev/null, effectively ignoring it. 3) find=> The find command in UNIX is a command line utility for walking a file hierarchy. Syntax: find [where to start searching from] [expression determines what to find] [-options] [what to find] 4) perm => Specifies which permissions to sought for. Here, -u=s means user part has "s" or SUID bit set 5) type => Types to sought for. F means files. Others are:

-type c
       File is of type c:

       b      block (buffered) special

       c      character (unbuffered) special

       d      directory

       p      named pipe (FIFO)

       f      regular file

       l      symbolic link; this is never true if the -L option or the  -follow  option  is  in  effect,
              unless the symbolic link is broken.  If you want to search for symbolic links when -L is in
              effect, use -xtype.

       s      socket

       D      door (Solaris)

Now that we have found SUID bit on /bin/nmap lets see how we can exploit it on the next page.