Linux Permissions & SUID/SGID/Sticky Bit
Last updated
Last updated
3 sets of permissions exist. Read/Write/Execute and the owner of the file in Linux can modify these permissions as well as the root user. No other user can do it. We can change the permissions using "chmod"
eg: chmod 777 super.txt
This command will give read/write/execute to super.txt
r (read) has a value of 4
w (write) has a value of 2
x (execute) has a value of 1
chmod UserGroupOthers file
User - Permissions given/existing on current user
Group - Permissions given to the group current user is in
Others - Permissions to third party users
Each permission has a numeric value assigned to it. Therefore, 7 means 4+2+1 => read+write+execute. Simple. That means 777 would mean RWX to user, group and others. So, any user, any user in the current group and any user outside the group can read or write or execute the file.
By default files have rw-r_-r_ permissions, i.e., 644. SSH keys have 600 permissions.
ls -la
Also,
chmod WhoWhatWhich file
Who - represents identities: u,g,o,a (user, group, other, all) What - represents actions: +, -, = (add, remove, set exact) Which - represents access levels: r, w, x (read, write, execute)
chmod ug+rw super.bash
This command means that User and Group are to be added (given) with RW (read/write) permissions for the file super.bash
Commonly noted as SUID, the special permission for the user access level has a single function: A file with SUID always executes as the user who owns the file, regardless of the user passing the command. If the file owner doesn't have execute permissions, then use an uppercase S here.
eg: let's say a file /usr/bin/vim.basic is owned by root.
Now, I'll try to edit sudoers file using newuser's account and see what happens
su newuser
/usr/bin/vim.basic /etc/sudoers
However, let's say if there was an SUID bit set on this file, I expect that the script will be run as root no matter which user is executing it, right? SUID bit on the script has now been set by root user
chmod u+s /usr/bin/vim.basic
su newuser
/usr/bin/vim.basic /etc/sudoers
As you can see newuser has now successfully opened and edited vim.basic file and added one entry in it that will allow newuser to run all commands as root.
newuser ALL=(root) NOPASSWD: ALL
And just like this, when we will run sudo bash it will give us a root prompt!
Commonly noted as SGID, this special permission has a couple of functions:
If set on a file, it allows the file to be executed as the group that owns the file (similar to SUID)
If set on a directory, any files created in the directory will have their group ownership set to that of the directory owner
This permission set is noted by a lowercase s where the x would normally indicate execute privileges for the group. It is also especially useful for directories that are often used in collaborative efforts between members of a group. Any member of the group can access any new file. This applies to the execution of files, as well. SGID is very powerful when utilized properly.
chmod g+s my_articles
The last special permission has been dubbed the "sticky bit." This permission does not affect individual files. However, at the directory level, it restricts file deletion. Only the owner (and root) of a file can remove the file within that directory. A common example of this is the /tmp
directory:
chmod o+t <path>
chmod X### file | directory
This is:
chmod <notation><permissions> /<path>
X (notation) can be:
Start at 0
SUID = 4
SGID = 2
Sticky = 1
Thus, setting SUID bit on a file and giving it 777 permission would look like:
chmod 4777 /home/kali/super.sh
To find SUID binaries in a system:
find / -perm -u=s -type f 2>/dev/null
Explanation of the command:
1) 2> => part means “redirect file channel number 2” - which maps to stderr, standard error file channel, which is where programs often write their errors to
2) /dev/null =>is a special character device that just allows writing anything to it ; when reading it, it does not return anything
So 2>/dev/null tells your shell to redirect standard error from your running program to /dev/null, effectively ignoring it.
3) find=> The find command in UNIX is a command line utility for walking a file hierarchy. Syntax:
find [where to start searching from] [expression determines what to find] [-options] [what to find]
4) perm => Specifies which permissions to sought for. Here, -u=s means user part has "s" or SUID bit set
5) type => Types to sought for. F means files. Others are:
Now that we have found SUID bit on /bin/nmap lets see how we can exploit it on the next page.