Painless Docker - 2nd Edition

A Comprehensive Guide to Mastering Docker and its Ecosystem

Docker Security Best Practices

setuid/setgid Binaries

In Linux, every file and program has permissions that determine which users can read, write, or execute them. Normally, when you run a program, it operates with your user permissions. However, there are times when a program needs to perform actions that require higher permissions than those of a regular user. This is where setuid (Set User ID) and setgid (Set Group ID) come into play.

In simple terms, setuid and setgid are special permission bits that let regular users run specific programs with elevated permissions for as long as the program runs. With setuid, the program runs with the privileges of the file's owner; with setgid, it runs with the privileges of the file's group.

Here's a common example using the passwd command, which typically has the setuid bit set:

ls -l /usr/bin/passwd

The output will be something like:

-rwsr-xr-x 1 root root 59976 Nov 24  2022 /usr/bin/passwd

Notice the "s" in the permissions part (-rwsr-xr-x). This "s" indicates that the setuid bit is set. The passwd command allows a user to change their password. The password file it modifies is usually owned by the root user and is not writable by regular users. Setting the setuid bit on the passwd executable allows the program to run with root privileges, enabling it to update the password file. The setgid
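The "s" flag shown in the ls -l output above can be inventoried across a whole filesystem, for example from a shell inside a container. The following is an added example, not code from the book; the function name audit_suid and its output format are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: inventory setuid/setgid files under a directory tree.
# Usage: audit_suid [DIR]    (DIR defaults to /, e.g. run inside a container)
# Prints one line per finding: "<kind> <mode> <owner>:<group> <path>"
audit_suid() {
    root="${1:-/}"
    # -xdev keeps find on one filesystem, so /proc, /sys and mounted
    # volumes are skipped. -perm -4000 matches the setuid bit and
    # -perm -2000 the setgid bit.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        ls -ld -- "$path" | {
            # ls -l fields: mode string, link count, owner, group, ...
            read -r mode links owner group rest
            kind=""
            # Character 4 of the mode string is the owner-execute slot:
            # "s" (or "S" when the execute bit is off) means setuid.
            case "$mode" in ???[sS]*) kind="setuid" ;; esac
            # Character 7 is the group-execute slot: "s"/"S" means setgid.
            case "$mode" in ??????[sS]*) kind="${kind:+$kind+}setgid" ;; esac
            printf '%s %s %s:%s %s\n' "$kind" "$mode" "$owner" "$group" "$path"
        }
    done
}
```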
