2

Assume you are user x, so running id gives

uid=1001(x) gid=1001(x) groups=1001(x)

And there is also a user y with

uid=1002(y) gid=1002(y) groups=1002(y)

Now as root we create a file readme in user's x home directory like this:

# cd /home/x
# touch readme
# echo "hello" > readme
# chown root:y readme
# chmod 640 readme

And we make a copy of less

# cd /home/x
# cp /usr/bin/less .
# chown y:x less
# chmod 6110 less

I would expect user x to be able to read readme by running ./less readme because of the setuid and setgid, but I get a "permission denied" error. Why?

This is my logic, but probably something is wrong.

chmod 6110 gives only execution rights to the owner (y) and members of the group (x). Since user x belongs to group x, he can execute less. Then the setuid makes the effective UID to be the same as y, and the setgid makes the effective GID the same as the group of the owner, again y. And since readme's group is y, less should have read permission.

Iyán
  • 68
  • 5

1 Answers1

2

The error lies here:

the setgid makes the effective GID the same as the group of the owner, again y.

The setgid bit causes the effective gid to be that of the owner group of the binary, which is x here (chmod y:x less).

less ends up running with an effective uid corresponding to y’s, and an effective gid corresponding to x’s. Since readme is owned by root:y, it can’t be read.

Stephen Kitt
  • 411,918
  • 54
  • 1,065
  • 1,164