Privilege Escalation
Last updated
Every process has a UID (user ID) and GID (group ID). Sometimes a process needs root privileges to do something useful; for example, /usr/bin/passwd needs root privileges to modify the /etc/shadow file.
This "privilege escalation" (privesc) process is done by the SUID bit:
When a non-root user runs /usr/bin/passwd
, the binary "borrows" root privilege from the system. When all the work is done, the binary "returns" this root privilege back to the system. In other word, the SUID grants the binary a "limited root privilege" that only works within the process. Outside the scope of this binary, the user is still a non-root user.
Beyond the rwx permissions, Linux also has three special permission bits:
SUID: execute with the eUID (effective UID) of the file owner rather than that of the parent process.
SGID: execute with the eGID (effective GID) of the file's owning group rather than that of the parent process.
Sticky: used on shared directories to limit file removal to the files' owners.
What is effective UID/GID? Read on.
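As an added illustration (not part of the original page), the Python below decodes the three special bits from a file's st_mode, renders the permission string the way ls -l does (including the capital S/T that ls prints when a special bit is set but the matching execute bit is missing, a misconfiguration worth noticing in an audit), and reports the real versus effective IDs of the running process so the "borrowed" UID described above can be observed directly. The numeric modes in the demo are constructed test values; the /usr/bin/passwd lookup is skipped if the file is absent.

```python
import os
import stat

# Special permission bits as defined in <sys/stat.h>.
SPECIAL_BITS = {
    "suid": stat.S_ISUID,    # 0o4000
    "sgid": stat.S_ISGID,    # 0o2000
    "sticky": stat.S_ISVTX,  # 0o1000
}


def special_bits(mode: int) -> dict:
    """Return which of the three special bits are set in an st_mode value."""
    return {name: bool(mode & bit) for name, bit in SPECIAL_BITS.items()}


def mode_string(mode: int) -> str:
    """Render the nine-character permission field of st_mode like `ls -l`.

    SUID/SGID replace the owner/group 'x' with 's', and the sticky bit
    replaces the others' 'x' with 't'. When the special bit is set but
    the corresponding execute bit is not, ls prints 'S' or 'T': the bit
    is present but cannot take effect, which usually means a mistake.
    """
    triplets = (
        (6, stat.S_ISUID, "s"),  # owner
        (3, stat.S_ISGID, "s"),  # group
        (0, stat.S_ISVTX, "t"),  # others
    )
    out = []
    for shift, special, special_char in triplets:
        r = "r" if mode & (4 << shift) else "-"
        w = "w" if mode & (2 << shift) else "-"
        x_set = bool(mode & (1 << shift))
        if mode & special:
            x = special_char if x_set else special_char.upper()
        else:
            x = "x" if x_set else "-"
        out.append(r + w + x)
    return "".join(out)


def inspect_path(path: str) -> dict:
    """Stat a path and summarise its owner and special bits."""
    st = os.stat(path)
    bits = special_bits(st.st_mode)
    return {
        "path": path,
        "mode": mode_string(st.st_mode),
        "owner_uid": st.st_uid,
        "group_gid": st.st_gid,
        **bits,
        # A SUID file owned by uid 0 is exactly the case the text describes:
        # whoever executes it runs with eUID 0 for the life of that process.
        "suid_root": bits["suid"] and st.st_uid == 0,
    }


def process_credentials() -> dict:
    """Real versus effective IDs of the calling process.

    For an ordinary process uid == euid. Inside a SUID binary the eUID is
    the file owner's while the real UID is still the caller's; that gap is
    the 'borrowed' privilege.
    """
    uid, euid = os.getuid(), os.geteuid()
    gid, egid = os.getgid(), os.getegid()
    return {
        "uid": uid, "euid": euid, "gid": gid, "egid": egid,
        "borrowed_uid": uid != euid,
        "borrowed_gid": gid != egid,
    }


if __name__ == "__main__":
    # Constructed modes: a correct SUID-root layout, a broken one, SGID, sticky.
    for m in (0o4755, 0o4655, 0o2755, 0o1777):
        print(oct(m), mode_string(m), special_bits(m))
    if os.path.exists("/usr/bin/passwd"):
        print(inspect_path("/usr/bin/passwd"))
    print(process_credentials())
```

Running it as a normal user prints borrowed_uid False; the "borrowed" eUID only exists inside a process that was started from a SUID file, which a Python script cannot be since the kernel ignores the bit on interpreted scripts.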