# Privilege Escalation

## SUID

Every process has a **UID** (user ID) and **GID** (group ID). Some programs need root privilege to do something useful: for example, `/usr/bin/passwd` must write to `/etc/shadow`, a file that only root can modify.

This controlled, temporary form of **"privilege escalation"** (privesc) is implemented by the **SUID** (set-user-ID) bit:

![The SUID bit of /usr/bin/passwd](https://223316867-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWVtlSxURaW2QQu6RU5%2Fuploads%2FEYMK5gjOH6QySbhjxivA%2Fimage.png?alt=media\&token=31c9210a-8423-4393-8d97-e69d93741b28)

When a non-root user runs `/usr/bin/passwd`, the kernel starts the new process with its effective UID set to the file's owner, root, so the binary **"borrows"** root privilege. The privilege lives and dies with that process: when the binary exits, nothing stays elevated. In other words, SUID grants the binary a **"limited root privilege"** that only works within that process. Outside the scope of this binary, the user is still a non-root user. This is also why SUID matters to an attacker: any child process the binary spawns (a shell, an editor, an interpreter) inherits that effective UID of 0, so a SUID-root binary that can be coaxed into executing arbitrary commands is a direct path to root. The one common exception is bash, which resets its effective UID back to the real one unless started with `-p`.

## Three Special Permissions

Beyond the `rwx` permissions, Linux also has three special permission bits:

1. **SUID:** run the file with the **eUID** (effective UID) of the file's owner instead of the real UID of the user who launched it.
2. **SGID:** run the file with the **eGID** (effective GID) of the file's group instead of the caller's real GID. On a directory, SGID instead makes new files created inside inherit the directory's group.
3. **Sticky:** set on shared, world-writable directories (such as `/tmp`) to limit **file removal** to the file's owner (plus the directory's owner and root).
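The first check a practitioner makes for both sections above is to enumerate which files on the box actually carry these bits, and which of them are owned by root. The script below is an added example, not code from the original page: `list_setid_files`, `list_sticky_dirs`, `special_bits` and `demo` are hypothetical names, the file tree built in `demo` is constructed, and it assumes the GNU `find` and `stat` found on Linux.

```shell
#!/bin/sh
# Added example: enumerate the three special permission bits in a directory
# tree. Function names are hypothetical; assumes GNU find/stat (Linux).

# Regular files with SUID (4000) and/or SGID (2000) set. These are the
# privesc candidates: each runs with the file owner's or group's identity.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%A %U:%G %n' {} + 2>/dev/null
}

# Directories with the sticky bit (1000): shared writable directories where
# only a file's owner (or the directory owner, or root) may delete a file.
list_sticky_dirs() {
    find "$1" -xdev -type d -perm -1000 \
        -exec stat -c '%A %U:%G %n' {} + 2>/dev/null
}

# Decode the special bits of one path from its octal mode (e.g. "4755").
# Prints the bits that are set as a comma-separated list, or "none".
special_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    # GNU stat prints 3 digits when no special bit is set; pad to 4.
    case ${#mode} in 3) mode="0$mode" ;; esac
    high=${mode%???}          # leading digit: 4=SUID, 2=SGID, 1=sticky, summed
    out=""
    [ $((high & 4)) -ne 0 ] && out="${out}suid,"
    [ $((high & 2)) -ne 0 ] && out="${out}sgid,"
    [ $((high & 1)) -ne 0 ] && out="${out}sticky,"
    printf '%s\n' "${out:-none,}" | sed 's/,$//'
}

# Demo on a constructed tree. Setting SUID/SGID on a file you own needs no
# root, which is why this runs as any user.
demo() {
    t=$(mktemp -d)
    : > "$t/suid_bin";  chmod 4755 "$t/suid_bin"
    : > "$t/sgid_bin";  chmod 2755 "$t/sgid_bin"
    : > "$t/plain";     chmod 0755 "$t/plain"
    mkdir "$t/shared";  chmod 1777 "$t/shared"
    echo "== set-id files =="; list_setid_files "$t"
    echo "== sticky dirs ==";  list_sticky_dirs "$t"
    echo "== decoded ==";      special_bits "$t/suid_bin"; special_bits "$t/shared"
    rm -rf "$t"
}

demo
```

On a real host, run `list_setid_files /` and pay attention to the entries whose owner is `root`; those are the binaries to compare against a list of known-abusable SUID programs. `-xdev` stops at filesystem boundaries, so repeat the call once per mounted filesystem, and remember that a filesystem mounted `nosuid` keeps the bit on disk but ignores it at execution time.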

What is effective UID/GID? Read on.
