Privilege Escalation

SUID

Every process has a UID (user ID) and a GID (group ID). Sometimes a process needs root privilege to do something useful; for example, /usr/bin/passwd needs root privilege to modify the /etc/shadow file.

This form of "privilege escalation" (privesc) is done by the SUID bit:

When a non-root user runs /usr/bin/passwd, the binary "borrows" root privilege from the system: its effective UID becomes that of the file's owner, root. When all the work is done, the binary "returns" this root privilege to the system. In other words, the SUID bit grants the binary a "limited root privilege" that only works within that process. Outside the scope of this binary, the user is still a non-root user.
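The "borrow" and "return" steps are visible from inside a process as the difference between its real UID and its effective UID. The following program is an added example and is not part of the original page: it reports both IDs and then performs the "return" step by setting the effective UID back to the real one. Run unprivileged, both IDs are the same; only a binary that has been chowned to root and given the SUID bit (a hypothetical test setup, not something the page describes) would show a different effective UID.

```c
/* Added example, not from the original page: report the real and effective
 * UID a process runs with, and show the "return" step as a privilege drop.
 * Build with: cc -Wall -o idinfo idinfo.c
 * Run unprivileged, both IDs are identical; a root-owned, SUID copy would
 * report effective uid=0 while the real uid stays yours. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* 1 when the effective UID differs from the real UID, i.e. the process is
 * running with privilege borrowed through the SUID bit; 0 otherwise. */
int has_borrowed_privilege(void)
{
    return getuid() != geteuid();
}

/* Give the borrowed privilege back: set the effective UID to the real UID.
 * This is a temporary drop (the saved set-user-ID still holds the owner's
 * UID, so a setuid program could regain it later); a program that has
 * finished its privileged work should drop permanently with setresuid().
 * Returns 0 when the effective UID now equals the real UID, -1 otherwise. */
int return_privilege(void)
{
    if (seteuid(getuid()) != 0)
        return -1;
    return has_borrowed_privilege() ? -1 : 0;
}

int main(void)
{
    printf("real uid=%u  effective uid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    if (has_borrowed_privilege())
        printf("effective UID was borrowed via the SUID bit\n");
    else
        printf("no borrowed privilege: effective UID equals real UID\n");

    if (return_privilege() == 0)
        printf("after drop: real uid=%u  effective uid=%u\n",
               (unsigned)getuid(), (unsigned)geteuid());
    else
        perror("seteuid");
    return 0;
}
```

The distinction between a temporary drop (seteuid) and a permanent one (setresuid or setuid) is the part worth remembering when reviewing a setuid program: a binary that only lowers its effective UID can be talked back into the owner's privilege, so privileged work should be done first and the privilege dropped permanently before any untrusted input is handled.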

Three Special Permissions

Beyond the rwx permissions, Linux also has three special permission bits:

  1. SUID: execute with the eUID (effective UID) of the file owner rather than the parent process.
  2. SGID: execute with the eGID (effective GID) of the file owner rather than the parent process.
  3. Sticky: used for shared directories to limit file removal to file owners.

What is effective UID/GID? Read on.
