Privilege elevation in processes

  • When the setuid permission bit is set on a file, the program runs with the permissions of the file's owner rather than those of the user who runs it, e.g. /usr/bin/passwd runs with root permissions irrespective of the user that ran it.

This is a security threat, as some users may find a way to retain those permissions even after the program has finished.


  • Process IDs in Linux:

    1. Real UID: ID of the user that started the program
    2. Effective UID: ID that determines the effective access rights of the program
    3. Saved UID: used to swap IDs when gaining and losing privileges
  • Changing IDs:

    1. To acquire privilege, assign the privileged UID to the effective ID
    2. To drop privilege temporarily, remove the privileged UID from the effective ID and store it in the saved ID; it can be restored later from the saved ID
    3. To drop privilege permanently, remove the privileged UID from both the effective and the saved ID
  • A process can change its uid only if it is privileged to do so:

    • the process has the special SETUID capability
    • setuid(getuid()) will fail if euid is not in {0, ruid, suid}
  • A process with the capability cap_setuid+ep can elevate its privileges to root level by changing its effective uid.

  • A program owned by root with the setuid permission bit on will run as root irrespective of the user that calls it.

  • setuid(uid)/setgid(gid)

    • sets the euid of the caller
    • if the euid of the caller is root or the program is set-user-id-root, then the ruid and saved-set-user-id are also set
    • Thus a privileged program that drops privileges for a task and regains them afterwards should not use setuid while dropping privileges, because all of the IDs will be set to the euid and there will be no way to gain the privileges back. It should use seteuid instead.
    • An unprivileged program can only set its euid to its euid, ruid or saved ID
  • seteuid(euid)/setegid(egid)

    • sets the euid of the caller.
    • unprivileged programs can only set it to the euid, ruid or saved-set-user-id
  • setfsuid(fsuid)/setfsgid(fsgid):

    • Changes the value of the caller's filesystem ID. The kernel uses the filesystem ID to determine access to files on the file system; it overshadows the euid.

    • Whenever the euid is changed, the fsuid is changed as well

    • The fsuid (setfsuid()/setfsgid()) can be changed to any value if the caller is the superuser; otherwise it can only be set to the euid, ruid, or saved uid.

  • setreuid(ruid, euid)/setregid(rgid, egid)

    • changes the euid and ruid of the process.
    • a value of -1 leaves that ID unchanged
    • unprivileged users may only set the ruid to either the previous ruid or the euid
    • if the ruid is set, or the euid is set to a value not equal to the previous ruid, the new saved-set-user-id is set to the new euid.
  • Capabilities

    • Capabilities are the root privileges broken down so that they can be assigned to individual processes in parts rather than giving them full access.
    • some examples are:
      • CAP_SETUID: capability to change the uid
      • CAP_SYSLOG: capability to configure Linux syslog print behaviour.
    • All capabilities are defined in /usr/include/linux/capability.h
  • Credentials:

    • Credentials are basically a process's IDs
    • Each process has a unique non-negative identifier (PID)
    • PIDs are used in a range of system calls to identify the process affected by the call
    • A process also has
      • Process Group ID
      • Process Session ID
      • Effective User ID (EUID)
      • Effective Group ID (EGID)
      • Real User ID (RUID)
      • Real Group ID (RGID)
      • Saved User ID
      • Saved Group ID
      • Filesystem UID (FSUID)
      • Filesystem GID (FSGID), etc.
  • A process can get root privileges:

    • If the owner of an executable is root and the SETUID permission bit is set, then the process will run as root irrespective of the calling user.
    • If the executable has the capability CAP_SETUID, it can elevate its privileges to root level.
    • If a privileged process sets the UID of the process concerned to 0
  • Attacks can be mounted to:

    • Compromise a root process so that it sets the EUID of a rogue process to 0
    • Compromise a root process such that it makes root the owner of a rogue process and sets the SETUID permission bit
    • Compromise a process with the capabilities CAP_SETPCAP and CAP_SETUID to gain CAP_SETUID in a rogue process
    • Compromise a root process to gain the CAP_SETUID capability in a rogue process.
    • A rogue process can call a root process like passwd and retain the root privileges.
  • Example of Attacks

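The drop/regain rules from the setuid and seteuid bullets above, as an added example that is not from these notes: a set-user-id-root program drops privilege temporarily with seteuid(), regains it from the saved uid, then drops permanently with setresuid() and verifies the result with getresuid(). The function names are mine and it assumes a Linux/glibc build; run as a normal user it exercises the same calls on the caller's own uid.

```c
#define _GNU_SOURCE          /* getresuid()/setresuid() in glibc */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if real, effective and saved uid all equal 'uid' (nothing
 * privileged is left to swap back from), 0 if not, -1 on error. */
int privileges_permanently_dropped(uid_t uid) {
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0) return -1;
    return (ruid == uid && euid == uid && suid == uid) ? 1 : 0;
}

/* Temporary drop: only the effective uid moves to 'unprivileged'; the saved
 * set-user-id still holds the privileged uid.  seteuid() is used on purpose:
 * setuid() in a euid-0 process would also overwrite the real and saved ids
 * and make the drop permanent.  Always verify, never trust the return alone. */
int drop_privileges_temporarily(uid_t unprivileged) {
    if (seteuid(unprivileged) != 0) return -1;
    return geteuid() == unprivileged ? 0 : -1;
}

/* Regain: an unprivileged seteuid() may target the saved set-user-id, which
 * is exactly what makes the temporary drop reversible. */
int regain_privileges(void) {
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0) return -1;
    if (seteuid(suid) != 0) return -1;
    return geteuid() == suid ? 0 : -1;
}

/* Permanent drop: real, effective and saved uid all become 'unprivileged'.
 * Afterwards an attempt to get euid 0 back must fail; if it succeeds the
 * drop did not take and the program should refuse to continue. */
int drop_privileges_permanently(uid_t unprivileged) {
    if (setresuid(unprivileged, unprivileged, unprivileged) != 0) return -1;
    if (unprivileged != 0 && seteuid(0) == 0) return -1;   /* still root! */
    return privileges_permanently_dropped(unprivileged) == 1 ? 0 : -1;
}

int main(void) {
    uid_t caller = getuid();       /* real uid: whoever ran the binary */
    if (drop_privileges_temporarily(caller) != 0) return 1;  /* untrusted work */
    if (regain_privileges() != 0) return 1;                  /* privileged work */
    if (drop_privileges_permanently(caller) != 0) return 1;
    printf("ruid=%u euid=%u dropped=%d\n", (unsigned)getuid(),
           (unsigned)geteuid(), privileges_permanently_dropped(caller));
    return 0;
}
```

Installed set-user-id-root and run by a normal user, the program prints that user's uid for both IDs at the end; installed without the setuid bit it still succeeds, because every call targets an ID the caller already holds.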