Trouble understanding setuid/setgid

Question

I've been trying to wrap my head around how setuid/setgid work... I came up with this contrived example:

Users:

• userA belongs to group A
• userB belongs to group B

File a.txt is owned by userA with permissions rw-rw---- (660). I thought if userA created this file, test.sh:

#!/bin/sh
cat a.txt

and ran either chmod g+s test.sh or chmod u+s test.sh that upon execution by userB, it would cat a.txt. Instead, I get Permission Denied . Just to be clear, the file permissions for test.sh end up looking like this: rwsr-xr-x or rwxr-sr-x . I thought the whole point of setuid/setgid was that when other users executed the file, they would assume the user id or group id of the file (test.sh in this case). Am I doing something wrong, or is my understanding off?

I've been running my test on RedHat in case that matters. I've also tried playing with umask , attempting to run the setuid/setgid after running umask 0002 . Didn't help...

Answer 1

WARNING: Setuid and setgid shell scripts are a security hole. There are lots of ways for someone to cause a setuid/setgid to do things that you (the author) didn't intend.

A common trick is to monkey with the environment variables. For example, someone could do this:

ln -s cat /bin/rm
export PATH=.:${PATH}

then use your setuid script to delete the a.txt file.

---

Fortunately, the setuid and setgid bits are ignored for shell scripts on many modern Linux systems; see https://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts . Some of the answers give workarounds ...