This document contains the process for recreating SETUID and SETGID permission bits.
The information in this document applies to AIX Version 3 and 4.
************************************************************
SECURITY RISK WARNING: Current UNIX(r) security manuals warn SUID/SGID shell scripts are a major security risk and are to be avoided. This document reintroduces a POTENTIAL SECURITY RISK to your system!
************************************************************
A fix for a potential security risk dealing with the use of the SETUID and SETGID permission bits on shell scripts was included in AIX 3.1.7 (which corresponds to update level 2007). Prior to 3.1.7, when a shell script was executed whose permissions included the SETUID bit (set user-id), the shell script ran with the permissions of the shell script's owner. Similarly, if the SETGID bit (set group-id) was set, the shell script ran with the permissions of the shell script's group. Beginning with AIX 3.1.7, the SETUID and SETGID permission bits are no longer supported for shell scripts. This change does NOT affect compiled programs.
Here is an example.
#!/bin/ksh
id
chown root shell.sh
chmod 4755 shell.sh
Prior to AIX 3.1.7, if an ordinary user named 'joeuser' ran shell.sh, the output would be:
uid=200(joeuser) gid=200(staff) euid=0(root)
The 'euid=0(root)' indicates that the user was 'effectively' root while the shell script executed.
For AIX 3.1.7 and later, the output is:
uid=200(joeuser) gid=200(staff)
The SETUID bit no longer has any meaning for shell scripts.
If your application requires the previous SETUID behavior, you can call the shell script from a small compiled program that has the SETUID bit set in its permissions.
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    execvp("/path/shell.sh", argv); /* execute the shell script */
    exit(1);                        /* reached only if execvp failed */
}
cc -o execsh execsh.c
chown root execsh
chmod 4755 execsh
The SETUID behavior has not changed for compiled programs, so execsh will 'effectively' become root when it is executed, and will pass these credentials to shell.sh.
To have a non-root user execute a program with root permissions, use the following:
Put the following text in the file you just created (umksysb.c).
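#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setuid(0); /* make the real uid root too; the SUID bit already set euid 0 */
    setgid(0); /* set the group id to 0 */
    system("/bin/mksysb -i /dev/rmt0");
    return 0;
}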
cc umksysb.c -o umksysb
chmod 4755 umksysb
ACLs (access control lists) can be used to specify particular users that can access these files. This can be used with other commands as well.
Another example of a non-root user executing a program with root permissions is shown in the following steps.
myshutdown.c
Put the following text in the file myshutdown.c:
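#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setuid(0); /* make the real uid root too; the SUID bit already set euid 0 */
    setgid(0); /* set the group id to 0 */
    system("/usr/sbin/shutdown -Fr");
    return 0;
}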
cc myshutdown.c -o myshutdown
chmod 4755 myshutdown
NOTE: Making a program suid root only assigns uid 0 to the program. Additional code may be required to acquire root's environment using the setpcred and setpenv subroutines.
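A hardened variant of the SUID wrappers above, as an added example (not part of the original document and not IBM's code): it checks the return values of setgid and setuid, refuses a script that is not root-owned or is group- or world-writable, and runs it directly with a fixed argument list and environment. The target_is_safe helper, the PATH value, and the assumption that the script's parent directories are writable only by root are this example's own.

```c
/* Added example: hardened variant of the SUID wrappers shown above. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define SCRIPT "/path/shell.sh"   /* placeholder path, as in the document */

/* Fixed environment for the child: the caller's PATH, ENV, LIBPATH and so on
 * are not passed through. The PATH value is an assumption. */
static char *const clean_env[] = { "PATH=/usr/bin:/usr/sbin", NULL };

/* Return 1 only if path is a regular file (not a symlink), owned by `owner`,
 * and not writable by group or others. Return 0 otherwise. */
int target_is_safe(const char *path, uid_t owner)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return 0;                       /* missing or unreadable */
    if (!S_ISREG(st.st_mode))
        return 0;                       /* symlink, directory, device ... */
    if (st.st_uid != owner)
        return 0;                       /* a non-root owner could rewrite it */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                       /* group- or world-writable */
    return 1;
}

int main(void)
{
    char *const args[] = { "shell.sh", NULL };  /* caller's argv is dropped */

    if (!target_is_safe(SCRIPT, 0)) {
        fprintf(stderr, "refusing to run %s: bad owner or mode\n", SCRIPT);
        return 1;
    }
    /* Group before user, and stop if either call fails. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    execve(SCRIPT, args, clean_env);    /* direct exec, no sh -c as with system() */
    perror("execve");
    return 1;
}
```

The check and the execve are separate steps, so the ownership test only holds if no non-root user can rename or replace the script in its directory.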