Linux SUID (Set User ID) Explained — chmod 4755 and Security
Understand the setuid bit in Linux. How chmod 4755 allows programs like passwd to run with elevated privileges, and the security implications.
Detailed Explanation
What Is SUID (Set User ID)?
When the SUID bit is set on an executable file, the process runs with the file owner's user ID as its effective user ID, instead of that of the user who launched it. This allows normal users to perform actions that require elevated privileges.
How SUID Works
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 68208 ... /usr/bin/passwd
The s in the owner execute position indicates SUID. When any user runs passwd, it executes with root privileges because:
- The file is owned by root
- The SUID bit is set
- The user has execute permission
This is necessary because passwd needs to write to /etc/shadow, which is only writable by root.
Setting SUID
# Using symbolic notation
chmod u+s executable
# Using octal notation (prefix with 4)
chmod 4755 executable
# Verify
ls -l executable
# -rwsr-xr-x ...
SUID Display
- s (lowercase): SUID + owner execute permission
- S (uppercase): SUID WITHOUT owner execute permission (unusual, usually a mistake)
Common SUID Binaries
# Find all SUID binaries on the system
find / -perm -4000 -type f 2>/dev/null
# Common SUID programs:
# /usr/bin/passwd - Change password
# /usr/bin/sudo - Execute as another user
# /usr/bin/su - Switch user
# /usr/bin/ping - Send ICMP packets (needs raw sockets)
# /usr/bin/mount - Mount filesystems
Security Risks
SUID binaries are a prime target for privilege escalation attacks:
- Buffer overflows in SUID programs can give attackers root access
- Path manipulation can trick SUID programs into running malicious code
- SUID shell scripts are especially dangerous (race conditions)
Best Practices
- Never set SUID on shell scripts
- Regularly audit SUID binaries:
find / -perm -4000 -type f
- SUID is ignored on scripts with shebangs on most modern systems
- Use capabilities (setcap) instead of SUID when possible
Use Case
Understanding SUID is critical for security auditing, penetration testing, and system administration. SUID binaries are checked during every security audit and are a common vector for privilege escalation. Knowing which files should have SUID helps identify unauthorized modifications.
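The audit recommended under Best Practices and Use Case, as an added example (not code from the original page): a shell function that lists SUID files under a directory and flags any that are missing from a baseline list, show the uppercase S state, or begin with a shebang. The function name suid_audit, the output tags, the baseline file format (one path per line) and the paths in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page).
# suid_audit ROOT BASELINE
#   ROOT:     directory to scan
#   BASELINE: text file, one expected SUID path per line (assumed format)
# Prints "TAG<TAB>path" for each finding. Paths containing newlines are
# not handled.
suid_audit() {
    root=$1
    baseline=$2
    # Same test as the page's find command, limited to one filesystem.
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r f; do
        # SUID file that is not on the baseline list.
        grep -Fxq -- "$f" "$baseline" ||
            printf 'UNEXPECTED\t%s\n' "$f"
        # Uppercase S in ls -l: SUID set, owner execute missing.
        case $(ls -ld -- "$f") in
            ???S*) printf 'NO_OWNER_EXEC\t%s\n' "$f" ;;
        esac
        # First two bytes are "#!": SUID set on a script.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null | tr -d '\000')
        if [ "$magic" = '#!' ]; then
            printf 'SCRIPT\t%s\n' "$f"
        fi
    done
}

# Run as: sh suid_audit.sh / /root/suid.baseline   (both paths hypothetical)
if [ "$#" -eq 2 ]; then
    suid_audit "$1" "$2"
fi
```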