User Tools

Site Tools


Local Security -- SetUID

Date: Wed Oct 24 2018

SetUID is generally used to allow normal users to run programs as if they were administrators but without them having to become administrators.

The book highlights how the ping command is often SetUID root. Let's examine whether it's so on our virtual machines:

$ which ping
$ ls -l /usr/bin/ping
-rwxr-xr-x. 1 root root 63224 Feb  7  2018 ping
$ stat /usr/bin/ping

Compare that to:

$ which mount
$ ls -l /usr/bin/mount
-rwsr-xr-x. 1 root root 50152 Jul 16 07:56 /usr/bin/mount
$ stat /usr/bin/mount

For the stat command, we can see that the octal mode for the ownership of the file. For:

  • /usr/bin/ping: 0755
  • /usr/bin/mount: 4755


  • Use the find command to locate any files that have SetUID set to 4000.
  • Note the owners of those files.
  • Note the locations of those files.
  • What's different about files with SetUID on and files with SetGID on?
$ sudo find / -perm -4000 -ls
$ sudo find / -perm -4000 | xargs stat -c '%A %a %n'

Question: why is /usr/bin/ping highlighted when using ls -l?

Use getcap to see file capabilities. Read about capabilites in its manpage.

$ man getcap
$ getcap /usr/bin/ping
/usr/bin/ping = cap_net_admin,cap_net_raw+p
$ man 7 capabilities
linux/setuid.txt · Last modified: 2019/01/21 11:22 by seanburns