Linux: setuid programs without read permission

4

I have noticed that in ArchLinux*, certain setuid programs come with rather unusual permissions:

-r-sr-xr-x  root  root  /bin/su*
---s--x--x  root  root  /usr/bin/sudo*

The question is, why is the sudo binary set to be only readable to root? What's the point of that? Why can't it be like su?

Edit: After reinstalling sudo, it doesn't have read/write either.

(* I could've sworn I have seen the same in Debian. Apparently not.)

user1686

Posted 2009-11-07T12:13:10.753

Reputation: 283 655

Answers

4

The first question that sprang to my mind is: why does sudo have write permission for root?

Broadly, suid programs are pretty dangerous and you should grant them as few privileges as possible. You can't get much more restrictive than only execute permission!

If you can read a file, you can disassemble it. And if you can disassemble it you can look for security flaws and make it that little bit easier to discover attack vectors.

sudo is a little more vulnerable to attack than su as you don't always need to supply a password to have privileged access to some resources (depending on how it's set up). This may warrant tighter security.

Stephen Darlington

Posted 2009-11-07T12:13:10.753

Reputation: 488

And if you can compile it on your own? Won't that make it even easier? – user1686 – 2009-11-09T14:17:45.697

It's just an extra hurdle that a would-be attacker would have to jump. It's not enough on its own, but as an extra layer of protection it might be worth it. – Stephen Darlington – 2009-11-09T15:05:30.813

0

On my machine, Ubuntu 9.04, there is no difference in the permissions.

-rwsr-xr-x 2 root root /usr/bin/sudo
-rwsr-xr-x 1 root root /bin/su

On your machine, it might have been made not readable in an attempt to keep people from using it? Might it have gotten edited somehow? There is no reason for the permissions on the 2 files to be different. On Ubuntu, the root account is locked - you can't log in as root anyways (unless you take actions to enable it obviously).

Maybe there are OS differences here. What OS are you using in your example?

DaveParillo

Posted 2009-11-07T12:13:10.753

Reputation: 13 402

Checked it again, and it seems to only happen in Arch Linux. (In fact, after reinstalling the sudo package, its binary only has execute and setuid permissions (0411), no read at all.) – user1686 – 2009-11-09T13:05:39.070

The Makefile from original source package from http://sudo.ws/ does install sudo as 4111 too. – user1686 – 2009-11-09T13:11:23.560

The sudo FAQ says the permissions on sudo (should be) "something like chmod 4111 /usr/local/bin/sudo". I'm having trouble finding the equivalent information for su. Is it possible that the difference is merely historic as the two binaries have two different groups of developers? – DaveParillo – 2009-11-09T17:03:58.597

0

I question your premise. Why should sudo be like su?

su only grants privs if you (a) already have them or (b) authenticate to get them.

sudo grants privs based on a rulebase; it can be told, for example, to grant root privs to 'joe' any time joe asks, with no password needed. "man sudoers" - it's quite powerful.

So sudo has the capability to do things su can't do.

One could stomp on the sudo executable in such a way as to make it always grant root to anyone who asked - ignoring the sudoers file and just using an internal "hardwiring" of sorts.

So it makes sense to protect it MORE than we need to protect su; it makes sense to make it very hard to read or write to the sudo executable itself.

pbr

Posted 2009-11-07T12:13:10.753

Reputation: 1 285

The question was about read permission, not write. – user1686 – 2009-11-11T18:00:27.820

Step one of creating a "stomp" is reading the executable so you can learn how it works, and where you can stomp. Thus I've amended my answer. – pbr – 2009-11-12T15:29:00.763
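
As an added example (not code from any poster in this thread or from the sudo project), this Python script decodes the `ls`-style permission strings quoted in the thread into octal, lists which classes have read permission, and scans a directory for setuid files so the same check can be run on an installed system. The function names `parse_symbolic`, `readers` and `audit` are illustrative.

```python
import os
import stat

SPECIAL = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)   # owner, group, other triad

def parse_symbolic(perm):
    """Convert an ls-style string such as '---s--x--x' to numeric mode bits."""
    if len(perm) != 10:
        raise ValueError("expected 10 characters: %r" % perm)
    mode = 0
    for i, ch in enumerate(perm[1:]):          # skip the file-type character
        triad, pos = divmod(i, 3)
        shift = 6 - 3 * triad                  # owner=6, group=3, other=0
        if ch == "-":
            continue
        if pos == 0 and ch == "r":
            mode |= 4 << shift
        elif pos == 1 and ch == "w":
            mode |= 2 << shift
        elif pos == 2 and ch in "xsStT":
            if ch in "xst":                    # lowercase: execute bit is set
                mode |= 1 << shift
            if ch != "x":                      # s/S/t/T: special bit for this triad
                mode |= SPECIAL[triad]
        else:
            raise ValueError("bad character %r in %r" % (ch, perm))
    return mode

def readers(mode):
    """Classes whose mode bits allow reading the file (root bypasses these bits)."""
    names = (("owner", stat.S_IRUSR), ("group", stat.S_IRGRP), ("other", stat.S_IROTH))
    return [name for name, bit in names if mode & bit]

def audit(directory):
    """List (path, octal mode, readers) for each setuid regular file in a directory."""
    found = []
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
            perms = stat.S_IMODE(st.st_mode)
            found.append((entry.path, "%04o" % perms, readers(perms)))
    return sorted(found)

if __name__ == "__main__":
    # Permission strings quoted in the thread above.
    for perm in ("-r-sr-xr-x", "---s--x--x", "-rwsr-xr-x"):
        mode = parse_symbolic(perm)
        print(perm, "%04o" % mode, "readable by:", readers(mode) or "nobody")
    for d in ("/bin", "/usr/bin"):
        if os.path.isdir(d):
            for row in audit(d):
                print(*row)
```
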