Explanation for newbies: setuid is a special permission bit that makes an executable run with the permissions of its owner rather than the user executing it. This is often used to let a user run a specific program as root without having sudo access.

If this sounds like a security nightmare, that’s because it is.

In linux, setuid is slowly being phased out by Capabilities. An example of this is the ping command which used to need setuid in order to create raw sockets, but now just needs the cap_net_raw capability. More info: https://unix.stackexchange.com/questions/382771/why-does-ping-need-setuid-permission. Nevertheless, many linux distros still ship with setuid executables, for example passwd from the shadow-utils package.

  • TootSweet@lemmy.worldEnglish
    23·
    2 days ago

    Last time I was tempted to use suid, it was in order to allow an application I’d written to listen on 80 and 443. Fortunately I found the capabilities way of doing that (setcap 'cap_net_bind_service=+ep' executable) and that was the first I ever heard of capabilities. I consider myself pretty Linux-savvy, but it was pretty recently that I learned about capabilities.

    • qqq@lemmy.world
      4·
      1 day ago

      Another potential option here is https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html

      ip_unprivileged_port_start - INTEGER

    This is a per-namespace sysctl. It defines the first unprivileged port in the network namespace. Privileged ports require root or CAP_NET_BIND_SERVICE in order to bind to them. To disable all privileged ports, set this to 0. They must not overlap with the ip_local_port_range.

    Default: 1024

      This is also per namespace so you could use it in combination with network namespaces if you really wanted to keep privileged ports.

  • Bappity@lemmy.worldEnglish
    14·
    2 days ago

    fork bomb still being possible out of the box in a couple of characters is funny to me

    • surewhynotlem@lemmy.world
      17·
      2 days ago

      That’s the thing about Linux. The developers generally assume you want to do the thing you’re doing. So they don’t stop you.

      • Shanmugha@lemmy.world
        1·
        13 hours ago

        And I am eternally grateful for that. Why, yes, if I am playing with something I don’t understand - what was the last time a fire gently asked anyone “Do you really want to get a burn?”