This is the second video of the 6 courses about the SETUID and SETGID bit [INAUDIBLE]. A user can set the SETUID bit on an executable file or a script using the chmod command. If this bit is set, the executable file will not be executed as the user who launches it; it will be executed as the user who owns it. A very good example is the passwd command on Linux. This command needs to be able to change the user list and modify some very important files, so it cannot be run as the user who wants to change his password. So the SETUID bit is set on this command, and each time a user starts this command, the command runs as root and has the possibility to change the user list and the password list.
Let's do some experiments on Linux. We are in the /usr/bin folder. I know that this folder contains the passwd command on this Linux box, so I can use the ls command to get some information about this executable. Here we see that passwd is shown in a very special color, with a red background. If we look here, we see that it's not an x, it's an s, to indicate that the SETUID bit is set on this file, and this is why the name is shown in red too. If I execute this command, it will ask me to enter my current password and I will be able to change the password. But I can now use a command to look at the processes that are running on my computer right now. The command is ps; I use some options to be able to display all the processes of all the users on the system. I execute that as well, because as a normal user I will not be able to see the processes that are not mine. We see that, yes, passwd is running, but passwd is not running as the user. My user is teeny SGDP; it is running as root. The other line is just my grep that gets printed here, running as HTTP. So we saw that the program is running as root, even if the user that started it is teen HTTP.
I will try to stop passwd; I don't want to change my password. So I try with Control-C, which would normally work. But because the passwd program is now running as root, a simple user [INAUDIBLE] HTTP cannot send a signal to it. Control-C sends a signal to the program, but I cannot do that. I will just enter a bad password, and this way I will be able to get out of this.
Linux also has another bit, very similar to the SETUID bit, called the SETGID bit, for set group ID. In the same way, it can be set using the chmod command. When this bit is set and the executable is launched, it will run as the user who launched it, but the primary group of this user for the time of the run will be the group of the owner of the file. And even if the user is not a member of this group, they will have, for the execution of this program, the same rights as any member of this group. This is a very useful feature in many situations. Imagine a system on a computer that needs to manage data files or some database, and we don't want all the users of the system to have full access to these data files, in order to protect them against corruption or bad use. We can use the SETUID bit: this way the application that needs, not to talk to, but to access and modify those data files will gain the right to do it by being a member of this group. So the user will be able to use this command, and this command will be responsible for validating the information the user provided. If it finds that the request is valid, it will be able to change or access the data file, because it will have the permission of the group for the time of the execution.
When programmers create a program that will run with superpowers, they need to do it very carefully and think about many things. The program must ensure that the user cannot use it in a malicious way and cannot misuse the superpower this program has.
It must also ensure that the user cannot launch another program with the same superpower. When a program uses its superpower to access important data that the user cannot normally access, it must protect this important data and not leak it. When the program uses its superpower to change a file or database that the user cannot normally change, it must ensure the change respects the rules; I say the rules, but it's the rules of the system this program is part of. So it will probably have to verify that the user is allowed to do the operation they want to do, things like that. When a program uses its superpower to change permissions that the user cannot normally change, it must also ensure the change respects the rules of the system.
When coding a program with superpowers, you need to be very, very careful about elements we already saw in this learning path. First, data leaks: if the user of the program is able to cause the program to leak data that the program can access because of its superpower, but that the user should not normally access, it's clearly a security issue. Another aspect the programmer needs to be very careful about is the use of environment variables. For example, if the user who launched the program with some superpower changes the PATH, he can trick the program into executing some malicious code it would otherwise not execute. Usually, programs that use the SETUID or [INAUDIBLE] bits will reset the PATH variable and the environment variables before starting any other commands, to make sure the problem does not exist.
Another aspect that has to be very, very carefully handled is file name validation. If a program, because of its superpower, can access files that should not be accessed by the user who launches it, it needs to be certain that when the user provides a file name, for an input file for example, he does not provide the name of a file that he is not allowed, or doesn't have the permission, to access. Otherwise, an attacker could, using the tool, provide as input file the name of a file that he is not allowed to read. The program would be able to read it and might after that leak some part of this file in an error message, for example because the file is not valid, things like that. Or he would be able to use an input file from another user. It could be a grave security issue. The program with superpower must also take care not to load a shared object, executable, or script that is provided by the user, because this way the user could use the superpower in a way it is not intended to be used.
We'll now complete this video with a small note about the LD_LIBRARY_PATH environment variable. This environment variable is used to find the DLLs, or shared objects, that an executable needs to run. It could create some security issues, because if you start a program with the SETUID or the SETGID bit, or with other very special capabilities, we don't want this program to load shared objects that the user of the program provided. So it's very important not to use the LD_LIBRARY_PATH value the user set before launching the program on Linux. When the program is loaded, the loader will check whether the SETUID bit or SETGID bit is set, or some capability is set, on this executable. If yes, the LD_LIBRARY_PATH value will simply be cleared by the loader before loading the executable. Other variables that also change the way the loader does its job will also be cleared. I will not list all the details here; they could also change from one Linux distribution to another. So the best way to know how the loader is doing this security job is to check the man page of ld.so.
ld.so is the program that loads other programs on Linux. Some other environment variables are also very important to take into account when we load programs that have a superpower, and the loader takes account of some of them. Just a note here: the temporary file folder is very important too. Imagine the temporary file folder can be changed by the user before launching a program with superpower. The user could trick the program into saving its temporary files in a special folder, and would be able after that to get these temporary files and most probably extract important data from them. Same thing if the program is able to use network resources: the user could change the way it locates the network resources and could trick the program into using a server other than the server it really wants to use. So yes, ld.so takes care of some of these variables, but not all. If a program that has a superpower can be tricked like that, it's always better to make sure the variables that could lead to security issues like that are reset by the program that has this superpower before using them.
This is the end of this video; the next video is about the capability feature of Linux.
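The precautions described in this video, written in C as an added example (not code from the course): `scrub_environment` replaces the inherited environment with a fixed PATH before anything else runs, and `open_as_real_user` opens a user-named input file with the invoking user's own permissions. The function names and the PATH value are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Replace the inherited environment with a fixed one. Dropping everything
 * also removes TMPDIR and any loader variable that ld.so did not clear. */
int scrub_environment(void) {
    if (clearenv() != 0)
        return -1;
    /* Assumed trusted search path; adjust to the system's layout. */
    return setenv("PATH", "/usr/bin:/bin", 1);
}

/* Open a user-supplied input file with the invoking user's own rights,
 * so the kernel refuses files that user could not read anyway. */
int open_as_real_user(const char *path) {
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();

    /* Give up the file owner's identity: group first, while still allowed. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;

    /* O_NOFOLLOW rejects a symlink in the final path component. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);

    /* Take the privileges back; failing here must not go unnoticed. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();
    return fd;
}

int main(int argc, char **argv) {
    if (argc != 2 || scrub_environment() != 0)
        return 2;
    int fd = open_as_real_user(argv[1]);
    if (fd < 0) {
        /* Report failure without echoing any file content. */
        fputs("cannot open input file\n", stderr);
        return 1;
    }
    close(fd);
    return 0;
}
```

Opening the file under the real user ID, rather than checking with `access()` and opening afterwards, leaves no gap between the check and the use.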