Ubuntu: Unable to enter superuser using su



Question:

Whenever I try to run

su
Password:

Then it shows error

setgid: Operation not permitted  

This problem arose after I changed permissions using chown

Output of ls -lsa /bin/su is:

40 -rwxrwxr-x 1 jheel root 40128 May 17 2017 /bin/su  


Solution 1:

The correct permissions of /bin/su should be: -rwsr-xr-x

-rwsr-xr-x 1 root root 40128 May 17  2017 /bin/su*  

In order to fix this specific issue you should:

  1. Change file owner to be root:root
  2. Change file permission to be -rwsr-xr-x

This can be done using:

sudo chown root:root /bin/su
sudo chmod 4755 /bin/su

  • The first command changes the owner of the file to root.
  • The second command changes the permissions to allow read/execute by any user, and sets the s bit on the /bin/su command.

Q: Why did performing chown on /bin/su also remove the set-user-ID / set-group-ID bits?

A: By design, execution of chown might remove the set-user-ID / set-group-ID bits. When those bits are set, executing such a file results in the file running as the owner of the binary, instead of as the owner of the process which executes it. Changing the file owner (or group) without removing the set-user-ID bit would result in a file which is executed as a different user than originally planned, which might result in a security hole.
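As an added example (not part of the original question or answer), the Python script below does two things: it audits a set-user-ID binary against the owner and mode the answer gives for /bin/su (root:root, 4755), reporting each deviation the way the broken -rwxrwxr-x listing in the question would show up, and it reproduces the chown(2) behaviour described above on a constructed temporary file, so nothing on the real system is modified. The function names audit_setuid_binary, demo_chown_clears_setuid and audit_demo are my own. The demonstration assumes Linux, where chown(2) on a regular file clears the set-user-ID bit even when the owner stays the same, so it needs no root privileges.

```python
import grp
import os
import pwd
import stat
import tempfile

# Values the answer gives for /bin/su: owner root:root, mode 4755 (-rwsr-xr-x).
EXPECTED_OWNER = "root"
EXPECTED_GROUP = "root"
EXPECTED_MODE = 0o4755


def _name_of_uid(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry (common in containers)
        return str(uid)


def _name_of_gid(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_setuid_binary(path, owner=EXPECTED_OWNER, group=EXPECTED_GROUP,
                        mode=EXPECTED_MODE):
    """Compare owner, group and permission bits of `path` with what a
    set-user-ID binary such as /bin/su should have. Returns a list of
    findings; an empty list means the file matches."""
    st = os.stat(path)
    actual_mode = stat.S_IMODE(st.st_mode)
    actual_owner = _name_of_uid(st.st_uid)
    actual_group = _name_of_gid(st.st_gid)
    findings = []
    if actual_owner != owner:
        findings.append(f"owner is {actual_owner}, expected {owner}")
    if actual_group != group:
        findings.append(f"group is {actual_group}, expected {group}")
    if not actual_mode & stat.S_ISUID:
        findings.append("set-user-ID bit missing: su would run as the caller "
                        "and fail with 'setgid: Operation not permitted'")
    if actual_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is writable by group or others")
    if actual_mode != mode:
        findings.append(f"mode is {actual_mode:04o}, expected {mode:04o}")
    return findings


def demo_chown_clears_setuid():
    """Show that chown(2) clears the set-user-ID bit on a regular file even
    when the owner does not change (Linux behaviour). Uses a temporary file
    owned by the caller, so no privileges are needed.
    Returns (mode_before, mode_after)."""
    fd, path = tempfile.mkstemp()  # constructed scratch file, removed below
    os.close(fd)
    try:
        os.chmod(path, 0o4755)
        before = stat.S_IMODE(os.stat(path).st_mode)
        # Same owner, group untouched (-1): still a chown(2) call.
        os.chown(path, os.stat(path).st_uid, -1)
        after = stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.unlink(path)
    return before, after


def audit_demo():
    """Run the audit on two constructed temporary files: one with the
    correct 4755 mode and one with the question's broken 0775 mode. The
    expected owner/group are those of the files themselves, since they are
    ours rather than root's. Returns (findings_good, findings_bad)."""
    results = []
    for m in (0o4755, 0o775):
        fd, path = tempfile.mkstemp()
        os.close(fd)
        try:
            os.chmod(path, m)
            st = os.stat(path)
            results.append(audit_setuid_binary(
                path, _name_of_uid(st.st_uid), _name_of_gid(st.st_gid)))
        finally:
            os.unlink(path)
    return results[0], results[1]


if __name__ == "__main__":
    for line in audit_setuid_binary("/bin/su") or ["/bin/su looks fine"]:
        print(line)
    print("chown on a 4755 file: %04o -> %04o" % demo_chown_clears_setuid())
```

Running the script as a normal user prints the findings for the real /bin/su (nothing is changed) and then the before/after mode of the scratch file, which is the same bit-clearing that turned the questioner's -rwsr-xr-x into -rwxrwxr-x after the chown.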

Some references:

chown POSIX standard

Unless chown is invoked by a process with appropriate privileges, the set-user-ID and set-group-ID bits of a regular file shall be cleared upon successful completion; the set-user-ID and set-group-ID bits of other file types may be cleared.

The Ubuntu chown man page suggests running info coreutils 'chown invocation' in order to get the full documentation of chown:

13.1 ‘chown’: Change file owner and group
=========================================

‘chown’ changes the user and/or group ownership of each given FILE to NEW-OWNER or to the user and group of an existing reference file. Synopsis:

....

The ‘chown’ command sometimes clears the set-user-ID or set-group-ID permission bits. This behavior depends on the policy and functionality of the underlying ‘chown’ system call, which may make system-dependent file mode modifications outside the control of the ‘chown’ command. For example, the ‘chown’ command might not affect those bits when invoked by a user with appropriate privileges, or when the bits signify some function other than executable permission (e.g., mandatory locking). When in doubt, check the underlying system behavior.
