Determining if a Client Can Run Setuid Programs

A setuid program is one whose binary file has the UNIX setuid mode bit turned on. While a setuid program runs, the user who invoked it assumes the local identity (UNIX UID) of the binary file's owner, and is therefore granted the owner's permissions in the local file system. Most commonly, the assumed identity (usually called the effective UID) is the local superuser root.

AFS does not consult the effective UID: if a setuid program accesses AFS files and directories, the Cache Manager uses the current AFS identity (the tokens) of the user who invoked the program, not of the binary file's owner. Nevertheless, it can be useful to store setuid programs in AFS so that they can run on more than one client machine. AFS enables a client machine's administrator to determine and change whether the local Cache Manager honors the setuid bit on programs fetched from each cell.

By default, the Cache Manager ignores the setuid bit on all files in AFS, but a client machine's administrator can change this. Setuid status is recorded per cell, and one cell's setting does not affect any other cell. To change a cell's setuid status with respect to the local machine, become the local superuser root and issue the fs setcell command. To determine a cell's current setuid status, use the fs getcellstatus command, which requires no special privilege.

Warning

Enabling support for the UNIX setuid bit for AFS programs is not secure with the current AFS protocol. A setuid root program stored in AFS runs with local root privilege on every client that executes it, yet its contents are fetched over the network rather than read from a local disk, so the client's root privilege is placed in the hands of whoever controls, or can tamper with, that data path. Enabling this capability is not recommended except in very restricted environments on trusted networks.

When you issue the fs setcell command, you directly alter a cell's setuid status as recorded in kernel memory, so rebooting the machine is not necessary. However, nondefault settings do not persist across reboots of the machine unless you add the appropriate fs setcell command to the machine's AFS initialization file.

Only members of the system:administrators group can turn on the setuid mode bit on an AFS file or directory. When the bit is on, the UNIX ls -l command normally displays the third user mode bit as an s instead of an x; for an AFS file or directory, however, the s appears only if setuid permission is enabled for the cell in which the file resides. A missing s on a client therefore shows only that this client ignores the bit, not that the bit is clear on the file server.

To determine a cell's setuid status

  1. Issue the fs getcellstatus command to check the setuid status of each desired cell.

       % fs getcellstatus <cell name>+
    

    where

    getce

    Is the shortest acceptable abbreviation of getcellstatus.

    cell name

    Names each cell for which to report setuid status. Provide the complete Internet domain name or a shortened form that distinguishes it from the other cells listed in the local /usr/vice/etc/CellServDB file.

The output reports the setuid status of each cell:

  • the string no setuid allowed indicates that the Cache Manager does not allow programs from the cell to run with setuid permission

  • setuid allowed indicates that the Cache Manager allows programs from the cell to run with setuid permission

To change a cell's setuid status

  1. Become the local superuser root on the machine, if you are not already, by issuing the su command.

       % su root
       Password: <root_password>
    
  2. Issue the fs setcell command to change the setuid status of the cell.

       # fs setcell <cell name>+ [-suid] [-nosuid]
    

    where

    setce

    Is the shortest acceptable abbreviation of setcell.

    cell name

    Names each cell for which to change setuid status as specified by the -suid or -nosuid flag. Provide each cell's complete Internet domain name or a shortened form that distinguishes it from the other cells listed in the local /usr/vice/etc/CellServDB file.

    -suid

    Enables programs from each specified cell to execute with setuid permission. Provide this flag or the -nosuid flag, or omit both to disable setuid permission for each cell.

    -nosuid

    Prevents programs from each specified cell from executing with setuid permission. Provide this flag or the -suid flag, or omit both to disable setuid permission for each cell.
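The two procedures above, combined into one audit script as an added example that is not part of OpenAFS or of this page: it lists the cells in the local CellServDB, parses fs getcellstatus output for them, flags any cell that allows setuid programs, and prints the fs setcell command that would disable it. The script assumes the standard CellServDB layout (each cell on a line beginning with >) and the getcellstatus output wording shown above; the sample data at the bottom is constructed so that the script runs without an AFS client.

```shell
#!/bin/sh
# Added audit helper, not OpenAFS code. Assumptions: CellServDB lists each
# cell on a line beginning with '>' (e.g. ">example.com   #Example Cell"),
# and fs getcellstatus prints one line per cell of the form
#   Cell <name> status: setuid allowed
#   Cell <name> status: no setuid allowed

# Print the cell names in CellServDB-format input (file arguments or stdin),
# one per line: keep only '>' lines, drop the '>' and any trailing comment.
cellservdb_cells() {
    sed -n -e '/^>/!d' -e 's/^>//' -e 's/[[:space:]#].*//' -e p "$@"
}

# Read fs getcellstatus output on stdin and print only the cells whose
# status line ends in "setuid allowed" ("no setuid allowed" has $4 == "no").
suid_allowed_cells() {
    awk '$1 == "Cell" && $3 == "status:" && $4 == "setuid" && $5 == "allowed" { print $2 }'
}

# Read fs getcellstatus output on stdin; warn about each cell that allows
# setuid, together with the command that disables it. Returns 1 if any cell
# allows setuid, 0 if none does, so it can drive a compliance check.
report_suid_cells() {
    allowed=$(suid_allowed_cells)
    [ -z "$allowed" ] && return 0
    printf '%s\n' "$allowed" | while IFS= read -r cell; do
        printf 'WARNING: cell %s allows setuid programs; disable with: fs setcell %s -nosuid\n' \
            "$cell" "$cell"
    done
    return 1
}

# Constructed sample (not captured from a real system) for a stand-alone run.
SAMPLE_STATUS='Cell example.com status: setuid allowed
Cell example.org status: no setuid allowed
Cell example.net status: no setuid allowed'

# With --live on a real client, query every cell in the local CellServDB;
# otherwise audit the constructed sample.
if [ "${1:-}" = "--live" ] && command -v fs >/dev/null 2>&1; then
    if fs getcellstatus $(cellservdb_cells /usr/vice/etc/CellServDB) | report_suid_cells; then
        echo "OK: no cell allows setuid programs"
    fi
else
    if printf '%s\n' "$SAMPLE_STATUS" | report_suid_cells; then
        echo "OK: no cell allows setuid programs"
    fi
fi
```

Run it with --live on a client machine to audit the real CellServDB; without that flag it uses the constructed sample. Because a change made with fs setcell does not survive a reboot, a cell the script flags should also be checked for in the machine's AFS initialization file, where an fs setcell ... -suid line would re-enable setuid at boot.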