Frequently Asked Question
What is the setuid bit, and why is it both essential and dangerous?
The setuid bit (octal 4000, shown as an s in the owner's execute slot of ls -l
output) tells the kernel: when this executable is run, the resulting process gets
the file owner's UID as its effective (and saved) UID instead of the invoker's;
the real UID stays the invoker's. The textbook example is /usr/bin/passwd, which
is owned by root and setuid: an ordinary user runs it, and the process briefly
has root power so it can update that user's hash in /etc/shadow, a file the user
cannot write directly. Without setuid (or an equivalent delegation mechanism),
very few useful privileged operations could be handed to non-root users. Two
caveats practitioners trip over: Linux ignores the bit on interpreted scripts
(only the interpreter binary's own bits count), and on any filesystem mounted
nosuid.
That same mechanism is also one of the largest historical sources of local
privilege-escalation bugs on Unix-like systems. A buffer overflow, an
environment-variable or argument-handling slip, or an unsafe file operation in
any setuid-root binary becomes a local root exploit, because the attacker
controls the input to a process that already holds root credentials. Modern
distributions have ruthlessly trimmed the set of setuid binaries (often down to
a handful such as passwd, sudo, su, mount and umount; ping was historically
setuid but is now usually shipped with the CAP_NET_RAW file capability instead),
and file capabilities let a program that needs only one specific privilege get
exactly that rather than full root. Audit the system periodically with
find / -perm -4000 -type f 2>/dev/null (and -perm -2000 for setgid), plus
getcap -r / 2>/dev/null for file capabilities, and ask of each entry whether it
really needs that bit, whether it was installed by a package or appeared on its
own, and whether a capability or a privileged helper service would do instead.
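The audit above can be scripted so it runs the same way every time and flags anything outside an allowlist. The script below is an added example, not code from the original page or from any distribution; the allowlist of basenames is a hypothetical starting point you should replace with what your package set actually installs, and it assumes GNU find and stat (for the -printf-free stat -c output format) plus, optionally, getcap from libcap.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid/setgid executables and
# file capabilities, and flag entries not on an allowlist.
# Assumes GNU coreutils stat(1) and GNU find(1); getcap(8) is optional.

# Hypothetical allowlist of basenames expected to carry a set-id bit.
# Replace with the list your own package manager actually ships.
SETID_ALLOWLIST="passwd sudo su mount umount"

# List every regular file under $1 with the setuid (4000) or setgid (2000)
# bit set, one per line as "<octal mode> <owner>:<group> <path>", sorted so
# that two runs can be diffed.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U:%G %n' {} \; 2>/dev/null | sort
}

# List file capabilities under $1 (e.g. "/usr/bin/ping cap_net_raw=ep").
# Silently prints nothing if getcap is not installed.
list_filecaps() {
    command -v getcap >/dev/null 2>&1 || return 0
    getcap -r "$1" 2>/dev/null | sort
}

# Classify each set-id file as "expected" (basename on the allowlist) or
# "UNEXPECTED", echoing the mode, owner and path after the verdict.
audit_setid() {
    list_setid "$1" | while read -r mode owner path; do
        name=$(basename "$path")
        case " $SETID_ALLOWLIST " in
            *" $name "*) verdict=expected ;;
            *)           verdict=UNEXPECTED ;;
        esac
        printf '%s %s %s %s\n' "$verdict" "$mode" "$owner" "$path"
    done
}

# Number of UNEXPECTED entries under $1; "0" when the tree is clean.
# (grep -c exits 1 on zero matches, which is not an error here.)
count_unexpected() {
    audit_setid "$1" | grep -c '^UNEXPECTED ' || true
}

# Usage: ./setid-audit.sh /   (no argument: only define the functions)
if [ "$#" -gt 0 ]; then
    echo "== set-id executables under $1 =="
    audit_setid "$1"
    echo "== file capabilities under $1 =="
    list_filecaps "$1"
    echo "unexpected set-id files: $(count_unexpected "$1")"
fi
```

Run it as root so find can descend into every directory, keep the output under version control or in your configuration management, and diff it against the previous run: a new UNEXPECTED line is either a package you did not account for or a persistence mechanism someone planted.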