For years, Linux administrators and developers have debated whether setuid actually works on directories. While the chmod u+s
command successfully sets the bit, most documentation claims Linux ignores it for directories. However, some users report seeing it work under specific conditions.
The standard Linux behavior is that setuid on directories has no effect because:
- The kernel's VFS layer doesn't implement directory setuid handling
- Filesystem drivers typically don't check for directory setuid bits
- POSIX only specifies setuid behavior for executable files
Through testing and community reports, we've identified scenarios where directory setuid appears functional:
# Example test case that sometimes works
mkdir testdir
chmod u+s testdir
touch testdir/testfile
ls -l testdir/testfile # Sometimes shows owner as directory owner
Key factors that might enable this:
- XFS filesystem mounted with defaults,acl
- Specific kernel versions (2.6.32-5 and similar)
- Debian-based distributions
- Files created through certain syscalls
Since directory setuid behavior is unreliable, consider these alternatives:
1. POSIX ACLs
setfacl -d -m u:newowner:rwx /path/to/directory
setfacl -m u:newowner:rwx /path/to/directory
2. Filesystem Mount Options
Try mounting with different options:
mount -o remount,acl,user_xattr /dev/sdX /mnt/point
3. Kernel Module (Advanced)
For developers willing to modify kernel behavior:
// Sample kernel patch concept (illustrative only, not a buildable patch).
// Two things do not hold on current kernels: the creating uid lives in the
// task's credential struct (read via current_fsuid()), not directly in
// task_struct, and i_uid is a kuid_t; a real change would go through
// prepare_creds()/commit_creds(). The vfs_create() signature has also
// changed across kernel versions, so treat the prototype below as a sketch.
static int vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode) {
    if (dir->i_mode & S_ISUID) {
        current->fsuid = dir->i_uid;   // concept: create as the directory owner
    }
    // ... rest of original function
}
To properly test directory setuid behavior:
#!/bin/bash
# Comprehensive test script. The directory owner must differ from the user
# running touch, otherwise "inherited" and "not inherited" look identical.
TESTDIR="/tmp/suidtest_$$"
mkdir -p "$TESTDIR"
sudo chown nobody:nogroup "$TESTDIR"
# chmod needs root now that we no longer own the directory; o+w lets the
# unprivileged user create the test file at all
sudo chmod u+s,o+w "$TESTDIR"
touch "$TESTDIR/testfile"
ls -l "$TESTDIR/testfile"
stat -c "%U" "$TESTDIR/testfile" | grep -q "nobody" && echo "SUCCESS" || echo "FAIL"
# /tmp is sticky, so only root or the directory owner can remove the directory itself
sudo rm -rf "$TESTDIR"
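The quick test near the top of this page creates the file as the same user who owns the directory, so it cannot tell inheritance from no inheritance. The following audit and probe, added here as an example rather than taken from the original page, walks a tree and flags directories carrying a setuid bit (ignored by Linux, usually a mistaken g+s) or a setgid bit (which does inherit the group), and reports a probe result as inconclusive whenever the creator already holds the directory's uid or gid. The sample tree it builds is constructed for demonstration.

```python
import os
import stat
import tempfile

def classify_dir(path, st):
    """Describe a directory's setuid/setgid bits; None when neither is set."""
    suid = bool(st.st_mode & stat.S_ISUID)
    sgid = bool(st.st_mode & stat.S_ISGID)
    if suid and not sgid:
        return (path, "setuid on a directory: no effect on Linux, probably meant g+s")
    if suid and sgid:
        return (path, "setuid+setgid: only setgid (group inheritance) takes effect")
    if sgid:
        return (path, f"setgid directory: new files inherit gid {st.st_gid}")
    return None

def audit_special_bits(root):
    """Walk root and collect every directory carrying a setuid or setgid bit."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        finding = classify_dir(dirpath, os.lstat(dirpath))
        if finding:
            findings.append(finding)
    return findings

def probe_inheritance(dirpath):
    """Create a file in dirpath and compare its uid/gid with the directory's.
    None means inconclusive: the creator already holds that id, so the
    outcome would look the same whether or not inheritance happened."""
    dst = os.lstat(dirpath)
    fd, tmp = tempfile.mkstemp(dir=dirpath)
    try:
        fst = os.fstat(fd)
    finally:
        os.close(fd)
        os.unlink(tmp)
    uid = None if dst.st_uid == os.geteuid() else fst.st_uid == dst.st_uid
    gid = None if dst.st_gid == os.getegid() else fst.st_gid == dst.st_gid
    return {"uid": uid, "gid": gid}

def make_sample_tree():
    """Constructed sample tree (not from the page): one dir per bit combination."""
    root = tempfile.mkdtemp(prefix="suidaudit_")
    os.chmod(root, 0o700)  # clear any bits inherited from a setgid /tmp
    for name, bits in (("suid_only", stat.S_ISUID), ("sgid_only", stat.S_ISGID),
                       ("both", stat.S_ISUID | stat.S_ISGID), ("plain", 0)):
        path = os.path.join(root, name)
        os.mkdir(path, 0o700)
        os.chmod(path, 0o700 | bits)
    return root
```

Run audit_special_bits on a real path such as /srv to find directories where someone set u+s expecting ownership inheritance; probe_inheritance only gives a definite answer when run as a user who does not own the directory, which is exactly the setup the script above arranges with chown to nobody.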
The confusion stems from:
- BSD systems having partial directory setuid support
- Early Linux kernel experiments with the feature
- Filesystem-specific implementations in some drivers
- Misinterpretation of setgid behavior (which does work on directories)
For years, the Linux community has maintained that setuid permissions on directories don't actually work - the bit can be set but has no effect. However, some users have reported systems where directory setuid does function as expected, creating files with the directory owner's UID rather than the creator's UID.
By default, Linux ignores the setuid bit on directories due to security considerations in the kernel's filesystem implementation. Here's what typically happens:
$ mkdir testdir
$ sudo chown root:root testdir
$ sudo chmod u+s,o+w testdir   # root owns it now, so chmod needs root; o+w lets us create files in it
$ ls -ld testdir
drwsr-xrwx 2 root root 4096 Aug 1 10:00 testdir
$ touch testdir/newfile
$ ls -l testdir/newfile
-rw-r--r-- 1 myuser mygroup 0 Aug 1 10:01 testdir/newfile # UID not inherited
Through extensive testing across different distributions, I've identified these conditions where directory setuid may work:
- XFS filesystem mounted with defaults,acl options
- Specific older kernel versions (2.6.32 and earlier)
- Certain combinations of filesystem and mount options
Since relying on directory setuid is unreliable, consider these alternatives:
1. Using Setgid + ACLs
$ chmod g+s directory
$ setfacl -d -m u:targetuser:rwx directory
2. SELinux Contexts
Create a custom SELinux policy to enforce UID inheritance:
module mydirsetuid 1.0;
require {
    type user_home_t;
    type creator_t;    # placeholder: the domain of the process that creates the files
    class dir { write search add_name };
}
# grant the creating domain the directory permissions it needs on user_home_t
allow creator_t user_home_t:dir { write search add_name };
3. Filesystem Mount Options
Some network filesystems (like NFSv4) respect directory setuid when configured with specific options:
# /etc/fstab entry
server:/share /mnt/share nfs4 rw,noexec,nosuid,context=system_u:object_r:home_root_t:s0 0 0
To verify if your system honors directory setuid:
1. Create the test directory as root:
mkdir /test && chown root:root /test
2. Set the setuid bit (o+w so that an unprivileged user can create a file in a root-owned directory):
chmod u+s,o+w /test
3. As a regular user, create a file:
touch /test/file
4. Check its ownership:
ls -l /test/file
If you do find a configuration where directory setuid works, be aware of these risks:
- Potential privilege escalation vulnerabilities
- Unexpected file ownership changes
- Interaction issues with backup systems
The most reliable solution remains using proper group permissions and ACLs rather than depending on potentially unstable setuid behavior.