I have a bash file that I want to run with owner permissions when executed by a group user. So I set the file permissions with:

sudo -u owner_user chmod 4750 bash_script

The file then has the permissions:

-rwsr-x---.  1 owner_user group 6559 Mar 15  09:52 bash_script

The file contains the line:

cp other_folder/source_file other_folder/destination_file

When I run the file as a user that is a member of the group but different from the file owner owner_user, I get the following error message:

cp: cannot create regular file 'other_folder/destination_file': Permission denied

The permissions of the files are:

-rw-r--r--. 1 owner_user group 4331 Mar 13  11:51 other_folder/destination_file
-rw-r--r--. 1 owner_user group 4331 Mar 13  11:51 other_folder/source_file

When I run bash_script from owner_user with the command

sudo -u owner_user ./bash_script

I do not get the cp error message above.

I would expect owner_user's permissions on other_folder/destination_file to be applied when bash_script is run regardless of who executes it, since suid is set on bash_script. This doesn't seem to be the case though. Does anyone know why?

1 Answer

Linux ignores the setuid bit (SUID) and the setgid bit (SGID) on all interpreted executables.

Please read this highly upvoted answer on our sister site Unix & Linux SE: Allow setuid on shell scripts. The most important fragments are [emphasis added]:

Linux ignores the setuid¹ bit on all interpreted executables (i.e. executables starting with a #! line). The comp.unix.questions FAQ explains the security problems with setuid shell scripts. These problems are of two kinds: shebang-related and shell-related; […]

If you don't care about security and want to allow setuid scripts, under Linux, you'll need to patch the kernel. […]

[…]

  • Setuid shebang is insecure but usually ignored.
  • If you run a program with privileges (either through sudo or setuid), write native code or perl, or start the program with a wrapper that sanitizes the environment (such as sudo with the env_reset option).

¹ This discussion applies equally if you substitute “setgid” for “setuid”; they are both ignored by the Linux kernel on scripts

If you find this information useful and you want to upvote this answer here on Super User, then please consider upvoting the linked answer in the first place.

Here you will find some ideas and links: Can I make a script always execute as root?
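An added audit helper, not part of this answer or the linked one: because the kernel ignores the bit on "#!" files, a 4750 script like the one in the question never runs as its owner, and the stray bit is a misconfiguration worth finding rather than a privilege. It assumes a GNU/Linux userland (id, find, head -c, mktemp) and builds its own constructed sample files.

```shell
#!/bin/sh
# Added example (not from the original post): find setuid/setgid bits on
# interpreter scripts, where the kernel ignores them, and let a script check
# whether it is really running with borrowed privileges.

# Return 0 if FILE is a regular file carrying the setuid or setgid bit
# AND starts with "#!" (POSIX test -u / -g read the bits from the inode).
is_setuid_script() {
    f=$1
    [ -f "$f" ] || return 1
    { [ -u "$f" ] || [ -g "$f" ]; } || return 1
    [ "$(head -c 2 "$f")" = "#!" ]
}

# Print every setuid/setgid script below DIR, one path per line.
find_setuid_scripts() {
    dir=$1
    # -perm -4000 / -2000: "at least the setuid / setgid bit" (POSIX find).
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r p; do
        if is_setuid_script "$p"; then printf '%s\n' "$p"; fi
    done
}

# Return 0 only when the effective uid differs from the real uid, i.e. the
# process really has elevated identity. For a "#!" script this stays false.
running_with_elevated_ids() {
    [ "$(id -u)" != "$(id -ru)" ]
}

# Constructed demo: one 4750 shell script (the mode from the question), one
# 4750 data file and one 0750 script; only the first should be reported.
demo_setuid_script_audit() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\ncp other_folder/source_file other_folder/destination_file\n' \
        > "$tmp/bash_script"
    chmod 4750 "$tmp/bash_script"      # bit is stored, but ignored at exec time
    printf 'not a script\n' > "$tmp/data_file"
    chmod 4750 "$tmp/data_file"        # setuid on a non-script: not reported
    printf '#!/bin/sh\necho hi\n' > "$tmp/plain_script"
    chmod 0750 "$tmp/plain_script"     # script without the bit: not reported
    find_setuid_scripts "$tmp" | sed "s#^$tmp/##"
    rm -rf "$tmp"
}
```

Run demo_setuid_script_audit to see the audit on the constructed tree, or point find_setuid_scripts at a real directory to list misleading setuid/setgid script bits there.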
