Su Must Be Suid To Work Properly !!exclusive!!

Notice the permissions. Only root can read and write to this file (members of the shadow group may also read it depending on the distro).

Here is where the failure occurs. The system call used to change a user ID is setuid() . The kernel implements strict checks on this call. The manual page for setuid states (simplified): su must be suid to work properly

It must read /etc/shadow to verify the password you entered, a file restricted to the root user for security. Notice the permissions

: To mitigate these risks, systems can implement additional security measures, such as: The system call used to change a user ID is setuid()

However, a common question arises among junior system administrators and curious Linux users: Why does the su binary need the SUID (Set User ID) bit set? Why can't it just run as a normal program?

The logic applied to su is identical to that of sudo . sudo must also be SUID root.

The SUID bit solves this paradox. By setting the SUID bit on su , the process starts its life as root (EUID 0).