Some thoughts about anti-virus software for Linux

Mario Vukelic mario.vukelic at
Thu Jan 22 17:16:47 UTC 2009

On Thu, 2009-01-22 at 09:37 -0500, Brian McKee wrote:
> If you install software from the repositories, you used root
> privileges to do so.  Therefore, the program you installed now can run
> as root whenever it wants to.

This is not true. Usually the program will run with the privileges of
the user that starts it. The programs that run with root privileges are
very rare, despite all packages being installed by APT (in a standard
Ubuntu system).

Some binaries might be installed with the "setuid bit" set to another
user and will therefore run with this user's privileges. Sometimes this
might be "setuid root", but software from the repos will usually only do
this if the program is well-behaved, i.e., drops root privileges as
soon as possible.

>   Simple example, there's nothing
> stopping someone from writing a program that runs SUID.  

True, because it is not about the "writing" at all.  The only important
thing is the setuid (or setgid) bit, which is set on the binary and can
be changed by the admin (or is set by the package manager on the admin's
behalf, who has in practice authorized the package manager to do so by
running it with root rights).

> Another
> example, it could simply add a new user to the system with UID 0 (i.e.
> root) and then set up software to run as that user.  

Dunno what this has got to do with anything (usernames are always just
for humans, only the UID has any real meaning).

>  Once you give it
> root ONCE, it can hang on to it.

Once it is root it can do practically anything, yes.

<snipped the rest because of agreement>

More information about the ubuntu-users mailing list
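
An added example, not part of the original post: a small audit that lists files carrying the setuid/setgid bits discussed above together with the numeric owner they would run as, and finds every account whose UID is 0 regardless of its name. The function names and the sample passwd text are constructed for illustration.

```python
import os
import stat

def classify(mode, uid, gid):
    """Identities a regular file's mode bits grant on exec (numeric IDs only)."""
    if not stat.S_ISREG(mode):
        return []
    findings = []
    if mode & stat.S_ISUID:  # effective UID becomes the file owner's UID
        findings.append("setuid-root" if uid == 0 else f"setuid-uid-{uid}")
    # Linux does not treat setgid without group-execute as a setgid executable
    if mode & stat.S_ISGID and mode & stat.S_IXGRP:
        findings.append("setgid-root" if gid == 0 else f"setgid-gid-{gid}")
    return findings

def scan(root):
    """Walk root and return sorted (path, findings) for privileged files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # vanished or unreadable entry
            found = classify(st.st_mode, st.st_uid, st.st_gid)
            if found:
                hits.append((path, found))
    return sorted(hits)

def uid0_accounts(passwd_text):
    """Account names in passwd-format text whose numeric UID is 0."""
    rows = (line.split(":") for line in passwd_text.splitlines())
    return [f[0] for f in rows if len(f) >= 3 and f[2] == "0"]

# Constructed sample, not taken from a real system.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
helper:x:0:0::/home/helper:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

if __name__ == "__main__":
    for path, found in scan("/usr/bin"):
        print(path, ",".join(found))
    print("UID 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
```

Comparing the `scan` output against a baseline taken after a clean install shows which privileged binaries were added later.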