
File system group recording


trisco (MIS), Jan 3, 2001
I have a peculiar situation occurring after creating a file and the group id that is recorded. Situation is:
Dir1: /usr/aaa/bbb rwxr-xr-x dpadmin:sysadms
Dir2: /usr/aaa/bbb/ccc rwxr-xr-x dpadmin:sysadms
A userid 'dpadmin', having a primary group of 'dpprod' and not belonging to group sysadms, touches a file in each directory above. The group differs between the two touched files. The owner:group results are:
Dir1: dpadmin:dpprod
Dir2: dpadmin:sysadms
Can anyone provide clues as to why the file in Dir2 contains the group of sysadms and not dpprod?
I am running AIX 4.3.3 at ML level 6.
 
Are you sure your dir2 doesn't have the SGID bit?


I hope it works...
Unix was made by and for smart people.
 
Yes, you hit the nail on the head, the SGID is on. I'm sorry that I missed it. Dir2 looks like this:
rwxr-sr-x
...Can you briefly describe why this may be causing my situation? I want to understand it before I attempt to remove it and possibly create other undesirable situations.
Thanks.
 


setgid
If the effective user ID of the process is the root user, the process's real,
effective, and saved group IDs are set to the value of the GID parameter.
Otherwise, the process effective group ID is reset if the GID parameter is
equal to either the current real or saved group IDs, or one of its
supplementary group IDs. Supplementary group IDs of the calling process
are not changed.
setegid
The process effective group ID is reset if one of the following conditions is
met:
The EGID parameter is equal to either the current real or saved group
IDs.
The EGID parameter is equal to one of its supplementary group IDs.
The effective user ID of the process is the root user.

How Permissions Work
setuid
If the effective user ID of the process is the root user, the process's real,
effective, and saved user IDs are set to the value of the UID parameter.
Otherwise, the process effective user ID is reset if the UID
parameter specifies either the current real or saved user IDs.

Most programs execute with the user and group access rights of
the user who invoked them. Program owners can associate the
access rights of the user who invoked them by making the program
a setuid or setgid program; that is, a program with the setuid or
setgid bit set in its permissions field. When that program is executed
by a process, the process acquires the access rights of the owner of
the program. A setuid program executes with the access rights of
its owner, while a setgid program has the access
rights of its group and both bits can be set according
to the permission mechanism. Beginning with AIX
4.2, the SETUID and SETGID permission bits are no longer
supported for shell scripts. This change does NOT affect
compiled programs.
--------------------------------------------------
In order to add or remove permissions you can use the chmod command with the
number (i.e as in chmod 644) or

You can add permissions to user, group, or other with the
chmod g+{rwx} filename

For example chmod g+r myfile adds read privileges for the group to myfile

Subtract permissions from user, group, or other with the
chmod g-{rwx} filename
For example chmod o-x filename removes execute from others

In case you are interested, the following chart shows how we
get the numbers for permissions just by adding up the numbers.


4000 Sets user ID on execution.
2000 Sets group ID on execution.
1000 Sets the link permission to directories or sets the save-text attribute
0400 Allow read by owner
0200 Allow write by owner
0100 Allow execute (search in directory) by owner
0700 Allow read, write and execute search by owner
0040 Allow read by group
0020 Allow write by group
0010 Allow execute, search in directory by group
0070 Allow read, write, and execute by group
0004 Allow read by others
0002 Allow write by others
0001 Allow execute or search by others
0007 Allow read, write, and execute by others.

So chmod 664 is 0400 + 0200 + 0040 + 0020 + 0004
rw- rw- r-- (this is what it is)

One more interesting option is the Examples below:
r-s r-x --- would be 4550
r-s r-s r-x would be 6555
r-x r-s r-x would be 2555
rwx --s --- would be 2710
rwx rwx rwt would be 1777

==========================

Command       Source Dir     Source File   Target Dir
cd            x              N/A           N/A
ls            r              N/A           N/A
ls -l         r,x            N/A           N/A
mkdir         x,w (parent)   N/A           N/A
rmdir         x,w (parent)   N/A           N/A
cat,pg,more   x              r             N/A
mv            x,w            NONE          x,w
cp            x              r             x,w
touch         x,w*           N/A           NONE
rm,del        x,w            NONE          N/A
 
Aixqueen, I do appreciate the detail that you go to. It is very helpful.
How can I turn off, or remove, the setuid on the dir2? I can't see that the chmod command will allow me to specify the removal of this bit. If it does, what's the syntax of the command?

Also, is the 'touch' program a setuid/setgid program? The permission bits in /usr/bin/touch do not indicate it.
 
Subtract permissions from user, group, or other with the
chmod g-{rwx} filename
For example chmod o-x filename removes execute from others

in this case chmod g-s directory name should work for you.


because the directory has the bit set.....you get the setgid...the s on the directory
tells it to run things that way....

A lot of database directory/files have it set that way for either owner...setuid or setgid so that it always keeps files and runs things as that user.........

try the chmod g-s dir2 and see if it changes it back....If it was a requirement for
your database to have the directory set that way, be careful......
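The behaviour Aixqueen describes above (a directory with the setgid bit hands its own group to every file created inside it, regardless of the creator's effective group) and the chmod g-s fix, as an added example that is not code from this thread. It assumes POSIX sh with find, ls, awk and id; the scratch paths are constructed for the demo.

```shell
# Added example, not from the Tek-Tips thread: audit helpers for the situation
# trisco hit. A directory whose mode carries the setgid bit (the "s" in
# rwxr-sr-x, octal 2000) gives its own group to every file created inside it,
# so a user whose effective group is dpprod still gets sysadms files there.
# Assumes POSIX sh, find, ls, awk and id; paths used in demo_setgid are
# constructed scratch paths.

# Print every directory under $1 whose mode includes the setgid bit.
# "-perm -2000" means "at least these bits set" and works on AIX, GNU and BSD find.
find_setgid_dirs() {
    find "$1" -type d -perm -2000 2>/dev/null | sort
}

# Print the group a file created in directory $1 will receive:
# the directory's group when setgid is set, otherwise the caller's effective group.
# "test -g" is the POSIX check for the set-group-ID flag.
expected_group_for_new_file() {
    if [ -g "$1" ]; then
        ls -ld "$1" | awk '{print $4}'
    else
        id -gn
    fi
}

# Reproduce the thread on a scratch tree: a plain directory (Dir1), a setgid
# directory under it (Dir2), a file touched in each, then the fix.
# Run as: demo_setgid /tmp/scratch
demo_setgid() {
    root=$1
    mkdir -p "$root/bbb/ccc"
    chmod g+s "$root/bbb/ccc"          # make ccc look like trisco's Dir2
    echo "setgid directories under $root:"
    find_setgid_dirs "$root"
    for d in "$root/bbb" "$root/bbb/ccc"; do
        touch "$d/probe"
        echo "$d: expected $(expected_group_for_new_file "$d"), got $(ls -l "$d/probe" | awk '{print $4}')"
    done
    chmod g-s "$root/bbb/ccc"          # the fix from the thread
    echo "setgid directories after chmod g-s: $(find_setgid_dirs "$root" | wc -l | tr -d ' ')"
}
```

If the scratch directory is owned by your own primary group, "expected" and "got" will be the same name either way; to see the divergence trisco reported, chgrp the directory to a group you are not a member of (which needs root, as for sysadms in the thread) before touching the file. Run find_setgid_dirs over an application tree before removing the bit, since some software depends on it for shared group ownership.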
 
Your information resolved my issue. After removing the s bit for the group on the directories, we get the results that we want to see. As far as we know, there are no databases connected with these directories.

Thanks again for your splendid reply.

Trisco
 