permission question 5

[shal0m]

Hi guys,

maybe this simple explanation to you guys but I'm quite new with this one.

usually directory permission something like this :
-rwxr-x---

but now I found permission like :
-rwsr-S--t

can you please explain, I searched in google they mentioned about SUID, SGID, and sticky bits which I dont understand.

Thanks guys,

 

[mrjazz]

The sticky bit is set on directories (the /tmp file system is a typical example for that). Only the owner of a file in a directory with sticky bit set or the owner of the directory itself can rename, delete or move files in that directory - if the sticky bit is not set for a directory everybody with appropriate permissions for that directory can do the above operations.

The s-bits are set when you want other users (setuid attribute) to execute a file they don't own. The executed process will run under the privileges of the file owner (possible security hole!!!).

The group s-bit (setgid attribute) is the same as the setuid attribute on group level.

 

[PHV]

man chmod

Hope This Helps, PH.
FAQ219-2884
FAQ181-2886

 

[shal0m]

so what's the diff between

rwx, rws and rwt ?

 

[p5wizard]

[tt]rwx------
1st group: permissions bits for the owner of the file/dir
---rwx---
2nd group: permissions bits for users in the same group as the group owner of the file/dir
------rwx
3rd group: permissions bits for all other users

set user id
(first group)
rws means [rwx plus set-user-id]
rwS means [rw- (no execute) plus set-user-id] (does not make sense to me)

set group id
(second group)
rws means [rwx plus set-group-id]
rwS means [rw- (no execute) plus set-group-id] (same here)

sticky bit
(third group)
rwxt or rwt (special behaviour for world-writable dirs)
rw-t or rwT (doesn't really make sense: if 'others' can't cd into a dir, then no use in making special arrangements for them)[/tt]


HTH,

p5wizard

 

[shal0m]

Hi p5wizard,

Thanks for your explanation,
I understand about first 3 bit about owner, group and others.

but the thing I dont understand is
rws means [rwx plus set-user-id]

what plus set-user-id for? any example you can give me?
I always put rwx and never worry about set-user-id.

and also
rwt (special behaviour for world-writable dirs)

what special behaviour that we are talking about? can you please give example?

thank you very much,

 

[PHV]

AGAIN: man chmod

 

[Annihilannic]

setuid can be set on an executable to force it to run with a particular user ID. Try ls -l /usr/bin | grep ^...s and you may find that a number of utilities on your system have the setuid bit set to run as root or lp or uucp or similar.

Think of it as a less secure way of implementing a sudo rule. Generally it is only done for very well tested utilities that have limited potential impact to a system, but require elevated privileges to run.

The sticky bit is well described on the man chmod page, which PHV suggested you should read earlier.

Annihilannic.

 

[Edcrosbys]

--p5wizard--
sticky bit
(third group)
rwxt or rwt (special behaviour for world-writable dirs)
rw-t or rwT (doesn't really make sense: if 'others' can't cd into a dir, then no use in making special arrangements for them)
------------
The upper and lowercase T (sticky bit) makes sense because even if others can't access a directory (x) or not, sticky bit will still effect those in the group. So the T or t will let you know if the world (others) can acccess the directory.

Sticky bit is recommended for /tmp directory. Typically a user with write permissions to a directory can delete files within that directory. By setting the sticky bit, you make it where only the file owners (and root) can remove the files.

I along with the others HIGHLY recommend reading man chmod, or at least a good good for unix file permissions.

 

[p5wizard]

> sticky bit will still effect those in the group

Of course! Now why didn't I think of that...


HTH,

p5wizard

 

[Edcrosbys]

Something I just learned (yes, an old dog can learn) is that SGID on a directory forces the group ownership of the files in the directory (regardless of primary group of user creating file).



/hr with group of hr and sgid
if ann with primary group of ann and secondary of hr writes a file, hr will be the group id. Allowing others in hr to have access. Especially useful if ann is both in hr and managers (or some other silly structure).

 

[shal0m]

guys,

after reading chmod, I still can get the difference between s and x.

here's from the man chmod:

 In a directory which has the set-group-ID bit set (reflected
     as either -----s--- or -----l--- in the output of 'ls -ld'),
     files and subdirectories are created with  the  group-ID  of
     the parent directory-not that of current process.

           It is not  possible  to  permit  group  execution  and
           enable  a  file  to be locked on execution at the same

Please give example about this (s bit) and when we are using it.

also about t and l, would be greatly appreciated.

 

[Annihilannic]

Here's an example of the effect of setting the sgid bit:

$ mkdir testdir
$ ls -ld testdir
drwxr-xr-x   2 user1   users           96 Nov 27 11:11 testdir
$ cd testdir
$ touch testfile1
$ ls -l
total 0
-rw-r--r--   1 user1   users            0 Nov 27 11:13 testfile1
$ cd ..
$ su
Password:
# chgrp lp testdir
# chmod g+s testdir
# ls -ld testdir
drwxr-sr-x   2 user1   lp              96 Nov 27 11:11 testdir
# exit
$ cd testdir
$ touch testfile2
$ ls -l
total 0
-rw-r--r--   1 user1   users            0 Nov 27 11:13 testfile1
-rw-r--r--   1 user1   lp               0 Nov 27 11:13 testfile2
$

As you can see when the second file was created its group ownership was assigned to the "lp" group.

It is useful for ensuring that files in certain directories belong to a certain group, but for this to be useful you would generally need to set a umask in the shell that creates these files that gives that group specific permissions for the file (.e.g umask 007 which would mean files are created with -rw-rw-r--).

Here is an example demonstrating the effect of the sticky bit:

$ mkdir opendir stickydir
$ chmod a+rwx opendir
$ chmod a+rwxt stickydir
$ ls -ld opendir stickydir
drwxrwxrwx   2 user1   users           96 Nov 27 11:24 opendir
drwxrwxrwt   2 user1   users           96 Nov 27 11:24 stickydir
$ touch opendir/testfile stickydir/testfile
$ su user2
Password:
$ rm opendir/testfile
opendir/testfile: 644  mode ? (y/n) y
$ rm stickydir/testfile
stickydir/testfile: 644  mode ? (y/n) y
rm: stickydir/testfile not removed.  Not owner
$

Annihilannic.

 

[shal0m]

Wow.. Thank you very much sir.

question :
about umask 007 as the result is -rw-rw-r-- which means 664, I thought the umask should be 002.

so 666- 002 = 664.

and about the stickybit t, is the difference only about delete the file and the user can also execute it right?

 

[Annihilannic]

That's correct, the umask should have been 002 in my example.

Beware though, you shouldn't ruly on subraction ("666 - 002 = 664") for umask calculations because it doesn't always work, consider 005 for example, 666 - 005 = 661, however the resultant file created with this umask will be 662.

The sticky bit only applies to the directory, so operations such as moving/renaming and removing files in that directory. The operations you can perform on the file itself (i.e. read, write, execute) are defined by the permissions on the file, not the directory.

Annihilannic.