Friday, November 25, 2011

setuid and setgid and sticky bit on Unix/Linux

setuid and setgid and sticky bit on Unix/Linux

When a file had setuid permission set, a user can executes a file or a program being (effective user id of the owner) owner of the file.
When a file has setgid permission set, a user can executes a file or a program being (effective group id of ) the group owner of the program.


You can use setgid on directories as well. When a user creates files on a setgid directory, the group ownership to set to the group owner of the directory. (Note the owner permission for S and s for execute bit)


1. Working with setuid files.

$ ls -l
-rw-r--r-- 1 kbhusal kbhusal 13 Nov 25 12:55 myfile

a. myfile does not have setuid set up. To enable setuid

$ chmod u+s myfile
$ ls -l
-rwSr--r-- 1 kbhusal kbhusal 13 Nov 25 12:55 myfile

$ chmod u+x myfile # Note: adding execute bit to the owner.
$ ls -l
-rwsr--r-- 1 kbhusal kbhusal 13 Nov 25 12:55 myfile

or
$ chmod 4754 myfile
$ ls -l
-rwsr-xr-- 1 kbhusal kbhusal 13 Nov 25 12:55 myfile

Note: You can use 4 instead to u+s with chmod command but you have to use other permission as well.


b. To disable,

$ chmod u-s myfile
$ ls -l
-rwxr--r-- 1 kbhusal kbhusal 13 Nov 25 12:55 myfile

---------------------------------------------

2. Working with setgid (Note the group ownership on execute bit for s and S, why?)

a. To enable setgid,
$ chmod g+s myfile
$ ls -l
-rwxr-Sr-- 1 kbhusal kbhusal 13 Nov 25 12:55 myfile

$ chmod g+x myfile # Adding execute permission to the group.
$ ls -l
-rwxr-sr-- 1 kbhusal kbhusal 13 Nov 25 12:55 myfile


b. To disable,
$ chmod g-s myfile
$ ls -l
-rwxr-xr-- 1 kbhusal kbhusal 13 Nov 25 12:55 myfile
$

or use number 2 instead to g+s.

$ chmod 2754 myfile
$ ls -l
-rwxr-sr-- 1 kbhusal kbhusal 13 Nov 25 12:55 myfile

Note: You can use 2 with chmod command to set GID but remember other permissions as well.

---------------------------------------------

3. Working with sticky bit. (Note the execute permission on others for T and t).


Sticky bit is set to the shared directories where public need to have read, write permission such as /tmp, /var/tmp. If you give permissions without sticky bit set on, any user can edit/remove any files created by any user. So, with sticky bit set on the publicly writable directory, user can create file and also execute other files created by other users as well but they can not remove or change it. Only the owner or the root can make changes or delete the file or directories inside sticky bit set directories.

If you encounter any issues with the application failed to load, please make sure that you have proper permission set on /var/tmp and /tmp directories.


# ls -ld /tmp /var/tmp
drwxrwxrwt 19 root root 159288 Dec 1 08:32 /tmp
drwxrwxrwt 12 root sys 1536 Nov 30 19:01 /var/tmp

Note the execute permission for others, you will see t value. If you see upper case T that means execute permission on the directory for others is not enabled. lower case t states that execute permission is placed for the directory.


To set sticky bit

# chmod o+t /tmp
if there is not execute bit set for others then there will be S on execute bit place.

To add execute bit to the directory,
# chmod o+x /tmp
You will see s (lower case now) on others execute permission on the directory.

or

# chmod o=rwxt /tmp

or

# chmod 1777 /tmp

---------------------------------------------

4. setuid/setgid/sticky bit setting together.

# chmod 4755 myfile.sh # always execute the script as the user or owner.
# chmod 2755 /mydir # When created a file, it will inherit the group permission.
# chmod 1777 /tmp # setting sticky bit on the directory.

Note: If you want to apply set uid + gid + sticky bit, you can add the numeric value together. such as,

#chmod 3777 /tmp

here, note the first numeric value of 3 (2+1) which comes off gid + sticky bit set on the directory.

No comments:

Post a Comment