Wednesday, October 22, 2014

advanced file permissions sticky bit , setuid, setgid

sticky bit on directory

You can set the sticky bit on a directory to prevent users from removing files that
they do not own as a user owner. The sticky bit is displayed at the same location as the x permission for others. The sticky bit is represented by a t (meaning x is also there) or a T (when there is no x for others).

root@Linux:~# mkdir /project55
root@Linux:~# ls -ld /project55
drwxr-xr-x 2 root root 4096 Feb 7 17:38 /project55
root@Linux:~# chmod +t /project55/
root@Linux:~# ls -ld /project55
drwxr-xr-t 2 root root 4096 Feb 7 17:38 /project55
root@Linux:~#

The sticky bit can also be set with octal permissions, it is binary 1 in the first of four triplets.

root@Linux:~# chmod 1775 /project55/
root@Linux:~# ls -ld /project55
drwxrwxr-t 2 root root 4096 Feb 7 17:38 /project55
root@Linux:~#

You will typically find the sticky bit on the /tmp directory.

root@barry:~# ls -ld /tmp
drwxrwxrwt 6 root root 4096 2009-06-04 19:02 /tmp
setgid bit on directory

setgid can be used on directories to make sure that all files inside the directory are owned by the group owner of the directory. The setgid bit is displayed at the same location as the x permission for group owner. The setgid bit is represented by an s (meaning x is also there) or a S (when there is no x for the group owner). As this example shows, even though root does not belong to the group proj55, the files created by root in /project55 will belong to proj55 since the setgid is set.

root@Linux:~# groupadd proj55
root@Linux:~# chown root:proj55 /project55/
root@Linux:~# chmod 2775 /project55/
root@Linux:~# touch /project55/fromroot.txt
root@Linux:~# ls -ld /project55/
drwxrwsr-x 2 root proj55 4096 Feb 7 17:45 /project55/
root@Linux:~# ls -l /project55/
total 4
-rw-r--r-- 1 root proj55 0 Feb 7 17:45 fromroot.txt
root@Linux:~#

You can use the find command to find all setgid directories.
paul@laika:~$ find / -type d -perm -2000 2> /dev/null
/var/log/mysql
/var/log/news
/var/local
...
setgid and setuid on regular files

These two permissions cause an executable file to be executed with the permissions of the file owner instead of the executing owner. This means that if any user executes a program that belongs to the root user, and the setuid bit is set on that program, then the program runs as root. This can be dangerous, but sometimes this is good for security.

Take the example of passwords; they are stored in /etc/shadow which is only readable by root. (The root user never needs permissions anyway.)

root@Linux:~# ls -l /etc/shadow
-r-------- 1 root root 1260 Jan 21 07:49 /etc/shadow

Changing your password requires an update of this file, so how can normal non-root
users do this? Let's take a look at the permissions on the /usr/bin/passwd.

root@Linux:~# ls -l /usr/bin/passwd
-r-s--x--x 1 root root 21200 Jun 17 2005 /usr/bin/passwd

When running the passwd program, you are executing it with root credentials.
You can use the find command to find all setuid programs.

paul@laika:~$ find /usr/bin -type f -perm -04000
/usr/bin/arping
/usr/bin/kgrantpty
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/fping6
/usr/bin/passwd
/usr/bin/gpasswd
...
In most cases, setting the setuid bit on executables is sufficient. Setting the setgid bit will result in these programs to run with the credentials of their group owner.


No comments:

Post a Comment