SUID (Set User ID) Bit
SUID stands for Set User ID. If the SUID bit is set on an application, then while that application runs, your user ID is set to that of the owner of the application/file rather than that of the current user.
That means that if I have an application whose owner is 'root' and it has its SUID bit set, then when I run this application as a normal user, it still runs as root. The SUID bit tells Linux that the user ID root is set for this application, and that whenever it executes it must execute as if root were executing it (since root owns the file).
SUID Example: the passwd command
When a normal user tries to change his/her password, the passwd command is used, which is owned by root. The passwd command has to edit system config files such as /etc/passwd and /etc/shadow, which a normal user cannot write to. So passwd is set with SUID to give the normal user root's permissions while it runs, so that it can update /etc/shadow and the other files.
Assign SUID to a File:
# chmod u+s testfile.txt
Or
# chmod 4750 testfile.txt
In this example, 4 indicates the SUID bit is set, 7 gives full permissions to the owner, 5 gives read and execute permissions to the group, and 0 gives no permissions to others.
The concept behind the SUID bit is that you, as the superuser, can allow certain applications/scripts to be run by users as if they were the superuser for the time being. What these applications/scripts do when they execute should be completely known to you. Even though users are allowed to execute these programs as root, they can do ONLY THOSE things that the programs were designed to do. So if a script was designed to copy 5 files from one place to another, the user who runs that script can ONLY copy those 5 files from one place to another. He cannot modify the script in any way, since he has no write access to it; he has only execute rights on that script.
Where is SUID used?
2) Where you don't want to give out a particular user's credentials, but want to run some programs as that user (the owner).
3) Where you don't want to use the sudo command, but want to give execute permission for a file/script etc.
SGID (Set Group ID) Bit:
The SGID bit is very useful when you have to give a set of users in a group access to a directory. When the SGID bit is enabled on a directory, any file/directory created under it by any user is owned by the same group as the parent directory.
For example, you have created a group named "info" and you have added three users, Tom, Dick, and Harry, to the group "info". Now you want every file created by any of these three users under the directory "/info" to be accessible by any of these users.
Create a directory named info
#mkdir info
Change the directory permissions
#chmod 750 info
Set SGID on the directory
#chmod 2750 info
Or
#chmod g+s info
How can I check if a file is set with the SGID bit or not?
Use ls -l to check whether the x in the group permissions field is replaced by s or S.
Now any file created under the directory "/info" can be accessed by all three users.
1) When implementing Linux group disk quota.
Sticky Bit
It is mainly used on folders to prevent other users from deleting the folder's contents even though they have write permission on the folder. If the sticky bit is enabled on a folder, its contents can be deleted only by the owner who created them and by the root user; no one else can delete other users' data in that folder. This is a security measure to protect critical folders and their contents (sub-folders and files) from deletion even when other users have full permissions.
How can I set up the Sticky Bit for a Folder?
chmod o+t /opt/dump/
or
chmod +t /opt/dump/
Let me explain the above command: we are setting the Sticky Bit (+t) on the folder /opt/dump using the chmod command.
Numerical way:
chmod 1757 /opt/dump/
Here in 1757, 1 indicates the Sticky Bit is set, 7 gives full permissions to the owner, 5 gives read and execute permissions to the group, and 7 gives full permissions to others.
Permissions | Meaning
--S------   | SUID is set, but user (owner) execute is not set.
--s------   | SUID and user execute are both set.
-----S---   | SGID is set, but group execute is not set.
-----s---   | SGID and group execute are both set.
--------T   | Sticky bit is set, but other execute is not set.
--------t   | Sticky bit and other execute are both set.
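As an added example (not part of the original post), the following POSIX shell functions convert an ls -l mode string such as "-rwsr-xr-x" into the 4-digit chmod form used above (4750, 2750, 1757) and flag the capital S/T cases from the table, where a special bit was set on something that lacks the matching execute bit. Function names and the sample mode strings are my own.

```shell
# Added example: map ls -l mode strings to chmod octal values and spot
# special bits that are set without their execute bit (the S/T rows above).

# Octal weight of one permission character.
perm_value() {
    case "$1" in
        r) echo 4 ;;
        w) echo 2 ;;
        x|s|t) echo 1 ;;   # lowercase s/t also carry the execute bit
        *) echo 0 ;;       # '-', 'S' and 'T' do not
    esac
}

# Octal value of a 3-character triplet such as "rws" or "r-x".
triplet_value() {
    v=0
    for i in 1 2 3; do
        c=$(printf '%s' "$1" | cut -c"$i")
        v=$((v + $(perm_value "$c")))
    done
    echo "$v"
}

# mode_to_octal "-rwsr-xr-x" -> 4755 ; "drwxrws---" -> 2770 ; "drwxrwxrwt" -> 1777
mode_to_octal() {
    m="$1"
    case "$m" in
        ??????????) ;;   # exactly 10 characters, as printed by ls -l
        *) echo "expected a 10-character mode string" >&2; return 1 ;;
    esac
    s=0
    case "$(printf '%s' "$m" | cut -c4)"  in s|S) s=$((s + 4)) ;; esac   # SUID
    case "$(printf '%s' "$m" | cut -c7)"  in s|S) s=$((s + 2)) ;; esac   # SGID
    case "$(printf '%s' "$m" | cut -c10)" in t|T) s=$((s + 1)) ;; esac   # sticky
    u=$(triplet_value "$(printf '%s' "$m" | cut -c2-4)")
    g=$(triplet_value "$(printf '%s' "$m" | cut -c5-7)")
    o=$(triplet_value "$(printf '%s' "$m" | cut -c8-10)")
    printf '%d%d%d%d\n' "$s" "$u" "$g" "$o"
}

# dangling_special_bits "-rwSr--r--" -> "SUID": special bits whose matching
# execute bit is missing (e.g. chmod u+s on a non-executable); "none" otherwise.
dangling_special_bits() {
    m="$1"; out=""
    [ "$(printf '%s' "$m" | cut -c4)"  = S ] && out="$out SUID"
    [ "$(printf '%s' "$m" | cut -c7)"  = S ] && out="$out SGID"
    [ "$(printf '%s' "$m" | cut -c10)" = T ] && out="$out STICKY"
    out=${out# }
    echo "${out:-none}"
}
```

Feeding the mode column of ls -l output through dangling_special_bits is a quick way to catch a u+s applied to a plain data file like the testfile.txt above, which shows as --S and does nothing useful.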