Permissions (special)

From Netsoc Wiki


This is a bit of an advanced topic; you're unlikely to need the information below very often.

Special permissions have different effects on regular files, executables and directories. Their effect also varies from Unix to Unix and even from filesystem to filesystem.

Set User ID - SUID

  • Regular files - no effect
  • Executables - run program with effective user ID (EUID) set to the owner
  • Directories - no effect

Some interpreters (such as bash and perl) automatically drop the extra privileges granted by the SUID and SGID bits as a security measure. Normally an executable running with the owner's EUID can access files as though it were the owner.

Set Group ID - SGID

  • Regular files - may enable mandatory locking (system-dependent)
  • Executables - run program with effective group ID (EGID) set to the group
  • Directories - all files created in this directory will have the same group as this directory. All directories created will also have the SGID bit set.

Note that on some Unix systems (e.g. BSD) the directory behaviour described for SGID occurs by default, without the SGID bit being set. Conversely, this behaviour may not happen at all even with the SGID bit set (it does work on Matrix).

Sticky Bit

  • Regular files - Disable caching
  • Executables - Keep program text in memory (forced caching) on older Unixes
  • Directories - Users may only remove or rename entries that they own, unless they own the directory

The effect on regular files is used for swap devices for thin clients over NFS. The effect on executables is generally nothing, but Your Mileage May Vary. The effect on directories is seen on /tmp.

Viewing Special Permissions

To view special permissions, just use ls -l:

$ ls -l
drwxr-s---    1 bbrazil  council         512 Jun 15 21:36 propagate_council
drwxrwxrwt    1    root     root         512 May 15 10:45 tmp
-rwsr-xr-x    1 bbrazil  bbrazil         253 Dec 27 16:27 run_me_suid
-rwsr-sr-x    1 bbrazil  bbrazil         253 Dec 27 16:27 run_me_suid_and_sgid
-rw-r-Sr--    1 bbrazil  bbrazil        1264 Dec 27 16:27 mandatory_locking
-rw------T    1 bbrazil  bbrazil        1264 Dec 27 16:27 no_cache

The execute bits for user, group and other correspond to SUID, SGID and Sticky respectively. An 's' or 't' (for sticky) indicates that the appropriate bit is set and the file is also executable. An 'S' or 'T' indicates that the appropriate bit is set but the execute bit is not.

For example (modes are in brackets):

  • propagate_council (2750 - SGID) any new files created in this directory will have group 'council'
  • tmp (1777 - Sticky) is accessible by everyone, but only the owner of an entry can remove it
  • run_me_suid (4755 - SUID) is an executable which anyone can run, but it will run as though it was run by UID 'bbrazil'
  • run_me_suid_and_sgid (6755 - SUID and SGID) is as above but also runs with group 'bbrazil'
  • mandatory_locking (2644 - SGID) is a regular file
  • no_cache (1600 - Sticky) is a file only I can look at or change, and for which caching is disabled

As you might have guessed from the above, the numeric values are: 1 - Sticky, 2 - SGID and 4 - SUID. This digit is put in front of the standard permissions. If it is zero the leading digit is optional (0755 is the same as 755).
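To tie the letter form and the numeric form together, here is a small decoder, added as an example and not part of the original wiki page, that turns the mode column of ls -l into the four-digit octal mode chmod would accept. It applies the s/S and t/T rule above and rejects a special letter that appears in the wrong triplet; the sample mode strings are the entries from the listing above.

```shell
#!/bin/sh
# Decode the 10-character mode column printed by `ls -l` into the 4-digit
# octal mode that chmod accepts. The three execute positions double as the
# special bits: s/S in the user slot is SUID (4), s/S in the group slot is
# SGID (2), t/T in the other slot is sticky (1). Lower case means the
# execute bit is also set, upper case means it is not.

# Usage: mode_to_octal MODESTRING   e.g. mode_to_octal -rwsr-xr-x -> 4755
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] || { echo "bad mode string: $m" >&2; return 1; }
    special=0 digits="" i=2          # position 1 is the file type (d, -, l ...)
    for who in 4 2 1; do             # SUID, SGID, sticky: one value per triplet
        r=$(printf '%s' "$m" | cut -c "$i")
        w=$(printf '%s' "$m" | cut -c "$((i + 1))")
        x=$(printf '%s' "$m" | cut -c "$((i + 2))")
        n=0
        case $r in r) n=$((n + 4)) ;; -) ;; *) echo "bad char '$r' in $m" >&2; return 1 ;; esac
        case $w in w) n=$((n + 2)) ;; -) ;; *) echo "bad char '$w' in $m" >&2; return 1 ;; esac
        # A special letter is only valid in its own triplet: s for user and
        # group, t for other. Anything else is a malformed mode string.
        case "$who$x" in
            ?x)        n=$((n + 1)) ;;
            ?-)        ;;
            4s|2s|1t)  n=$((n + 1)); special=$((special + who)) ;;
            4S|2S|1T)  special=$((special + who)) ;;
            *)         echo "bad permission char '$x' in $m" >&2; return 1 ;;
        esac
        digits="$digits$n"
        i=$((i + 3))
    done
    printf '%d%s\n' "$special" "$digits"
}

# Constructed sample input: the mode strings from the listing above.
for mode in drwxr-s--- drwxrwxrwt -rwsr-xr-x -rwsr-sr-x -rw-r-Sr-- -rw------T; do
    printf '%-10s -> %s\n' "$mode" "$(mode_to_octal "$mode")"
done
```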

Setting Special Permissions

As with basic permissions, chmod is used.

chmod 4755  file	#Make file SUID and world-executable
chmod u+s   file	#Add SUID
chmod ug+s  file	#Add SUID and SGID
chmod o+t   file	#Add Sticky bit ('t' is the sticky bit's own symbol; 'o+s' is ignored by chmod)
chmod o-t   file	#Remove Sticky bit

chmod 0644  file	#No special permissions. Just standard rw-r--r--
chmod 644   file	#Same as above

The use of 'a' to select user, group and other is not encouraged as results may vary.

See Also