Directory Permissions:
-If you have only read permission and no exec permission on a directory, you can neither view nor access the contents of that directory.
-If you have only exec permission and no read permission on a directory, you cannot list the contents of the directory, but you can still access them by name.
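The difference between the two cases is easy to see on a scratch directory. The function below is an added example, not part of the original notes: it creates a temporary directory with one file (a constructed sample), sets the requested mode, and reports whether the current user can list names (needs r), open an entry (needs x) and stat an entry (also needs x). It only demonstrates anything for a non-root user, since root bypasses these checks entirely.

```shell
# Added example: probe what a directory mode allows for the current user.
# Prints one line: mode=NNN list=yes|no open=yes|no stat=yes|no
probe_dir() {
  mode=$1
  d=$(mktemp -d)                 # constructed scratch directory (mode 700)
  printf 'secret\n' > "$d/file"
  chmod "$mode" "$d"

  # r on a directory = permission to read the list of names.
  # A shell glob only needs readdir(), so it works with r but no x;
  # when the glob fails the pattern is left as the literal "$d/*".
  set -- "$d"/*
  if [ "$1" != "$d/*" ]; then list=yes; else list=no; fi

  # x on a directory = permission to reach an entry by name (path search).
  if cat "$d/file" >/dev/null 2>&1; then open=yes; else open=no; fi

  # stat() of an entry also needs x on the directory, which is why
  # "ls -l" on an r-only directory shows names but fails to fill in details.
  if [ -e "$d/file" ]; then stat=yes; else stat=no; fi

  chmod 700 "$d"
  rm -rf "$d"
  printf 'mode=%s list=%s open=%s stat=%s\n' "$mode" "$list" "$open" "$stat"
}

probe_dir 400   # r only : names visible, entries unreachable
probe_dir 100   # x only : names hidden, a known entry still reachable
probe_dir 500   # r and x: normal read-only directory
```

Run as an ordinary user; as root all three probes answer yes, which is exactly the point made in the Note below about root ignoring permission bits.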
suid and sgid:
-Normally, programs run with the invoker's permissions, not the owner's.
-But with suid and sgid, the program runs with the owner's permissions, not the invoker's.
-suid and sgid show an 's' in place of the 'x' bit in the permission list.
-Such programs are called suid programs or sgid programs.
-Octal value of suid = 4, sgid = 2 and suid+sgid = 6.
-e.g.: chmod 6755 afile, chmod 4755 afile, chmod 2755 afile.
-If the file is executable, suid or sgid is shown as a lowercase 's' in ls -l output. If it is not executable, suid/sgid is shown as an uppercase 'S'.
sticky bit:
-The sticky bit prevents 'world' users from deleting files in a dir even if they have write permission on the parent dir.
-The sticky bit is shown as 't' or 'T' in the world position: t = exec but no delete, T = neither exec nor delete (just like the s or S of suid/sgid).
-The sticky bit has octal value 1.
-e.g.:
MS-KK-Laptop:~ Kali$ chmod 1544 ab/bb/bbc
-r-xr--r-T 1 Kali staff 8 Apr 9 22:15 ab/bb/bbc
MS-KK-Laptop:~ Kali$ chmod 1545 ab/bb/bbc
-r-xr--r-t 1 Kali staff 8 Apr 9 22:15 ab/bb/bbc
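To make the s/S and t/T rule concrete for both the suid/sgid and the sticky-bit sections above, here is an added example (not from the original notes) that decodes an octal mode into the nine-character string ls -l prints, and then checks the decoder against the real ls -l on a temporary file, reproducing the 1544 / 1545 transcript. The function names are my own.

```shell
# Added example: render an octal mode as ls -l shows it.
# A lowercase s/t means the matching x bit is also set; uppercase S/T means
# the special bit is set but the x bit is not (the "T" in chmod 1544 above).

# rwx DIGIT SPECIAL LOWER UPPER
#   DIGIT   = one permission digit 0-7
#   SPECIAL = 0 if the special bit for this triple is clear, nonzero if set
#   LOWER/UPPER = letters used for the special bit with / without x
rwx() {
  d=$1 sp=$2 lo=$3 up=$4
  out=""
  if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
  if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
  if [ "$sp" -ne 0 ]; then
    if [ $((d & 1)) -ne 0 ]; then out="${out}${lo}"; else out="${out}${up}"; fi
  elif [ $((d & 1)) -ne 0 ]; then
    out="${out}x"
  else
    out="${out}-"
  fi
  printf '%s' "$out"
}

# mode_to_symbolic MODE   (3 or 4 octal digits, e.g. 755 or 6755)
mode_to_symbolic() {
  m=$1
  while [ ${#m} -lt 4 ]; do m="0$m"; done   # no leading digit = no special bits
  special=$(printf '%s' "$m" | cut -c1)
  u=$(printf '%s' "$m" | cut -c2)
  g=$(printf '%s' "$m" | cut -c3)
  o=$(printf '%s' "$m" | cut -c4)
  # suid (4) belongs to the user triple, sgid (2) to the group triple,
  # sticky (1) to the world triple
  printf '%s%s%s\n' \
    "$(rwx "$u" $((special & 4)) s S)" \
    "$(rwx "$g" $((special & 2)) s S)" \
    "$(rwx "$o" $((special & 1)) t T)"
}

# compare_with_ls MODE: apply MODE to a scratch file and show both views.
# Columns 2-10 of ls -l are the permission string (column 1 is the file type).
compare_with_ls() {
  f=$(mktemp)                                   # constructed scratch file
  chmod "$1" "$f"
  actual=$(ls -l "$f" | cut -c2-10)
  printf '%s: decoded=%s ls=%s\n' "$1" "$(mode_to_symbolic "$1")" "$actual"
  rm -f "$f"
}

compare_with_ls 1544    # r-xr--r-T : sticky set, world x clear
compare_with_ls 1545    # r-xr--r-t : sticky set, world x set
mode_to_symbolic 6755   # rwsr-sr-x
mode_to_symbolic 4644   # rwSr--r-- : suid on a non-executable file
```

The 4644 case is the one worth remembering when reading ls -l output: an uppercase S marks a special bit that is set but has no effect, which is usually a mistake in a chmod rather than a deliberate choice.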
Note:
-File permissions (rwx) and access modes (sStT) apply to non-root users.
-In other words, root can delete files even if the permissions / access modes on the file don't allow it.
-To prevent such accidents, the 'immutable flag' is used.
-The immutable flag prevents even root from deleting the file until the flag is unset.
-To set or unset the immutable flag, the chattr +i / chattr -i command is used.
-To view the immutable flag, the lsattr command is used.
-e.g.: # chattr +i afile [ sets the immutable flag on afile; even root can't delete it ]
# lsattr afile [ shows the immutable flag attribute ]
# chattr -i afile [ unsets the immutable flag ]
-See man capabilities for more on the immutable flag.
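Because the immutable flag is invisible in ls -l and silently defeats edits and deletions, it helps to have a check that reports which files carry it. The following is an added example, not part of the original notes: it parses lsattr output (attribute field, a space, then the path) and prints the paths whose 'i' flag is set. The sample listing at the bottom is constructed so the script runs without lsattr or root; the live command is shown in a comment.

```shell
# Added example: report files whose immutable (i) flag is set, from lsattr output.
# lsattr prints one line per file, e.g. (constructed sample line):
#   ----i---------e------- /etc/resolv.conf
# The 'e' is the ordinary extents flag on ext4; only a lowercase 'i' matters here
# ('I' is a different flag, indexed directory, so the match is case-sensitive).

# immutable_from_lsattr_line LINE: print the path and return 0 if 'i' is set,
# otherwise print nothing and return 1.
immutable_from_lsattr_line() {
  line=$1
  attrs=${line%% *}      # attribute field: everything before the first space
  path=${line#* }        # path: everything after it (may itself contain spaces)
  case $attrs in
    *i*) printf '%s\n' "$path"; return 0 ;;
    *)   return 1 ;;
  esac
}

# immutable_paths: filter a whole lsattr listing on stdin down to immutable paths.
immutable_paths() {
  while IFS= read -r line; do
    immutable_from_lsattr_line "$line" || true
  done
}

# Live use on a Linux box with e2fsprogs (the flags are filesystem-specific,
# so lsattr reports errors on e.g. /proc or tmpfs; those go to stderr):
#   lsattr -d /etc/* 2>/dev/null | immutable_paths

# Constructed sample listing for a self-contained run:
SAMPLE_LSATTR='--------------e------- /etc/hostname
----i---------e------- /etc/resolv.conf
-----a--------e------- /var/log/audit.log
----i---------e------- /etc/hosts'

printf '%s\n' "$SAMPLE_LSATTR" | immutable_paths
```

On the sample, /etc/resolv.conf and /etc/hosts are reported; /var/log/audit.log carries only the append-only 'a' flag, which is a different protection (writes may append but not truncate) and is deliberately not matched.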
-umask - permissions that a user does not want to be granted automatically to newly created files / dirs.
-umask is like the octal complement of the file permissions. e.g.: umask 022 => default permissions will be 755.
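The "umask 022 => 755" rule is the directory case; the kernel starts from 777 for a new directory but from 666 for a new regular file (or from whatever mode the program passes to mkdir/open) and then clears the umask bits, so the same umask gives 644 for files. The function below is an added example, not from the original notes: it computes both results for a given umask and flags a umask that would leave new files world-writable, which is the usual finding in a hardening check.

```shell
# Added example: what a umask actually yields for new files and directories.
# Prints: umask=NNN file=NNN dir=NNN world_writable=yes|no
umask_report() {
  um=$1
  # A leading 0 makes the shell's arithmetic read the digits as octal.
  # 666 / 777 are the kernel's starting points for files / directories;
  # the umask bits are cleared with AND NOT.
  file=$(printf '%03o' $((0666 & ~0$um)))
  dir=$(printf '%03o' $((0777 & ~0$um)))
  # If the umask does not contain the world-write bit (002), every file
  # created without an explicit restrictive mode ends up world-writable.
  if [ $((0$um & 02)) -eq 0 ]; then ww=yes; else ww=no; fi
  printf 'umask=%s file=%s dir=%s world_writable=%s\n' "$um" "$file" "$dir" "$ww"
}

umask_report 022   # the common default: 644 files, 755 dirs
umask_report 077   # private: 600 files, 700 dirs
umask_report 000   # no bits masked: 666 files, 777 dirs, world-writable
```

To confirm the numbers on a live system, run `umask` to see the current value, then create a file and a directory in a scratch location and compare their ls -l strings with the file and dir columns printed above.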