Mode Description - Sticky Bit

Linux Tips by Burleson Consulting

Used for shared directories to prevent users from renaming or deleting each other's files.  The only users who can rename or delete files in directories with the sticky bit set are the file owner, the directory owner, or the super-user (root).  The sticky bit is represented by the letter t in the last position of the other permissions display.

SUID

Set user ID, used on executable files to allow the executable to be run as the file owner of the executable rather than as the user logged into the system.

SUID can also be used on a directory to change the ownership of files created in or moved to that directory to be owned by the directory owner rather than the user who created it.

SGID

Set group ID, used on executable files to allow the file to be run as if logged into the group (like SUID but uses file group permissions).

SGID can also be used on a directory so that every file created in that directory will have the directory group owner rather than the group owner of the user creating the file.

Table 6.3: Special permission mode settings and their descriptions

The following example displays the SUID permission mode that is set on the passwd command, indicated by the letter s in the last position of the user permission display.  Users would like to be able to change their own passwords instead of having to ask the System Administrator to do it for them.  Since changing a password involves updating the /etc/passwd file which is owned by root and protected from modification by any other user, the passwd command must be executed as the root user.

The which command will be used to find the full path name for the passwd command, then the attributes of the passwd command will be listed, showing the SUID permission(s).

The SUID Special Permission Mode

$ which passwd
/usr/bin/passwd
$ ls -l /usr/bin/passwd
-r-s--x--x    1 root     root        17700 Jun 25  2004 /usr/bin/passwd

Here we see not only that the SUID permissions are set up on the passwd command but also that the command is owned by the root user.  These two factors tell us that the passwd command will run with the permissions of root regardless of who executes it.

These special modes can be very helpful on multi-user systems.  To set or unset the sticky bit, use the t option with the chmod command.  When setting the sticky bit we do not have to specify whether it is for user, group or other.  In the following example we will make a directory called public which anyone can write to, but we'll use the sticky bit to make sure only the file owners can remove their own files.

$ mkdir public
$ chmod 777 public
$ chmod +t public
$ ls -l
total 4
drwxrwxrwt    2 tclark   authors     4096 Sep 14 10:45 public

We see that the last character of the permissions string is a t, indicating the sticky bit has been set.  We could also achieve the same result by prepending the number 1 to the numeric mode given to chmod.  The following chmod command accomplishes the same thing as the two chmod commands in the last example:

$ chmod 1777 public
$ ls -l
total 4
drwxrwxrwt    2 tclark   authors      4096 Sep 14 10:45 public

Now let's say we instead want a directory to which other users can copy files, but where those files instantly become owned by our username and group.  This is where the SUID and SGID options come in.

$ mkdir drop_box
$ chmod 777 drop_box
$ chmod u+s,g+s drop_box
$ ls -l
total 4
drwsrwsrwx    2 tclark   authors      4096 Sep 14 10:55 drop_box

Now anyone can move files to this directory, but upon creation in drop_box they will become owned by tclark and the group authors.  This example also illustrates how you can change multiple levels of permissions with a single command by separating them with a comma.  Just like with the other permissions, this could have been simplified into one command using the SUID and SGID numeric values (4 and 2 respectively).  Since we are changing both in this case, we use 6 as the first value for the chmod command.

$ chmod 6777 drop_box/
$ ls -l
total 4
drwsrwsrwx    2 oracle   users        4096 Sep 14 10:55 drop_box
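The special-mode procedure above (the passwd SUID listing, the sticky public directory and the SUID/SGID drop_box), as an added example that is not from the book: it rebuilds those objects under a scratch directory, reads the special bits back from the same positions ls -l shows them in, and runs the find audit an administrator would use to inventory such files. It assumes a POSIX sh with mktemp and a GNU or BSD find; the helper names are my own.

```shell
#!/bin/sh
# Added example, not code from "Easy Linux Commands".

# Report which special bits are set on $1 by parsing the 10-character
# permission string from `ls -ld`: position 4 carries SUID (s/S),
# position 7 carries SGID (s/S) and position 10 carries the sticky bit (t/T).
special_bits() {
    perm=$(ls -ld "$1" | cut -c1-10)
    out=""
    case "$perm" in ???[sS]*) out="${out}suid " ;; esac
    case "$perm" in ??????[sS]*) out="${out}sgid " ;; esac
    case "$perm" in ?????????[tT]) out="${out}sticky" ;; esac
    printf '%s\n' "${out% }"
}

# Defender's inventory: every path under $1 carrying SUID, SGID or the
# sticky bit.  `-perm -4000` matches when that bit is set, whatever the
# other bits are; the same idea run from / finds every passwd-style binary.
find_special() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) -print | sort
}

# Recreate the book's objects under $1 (a scratch directory).
setup_demo() {
    mkdir -p "$1/public" "$1/drop_box"
    chmod 1777 "$1/public"     # world-writable, sticky: only owners delete
    chmod 6777 "$1/drop_box"   # SUID+SGID as in the text; note that the Linux
                               # kernel ignores SUID on a directory, only the
                               # SGID bit changes the group of new files
    : > "$1/tool"
    chmod 4755 "$1/tool"       # SUID executable, like /usr/bin/passwd
    : > "$1/plain"
    chmod 644 "$1/plain"       # ordinary file, no special bits
}

scratch=$(mktemp -d)
setup_demo "$scratch"
printf 'public:   %s\n' "$(special_bits "$scratch/public")"
printf 'drop_box: %s\n' "$(special_bits "$scratch/drop_box")"
printf 'tool:     %s\n' "$(special_bits "$scratch/tool")"
find_special "$scratch"
rm -rf "$scratch"
```

Running `find_special /` periodically and diffing against a known-good list is the usual way to spot a newly planted SUID binary.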

ACLs – Access Control Lists

Under certain circumstances you may find that controlling permissions at the owner/group level is not sufficient.  Perhaps you want to grant just one other user the ability to read a file, or maybe you need to share write permissions with several other groups instead of just one.

Some versions and configurations support ACLs, or Access Control Lists, to allow this finer granularity of access control to files and directories.  With ACLs you can assign very specific permissions to other users with whom you don't even share a group.

Typically a file will not have an ACL.  If an ACL has been added to a file you will see a + after the permissions string in an ls -l listing.

ACLs are very powerful, but since they are not typically necessary and support for them is sporadic we will not delve into them in this book.  If you want more information about ACLs, a good place to start would be the man pages for acl, the setfacl command and the getfacl command.

Next we'll look at how users can change their active group association.

Logging on to another Group

Every Linux user can be assigned to multiple groups so they can obtain access to whatever files and directories they need to perform their work.  Users can determine the groups to which they have access by using the id command.

When a user logs on to the system, however, they are assigned to their primary group as specified by the System Administrator when the user ID was created.  Since Linux only allows a user to be logged into one group at a time, there is a command that allows users to change their current group whenever they need to assume the permissions of another group.

The newgrp command allows users to change their current group to any group they have been added to.  The newgrp command accepts a single parameter consisting of the name of the group into which the user wishes to log.

The following example shows the use of the id command to determine the group into which the user is currently logged in, as well as all of the groups to which that user has been granted access.  In the example, the current user id (uid) is tclark and the current group (gid) is also tclark.  The eligible groups are tclark and authors.

Determining a User’s Current Group and Accessible Groups Using the id Command

$ id
uid=503(tclark) gid=504(tclark) groups=504(tclark),506(authors)

The next example shows how to switch from the current group of tclark to the authors group.

Logging into a Different Group Using the newgrp Command

$ id
uid=503(tclark) gid=504(tclark) groups=504(tclark),506(authors)
$ newgrp authors
$ id
uid=503(tclark) gid=506(authors) groups=504(tclark),506(authors)

 

This is an excerpt from "Easy Linux Commands" by Linux guru Jon Emmons.  You can purchase it for only $19.95 (30%-off) at this link.

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.  Feel free to ask questions on our Oracle forum.

Copyright © 1996 -  2011 by Burleson Enterprises

All rights reserved.

Oracle © is the registered trademark of Oracle Corporation.