Additional Permissions Settings
There are three advanced options for permissions: the setuid,
setgid and sticky bit options. The sticky bit is not really used
much, but on shared directories it effectively locks files within
the directory from being modified by users other than the file
creator. This is how the /tmp directory is typically maintained,
since multiple users require access to it. The sticky bit is
indicated in ls -l output by a t in the last position of the
permissions:
$ ls -ld /tmp
drwxrwxrwt 9 root root 4096 Jan 9 08:22 /tmp
The setuid and setgid permissions control the user ID or group ID
under which a command runs, regardless of who executes it. One
example of this is the ping command. Since this command needs to
interface with the network controller in a way only root is
allowed to, the setuid bit is set. It can be seen in the same
position where the owner's execute bit would otherwise appear:
# ls -l /bin/ping
-rwsr-xr-x 1 root root 35864 Oct 31 2015 /bin/ping
When the ping command is executed by another user, it assumes
the permissions of the root user before executing, but output is
sent to the original user's session. Setuid and setgid can be
very useful, but due to security concerns, both have been
restricted on most modern operating systems including Linux.
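As an added example that is not part of the original page, the following POSIX shell script audits a directory tree for the three special bits discussed above from a defender's standpoint: it lists setuid and setgid files (each runs with an identity other than the caller's, so each deserves review) and flags world-writable directories that lack the sticky bit, the condition that lets one user delete another user's files. It uses only the POSIX find test -perm -MODE; the sample tree it builds under mktemp is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: audit a directory tree for the
# special permission bits. -perm -MODE is the POSIX find test meaning
# "all of the bits in MODE are set".

audit_special_perms() {
    dir=$1
    # Regular files carrying setuid (4000) or setgid (2000): each one runs
    # with the file owner's or group's identity, so each deserves review.
    find "$dir" -type f -perm -4000 | sed 's/^/setuid /'
    find "$dir" -type f -perm -2000 | sed 's/^/setgid /'
    # Directories writable by everyone (0002) but without the sticky bit
    # (1000): any user can delete or rename another user's files there.
    find "$dir" -type d -perm -0002 ! -perm -1000 | sed 's/^/world-writable-no-sticky /'
}

# Build a small constructed tree, audit it, and print the findings with the
# temporary path replaced by ROOT so the output is stable.
demo_audit() {
    root=$(mktemp -d) || return 1
    mkdir "$root/shared_ok" "$root/shared_bad"
    chmod 1777 "$root/shared_ok"    # world-writable with sticky bit, like /tmp
    chmod 0777 "$root/shared_bad"   # world-writable, no sticky bit
    : > "$root/tool"
    chmod 4755 "$root/tool"         # setuid on an ordinary file
    audit_special_perms "$root" | sed "s|$root|ROOT|" | sort
    rm -rf "$root"
}

demo_audit
```

Run against a real tree (for example audit_special_perms /usr/local) the same function produces a review list; the only finding a well-maintained system should show for shared directories is none, since /tmp and similar directories carry the sticky bit.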
Securing Important Files
On a multi-user system, as most Linux systems are, there will
be times when access to certain files should be restricted.
Often, shell scripts may have passwords in them, or there may be
documents or directories that other users should not see. The
best way to secure these files and directories while still
maintaining access to them is to use the chmod command to remove
all permissions from group and other users.
$ ls -l
-rwxr-xr-x 1 oracle dba 102 Oct 22 14:53 test_script.sh
$ ls -l test_script.sh
-rwx------ 1 oracle dba 102 Oct 22 14:53 test_script.sh
This modification ensures that this file cannot be viewed,
modified or executed by any other user on the system. Assuming
others do not have the specific username and password, this makes
it safe to keep secure data like passwords on the system. This is
necessary for some scripts that require passwords.
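The lock-down described here, as an added example that is not the page's own code: a small POSIX shell script applies chmod go-rwx to a scratch script holding a constructed placeholder password and then checks, by reading the ls -l mode string, that group and other have no bits left. The is_owner_only check is the piece worth keeping; it can be run over every script that embeds a credential before the script is scheduled or shared.

```shell
#!/bin/sh
# Added example, not from the original page: lock a secret-bearing script down
# to its owner and verify the result by reading the ls -l mode string.

# Print the 10-character mode string of a file, e.g. -rwx------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeed (exit 0) only when group and other hold no permission bits at all.
is_owner_only() {
    case "$(mode_of "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Remove every group and other bit; the owner's bits are left exactly as
# they were (for a 755 script this is the same result as chmod 700).
lock_down() {
    chmod go-rwx "$1"
}

# Create a scratch script with a constructed placeholder password, lock it
# down and print the mode before and after.
demo_lock_down() {
    f=$(mktemp) || return 1
    printf '#!/bin/sh\nPASSWORD=placeholder-not-real\n' > "$f"
    chmod 755 "$f"
    before=$(mode_of "$f")
    if is_owner_only "$f"; then rm -f "$f"; return 1; fi   # not private yet
    lock_down "$f"
    after=$(mode_of "$f")
    if ! is_owner_only "$f"; then rm -f "$f"; return 1; fi
    rm -f "$f"
    printf '%s -> %s\n' "$before" "$after"
}

demo_lock_down
```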
WARNING: Do not change the permissions on installed software
unless you really know what you are doing. A few improper
permission changes on files in the ORACLE_HOME directory could
quickly render Oracle unusable.
Setting Permissions Beyond the Owner and Group
While the security model used in Linux offers quite a bit of
flexibility, there are times when simply managing permissions on
an owner/group/other basis is insufficient. To offer more
flexibility, Linux offers access control lists, also referred to
as ACLs. ACLs offer the ability to name, individually, a user or
group and grant them specific access to a given file. The primary
commands for using ACLs are setfacl, which sets ACLs for a given
file, and getfacl, which displays a file's ACL. When a file has an
ACL set, a plus (+) appears after the permission portion of the
ls -l output:
$ setfacl -m user:oracle:rwx hello.sh
$ ls -l
-rwxrwxr--+ 1 jemmons jemmons 30 Sep 29 13:28 hello.sh
-rwxr-xr-- 1 jemmons dba 370 Sep 29 13:43 status.sh
-rwxr-xr-x 1 jemmons jemmons 20 Nov 8 08:37 test.sh
$ getfacl hello.sh
# file: hello.sh
# owner: jemmons
# group: jemmons
To set an ACL on a file, the -m option is used with an ACL
entry. The ACL entry is typically made up of the word user or
group, indicating whether the permissions are being added for a
user or a group, the name of that user or group, and the
permissions they should be granted on this file. The example
above shows a typical ACL setting.
Permissions for multiple users or groups can be added through
ACLs. Permissions for a given user or group can be replaced using
the -m option in the same way they were added. When you want to
remove a user or group from the ACL, the -x option is used:
$ setfacl -x user:oracle hello.sh
Since all permissions added through that ACL entry are removed,
there is no need to specify r, w or x.
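As an added example (not from the original page), the following shell function reads getfacl output and reports the effective permission of each named user or group entry. getfacl output contains a mask entry whenever named entries exist, and a named entry is limited to the bits also present in the mask, so an entry that reads rwx can still grant less; on a file with an ACL, the ls -l field that normally shows group permissions displays that mask. The sample getfacl output embedded in the script is constructed for the demonstration, modelled on the hello.sh listing above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: report the effective permission
# of each named ACL entry, taking the mask into account. The sample getfacl
# output below is constructed for this demonstration.

SAMPLE_GETFACL='# file: hello.sh
# owner: jemmons
# group: jemmons
user::rwx
user:oracle:rwx
group::r--
mask::rw-
other::r--'

# Usage: acl_effective "<getfacl output>"
# Prints "user:NAME PERMS effective=PERMS" (or group:NAME ...) per named entry.
acl_effective() {
    printf '%s\n' "$1" | awk -F: '
        { sub(/[ \t]+#.*$/, "") }          # drop trailing "#effective:" notes
        /^#/ || $0 == "" { next }          # skip header lines and blanks
        $1 == "mask" { mask = $3; next }
        ($1 == "user" || $1 == "group") && $2 != "" {
            entry[++n] = $1 ":" $2
            perm[n] = $3
        }
        END {
            if (mask == "") mask = "rwx"   # no mask entry: nothing is masked
            for (i = 1; i <= n; i++) {
                eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr(perm[i], j, 1)
                    m = substr(mask, j, 1)
                    eff = eff ((c != "-" && m != "-") ? c : "-")
                }
                print entry[i] " " perm[i] " effective=" eff
            }
        }'
}

# Succeed when an ls -l line carries the "+" that marks an extended ACL.
ls_line_has_acl() {
    case "$1" in
        ??????????+*) return 0 ;;
        *)            return 1 ;;
    esac
}

acl_effective "$SAMPLE_GETFACL"    # user:oracle rwx effective=rw-
```

On a live system the same function is fed with acl_effective "$(getfacl hello.sh)"; a named entry whose effective column is narrower than its stated permission is the usual explanation when a user granted rwx through setfacl -m still cannot execute the file.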
Sticky Bits, Setuid and Setgid
Linux has three additional special permissions beyond the basic
permissions described above. The sticky bit is used on directories
to prevent users with write access to the directory from deleting
files that they do not own. The setuid bit is set in the owner
execution field to allow normal users to execute an application
by assuming the identity of the file owner. The setgid bit has the
same purpose that setuid does, but is related to the group
permissions.
The table below gives explanations and examples for each special
permission:

Sticky bit
Explanation and example: You can see if the sticky bit is set by
doing an ls -al on the files or directories; a file with the
sticky bit has a t in the privileges instead of the execution bit
x. If the directory has the sticky bit set, a file can be deleted
only by the file owner, the directory owner, or by a privileged
user.
-rwxrwxrwt  execute and sticky bit are set in this example.
-rwxrwxrwT  sticky bit is set and not execute.
Can be set on the file or directory with chmod:
chmod +t your_file_name
drwxrwxrwt 18 root root 4096 2015-03-03 15:23 tmp
This is an example where the public folder tmp includes files
where all users have read and write access on all files. The
sticky bit is set to avoid users from deleting other users' files.

Setuid
Explanation and example: When the setuid bit is set, the user
gets an s instead of the execution x in the owner field. An s
means that both the setuid bit and the execution bit are set. An
S means that only the setuid bit is set.
-rwsr-xr-x  execute and the setuid bit are set.
-rwSr-xr-x  setuid bit is set but not the execution bit.
Can be set on the file or directory with the command chmod:
chmod u+s your_file_name
-rwsr-xr-x 1 root root 29104 2015-12-08 10:14
This is an example where the password-changing program can be
executed by a normal user so that they can change their own
password. Since the normal user will assume the SUID of root,
they will be able to update the password file even though this
file is owned by root.

Setgid
Explanation and example: The purpose of the setgid is the same as
setuid, but it is on the group this time.
-rwxr-sr-x  setgid is set and the execution bit is set.
-rwxr-Sr-x  Only the setgid is set, but not the execution bit x.
Can be set on the file or directory with the command chmod:
chmod g+s your_file_name
root crontab 26928 2015-04-08 20:02 /usr/bin/crontab
This example shows how normal users can run the crontab command
with the effective group privileges of the crontab group.

Values Using the chmod Command for Special Permissions
The chmod command can also be used to set or unset the special
permissions with the following values as a prefix to the normal
three numeric privileges:
1  sticky bit is in place
2  setgid bit is in place
3  setgid and sticky bits are in place
4  setuid bit is in place
5  setuid and sticky bits are in place
6  setuid and setgid bits are on
The syntax will be, for example, to set the gid and the
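Both the letter forms in the table (s or S in the owner and group execute positions, t or T in the last position) and the numeric prefix, as an added example that is not from the original page: describe_mode turns an ls -l mode string into the special bits it shows and says whether the execute bit beneath each one is set, special_digit_names expands the leading octal digit into the bits it names, and roundtrip applies chmod with a given digit to a scratch file (created with mktemp) and reads the result back so the two notations can be compared. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: relate the s/S and t/T letters
# shown by ls -l to the leading octal digit understood by chmod.

# Usage: describe_mode -rwsr-xr-x  -> "setuid+x"
# Each special bit is reported with +x when the execute bit beneath it is
# also set (lowercase letter) and -x when it is not (capital letter).
describe_mode() {
    m=$1
    out=""
    case "$(printf '%s\n' "$m" | cut -c4)" in
        s) out="${out}setuid+x " ;;
        S) out="${out}setuid-x " ;;
    esac
    case "$(printf '%s\n' "$m" | cut -c7)" in
        s) out="${out}setgid+x " ;;
        S) out="${out}setgid-x " ;;
    esac
    case "$(printf '%s\n' "$m" | cut -c10)" in
        t) out="${out}sticky+x " ;;
        T) out="${out}sticky-x " ;;
    esac
    printf '%s\n' "${out% }"
}

# Usage: special_digit_names 3 -> "setgid,sticky"
# The leading octal digit is a bit mask: 4 = setuid, 2 = setgid, 1 = sticky,
# which is why 3, 5 and 6 name two bits at once.
special_digit_names() {
    d=$1
    names=""
    [ $((d & 4)) -ne 0 ] && names="${names}setuid,"
    [ $((d & 2)) -ne 0 ] && names="${names}setgid,"
    [ $((d & 1)) -ne 0 ] && names="${names}sticky,"
    printf '%s\n' "${names%,}"
}

# Apply "chmod <digit>755" to a scratch file and describe what ls reports.
roundtrip() {
    f=$(mktemp) || return 1
    chmod "${1}755" "$f"
    describe_mode "$(ls -l "$f" | cut -c1-10)"
    rm -f "$f"
}

roundtrip 4              # setuid+x
special_digit_names 3    # setgid,sticky
```

A capital letter from describe_mode (the -x form) is worth a second look during review: a setuid or setgid bit sitting on a file that is not executable does nothing, and is usually the trace of a chmod that set the special bit without the execute bit beneath it.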