setuid, setgid and sticky bit

Expert Oracle Database Tips by Donald Burleson, March 22, 2015

Additional Permissions Settings

There are three advanced options for permissions: the setuid, setgid and sticky bit options.  The sticky bit is not used much on regular files (the Linux kernel ignores it there), but on a shared directory it prevents users other than a file's owner, the directory's owner and root from deleting or renaming files in that directory.  It does not restrict reading or writing a file; that is still governed by the file's own permission bits.

This is how the /tmp directory is typically maintained, since multiple users require write access to it.  The sticky bit is indicated in ls -l output by a t in the last position of the permissions field, where the execute bit for "other" would otherwise appear.

$ ls -ld /tmp

drwxrwxrwt 9 root root 4096 Jan  9 08:22 /tmp

The setuid and setgid permissions cause a program to run with the user ID or group ID of the file's owner or group rather than with the ID of the user who executes it.  One example of this is the ping command.  Because ping needs a raw network socket, which only root (or a process holding the CAP_NET_RAW capability) may open, it has traditionally been installed setuid root.  The bit is shown as an s in the position where the owner's execute permission is normally indicated.

# ls -l /bin/ping

-rwsr-xr-x 1 root root 35864 Oct 31  2015 /bin/ping

When ping is executed by another user, the process's effective user ID becomes root before the program starts, while its real user ID stays that of the caller and its output still goes to the caller's terminal.  Setuid and setgid can be very useful, but every setuid-root file is a privilege boundary that any local user can reach, so their use is restricted on modern systems.  The Linux kernel ignores the setuid and setgid bits on interpreted scripts (only native executables honor them); a filesystem can be mounted nosuid so that the bits are ignored entirely; and many distributions now install ping with a file capability (CAP_NET_RAW) instead of the setuid bit, so the listing above may show -rwxr-xr-x on a current system.
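The check a practitioner runs after reading the above is an inventory: which files on a system carry the setuid or setgid bit, and which world-writable directories are missing the sticky bit.  The following POSIX shell script is an added example (not from the original page) that does this for a directory tree using only find(1); the output format and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: audit a directory tree for the
# special permission bits discussed above, using only POSIX sh and find(1).
# Every setuid/setgid file is a privilege boundary reachable by any local
# user, and a world-writable directory without the sticky bit lets any user
# delete or rename any other user's files, so both are worth enumerating.

# Print one line per finding, "<kind> <path>", where kind is one of:
#   setuid                   regular file that runs with its owner's UID
#   setgid                   regular file that runs with its group's GID
#   sticky                   directory where only a file's owner may delete it
#   nosticky-world-writable  directory anyone may write to, with no sticky bit
# find's -perm -NNNN matches when all of the given bits are set.
list_special_bits() {
    dir=${1:?usage: list_special_bits DIR}
    find "$dir" -type f -perm -4000 -print | sed 's/^/setuid /'
    find "$dir" -type f -perm -2000 -print | sed 's/^/setgid /'
    find "$dir" -type d -perm -1000 -print | sed 's/^/sticky /'
    find "$dir" -type d -perm -0002 ! -perm -1000 -print \
        | sed 's/^/nosticky-world-writable /'
}

# Files that are setuid to root specifically: the ones to review first.
list_setuid_root() {
    find "${1:?usage: list_setuid_root DIR}" -type f -perm -4000 -user root -print
}

# Run against a tree when invoked directly, e.g.  sh audit.sh /usr/bin
if [ $# -gt 0 ]; then
    list_special_bits "$1"
fi
```

Run it against /usr/bin and /usr/sbin on a host and compare the setuid list with the package manager's expectations; a setuid binary that no package owns, or one under an ORACLE_HOME that the installer did not create, is what this inventory is meant to surface.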

Securing Important Files

On a multi-user system, as most Linux systems are, there will be times when access to certain files should be restricted.  Shell scripts may have passwords in them, or there may be documents or directories that other users should not see.  The simplest way to secure these files and directories while still maintaining access to them is to use the chmod command to remove all permissions from the group and other users.

$ ls -l test_script.sh

-rwxr-xr-x  1 oracle dba 102 Oct 22 14:53 test_script.sh

$ chmod go-rwx test_script.sh
$ ls -l test_script.sh

-rwx------  1 oracle dba 102 Oct 22 14:53 test_script.sh

This modification ensures that the file cannot be viewed, modified or executed by any other ordinary user on the system.  It does not hide the file from root, or from anyone who can become the owning user (through sudo, or by knowing that account's password), and it does nothing about copies or backups made before the change.  With those limits understood, it is the minimum for a script that must contain a password.  Two habits make it stick: set the permissions before the password goes into the file rather than afterwards, and use a restrictive umask (umask 077) in the session that creates such files so they are never created readable by others in the first place.

WARNING: Do not change the permissions on installed software unless you really know what you are doing.  A few improper permission changes on files in the ORACLE_HOME directory could quickly render Oracle unusable.
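The following POSIX shell script is an added example (not from the original page) of the procedure just described: lock a credentials file down with chmod go-rwx, create new secret-bearing files under a restrictive umask, and refuse to proceed unless the file is private and owned by the invoking user.  The function names are this example's own; the mode is read from ls -ld so the check works without GNU stat.

```shell
#!/bin/sh
# Added example, not from the original page: lock down a file that holds a
# secret (such as a script with a database password) and verify the result
# before trusting it. POSIX sh; the mode is read from ls -ld so it works
# without GNU stat.

# Characters 5-10 of the ls -ld mode column are the group and other bits,
# e.g. "-rwxr-xr-x" -> "r-xr-x". ls -n gives the numeric owner UID.
mode_group_other() { ls -ld "$1"  | cut -c5-10; }
owner_uid_of()     { ls -ldn "$1" | awk '{print $3}'; }

# Remove every permission from group and other: the chmod go-rwx of the text.
lock_down() {
    chmod go-rwx "${1:?usage: lock_down FILE}"
}

# Succeed only if FILE is a regular file owned by the invoking user with no
# group/other bits at all. A script that sources credentials should call
# this first and refuse to run otherwise, as ssh refuses a readable key.
require_private() {
    f=${1:?usage: require_private FILE}
    if [ ! -f "$f" ]; then
        printf 'require_private: %s: not a regular file\n' "$f" >&2
        return 1
    fi
    if [ "$(owner_uid_of "$f")" != "$(id -u)" ]; then
        printf 'require_private: %s: owned by uid %s, not uid %s\n' \
            "$f" "$(owner_uid_of "$f")" "$(id -u)" >&2
        return 1
    fi
    if [ "$(mode_group_other "$f")" != "------" ]; then
        printf 'require_private: %s: group/other bits are %s, expected ------\n' \
            "$f" "$(mode_group_other "$f")" >&2
        return 1
    fi
    return 0
}

# Creating a secret-bearing file under umask 077 means it is never, even for
# an instant, readable by others; a chmod afterwards cannot close that window.
create_private() {
    f=${1:?usage: create_private FILE}
    (umask 077 && : > "$f") || return 1
    require_private "$f"
}
```

A script that needs the password would begin with `require_private "$HOME/.ora_creds" && . "$HOME/.ora_creds"`, so a later careless chmod on the credentials file is caught before the password is read, not after.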

Setting Permissions Beyond the Owner and Group

While the security model used in Linux offers quite a bit of flexibility, there are times when managing permissions on an owner/group/other basis alone is insufficient.  To offer more flexibility, Linux offers access control lists, also referred to as ACLs.

ACLs offer the ability to name, individually, a user or group and grant them specific access to a given file.  The primary commands for using ACLs are setfacl, which sets ACLs for a given file, and getfacl, which displays a file's ACL.  When a file has an ACL set, a plus (+) appears after the permission portion of the ls -l output.

$ setfacl -m user:oracle:rwx hello.sh
$ ls -l

total 24
-rwxrwxr--+ 1 jemmons jemmons  30 Sep 29 13:28 hello.sh
-rwxr-xr--  1 jemmons dba     370 Sep 29 13:43 status.sh
-rwxr-xr-x  1 jemmons jemmons  20 Nov  8 08:37 test.sh


$ getfacl hello.sh
# file: hello.sh
# owner: jemmons
# group: jemmons
user::rwx
user:oracle:rwx
group::rw-
mask::rwx
other::r--

To set an ACL entry, the -m option is used with an entry of the form user:NAME:PERMS or group:NAME:PERMS: the word user or group says which kind of principal the entry is for, then the name of the user or group, then the permissions they should be granted on this file.  The example above shows a typical ACL setting.  Note the mask entry that getfacl reports.  The mask caps what named users, named groups and the owning group actually receive: the effective permission of such an entry is the intersection of the entry and the mask.  setfacl recalculates the mask when an entry is added, which is why mask::rwx appears above.  If the mask is later narrowed (chmod on the group bits of a file that has an ACL changes the mask, not the owning group's entry), getfacl marks each entry that is cut down with a #effective: annotation.

Permissions for multiple users or groups can be added through ACLs; several entries can be given to one -m call separated by commas.  Permissions for a given user or group can be replaced using the -m option again with the same user or group name.  When you want to remove a user or group from the ACL, the -x option is used with setfacl.

$ setfacl -x user:oracle hello.sh

Since the entry is removed as a whole, there is no need to specify r, w or x.
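The mask rule is the part of ACLs that most often surprises people: getfacl can list user:oracle:rwx while oracle can only read and execute the file.  The following POSIX shell script is an added example (not from the original page) that applies the mask to getfacl-style text the way the kernel does, printing the same #effective: annotation getfacl uses.  The ACL text embedded in it is a constructed sample in getfacl's output format, not the page's hello.sh; it uses a narrower mask (r-x) than the example above so that the effect is visible.

```shell
#!/bin/sh
# Added example, not from the original page: apply the ACL mask the way the
# kernel does, so that what getfacl lists can be compared with what a user
# actually gets. POSIX sh only. SAMPLE_ACL is a constructed sample in
# getfacl's output format with a deliberately narrow mask.

SAMPLE_ACL='# file: hello.sh
# owner: jemmons
# group: jemmons
user::rwx
user:oracle:rwx
group::rw-
group:dba:r-x
mask::r-x
other::r--'

# Intersect a permission triad with the mask: a bit is effective only when it
# is set in both. The owner (user::) and other:: entries are never masked.
mask_perms() {
    entry=$1 mask=$2 out="" i=1
    while [ "$i" -le 3 ]; do
        e=$(printf '%s' "$entry" | cut -c"$i")
        m=$(printf '%s' "$mask"  | cut -c"$i")
        if [ "$e" = "$m" ] && [ "$e" != "-" ]; then out="$out$e"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Read getfacl-style text on stdin and echo it back, appending
# "#effective:xxx" to every named-user, named-group and owning-group entry
# that the mask cuts down. getfacl prints the same annotation when a mask
# is narrower than an entry.
acl_effective() {
    text=$(cat)
    mask=$(printf '%s\n' "$text" | sed -n 's/^mask::\(...\)$/\1/p')
    printf '%s\n' "$text" | while IFS= read -r line; do
        case $line in
            user::*|other::*|mask::*|'#'*|'')
                printf '%s\n' "$line" ;;            # never masked, or a comment
            user:*|group:*)
                perms=${line##*:}                   # text after the last colon
                eff=$perms
                if [ -n "$mask" ]; then eff=$(mask_perms "$perms" "$mask"); fi
                if [ "$eff" != "$perms" ]; then
                    printf '%s #effective:%s\n' "$line" "$eff"
                else
                    printf '%s\n' "$line"
                fi ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done
}

# Worked example on the constructed ACL above: user:oracle:rwx is reported
# with #effective:r-x and group::rw- with #effective:r--.
printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

On a real file the equivalent check is simply `getfacl hello.sh` after `setfacl -m m::r-x hello.sh` (or after `chmod g-w hello.sh`, which on a file with an ACL narrows the mask rather than the owning group's entry); the annotated lines are the ones whose listed permissions are not what the user gets.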



Sticky Bits, Setuid and Setgid

Linux has three special permissions in addition to the basic permissions described before:

- Sticky bit is used on directories to prevent users with write access to the directory from deleting or renaming files that they do not own.

- Setuid or SUID is set in the owner execute field to allow normal users to run an executable with the identity (effective user ID) of the file's owner.

- Setgid or SGID has the same purpose as setuid, but for the group: the program runs with the effective group ID of the file's group.  On a directory, setgid has a different and often more useful meaning: new files and subdirectories created inside it inherit the directory's group rather than the creator's primary group, which is how a shared directory is kept owned by one group such as dba.

The table below gives explanations and examples for each special permission:

Permission type: sticky bit

    Whether the sticky bit is set can be seen with ls -al: the directory shows a t in the last position of the permissions field, where the execute bit x for "other" would be.

    If a directory has the sticky bit set, a file in it can be deleted or renamed only by the file's owner, the directory's owner, or a privileged user.

    drwxrwxrwt : execute and the sticky bit are both set.
    drwxrwxr-T : only the sticky bit is set, not execute for "other".

    Set with chmod: chmod +t your_directory_name.  The bit can also be set on a regular file, but the Linux kernel ignores it there.

    Example:

    drwxrwxrwt  18 root root  4096 2015-03-03 15:23 tmp

    The classic case is the public /tmp directory, to which every user has write access.  The sticky bit is set so that users cannot delete or rename other users' files.

Permission type: setuid

    When set, an s or S appears instead of the owner's execute bit x.  A lower-case s means both the setuid bit and the execute bit are set.  An upper-case S means only the setuid bit is set, which is useless, since a file without the execute bit cannot be run.

    -rws------ : both the execute and the setuid bit are set.
    -r-S------ : the setuid bit is set but not the execute bit x.

    Set with chmod: chmod u+s your_file_name.  Only native executables honor it; Linux ignores setuid on scripts and on directories.

    Example:

    -rwsr-xr-x 1 root root 29104 2015-12-08 10:14 /usr/bin/passwd

    The passwd program can be executed by a normal user so that they can change their own password.  Because the process runs with the effective UID of root, it can update /etc/passwd and /etc/shadow even though those files are owned by root.  It is the program, not the permission bit, that limits the user to changing only their own entry, which is why setuid programs have to be written with great care.

Permission type: setgid

    The purpose of setgid is the same as setuid, but for the group.

    -rwxrws--- : setgid and the group execute bit are set.
    -rwxr-S--- : only setgid is set, not the group execute bit x.

    Set with chmod: chmod g+s your_file_name.

    Example:

    -rwxr-sr-x 1 root crontab 26928 2015-04-08 20:02 /usr/bin/crontab

    This example shows how normal users can run the crontab command with the effective group privileges of the crontab group, which is what lets it write the user's crontab into the spool directory that only that group may write.

Table 2.4:  Special Permissions Explanations and Examples

 

The chmod command can also set or clear the special bits numerically, by putting one of the following values in front of the usual three octal digits.  The value is the sum of 4 for setuid, 2 for setgid and 1 for the sticky bit:

Value   Explanation
0       setuid, setgid and sticky bits are all unset
1       sticky bit is set
2       setgid bit is set
3       setgid and sticky bits are set
4       setuid bit is set
5       setuid and sticky bits are set
6       setuid and setgid bits are set
7       setuid, setgid and sticky bits are all set

Table 2.5:  Values Using Chmod Command for Special Permissions

The syntax is, for example, to set the setuid, setgid and sticky bits on a file with rwxr-x--- permissions:

chmod 7750 sqlplus

ls -l then shows the file as -rwsr-s--T: s in the owner and group execute positions, and an upper-case T because the sticky bit is set while "other" has no execute bit.  This is only an illustration of the syntax.  The sticky bit does nothing on a regular file, and making a binary such as sqlplus setuid lets every user who can run it act as the file's owner, so in practice the special bits on Oracle binaries should be left exactly as the installer set them.
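Tables 2.4 and 2.5 describe the same bits in two notations, and reading one off the other by hand is error-prone (the upper-case S and T cases in particular).  The following POSIX shell script is an added example (not from the original page) that converts between the octal values of Table 2.5 and the symbolic strings of Table 2.4 in both directions, so either table can be checked against the other and against what ls -l prints for a real file; mode_of is a small helper introduced here that reads the mode string from ls -ld.

```shell
#!/bin/sh
# Added example, not from the original page: convert between the octal
# special-bit values of Table 2.5 and the symbolic mode strings of Table 2.4
# in both directions. POSIX sh only. mode_of is a helper introduced here that
# reads the mode string of an existing file from ls -ld.

# One octal digit to its rwx triad.
triad() {
    case $1 in
        0) printf '%s' '---' ;;  1) printf '%s' '--x' ;;
        2) printf '%s' '-w-' ;;  3) printf '%s' '-wx' ;;
        4) printf '%s' 'r--' ;;  5) printf '%s' 'r-x' ;;
        6) printf '%s' 'rw-' ;;  7) printf '%s' 'rwx' ;;
        *) return 1 ;;
    esac
}

# Overlay a special bit on a triad: the execute slot becomes the lower-case
# letter (s or t) when execute is also set and the upper-case letter (S or T)
# when it is not, exactly as ls -l displays it.
overlay() {   # $1 triad, $2 letter, $3 1 if the special bit is set else 0
    if [ "$3" -eq 0 ]; then printf '%s' "$1"; return 0; fi
    case ${1#??} in
        x) printf '%s%s' "${1%?}" "$2" ;;
        *) printf '%s%s' "${1%?}" "$(printf '%s' "$2" | tr 'st' 'ST')" ;;
    esac
}

# 4755 -> rwsr-xr-x ; a 3-digit mode is treated as having special digit 0.
octal_to_symbolic() {
    m=$1
    if [ ${#m} -eq 3 ]; then m=0$m; fi
    sp=${m%???}
    u=${m#?};  u=${u%??}
    g=${m#??}; g=${g%?}
    o=${m#???}
    overlay "$(triad "$u")" s $(( (sp & 4) != 0 ))
    overlay "$(triad "$g")" s $(( (sp & 2) != 0 ))
    overlay "$(triad "$o")" t $(( (sp & 1) != 0 ))
    printf '\n'
}

# rwsr-xr-x or -rwsr-xr-x -> 4755 : a leading file-type column is dropped.
symbolic_to_octal() {
    s=$1
    if [ ${#s} -eq 10 ]; then s=${s#?}; fi
    u=${s%??????}
    rest=${s#???}; g=${rest%???}
    o=${s#??????}
    sp=0 digits=""
    for pair in "$u:4" "$g:2" "$o:1"; do      # each triad and the special bit it carries
        tri=${pair%:?}; bit=${pair#*:}; v=0
        case $tri in r??) v=$((v + 4)) ;; esac
        case $tri in ?w?) v=$((v + 2)) ;; esac
        case $tri in ??[xst]) v=$((v + 1)) ;; esac         # execute is set
        case $tri in ??[sStT]) sp=$((sp | bit)) ;; esac    # special bit is set
        digits="$digits$v"
    done
    printf '%s%s\n' "$sp" "$digits"
}

# The 9-character mode of an existing file, e.g. rwsr-xr-x for a setuid ping.
mode_of() { ls -ld "${1:?usage: mode_of FILE}" | cut -c2-10; }

# What the page's "chmod 7750 sqlplus" actually produces in ls -l.
printf 'chmod 7750 gives %s\n' "$(octal_to_symbolic 7750)"
```

`symbolic_to_octal "$(mode_of /usr/bin/passwd)"` gives the four-digit mode of an installed file, which is the form an audit script compares against a known-good baseline; the reverse direction tells you what a mode like 7750 will look like before you apply it.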
