Advanced Linux file permissions


In this tutorial we will learn about advanced Linux file permissions: set user id (SUID), set group id (SGID) and the sticky bit permission on Linux directories. You will also learn how to use commands like chmod u+t, chmod g+s, chmod u+s etc.

What is sticky bit permission?

This is an extra security feature in Linux which protects a critical directory and its contents from deletion by other users who do not own the directory or its contents (even if they have full permissions). Only the user who owns the directory or the files within it, and root, can delete those contents and that particular directory.

How do you know that the sticky bit is set on a folder/directory?

If you see "t" or "T" in the last (9th) position of the rwxrwxrwx permissions, the sticky bit is set.
For example, you might see rwxrwxrwt or rwxrwxrwT. Lowercase "t" means other users (not the owner and not the group) also have execute permission on the directory. Uppercase "T" means other users do not have execute permission on that directory.
See the example below.

[root@shahid ~]# mkdir Stickyfolder
[root@shahid ~]# ls -ld Stickyfolder
drwxr-xr-x. 2 root root 6 Feb 27 09:10 Stickyfolder
[root@shahid ~]# chmod o+t Stickyfolder
[root@shahid ~]# ls -ld Stickyfolder
drwxr-xr-t. 2 root root 6 Feb 27 09:10 Stickyfolder
[root@shahid ~]#

You can also use octal permissions to set the sticky bit. The value of the sticky bit is 1, and it is written as a leading digit in front of the three permission triplets.

Let's remove the sticky bit permission first with the command chmod o-t foldername

[root@shahid ~]# ls -ld Stickyfolder
drwxr-xr-t. 2 root root 6 Feb 27 09:10 Stickyfolder
[root@shahid ~]# chmod o-t Stickyfolder
[root@shahid ~]# ls -ld Stickyfolder/
drwxr-xr-x. 2 root root 6 Feb 27 09:10 Stickyfolder/
[root@shahid ~]#

Now let's use octal permissions to set the sticky bit on the folder

[root@shahid ~]# chmod 1777 Stickyfolder/
[root@shahid ~]# ls -ld Stickyfolder
drwxrwxrwt. 2 root root 6 Feb 27 09:10 Stickyfolder
[root@shahid ~]#

If we remove execute permission from others, we should see an uppercase "T" as the last character.

Now let's switch to a normal user who does not own the contents of the directory and try to delete them

[shahid@shahid ~]$ ls -l Stickyfolder/
total 8
-rw-r--r--. 1 root root 115 Feb 27 09:25 shahid.sh
-rw-r--r--. 1 root root  46 Feb 27 09:27 test.sh
[shahid@shahid ~]$ pwd
/home/shahid
[shahid@shahid ~]$

[shahid@shahid ~]$ rm -rf Stickyfolder/
rm: cannot remove ‘Stickyfolder/shahid.sh’: Operation not permitted
rm: cannot remove ‘Stickyfolder/test.sh’: Operation not permitted
[shahid@shahid ~]$

It does not allow user 'shahid' to delete the contents of Stickyfolder even though the user has full permissions on the directory.

Task:

Try ls -ld /tmp and post the result in a comment :)

setgid bit on directory

If setgid is set on a directory then all files created in this directory will belong to the group owner of that directory: even if a user who does not belong to that group creates a file, the file will have the group ownership of that directory. In other words, files created in this directory belong to the group to which the directory belongs, not to the group of the user who creates them.
If setgid is set on a directory you will see "s" or "S" instead of x in the group permissions. For example, if directory dir1 has permissions rwxrwsrwx or rwxrwSrwx,

then "s" means the group also has execute permission (x) and "S" means the group has no execute permission.

The example below shows that we added group1 and then assigned the folder groupid to group1

[root@shahid shahid]# groupadd group1
[root@shahid shahid]# chown root:group1 groupid
[root@shahid shahid]# chmod 2777 groupid
[root@shahid shahid]# ls -ld groupid/
drwxrwsrwx. 2 root group1 21 Feb 27 11:31 groupid/
[root@shahid shahid]# touch groupid/test.txt
[root@shahid shahid]# ls -ld groupid/test.txt
-rw-r--r--. 1 root group1 0 Feb 27 11:31 groupid/test.txt

The root user created the file test.txt, but its group ownership is still group1.


Now let's use the symbolic way of removing, and then assigning back, setgid on the folder groupid

Removing setgid

[root@shahid shahid]# ls -ld groupid/
drwxrwsrwx. 2 root group1 21 Feb 27 11:31 groupid/
[root@shahid shahid]# chmod g-s groupid
[root@shahid shahid]# ls -ld groupid
drwxrwxrwx. 2 root group1 21 Feb 27 11:31 groupid
[root@shahid shahid]#

Adding setgid

[root@shahid shahid]# ls -ld groupid
drwxrwxrwx. 2 root group1 21 Feb 27 11:31 groupid
[root@shahid shahid]# chmod g+s groupid
[root@shahid shahid]# ls -ld groupid/
drwxrwsrwx. 2 root group1 21 Feb 27 11:31 groupid/
[root@shahid shahid]#

To find all setgid directories, use the command below

[root@shahid shahid]# find / -type d -perm -2000 2> /dev/null
/run/log/journal
/run/log/journal/579cae9b5a4b483cb45bd543e468e0f0
/home/shahid/groupid
[root@shahid shahid]#
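The find command above only covers setgid directories. As an added example (not from the original article), the script below extends it into a small audit of all three special bits: it lists SUID files, SGID files and directories, and world-writable directories that lack the sticky bit. The function names and output format are this example's own; the demo tree it scans is constructed in a temporary directory and needs no root privileges.

```shell
#!/bin/sh
# Added example, not part of the original article: a defender's audit of the
# three special bits covered in this tutorial, extending the single
# "find / -type d -perm -2000" check above. It reports:
#   SUID      regular files with the set-user-id bit (octal 4000)
#   SGID      files and directories with the set-group-id bit (octal 2000)
#   NOSTICKY  world-writable directories WITHOUT the sticky bit (octal 1000),
#             i.e. shared directories where any user may delete anyone's files.
# Function names and the output format are this example's own choices.
set -eu

audit_special_bits() {
    root="$1"
    # -xdev keeps the scan on one filesystem (no wandering into /proc, /sys).
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sed 's/^/SUID /'
    find "$root" -xdev \( -type f -o -type d \) -perm -2000 2>/dev/null | sed 's/^/SGID /'
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sed 's/^/NOSTICKY /'
}

# Builds a constructed tree exercising every case above and prints its path.
# Everything is owned by the caller, so no root privileges are needed.
make_demo_tree() {
    base=$(mktemp -d)
    touch "$base/suid_bin" "$base/sgid_bin" "$base/plain_bin"
    chmod 4755 "$base/suid_bin"    # -rwsr-xr-x  like /usr/bin/passwd
    chmod 2755 "$base/sgid_bin"    # -rwxr-sr-x
    chmod 0755 "$base/plain_bin"   # -rwxr-xr-x  must not be reported
    mkdir "$base/shared_ok" "$base/shared_bad" "$base/groupdir"
    chmod 1777 "$base/shared_ok"   # drwxrwxrwt  like /tmp, protected
    chmod 0777 "$base/shared_bad"  # drwxrwxrwx  anyone can delete anything
    chmod 2775 "$base/groupdir"    # drwxrwsr-x  like the groupid directory above
    printf '%s\n' "$base"
}

demo_root=$(make_demo_tree)
audit_special_bits "$demo_root" | sort
rm -rf "$demo_root"
```

Run it against / on a real host and compare the output with a saved baseline; a new SUID or SGID entry, or a shared directory that lost its sticky bit, is worth investigating.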

What is setuid (SUID)?

Like setting setgid on a folder, we can also set the SUID bit on an executable file, and you will see "s" or "S" instead of x in the owner permissions,

for example rwsrwxrwx or rwSrwxrwx

What does this do, and why do we need it?

It lets a user who does not own a file execute it with the permissions of the file's owner. For example, in some cases a (non-root) user will run a program or script which calls other programs or files that the user does not have permission to access or run. If we set SUID on that file, the user's process runs with all the permissions of the file owner (root in the examples here) and the script can run successfully.

Sometimes you do not want to give users the root credentials or sudo permissions just to execute a few files in some folder. In that case setting SUID is helpful.

Let's see the example below. /usr/bin/passwd has SUID set on it by default. That is what lets users change their own password.

[root@shahid ~]# ll /usr/bin/passwd
-rwsr-xr-x. 1 root root 27832 Jan 30  2014 /usr/bin/passwd

A normal user in Linux can change their own password because the SUID bit is set on the passwd file

[root@shahid bin]# su - shahid
Last login: Sat Feb 27 11:52:41 GMT 2016 on pts/1
[shahid@shahid ~]$ passwd
Changing password for user shahid.
Changing password for shahid.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

We will remove the SUID permission from passwd and see what happens

[root@shahid ~]# chmod u-s /usr/bin/passwd
[root@shahid ~]# ll /usr/bin/passwd
-rwxr-xr-x. 1 root root 27832 Jan 30  2014 /usr/bin/passwd
[root@shahid ~]# su - shahid
Last login: Sat Feb 27 12:00:52 GMT 2016 on pts/1
[shahid@shahid ~]$ passwd
Changing password for user shahid.
Changing password for shahid.
(current) UNIX password:
New password:
Retype new password:
passwd: Authentication token manipulation error
[shahid@shahid ~]$

The user failed to update their own password. This is because when you execute the passwd command it tries to update /etc/passwd and also access /etc/shadow, which only root may write to; without the SUID bit the process runs with the user's own privileges, fails to access those files, and the password update fails. I hope this example has helped you understand the concept.

You can set SUID in two ways

symbolic way: to add, chmod u+s file1; to remove, chmod u-s file1

octal way: to add, chmod 4755 file1; to remove, chmod 0755 file1

See the example below

[root@shahid bin]# ll passwd
-rwsr-xr-x. 1 root root 27832 Jan 30  2014 passwd
[root@shahid bin]# chmod 0755 passwd
[root@shahid bin]# ll passwd
-rwxr-xr-x. 1 root root 27832 Jan 30  2014 passwd
[root@shahid bin]# chmod 4755 passwd
[root@shahid bin]# ll passwd
-rwsr-xr-x. 1 root root 27832 Jan 30  2014 passwd
[root@shahid bin]#
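The sticky bit, setgid and SUID sections above all describe how the symbolic permission string maps to the leading octal digit and how lowercase s/t differs from uppercase S/T. As an added example (not from the original article), this shell function does that conversion for a mode string copied straight from ls -l output, including the trailing "." that the listings above show; the function name is this example's own choice.

```shell
#!/bin/sh
# Added example, not part of the original article: converts the permission
# string shown by ls -l (e.g. "drwxrwsrwx." or "-rwsr-xr-x") into the
# four-digit octal mode used with chmod, applying the rule explained above:
# lowercase s/t = special bit plus execute, uppercase S/T = special bit only.
# The function name is this example's own choice.

mode_to_octal() {
    m="$1"
    # ls -l may append "." (SELinux label) or "+" (ACL), as in the listings above.
    case "$m" in *[.+]) m="${m%?}" ;; esac
    # Drop the leading file-type character (d, -, l, ...) if it is present.
    if [ "${#m}" -eq 10 ]; then m="${m#?}"; fi
    if [ "${#m}" -ne 9 ]; then
        printf 'mode_to_octal: bad mode string: %s\n' "$1" >&2
        return 1
    fi
    special=0
    digits=""
    for pos in 1 4 7; do                      # owner, group, other triplets
        t=$(printf '%s' "$m" | cut -c"$pos-$((pos + 2))")
        v=0
        case "$t" in r??) v=$((v + 4)) ;; esac
        case "$t" in ?w?) v=$((v + 2)) ;; esac
        case "$t" in ??[xst]) v=$((v + 1)) ;; esac   # lowercase s/t imply x
        case "$pos$t" in
            1??[sS]) special=$((special + 4)) ;;    # SUID in owner triplet
            4??[sS]) special=$((special + 2)) ;;    # SGID in group triplet
            7??[tT]) special=$((special + 1)) ;;    # sticky bit in other triplet
        esac
        digits="$digits$v"
    done
    printf '%s%s\n' "$special" "$digits"
}

# Modes taken from the listings in this article, plus the uppercase-T case.
for m in drwxr-xr-t. drwxrwxrwt. drwxrwsrwx. -rwsr-xr-x. -rwxr-xr-x. rwxr-xr-T; do
    printf '%-12s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
```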

I hope this article has helped you understand SUID, SGID and sticky bit permissions in Linux. We have learned how to assign these permissions using commands like chmod u+t, chmod g+s, chmod u+s etc. If you have any questions please feel free to contact me or comment below. To get updates about new tutorials, feel free to subscribe to our newsletter.
