When setuid (set-user identification) permission is set on an executable file, a process that runs this file is granted access based on the owner of the file (usually root), rather than the user who created the process. This permission enables a user to access files and directories that are normally available only to the owner.
The setuid permission is shown as an s in the file permissions. For example, the setuid permission on the passwd command enables a user to change passwords by temporarily assuming the permissions of the root ID:
castle% ls -l /usr/bin/passwd
-r-sr-sr-x   3 root     sys        96796 Jul 15 21:23 /usr/bin/passwd
castle%
NOTE: Using setuid permissions with the reserved UIDs (0-99) from a program may not set the effective UID correctly. Instead, use a shell script to avoid using the reserved UIDs with setuid permissions.
You set setuid permissions by using the chmod command to assign the octal value 4 as the first number in a series of four octal values. Use the following steps to set setuid permissions:
The following example sets setuid permission on the myprog file:
# chmod 4555 myprog
# ls -l myprog
-r-sr-xr-x   1 winsor   staff      12796 Jul 15 21:23 myprog
#
To minimize setuid problems, minimize the number of local setuid programs. If you write a setuid program, use the following guidelines to minimize security problems:
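Because the chapter advises keeping the number of local setuid programs to a minimum, the first practical step is to know which ones exist. The following script is an added example (not from the original chapter) that inventories setuid and setgid regular files under a directory tree using only POSIX find and ls, so an administrator can review each entry and remove the bits from any program that does not need them. The demo function builds a constructed temporary directory so the script runs without root; the path names in it are illustrative.

```shell
#!/bin/sh
# Added example: list setuid/setgid executables for review.
# Assumes only POSIX find, ls, wc and mktemp (the scanned directory is a parameter).

# Print every regular file under $1 (default /) with setuid (4000) or
# setgid (2000) set, in ls -l form so the owner and the s bits are visible.
# Permission-denied noise from unreadable directories is discarded.
list_suid_sgid() {
    dir=${1:-/}
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
}

# Count such files; record this as a baseline and compare after changes
# so that newly appearing setuid programs stand out.
count_suid_sgid() {
    list_suid_sgid "$1" | wc -l | tr -d ' '
}

# Demonstration on a constructed directory: one plain file, one setuid,
# one setgid. Prints the count of files the scan reports (expected: 2).
demo_suid_sgid() {
    tmp=$(mktemp -d)
    : > "$tmp/normal";    chmod 0755 "$tmp/normal"
    : > "$tmp/with_suid"; chmod 4755 "$tmp/with_suid"
    : > "$tmp/with_sgid"; chmod 2755 "$tmp/with_sgid"
    count=$(count_suid_sgid "$tmp")
    rm -rf "$tmp"
    echo "$count"
}
```

Run `list_suid_sgid /usr` (or the whole system) as root and keep the output with the system's configuration records; any entry that appears later without a corresponding change is worth investigating.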
The setgid (set-group identification) permission is similar to setuid, except that the effective group ID for the process is changed to the group owner of the file and a user is granted access based on permissions granted to that group. The /usr/bin/mail program has setgid permissions:
castle% ls -l /usr/bin/mail
-r-x--s--x   1 bin      mail       64376 Jul 15 21:27 /usr/bin/mail
castle%
When setgid permission is applied to a directory, files subsequently created in the directory belong to the group the directory belongs to, not to the group the creating process belongs to. Any user who has write permission in the directory can create a file there; however, the file does not belong to the group of the user, but instead belongs to the group of the directory.
You can set setgid permissions by using the chmod command to assign the octal value 2 as the first number in a series of four octal values. Use the following steps to set setgid permissions:
The following example sets setgid permission on the myprog2 file:
# chmod 2551 myprog2
# ls -l myprog2
-r-xr-s--x   1 winsor   staff      26876 Jul 15 21:23 myprog2
#
The sticky bit on a directory is a permission bit that protects files within that directory. If the directory has the sticky bit set, only the owner of the file, the owner of the directory, or root can delete the file. The sticky bit prevents a user from deleting other users' files from public directories, such as uucppublic:
castle% ls -l /var/spool/uucppublic
drwxrwxrwt   2 uucp     uucp         512 Sep 10 18:06 uucppublic
castle%
When you set up a public directory on a TMPFS temporary file system, make sure that you set the sticky bit manually.
You can set sticky bit permissions by using the chmod command to assign the octal value 1 as the first number in a series of four octal values. Use the following steps to set the sticky bit on a directory:
The following example sets the sticky bit permission on the pubdir directory:
castle% chmod 1777 pubdir
castle% ls -l pubdir
drwxrwxrwt   2 winsor   staff        512 Jul 15 21:23 pubdir
castle%
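The setgid-directory behaviour and the sticky bit described above are usually wanted together on a shared group directory: setgid so that every file created there belongs to the directory's group, and the sticky bit so that users can delete only their own files. The following script is an added example (not from the original chapter) that goes one step beyond the page's separate chmod 2551 and chmod 1777 examples by combining both bits in the leading octal digit (chmod 3775) and then verifying the result from the ls -ld output and from the group of a newly created file. The directory names are constructed for the demonstration, and the check relies only on POSIX ls, awk and cut.

```shell
#!/bin/sh
# Added example: set up a shared group directory with setgid + sticky bit
# (leading octal digit 2 + 1 = 3) and verify it.
# Assumes POSIX ls/awk/cut/mktemp; paths below are constructed for the demo.

# Permission string for a path: the first 10 characters of ls -ld, which
# ignores any trailing ACL or security-context marker some systems append.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Group owner of a path: the fourth field of ls -ld.
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# Make $1 a shared directory: rwx for owner and group, r-x for others,
# with setgid (files inherit the group) and sticky (only the file's owner,
# the directory's owner or root may delete a file). Prints the resulting
# mode, which should read drwxrwsr-t (s in the group exec slot, t in other).
make_shared_dir() {
    mkdir -p "$1"
    chmod 3775 "$1"
    mode_of "$1"
}

# Create a file in the shared directory and report whether its group
# matches the directory's group, as the setgid bit on a directory ensures.
check_group_inheritance() {
    : > "$1/newfile"
    if [ "$(group_of "$1/newfile")" = "$(group_of "$1")" ]; then
        echo inherited
    else
        echo not-inherited
    fi
}

# Demonstration on a constructed temporary tree; prints "<mode> <result>".
demo_shared_dir() {
    base=$(mktemp -d)
    mode=$(make_shared_dir "$base/pubdir")
    inh=$(check_group_inheritance "$base/pubdir")
    rm -rf "$base"
    echo "$mode $inh"
}
```

The mode check is the useful part for a TMPFS directory such as /tmp: after the file system is mounted, run `mode_of` on it and confirm the last character is t; if it is not, the sticky bit was not set and must be applied manually as the chapter notes.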