Saturday 17 December 2011

SUID, STICKY and CHATTR in Linux


SUID, STICKY and CHATTR
( Advanced permissions )





There are some very special and advanced file permissions: the SUID/SGID flags, the Sticky Bit and the change-attribute flags. In this tip I will give a brief description of each.



The "SUID flag" ( Allow user ID access ). A program with this mode runs with the privileges of the file's owner rather than of the user who started it, which gives normal users permission to do things they normally would not be allowed to.
CODE
# chmod u+s testfile

If you use chmod with numbers, the number for SUID is 4000.
An example of what "ls -l" will show:
QUOTE
-rwsr-xr-x  1 root root    0 Sep 20 20:40 testfile*




The "SGID flag" ( Allow group ID access ). Same as SUID, but for the group: the program runs with the group of the file instead of the group of the user.
CODE
# chmod g+s testfile

If you use chmod with numbers, the number for SGID is 2000.
An example of what "ls -l" will show:
QUOTE
-rwxr-sr-x  1 root root   0 Sep 20 20:40 testfile*


NOTE: There are security issues with the SUID and SGID flags, so only use them when absolutely needed.




The "Sticky Bit" ( In a directory with the Sticky Bit, only the owner of a file, or root, can delete or rename it ):
CODE
# chmod +t testdirectory

If you use chmod with numbers, the number for the Sticky Bit is 1000.
An example of what "ls -l" will show:
QUOTE
drwxr-xr-t  2 root root    4096 Sep 20 20:44 testdirectory/

A quote from the chmod man page:
QUOTE
STICKY FILES
On older Unix systems, the sticky bit caused executable files to be hoarded in swap space. This feature is not useful on modern VM systems, and the Linux kernel ignores the sticky bit on files. Other kernels may use the sticky bit on files for system-defined purposes. On some systems, only the superuser can set the sticky bit on files.
STICKY DIRECTORIES
When the sticky bit is set on a directory, files in that directory may be unlinked or renamed only by root or their owner. Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on directories, such as /tmp, that are world-writable.
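The three bits above in practice, as an added example that is not part of the original post: a small POSIX shell script that decodes the special bits from the mode field "ls -l" prints, sets each bit with chmod on scratch files it owns (so no root is needed), and includes the find command an administrator would use to act on the NOTE about SUID/SGID. The function names and the scratch file names are my own choice.

```shell
#!/bin/sh
# Added example, not from the original post: decode the special bits from the
# mode field that "ls -l" prints, then set each bit with chmod on scratch files.
# Assumes a POSIX shell with chmod, ls, mktemp, cut and find; no root is needed
# because the files are created and owned by the current user.

# special_bits MODE  -> prints SUID, SGID, STICKY (comma-separated) or "none".
# Column 4 is the owner's execute slot, 7 the group's, 10 the others'.
# A lowercase s/t means the bit is set together with the execute bit;
# an uppercase S/T means the bit is set without execute, which is normally
# a mistake worth flagging in an audit.
special_bits() {
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop a trailing "+" or "." (ACL/SELinux)
    out=""
    case "$mode" in ???[sS]??????) out="SUID" ;; esac
    case "$mode" in ??????[sS]???) out="${out:+$out,}SGID" ;; esac
    case "$mode" in ?????????[tT]) out="${out:+$out,}STICKY" ;; esac
    printf '%s\n' "${out:-none}"
}

# mode_of PATH -> the mode field of "ls -ld PATH"
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# audit_setid DIR -> list set-id files under DIR; the check behind the NOTE
# above, since every SUID/SGID binary is a potential privilege boundary.
audit_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;
}

# demo -> sets each bit the post describes and prints what ls reports
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/testfile"
    chmod 755 "$tmp/testfile"
    chmod u+s "$tmp/testfile"                 # numeric form: chmod 4755
    suid=$(special_bits "$(mode_of "$tmp/testfile")")
    chmod u-s,g+s "$tmp/testfile"             # numeric form: chmod 2755
    sgid=$(special_bits "$(mode_of "$tmp/testfile")")
    mkdir "$tmp/testdirectory"
    chmod 1777 "$tmp/testdirectory"           # chmod +t on a 777 directory
    sticky=$(special_bits "$(mode_of "$tmp/testdirectory")")
    rm -rf "$tmp"
    printf '%s %s %s\n' "$suid" "$sgid" "$sticky"
}
```

Running `demo` prints "SUID SGID STICKY"; `audit_setid /` lists every set-id program on the root filesystem so unexpected ones can be reviewed.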





And finally "chattr" ( Change file attribute ) has many options. One of them is "i", the immutable flag, meaning nobody, not even root, can change the file while the flag is set:
CODE
# chattr +i testfile

In this case "ls -l" will show nothing special:
QUOTE
-rwxr-xr-x  1 root root   0 Sep 20 20:40 testfile*

Related to the chattr command is "lsattr", which lists the attributes set on a file:
CODE
# lsattr testfile

An example of what "lsattr" will show:
QUOTE
----i--------   testfile

To remove the immutable flag, simply run "chattr -i".

See "man chattr" for more options of the chattr command.




There you go, this is all part of the complex file permission system that keeps a Linux box safe and secure.
