Paranoid Penguin - Linux Filesystem Security, Part II

 in
We covered the fundamentals of permissions last month. Now it's time to learn some useful bits to make cooperation among users convenient and secure.
setuid and setgid

Now we come to two of the most dangerous permissions bits in the world of UNIX and Linux, setuid and setgid. If set on an executable binary file, the setuid bit causes that program to run as its owner, no matter who executes it. Similarly, when set on an executable, the setgid bit causes that program to run as a member of the group that owns it, again regardless of who executes it.

When I say run as, I mean the program runs with the same privileges as. For example, suppose biff writes and compiles a C program, killpms, that behaves the same as the command rm /extreme_casseroles/pineapple_mushroom_surprise.txt. Suppose further that biff sets the setuid bit on killpms, with the command chmod +s ./killpms and also makes it group-executable. A long listing of killpms might look like this:

-rwsr-xr--  1 biff drummers   22 2004-08-11 23:01 killpms

If crash runs this program, he finally can succeed in his quest to delete the Pineapple-Mushroom Surprise recipe: killpms runs as though biff had executed it. When killpms attempts to delete pineapple_mushroom_surprise.txt, it succeeds because the file has user-write permissions and killpms is acting as its user/owner, biff.

If you want a program to run setuid, that program must be group-executable or other-executable for what I hope are obvious reasons. In addition, the Linux kernel ignores the setuid and setgid bits on shell scripts. These bits work only on binary (compiled) executables.

setgid works the same way but with group permissions. If you set the setgid bit on an executable file with the command chmod g+s filename, and if the file also is other-executable (-r-xr-sr-x), when that program is executed it runs with the group ID of the file rather than of the user who executed it.

In the above example, if we change killpms' other permissions to r-x (chmod o+x killpms) and make it setgid (chmod g+s killpms), no matter who executes killpms, killpms exercises the permissions of the drummers group, because drummers is the group owner of killpms.

setgid and Directories

What about directories? Well, setuid has no effect on directories, but setgid does, and it's a little non-intuitive. Normally, when you create a file, it's automatically owned by your user ID and your (primary) group ID. For example, if biff creates a file, the file has a user owner of biff and a group owner of drummers, assuming that drummers is biff's primary group, as listed in /etc/passwd.

Setting a directory's setgid bit, however, causes any file created in that directory to inherit the directory's group owner. This is useful if users on your system tend to belong to secondary groups and routinely create files that need to be shared with other members of those groups. For example, if the user animal is listed in /etc/group as being a secondary member of drummers but is listed in /etc/passwd has having a primary group of muppets, then animal has no trouble creating files in the extreme_casseroles/ directory, whose permissions are set to drwxrwx--T. However, by default, animal's files belong to the group muppets, not to drummers, so unless animal manually reassigns his files' group ownership (chgrp drummers newfile) or resets their other permissions (chmod o+rw newfile), other members of drummers cannot read or write animal's recipes.

If, on the other hand, biff or root sets the setgid bit on extreme_casseroles/ (chmod g+s extreme_casseroles), when animal creates a new file therein, the file has a group owner of drummers, exactly like extreme_casseroles/ itself. All other permissions still apply; if the directory in question isn't group-writable to begin with, the setgid bit has no effect, because group members are not able to create files inside it.

Now we've covered all possible permissions: read, write, execute, sticky bit, setuid and setgid. If you understand all six of these, you're probably in the minority of Linux users. But wait, there's more!

Numeric Modes

So far we've been using mnemonics to represent permissions—r for read, w for write and so on. Needless to say, as with everything else, your system actually uses numbers to represent permissions. The chmod command recognizes both mnemonic permission modifiers (u+rwx,go-w) and numeric modes.

A numeric mode consists of four digits: as you read left to right, these represent special permissions, user permissions, group permissions and other permissions. Recall that other is short for other users not covered by user permissions or group permissions. For example, 0700 translates to no special permissions set, all user permissions set, no group permissions set and no other permissions set.

Each permission has a numeric value, and the permissions in each digit place are additive: the digit represents the sum of all permission bits you want to set. If, for example, user permissions are set to 7, this represents 4 (the value for read) plus 2 (the value for write) plus 1 (the value for execute).

As I just mentioned, the basic numeric values are 4 for read, 2 for write and 1 for execute. (I remember these by mentally repeating the phrase, read-write-execute, 4-2-1.) Why no 3, you might wonder? Because this way, no two combination of permissions have the same sum.

Special permissions are as follows: 4 stands for setuid, 2 stands for setgid and 1 stands for sticky bit. For example, the numeric mode 3000 translates to setgid set, sticky bit set and no other permissions set, which is, actually, a useless set of permissions.

Here's one more example of a numeric mode. If I issue the command chmod 0644 mycoolfile, I am setting the permissions of mycoolfile, as shown in Figure 1.

Figure 1. Permissions for mycoolfile

For a more complete discussion of numeric modes, see the info page for coreutils, node Numeric Modes. That is, enter the command info coreutils numeric.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Comment

Trupti's picture

Helpful post. Every bit is covered here.Thank you.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix