Paranoid Penguin - Linux Filesystem Security, Part II

Now we come to two of the most dangerous permissions bits in the world of UNIX and Linux, setuid and setgid. If set on an executable binary file, the setuid bit causes that program to run as its owner, no matter who executes it. Similarly, when set on an executable, the setgid bit causes that program to run as a member of the group that owns it, again regardless of who executes it.

When I say run as, I mean the program runs with the same privileges as. For example, suppose biff writes and compiles a C program, killpms, that behaves the same as the command rm /extreme_casseroles/pineapple_mushroom_surprise.txt. Suppose further that biff sets the setuid bit on killpms, with the command chmod +s ./killpms and also makes it group-executable. A long listing of killpms might look like this:

-rwsr-xr--  1 biff drummers   22 2004-08-11 23:01 killpms

If crash runs this program, he finally can succeed in his quest to delete the Pineapple-Mushroom Surprise recipe: killpms runs as though biff had executed it. When killpms attempts to delete pineapple_mushroom_surprise.txt, it succeeds because the file has user-write permissions and killpms is acting as its user/owner, biff.

If you want a program to run setuid, that program must be group-executable or other-executable for what I hope are obvious reasons. In addition, the Linux kernel ignores the setuid and setgid bits on shell scripts. These bits work only on binary (compiled) executables.

setgid works the same way but with group permissions. If you set the setgid bit on an executable file with the command chmod g+s filename, and if the file also is other-executable (-r-xr-sr-x), when that program is executed it runs with the group ID of the file rather than of the user who executed it.

In the above example, if we change killpms' other permissions to r-x (chmod o+x killpms) and make it setgid (chmod g+s killpms), no matter who executes killpms, killpms exercises the permissions of the drummers group, because drummers is the group owner of killpms.

What about directories? Well, setuid has no effect on directories, but setgid does, and it's a little non-intuitive. Normally, when you create a file, it's automatically owned by your user ID and your (primary) group ID. For example, if biff creates a file, the file has a user owner of biff and a group owner of drummers, assuming that drummers is biff's primary group, as listed in /etc/passwd.

Setting a directory's setgid bit, however, causes any file created in that directory to inherit the directory's group owner. This is useful if users on your system tend to belong to secondary groups and routinely create files that need to be shared with other members of those groups. For example, if the user animal is listed in /etc/group as being a secondary member of drummers but is listed in /etc/passwd has having a primary group of muppets, then animal has no trouble creating files in the extreme_casseroles/ directory, whose permissions are set to drwxrwx--T. However, by default, animal's files belong to the group muppets, not to drummers, so unless animal manually reassigns his files' group ownership (chgrp drummers newfile) or resets their other permissions (chmod o+rw newfile), other members of drummers cannot read or write animal's recipes.

If, on the other hand, biff or root sets the setgid bit on extreme_casseroles/ (chmod g+s extreme_casseroles), when animal creates a new file therein, the file has a group owner of drummers, exactly like extreme_casseroles/ itself. All other permissions still apply; if the directory in question isn't group-writable to begin with, the setgid bit has no effect, because group members are not able to create files inside it.

Now we've covered all possible permissions: read, write, execute, sticky bit, setuid and setgid. If you understand all six of these, you're probably in the minority of Linux users. But wait, there's more!

So far we've been using mnemonics to represent permissions—r for read, w for write and so on. Needless to say, as with everything else, your system actually uses numbers to represent permissions. The chmod command recognizes both mnemonic permission modifiers (u+rwx,go-w) and numeric modes.

A numeric mode consists of four digits: as you read left to right, these represent special permissions, user permissions, group permissions and other permissions. Recall that other is short for other users not covered by user permissions or group permissions. For example, 0700 translates to no special permissions set, all user permissions set, no group permissions set and no other permissions set.

Each permission has a numeric value, and the permissions in each digit place are additive: the digit represents the sum of all permission bits you want to set. If, for example, user permissions are set to 7, this represents 4 (the value for read) plus 2 (the value for write) plus 1 (the value for execute).

As I just mentioned, the basic numeric values are 4 for read, 2 for write and 1 for execute. (I remember these by mentally repeating the phrase, read-write-execute, 4-2-1.) Why no 3, you might wonder? Because this way, no two combination of permissions have the same sum.

Special permissions are as follows: 4 stands for setuid, 2 stands for setgid and 1 stands for sticky bit. For example, the numeric mode 3000 translates to setgid set, sticky bit set and no other permissions set, which is, actually, a useless set of permissions.

Here's one more example of a numeric mode. If I issue the command chmod 0644 mycoolfile, I am setting the permissions of mycoolfile, as shown in Figure 1.

Figure 1. Permissions for mycoolfile

For a more complete discussion of numeric modes, see the info page for coreutils, node Numeric Modes. That is, enter the command info coreutils numeric.