Paranoid Penguin - Linux Filesystem Security, Part II
Now we come to two of the most dangerous permissions bits in the world of UNIX and Linux, setuid and setgid. If set on an executable binary file, the setuid bit causes that program to run as its owner, no matter who executes it. Similarly, when set on an executable, the setgid bit causes that program to run as a member of the group that owns it, again regardless of who executes it.
When I say run as, I mean the program runs with the same privileges as. For example, suppose biff writes and compiles a C program, killpms, that behaves the same as the command rm /extreme_casseroles/pineapple_mushroom_surprise.txt. Suppose further that biff sets the setuid bit on killpms, with the command chmod +s ./killpms and also makes it group-executable. A long listing of killpms might look like this:
-rwsr-xr-- 1 biff drummers 22 2004-08-11 23:01 killpms
If crash runs this program, he finally can succeed in his quest to delete the Pineapple-Mushroom Surprise recipe: killpms runs as though biff had executed it. When killpms attempts to delete pineapple_mushroom_surprise.txt, it succeeds because the file has user-write permissions and killpms is acting as its user/owner, biff.
setuid and setgid are very dangerous if set on any file owned by root or any other privileged account or group. I'm illustrating setuid and setgid so you understand what they do, not because I think you actually should use them for anything important. The command sudo, described later in this article, is a much better tool for delegating root's authority.
If you want a program to run setuid, that program must be group-executable or other-executable for what I hope are obvious reasons. In addition, the Linux kernel ignores the setuid and setgid bits on shell scripts. These bits work only on binary (compiled) executables.
setgid works the same way but with group permissions. If you set the setgid bit on an executable file with the command chmod g+s filename, and if the file also is other-executable (-r-xr-sr-x), when that program is executed it runs with the group ID of the file rather than of the user who executed it.
In the above example, if we change killpms' other permissions to r-x (chmod o+x killpms) and make it setgid (chmod g+s killpms), no matter who executes killpms, killpms exercises the permissions of the drummers group, because drummers is the group owner of killpms.
What about directories? Well, setuid has no effect on directories, but setgid does, and it's a little non-intuitive. Normally, when you create a file, it's automatically owned by your user ID and your (primary) group ID. For example, if biff creates a file, the file has a user owner of biff and a group owner of drummers, assuming that drummers is biff's primary group, as listed in /etc/passwd.
Setting a directory's setgid bit, however, causes any file created in that directory to inherit the directory's group owner. This is useful if users on your system tend to belong to secondary groups and routinely create files that need to be shared with other members of those groups. For example, if the user animal is listed in /etc/group as being a secondary member of drummers but is listed in /etc/passwd has having a primary group of muppets, then animal has no trouble creating files in the extreme_casseroles/ directory, whose permissions are set to drwxrwx--T. However, by default, animal's files belong to the group muppets, not to drummers, so unless animal manually reassigns his files' group ownership (chgrp drummers newfile) or resets their other permissions (chmod o+rw newfile), other members of drummers cannot read or write animal's recipes.
If, on the other hand, biff or root sets the setgid bit on extreme_casseroles/ (chmod g+s extreme_casseroles), when animal creates a new file therein, the file has a group owner of drummers, exactly like extreme_casseroles/ itself. All other permissions still apply; if the directory in question isn't group-writable to begin with, the setgid bit has no effect, because group members are not able to create files inside it.
Now we've covered all possible permissions: read, write, execute, sticky bit, setuid and setgid. If you understand all six of these, you're probably in the minority of Linux users. But wait, there's more!
So far we've been using mnemonics to represent permissions—r for read, w for write and so on. Needless to say, as with everything else, your system actually uses numbers to represent permissions. The chmod command recognizes both mnemonic permission modifiers (u+rwx,go-w) and numeric modes.
A numeric mode consists of four digits: as you read left to right, these represent special permissions, user permissions, group permissions and other permissions. Recall that other is short for other users not covered by user permissions or group permissions. For example, 0700 translates to no special permissions set, all user permissions set, no group permissions set and no other permissions set.
Each permission has a numeric value, and the permissions in each digit place are additive: the digit represents the sum of all permission bits you want to set. If, for example, user permissions are set to 7, this represents 4 (the value for read) plus 2 (the value for write) plus 1 (the value for execute).
As I just mentioned, the basic numeric values are 4 for read, 2 for write and 1 for execute. (I remember these by mentally repeating the phrase, read-write-execute, 4-2-1.) Why no 3, you might wonder? Because this way, no two combination of permissions have the same sum.
Special permissions are as follows: 4 stands for setuid, 2 stands for setgid and 1 stands for sticky bit. For example, the numeric mode 3000 translates to setgid set, sticky bit set and no other permissions set, which is, actually, a useless set of permissions.
Here's one more example of a numeric mode. If I issue the command chmod 0644 mycoolfile, I am setting the permissions of mycoolfile, as shown in Figure 1.
For a more complete discussion of numeric modes, see the info page for coreutils, node Numeric Modes. That is, enter the command info coreutils numeric.
|Dynamic DNS—an Object Lesson in Problem Solving||May 21, 2013|
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
- RSS Feeds
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- Dynamic DNS—an Object Lesson in Problem Solving
- New Products
- Validate an E-Mail Address with PHP, the Right Way
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- Download the Free Red Hat White Paper "Using an Open Source Framework to Catch the Bad Guy"
- Tech Tip: Really Simple HTTP Server with Python
- Roll your own dynamic dns
4 hours 33 min ago
- Please correct the URL for Salt Stack's web site
7 hours 44 min ago
- Android is Linux -- why no better inter-operation
10 hours 7 sec ago
- Connecting Android device to desktop Linux via USB
10 hours 28 min ago
- Find new cell phone and tablet pc
11 hours 26 min ago
12 hours 55 min ago
- Automatically updating Guest Additions
14 hours 4 min ago
- I like your topic on android
14 hours 50 min ago
- This is the easiest tutorial
21 hours 26 min ago
- Ahh, the Koolaid.
1 day 3 hours ago
Enter to Win an Adafruit Pi Cobbler Breakout Kit for Raspberry Pi
It's Raspberry Pi month at Linux Journal. Each week in May, Adafruit will be giving away a Pi-related prize to a lucky, randomly drawn LJ reader. Winners will be announced weekly.
Fill out the fields below to enter to win this week's prize-- a Pi Cobbler Breakout Kit for Raspberry Pi.
Congratulations to our winners so far:
- 5-8-13, Pi Starter Pack: Jack Davis
- 5-15-13, Pi Model B 512MB RAM: Patrick Dunn
- 5-21-13, Prototyping Pi Plate Kit: Philip Kirby
- Next winner announced on 5-27-13!
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?