File Permissions and Access Rights 2
Special Access Rights: Setuid and Setgid
Setuid and setgid let a user who is not normally authorized to access a file do so temporarily, by running a program that carries one of these bits. A program marked setuid runs with the authority of the user who owns it for the duration of the program; a program marked setgid runs with the authority of the group that owns it for the duration of the program.
To give setuid access: "chmod u+s file_name"
To give setgid access: "chmod g+s file_name"
The "setuid" and "setgid" special execution permissions apply only to compiled program files. For a shell script, a setuid or setgid bit makes no difference: the script runs exactly as it would with the normal execute permission.
The sticky bit "t" is a special case used on shared directories. In a directory with the "t" bit, all users can write (create) files, but a user cannot delete or rename files written by other users (they can only modify the contents of such a file if they have been given write permission on that file itself). By contrast, a directory with access rights "rwxrwxrwx" and no sticky bit is writable by everyone, and everyone can also delete others' files.
Without the setuid scheme it would not be possible for ordinary users to change their own passwords, which are stored in /etc/passwd and /etc/shadow. Since these files can only be modified by the root user, the passwd program is setuid root.
As can be seen in the example above, the owner of the /etc/passwd file is the root user. However, the binary located at /usr/bin/passwd has the setuid access right, which means anyone can execute this file with root authority.
For security reasons, despite all these benefits, setuid/setgid should not be set unless it is genuinely needed.
Sticky 't' Right
In the temporary directories that all user programs need to write to, the sticky bit prevents users from deleting files created by other users. In such directories, thanks to the sticky special authority, no user can delete another user's file or directory, even though user, group and others all have every permission (read, write, execute). Without the "sticky" special authority, a temporary file created by a user in a directory such as "/tmp" could easily be deleted by another user, because all permissions are granted to everyone.
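The two warnings in this article, setuid/setgid programs that are not really needed and world-writable directories without the sticky bit, are both things an administrator can check for. The script below is an added example and not code from the original article: it lists setuid/setgid files and non-sticky world-writable directories under a given root, and demonstrates both checks on a constructed scratch tree so it can be run as an ordinary user. The function names and the scratch layout are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article: a small audit that lists
# the two things the text warns about: setuid/setgid program files that may
# not be needed, and world-writable directories that lack the sticky bit. It
# is run against a constructed scratch tree so it works as an ordinary user;
# the function names and the scratch layout are this example's own.

# Regular files under $1 with setuid (4000) or setgid (2000) set, sorted.
# "-perm -4000" means "at least the setuid bit is set"; -xdev keeps the scan
# on one filesystem so a real run over / does not wander into /proc or
# network mounts.
list_special_executables() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Directories under $1 that others can write to (0002) but that have no
# sticky bit (1000): anyone can delete anyone else's files there.
list_unsafe_shared_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 | sort
}

# Build a constructed scratch tree: one sticky shared directory (like /tmp),
# one world-writable directory without the sticky bit, and a private
# directory holding a setuid file, a setgid file and a plain executable.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/shared_ok" "$root/shared_bad" "$root/private"
    chmod 1777 "$root/shared_ok"
    chmod 0777 "$root/shared_bad"
    chmod 0755 "$root/private"
    : > "$root/private/helper"; chmod 4755 "$root/private/helper"   # setuid
    : > "$root/private/tool";   chmod 2755 "$root/private/tool"     # setgid
    : > "$root/private/plain";  chmod 0755 "$root/private/plain"    # neither
    printf '%s\n' "$root"
}

# Run both checks on the scratch tree, report the findings relative to its
# root, then remove the tree.
audit_demo() {
    root=$(build_demo_tree)
    execs=$(list_special_executables "$root" | sed "s#^$root/##")
    dirs=$(list_unsafe_shared_dirs "$root" | sed "s#^$root/##")
    rm -rf "$root"
    # the unquoted expansions inside echo join the lines with single spaces
    printf 'special=[%s] dirs=[%s]\n' "$(echo $execs)" "$(echo $dirs)"
}

audit_demo
# prints: special=[private/helper private/tool] dirs=[shared_bad]
```

To audit a real system, call the two list functions with `/` as the root (as root, so every directory is readable) and compare the setuid/setgid list against the handful of programs, such as /usr/bin/passwd, that legitimately need the bit.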
Setuid, setgid and the sticky bit are set just like regular file permissions, with an extra leading octal digit: 4 for setuid, 2 for setgid and 1 for the sticky bit. For example:
All rights are given to a file including setuid, setgid and sticky bit:
chmod 7777 example_file
A file is given read permission for owner and group only and has the sticky bit:
chmod 1440 example_file
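The following script is an added example, not code from the original article. It translates a numeric mode such as 7777 or 1440 into the permission string that "ls -l" prints, including the special bits, and then applies the same mode to a scratch file and reads the listing back. It also shows a detail the numbers alone hide: when a special bit is set without the matching execute bit, ls prints an uppercase "S" or "T" instead of "s" or "t". The function names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the original article): translate a numeric
# chmod mode such as 7777 or 1440 into the symbolic string that "ls -l"
# prints, then apply the same mode to a scratch file and read it back.
# Function names are this example's own.

# mode_to_symbolic 7777  ->  rwsrwsrwt
# The leading digit holds setuid (4), setgid (2) and sticky (1). ls shows
# setuid/setgid as "s" in the owner/group execute slot and sticky as "t" in
# the others' execute slot; an uppercase "S" or "T" means the special bit is
# set but the matching execute bit is not.
mode_to_symbolic() {
    mode=$((0$1))                 # leading 0: interpret the argument as octal
    out=""
    i=2                           # 2 = owner, 1 = group, 0 = others
    while [ "$i" -ge 0 ]; do
        bits=$(( (mode >> (i * 3)) & 7 ))
        special=$(( (mode >> (9 + i)) & 1 ))   # bit 11 setuid, 10 setgid, 9 sticky
        if [ "$i" -eq 0 ]; then lower=t; upper=T; else lower=s; upper=S; fi
        if [ $((bits & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((bits & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ "$special" -ne 0 ]; then
            if [ $((bits & 1)) -ne 0 ]; then out="${out}${lower}"; else out="${out}${upper}"; fi
        elif [ $((bits & 1)) -ne 0 ]; then
            out="${out}x"
        else
            out="${out}-"
        fi
        i=$((i - 1))
    done
    printf '%s\n' "$out"
}

# Apply a numeric mode to a fresh scratch file and return the permission
# field that "ls -l" displays for it (characters 2-10 of the listing).
ls_mode_after_chmod() {
    dir=$(mktemp -d)
    : > "$dir/example_file"
    chmod "$1" "$dir/example_file"
    shown=$(ls -ld "$dir/example_file" | cut -c2-10)
    rm -rf "$dir"
    printf '%s\n' "$shown"
}

# 7777 -> rwsrwsrwt, 1440 -> r--r----T (sticky without execute shows as T)
for m in 7777 1440 4755 2775 1777; do
    printf '%-5s computed %s, ls shows %s\n' "$m" "$(mode_to_symbolic "$m")" "$(ls_mode_after_chmod "$m")"
done
```

Running it as an ordinary user is fine: chmod on your own file may set all three special bits, and the listing for 1440 comes back as "r--r----T" because the sticky bit was set on a file that others cannot execute.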
Changing Owner and Group of a File/Directory
The "chown" command is used to change the owner of a file or directory, and the "chgrp" command is used to change its group. If "chown" or "chgrp" is used with the "-R" option and the given parameter is a directory, the change is applied to that directory and to every file and subdirectory under it. Without the "-R" option, the command applies only to the directory or file given as its parameter.
chown -R newOwner:newGroup directory_name: This command sets newOwner and newGroup as the owner and group of every file and directory under directory_name recursively.
Ordinary users cannot use the "chown" command. If an ordinary user could give away ownership of one of their own files, they would lose their authority over it and could not take ownership back without the help of "root". To prevent this, "chown" is reserved for root, whereas ordinary users have limited use of the "chgrp" command.
To read my previous article: File Permissions and Access Rights 1