SUID NHF Please


mtf8
12-29-2000, 10:13 PM
I just do not get it. No matter how many times I *think* I get it, well, a week goes by and I can't remember what I *thought* I understood. Therefore, I must have never *gotten* it! What's up with this suid bit and sgid bit????????????

Sterling
12-30-2000, 10:16 AM
Extended File Permissions


suid and sgid bits are fairly simple - although it may not seem so at first sight. They only matter for executable programs and directories.


All files are owned by a user and a group associated with it, which determines who can do what to the file. Users also have a primary group associated with them, and can be members of any number of other groups. Whenever a program is run, the permissions of the task it creates are set to the user and primary group of the user that runs it. What it can do is then limited by that. There are a bunch of rules about what it can then change its group and user permissions to, but they don't matter for the purposes of this discussion.


Sometimes, however, you want a program that ordinary users run to be able to do root-y things. Or you want something to always run as a certain user or group (for whatever reason). That's where the suid and sgid bits come in. If the suid bit is set on a program, that program will always run with the permissions of the user that owns it. The suid bit has no effect whatsoever on directories.


The sgid bit means it always runs with the permission of the group that owns it. It doesn't always have an effect for directories, but on some systems, it means that any files created in the directory are owned by the group that owns the directory, no matter what group the user created them as.


Both bits can, however, cause big huge gaping security holes if misapplied. So be extremely careful when using them - and never use them if there's a better way.


There are supposed to be more finely-grained security levels that are being introduced at some point soon, but I haven't read anything about them for a long time. If anyone digs something up, feel free to tack on a URL.


References:
info chmod


Ok, this is an experiment. I'm posting the proposed text of the NHF up here for comments before submitting it to Sensei. Post any comments or additions here. Thoughts of mine:


- Maybe make it into an NHF on permissions in general. Include stuff on octal and ASCII perms specifiers.


- Include info on the "sticky" bit?


- Provide more info on process permissions, or examples of the kinds of security holes suid or sgid can open up.


------------------
-Sterling
-This post made with the Lizard! (http://www.mozilla.org)

[This message has been edited by Sterling (edited 30 December 2000).]
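The behaviour the draft above describes, as an added example that is not part of the thread: a POSIX shell script that sets the suid bit on a file and the sgid bit on a directory inside a constructed scratch tree, reports the resulting modes, and then audits the tree for either bit, which is the check an admin runs to find out what a system is trusting. All paths are created by the script itself; it runs as an unprivileged user on its own files.

```shell
#!/bin/sh
# Builds a scratch tree (constructed here, not a real system path) with one
# suid file and one sgid directory, then provides helpers to inspect and audit it.

# Create the tree and print its path.
setup_demo() {
    demo=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho hello\n' > "$demo/tool"
    chmod 755 "$demo/tool"
    chmod u+s "$demo/tool"        # set-user-ID: runs with the owner's permissions
    mkdir "$demo/shared"
    chmod 2775 "$demo/shared"     # leading 2 = sgid; new files inherit the dir's group
    : > "$demo/shared/newfile"    # created by the user, owned by the directory's group
    printf '%s\n' "$demo"
}

# Nine-character symbolic mode of a path, e.g. "rwsr-xr-x" (suid file)
# or "rwxrwsr-x" (sgid directory); the 's' replaces the owner/group 'x'.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Group that owns a path, as ls reports it (fourth column).
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# Audit: print every path under $1 with the suid (4000) or sgid (2000) bit set.
# "-perm -MODE" is POSIX find syntax: matches when all bits of MODE are set.
find_special_bits() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -print
}
```

Run `find_special_bits /` (or `find / -perm -4000`) on a real machine to list what is currently set; every entry in that list is something the post's warning applies to.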

Sterling
01-02-2001, 04:38 PM
Hmm... Since no-one seems interested in posting a reply, I'll turn the above into a generic permissions NHF and send to Sensei.

------------------
-Sterling
-This post made with the Lizard! (http://www.mozilla.org)

mtf8
01-03-2001, 08:47 PM
I am really interested in this NHF and want to thank you for the time you've taken. Sorry for the late reply, but I was out of town for a few days and just got in. I can already tell you've got a lot to offer regarding this topic and can't wait to read the results. What would really help me is to also read more about "practical uses" of these functions. It would help me to associate these possibilities with actual real life tasks that are common on most linux systems.
I came across this stuff during my reading of Securing and Optimizing RedHat Linux and got pretty lost. I'll stay tuned :)

Originally posted by Sterling:
Hmm... Since no-one seems interested in posting a reply, I'll turn the above into a generic permissions NHF and send to Sensei.

Sensei
01-03-2001, 10:47 PM
looks good Sterling.

------------------
Sensei
LNO Seti Black Belts Team Stats
http://setiathome.ssl.berkeley.edu/stats/team/team_11027.html

Join the Linuxnewbie.org SETI Black Belts!
http://setiathome.ssl.berkeley.edu/cgi-bin/cgi?cmd=team_join_form&id=11027