Special Permission Bits

Posted on | Edited on | In

I have seen something like this in permission bits, What do these s/S and t/T stand for?

1
2
3
4
5
# s bit
-r-sr-sr-x 1 root     db2iadm1   115555 Mar 21 03:19 db2start
# s/t/T bit
drwxrwsr-t 1 db2inst1 db2iadm1 212 May 10 17:16 sqllib
drwxr-x--T 1 wasadmin dstage    21 Mar 21 03:56 usr

Basic Permission Bits

  • Read - a readable permission allows the contents of the file to be viewed. A read permission on a directory allows you to list the contents of a directory.
  • Write - a write permission on a file allows you to modify the contents of that file. For a directory, the write permission allows you to edit the contents of a directory (e.g. add/delete files).
  • Execute - for a file, the executable permission allows you to run the file and execute a program or script. For a directory, the execute permission allows you to change to a different directory and make it your current working directory.

Setuid and Setgid Bits

Note that setuid and setgid have an effect only on binary executable files and not on scripts (e.g., Bash, Perl, Python), see wiki.

Assigning the setuid bit to binaries, most often this is given to a few programs owned by the superuser. When an ordinary user runs a program that is setuid root, the program runs with the effective privileges of the superuser. Linux capabilities is a great alternative to reduce the usage of setuid.

Capabilities break up root privileges in smaller units, so root access is no longer needed. Most of the binaries that have a setuid flag, can be changed to use capabilities instead.

Apply on File

When the setuid or setgid attributes are set on an executable file, then any users able to execute the file will automatically execute the file with the privileges of the file’s owner (usually root) and/or the file’s group, depending upon the flags set. This may pose potential security risks in some cases and executables should be properly evaluated before set.

For example the passwd file:

1
2
3
# ordinary user can run this binary effectively as root
# this is a binary executable
-rwsr-xr-x. 1 root root 27832 Jan 29  2014 /usr/bin/passwd

set setuid on binary executable:

1
2
3
chmod u+s <executable>
# remove setuid on file:
chmod u-s <executable>

This post explains why setuid/setgid is usually ignored on shell script.

Another thing is about ping, it is a binary executable, for now, it may not have setuid:

1
-rwxr-xr-x 1 root root 81608 Feb  5 04:37 /usr/bin/ping

Instead, it may have capability see hardening Linux binaries by removing setuid:

1
2
# getcap /usr/bin/ping
/usr/bin/ping cap_net_raw=ep

我也总结了一篇关于 Linux capabilities 的博客.

Or not at all, see thisping without SETUID and Capabilities: Creating (normal) ICMP packets does not require special permissions anymore.

Apply on Directory

Setting the setgid permission on a directory causes new files and subdirectories created within it to inherit its group ID, rather than the primary group ID of the user who created the file (the owner ID is never affected, only the group ID).

set setgid on directory:

1
2
3
chmod g+s dir
# remove setgid on directory:
chmod g-s dir

The setuid permission set on a directory is ignored on most UNIX and Linux systems.However FreeBSD can be configured to interpret setuid in a manner similar to setgid, in which case it forces all files and sub-directories created in a directory to be owned by that directory’s owner - a simple form of inheritance.

Note that both the setuid and setgit bits have no effect if the executable bit is not set. if executable bit is not set, s changes to S.

Chown Removes Setuid

If you run chown on a setuid script, you will find that the s is gone. This is a reasonable design, otherwise the s will apply to the new owner, a big security hole.

The chown command sometimes clears the set-user-ID or set-group-ID permission bits. This behavior depends on the policy and functionality of the underlying chown system call, which may make system-dependent file mode modifications outside the control of the chown command. For example, the chown command might not affect those bits when invoked by a user with appropriate privileges, or when the bits signify some function other than executable permission (e.g., mandatory locking). When in doubt, check the underlying system behavior.

Note that if you want to have setuid and owner no change when copy, for example last time deal with sqllib, please perserve when you do copy like:

1
/bin/cp -rfp /home/dfdcdc/sqllib /tmp

Sticky Bit

When set on a file or directory, the sticky bit, or +t mode, means that only the owner (or root) can delete the file (or files under the directory), regardless of which users have write access to this file or directory by way of group membership or ownership! This is often used to control access to a shared directory, such as /tmp.

This is useful when a file or directory is owned by a group through which a number of users share write access to a given set of files.

Set sticky bit:

1
chmod +t script.sh

Remove sticky bit, note that to change the sticky bit, you need to be either root or the file owner. The root user will be able to delete files regardless of the status of the sticky bit.

1
chmod -t script.sh

Sometimes you see T instead of t, usually t sits with all fields x, but if the executable bit is not set then the t is flagged up as a capital, for example:

1
2
3
4
5
touch file
chmod u=rwx,go=rx file    # "-rwxr-xr-x 1 roaima 0 Sep 10 23:13 file"
chmod +t file             # "-rwxr-xr-t 1 roaima 0 Sep 10 23:13 file"
chmod o-x file            # "-rwxr-xr-T 1 roaima 0 Sep 10 23:13 file"
chmod u=rwx,go=,+t file   # "-rwx-----T 1 roaima 0 Sep 10 23:13 file"

Now if a user is not in that group, it cannot even enter the directory.

Resources

wiki setuid and setgid how to set T bit chown remove setuid

0%