I have seen something like this in permission bits, What do these s/S
and t/T
stand for?
1 | # s bit |
Basic Permission Bits
Read
- a readable permission allows the contents of the file to be viewed. A read permission on a directory allows you to list the contents of a directory.Write
- a write permission on a file allows you to modify the contents of that file. For a directory, the write permission allows you to edit the contents of a directory (e.g. add/delete files).Execute
- for a file, the executable permission allows you to run the file and execute a program or script. For a directory, the execute permission allows you to change to a different directory and make it your current working directory.
Setuid and Setgid Bits
Note that setuid
and setgid
have an effect only on binary executable files and not on scripts (e.g., Bash, Perl, Python), see wiki.
Assigning the setuid
bit to binaries, most often this is given to a few programs owned by the superuser. When an ordinary user runs a program that is setuid root, the program runs with the effective privileges of the superuser. Linux capabilities
is a great alternative to reduce the usage of setuid.
Capabilities break up root privileges in smaller units, so root access is no longer needed. Most of the binaries that have a setuid flag, can be changed to use capabilities instead.
Apply on File
When the setuid
or setgid
attributes are set on an executable file, then any users able to execute the file will automatically execute the file with the privileges of the file’s owner (usually root) and/or the file’s group, depending upon the flags set. This may pose potential security risks in some cases and executables should be properly evaluated before set.
For example the passwd
file:
1 | # ordinary user can run this binary effectively as root |
set setuid on binary executable:
1 | chmod u+s <executable> |
This post explains why setuid/setgid
is usually ignored on shell script.
Another thing is about ping
, it is a binary executable, for now, it may not have setuid
:
1 | -rwxr-xr-x 1 root root 81608 Feb 5 04:37 /usr/bin/ping |
Instead, it may have capability see hardening Linux binaries by removing setuid:
1 | # getcap /usr/bin/ping |
我也总结了一篇关于 Linux capabilities 的博客.
Or not at all, see thisping without SETUID and Capabilities: Creating (normal) ICMP packets does not require special permissions anymore.
Apply on Directory
Setting the setgid
permission on a directory causes new files and subdirectories created within it to inherit its group ID
, rather than the primary group ID of the user who created the file (the owner ID is never affected, only the group ID).
set setgid on directory:
1 | chmod g+s dir |
The setuid
permission set on a directory is ignored on most UNIX and Linux systems.However FreeBSD can be configured to interpret setuid
in a manner similar to setgid, in which case it forces all files and sub-directories created in a directory to be owned by that directory’s owner - a simple form of inheritance.
Note that both the setuid
and setgit
bits have no effect if the executable bit is not set. if executable bit is not set, s
changes to S
.
Chown Removes Setuid
If you run chown
on a setuid
script, you will find that the s
is gone. This is a reasonable design, otherwise the s
will apply to the new owner, a big security hole.
The chown
command sometimes clears the set-user-ID or set-group-ID permission bits. This behavior depends on the policy and functionality of the underlying chown
system call, which may make system-dependent file mode modifications outside the control of the chown
command. For example, the chown
command might not affect those bits when
invoked by a user with appropriate privileges, or when the bits signify some function other than executable permission (e.g., mandatory locking). When in doubt, check the underlying system behavior.
Note that if you want to have setuid and owner no change when copy, for example last time deal with sqllib
, please perserve when you do copy like:
1 | /bin/cp -rfp /home/dfdcdc/sqllib /tmp |
Sticky Bit
When set on a file or directory, the sticky bit
, or +t
mode, means that only the owner
(or root
) can delete the file (or files under the directory), regardless of which users have write access to this file or directory by way of group membership or ownership! This is often used to control access to a shared directory, such as /tmp
.
This is useful when a file or directory is owned by a group through which a number of users share write access to a given set of files.
Set sticky bit:
1 | chmod +t script.sh |
Remove sticky bit, note that to change the sticky bit, you need to be either root or the file owner. The root user will be able to delete files regardless of the status of the sticky bit.
1 | chmod -t script.sh |
Sometimes you see T
instead of t
, usually t
sits with all fields x
, but if the executable bit is not set then the t
is flagged up as a capital, for example:
1 | touch file |
Now if a user is not in that group, it cannot even enter the directory.