[2024-feb-29] Sad news: Eric Layton aka Nocturnal Slacker aka vtel57 passed away on Feb 26th, shortly after hospitalization. He was one of our Wiki's most prominent admins. He will be missed.

Welcome to the Slackware Documentation Project

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
slackbook:filesystem_permissions [2012/09/09 15:14 (UTC)] – [chmod, chown, and chgrp] update document with original text and formatting mfillpotslackbook:filesystem_permissions [2012/10/15 22:28 (UTC)] (current) – [SUID, SGID, and the Sticky Bit] gerardo.zamudio
Line 23: Line 23:
 case, the permissions are rwxr-xr-x, the user is root and the group is case, the permissions are rwxr-xr-x, the user is root and the group is
 also root. The permissions section, while grouped together, is really also root. The permissions section, while grouped together, is really
-three seperate pieces. The first set of three letters are the+three separate pieces. The first set of three letters are the
 permissions granted to the user that owns the file. The second set of permissions granted to the user that owns the file. The second set of
 three are those granted to the group owner, and the final three are three are those granted to the group owner, and the final three are
Line 36: Line 36:
 |Others |r-x |Everyone else may read and execute| |Others |r-x |Everyone else may read and execute|
  
-he permissions are pretty self explainatory of course, at least for+The permissions are pretty self explanatory of course, at least for
 files. Read, write, and execute allow you to read a file, write to it, files. Read, write, and execute allow you to read a file, write to it,
 or execute it. But what do these permissions mean for directories? or execute it. But what do these permissions mean for directories?
Line 166: Line 166:
 By adding these values together, we can reach any number between 0 and By adding these values together, we can reach any number between 0 and
 7 and specify all possible permission combinations. For example, to 7 and specify all possible permission combinations. For example, to
-grant both read and write privilages while denying execute, we would+grant both read and write privileges while denying execute, we would
 use the number 6. The number 3 would grant write and execute use the number 6. The number 3 would grant write and execute
 permissions, but deny the ability to read the file. We must specify a permissions, but deny the ability to read the file. We must specify a
Line 184: Line 184:
  
 **//chmod//** can also use letter values along with **//chmod//** can also use letter values along with
-<key>+</key> or <key>-</key> to grant or deny permissions.+<key>'+'</key> or <key>Minus</key> to grant or deny permissions.
 While this may be easier to While this may be easier to
 remember, it's often easier to use the octal permissions.  remember, it's often easier to use the octal permissions. 
Line 205: Line 205:
 group, and //"o"// for all others. You must also specify whether you are group, and //"o"// for all others. You must also specify whether you are
 adding or removing permissions with the //"+"// and //"-"// signs. Multiple adding or removing permissions with the //"+"// and //"-"// signs. Multiple
-sets can be changed at once by seperating each with a comma.+sets can be changed at once by separating each with a comma.
  
  
Line 232: Line 232:
 ===== SUID, SGID, and the "Sticky" Bit ===== ===== SUID, SGID, and the "Sticky" Bit =====
  
-We're not quite done with permissions just yet. There are three other "special" permissions in addition to those mentioned above. They are SUID, SGID, and the sticky bit. When a file has one or more of these permissions set, it behaves in special ways. The SUID and SGID permissions change the way an application is run, while the sticky bit restricts deletion of files. These permissions are applied with chmod like read, write, and execute, but with a twist.+We're not quite done with permissions just yet. There are three other 
 +//"special"// permissions in addition to those mentioned above. They are 
 +SUID, SGID, and the sticky bit. When a file has one or more of these 
 +permissions set, it behaves in special ways. The SUID and SGID 
 +permissions change the way an application is run, while the sticky bit 
 +restricts deletion of files. These permissions are applied with 
 +**//chmod//** 
 +like read, write, and execute, but with a twist
 + 
 + 
 +SUID and SGID stand for //"Set User ID"// and //"Set Group ID"// respectively. 
 +When an application with one of these bits is set, the application runs 
 +with the user or group ownership permissions of that application 
 +regardless of what user actually  
 +executed it. Let's take a look at a common SUID application, the humble 
 +**//passwd//** and the files it modifies.
  
-SUID and SGID stand for "Set User ID" and "Set Group ID" respectively. When an application with one of these bits is set, the application runs with the user or group ownership permissions of that application regardless of what user actually executed it. Let's take a look at a common SUID application, the humble passwd and the files it modifies. 
  
 <code> <code>
Line 245: Line 259:
 </code> </code>
  
-Notice the permissions on passwd. Instead of an x in the user's execute slot, we have an s. This tells us that passwd is a SUID program, and when we run it, the process will run as the user "root" rather than as the user that actually executed it. The reason for this is readily apparent as soon as you look at the two files it modifies. Neither /etc/passwd nor /etc/shadow are writeable by anyone other than root. Since users need to change their personal information, passwd must be run as root in order to modify those files. 
  
-So what about the sticky bit? The sticky bit restricts the ability to move or delete files and is only ever set on directories. Non-root users cannot move or delete any files under a directory with the sticky bit set unless they are the owner of that file. Normally anyone with write permission to the file can do this, but the sticky bit prevents it for anyone but the owner (and of course, root). Let's take a look at a common "sticky" directory.+Notice the permissions on **//passwd//**. Instead of 
 +an <key>'x'</key> in the user's execute slot, we have an 
 +<key>'s'</key>. This tells us that 
 +**//passwd//** is a SUID program, and when we run 
 +it, the process will run as the user //"root"// rather than as the user 
 +that actually executed it. The reason for this is readily apparent as 
 +soon as you look at the two files it modifies. Neither 
 +''/etc/passwd'' nor ''/etc/shadow'' 
 +are writable by anyone other than root. Since users need to change 
 +their personal information, **//passwd//** must be 
 +run as root in order to modify those files. 
 + 
 + 
 +So what about the sticky bit? The sticky bit restricts the ability to 
 +move or delete files and is only ever set on directories. Non-root 
 +users cannot move or delete any files under a directory with the sticky 
 +bit set unless they are the owner of that file. Normally anyone with 
 +write permission to the file can do this, but the sticky bit prevents 
 +it for anyone but the owner (and of course, root). Let's take a look at 
 +a common //"sticky"// directory.  
  
 <code> <code>
Line 254: Line 287:
 </code> </code>
  
-Naturally, being a directory for the storage of temporary files sytem wide, /tmp needs to be readable, writeable, and executable by anyone and everyone. Since any user is likely to have a file or two stored here at any time, it only makes good sense to prevent other users from deleting those files, so the sticky bit has been set. You can see it by the presence of the **t** in place of the **x** in the world permissions section.+ 
 +Naturally, being a directory for the storage of temporary files system 
 +wide, ''/tmp'' needs to be readable, writable, and 
 +executable by anyone and everyone. Since any user is likely to have a 
 +file or two stored here at any time, it only makes good sense to 
 +prevent other users from deleting those files, so the sticky bit has 
 +been set. You can see it by the presence of the <key>'t'</key> in 
 +place of the <key>'x'</key> in the world permissions section. 
  
 **Table 10.5. SUID, SGID, and "Sticky" Permissions** **Table 10.5. SUID, SGID, and "Sticky" Permissions**
-^Permission ^Type ^Octal Value ^Letter Value|+^Permission Type ^Octal Value ^Letter Value|
 |SUID |4 |s| |SUID |4 |s|
 |SGID |2 |s| |SGID |2 |s|
 |Sticky |1 |t| |Sticky |1 |t|
  
-When using octal permissions, you must specify an additional leading octal value. For example, to recreate the permission on /tmp, we would use 1777. To recreate those permissions on /usr/bin/passwd, we would use 4711. Essentially, any time this leading fourth octet isn't specified, chmod assumes its value to be 0.+When using octal permissions, you must specify an additional leading 
 +octal value. For example, to recreate the permission on 
 +''/tmp'', we would use 1777. To recreate those 
 +permissions on ''/usr/bin/passwd'', we would use 4711. 
 +Essentially, any time this leading fourth octet isn't specified, 
 +**//chmod//** assumes its value to be 0. 
  
 <code> <code>
Line 269: Line 316:
 </code> </code>
  
-Using the alphabetic permission values is slightly different. Assuming the two files above have permissions of 0000 (no permissions at all), here is how we would set them.+ 
 +Using the alphabetic permission values is slightly different. Assuming 
 +the two files above have permissions of 0000 (no permissions at all), 
 +here is how we would set them.  
  
 <code> <code>
Line 276: Line 327:
 </code> </code>
  
 +====== Chapter Navigation ======
 +
 +**Previous Chapter: [[slackbook:users|Users and Groups]]**
 +
 +**Next Chapter: [[slackbook:working_with_filesystems|Working with Filesystems]]**
 ====== Sources ====== ====== Sources ======
 <!-- If you copy information from another source, then specify that source --> <!-- If you copy information from another source, then specify that source -->
- * Original source: [[http://www.slackbook.org/beta/]] +  * Original source: [[http://www.slackbook.org/beta]] \\
 <!-- Authors are allowed to give credit to themselves! --> <!-- Authors are allowed to give credit to themselves! -->
-<!-- * Originally written by [[wiki:user:xxx | User X]] --> +  * Originally written by Alan Hicks, Chris Lumens, David Cantrell, Logan Johnson 
-<!-- * Contrbutions by [[wiki:user:yyy | User Y]] -->+<!-- * Contributions by [[wiki:user:yyy | User Y]] -->
  
 <!-- Please do not modify anything below, except adding new tags.--> <!-- Please do not modify anything below, except adding new tags.-->
 <!-- You must also remove the tag-word "template" below. Otherwise your page will not show up in the Table of Contents --> <!-- You must also remove the tag-word "template" below. Otherwise your page will not show up in the Table of Contents -->
 {{tag>slackbook filesystem permissions suid sgid sticky_bit chmod chown chgrp}} {{tag>slackbook filesystem permissions suid sgid sticky_bit chmod chown chgrp}}
 slackbook:filesystem_permissions ()