

15.8. Effect of Setting File and Directory SUID/SGID Permissions Explained

Setting the SUID or SGID bit on a file has consequences that go well beyond the ordinary read/write/execute bits. If a file is executable and its SUID bit is set, the process that runs it gets the effective UID of the file's owner instead of the UID of the user who started it. For example, if you are logged onto a system as an ordinary user (let's say as the user bobj) and you execute a file that is owned by root (uid = 0) and has the SUID bit set, the program runs as if root had logged in and executed it. For the duration of that program, the SUID bit gives bobj administrative privilege. Two caveats matter in practice. First, every SUID-root program is a privilege boundary: a bug in it, or in the way it trusts its arguments and environment, is a local privilege escalation, so the set of SUID programs on a server should be kept small and audited. Second, the bit is honored only for native executables on a filesystem mounted without the nosuid option; Linux ignores it on interpreted (#!) scripts.

The SGID bit on an executable file works the same way for the group: the program runs with the effective GID of the file's group, so for the duration of the program the user has whatever access that group has (for instance, to files the group may read or write).

On a directory the two bits do not behave alike. The SGID bit on a directory causes every file and subdirectory created inside it to be given the directory's group rather than the primary group of the user who created it; a new subdirectory also inherits the SGID bit itself, so the behavior propagates down the tree. This is what makes a shared group directory work: any member of the group can create a file, and the other members can then access it through the group permissions. The kernel assigns owner and group when the inode is created (in open(2) with O_CREAT, creat(2) and mkdir(2)) and takes only the group from the directory. The owner of a new file is always the user who created it; Linux ignores the SUID bit on a directory, so do not expect it to make new files belong to the directory's owner.

To set the SUID bit, execute the following command (the bit is accepted on a directory, but as explained above Linux gives it no effect there):

root#   chmod u+s file-or-directory 

To set the SGID bit on a file or a directory, execute this command:

root#   chmod g+s file-or-directory 

And to set both the SUID and SGID bits, execute the following:

root#   chmod ug+s file-or-directory 

In octal notation SUID is 4000 and SGID is 2000, so chmod 2775 on a directory is the same as chmod 775 followed by chmod g+s. A lowercase s in the ls listing means the set-id bit sits over an execute bit; an uppercase S means the set-id bit is present but the corresponding execute bit is not, which for a program means it cannot be run at all.

Let's consider the example of a directory /data/accounts. The permissions on this directory before setting both SUID and SGID on it are (note that the listing is of the parent directory, /data, so that the mode of accounts itself is visible):

root#   ls -al /data
total 1
drwxr-xr-x   10 root     root           232 Dec 18 17:08 .
drwxr-xr-x   21 root     root           600 Dec 17 23:15 ..
drwxrwxrwx    2 bobj     Domain Users    48 Dec 18 17:08 accounts
drwx------    2 root     root            48 Jan 26  2002 lost+found

In this example, if the user maryv creates a file in the world-writable directory, it is owned by her. If maryv's primary group is Accounts, the file's group is Accounts, as shown in this listing:

root#   ls -al /data/accounts/maryvfile.txt
-rw-rw-r--    1 maryv    Accounts      12346 Dec 18 17:53 /data/accounts/maryvfile.txt

Now you set the SUID and SGID and check the result as follows:

root#   chmod ug+s /data/accounts
root#   ls -al /data
total 1
drwxr-xr-x   10 root     root           232 Dec 18 17:08 .
drwxr-xr-x   21 root     root           600 Dec 17 23:15 ..
drwsrwsr-x    2 bobj     Domain Users    48 Dec 18 17:08 accounts
drwx------    2 root     root            48 Jan 26  2002 lost+found

If maryv creates a file in this directory after this change has been made, the file is still owned by the user maryv (the SUID bit on the directory changes nothing), but its group is now Domain Users, inherited from the directory because of the SGID bit, as shown here:

root#   ls -al /data/accounts/maryvfile.txt
-rw-rw-r--    1 maryv    Domain Users  12346 Dec 18 18:11 /data/accounts/maryvfile.txt
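The shared-directory behavior described above, as an added example that is not code from the book: a POSIX shell script that builds a throwaway SGID directory, shows that a file created in it takes the directory's group while keeping its creator as owner, decodes the set-id bits from an ls -l mode string (including the uppercase S case), and lists the set-id files on a filesystem. The temporary directory and file names are made up for the demonstration; the helpers need only POSIX ls, awk, find and chmod and run as an ordinary user or as root on Linux.

```shell
#!/bin/sh
# Added example for this section; not code from Samba-3 by Example.
# Demonstrates what SGID on a directory really does (new files take the
# directory's group, the owner stays the creating user) and provides two
# audit helpers. Temporary paths below are constructed for the demo.

# setid_bits MODE
# Decode the set-id bits from the 10-character mode string that ls -l
# prints, e.g. "drwsrwsr-x". Prints any of "suid", "sgid", "sticky".
# An uppercase S or T means the bit is set but the execute bit under it
# is not: on a file that is a program that cannot run; on a directory
# SGID is still effective.
setid_bits() {
    mode=$1
    out=
    case "$(printf '%s' "$mode" | cut -c4)"  in s|S) out="$out suid"   ;; esac
    case "$(printf '%s' "$mode" | cut -c7)"  in s|S) out="$out sgid"   ;; esac
    case "$(printf '%s' "$mode" | cut -c10)" in t|T) out="$out sticky" ;; esac
    printf '%s\n' "${out# }"
}

# mode_of PATH: the 10-character mode string of PATH itself (ls -ld does
# not follow a symlink). Works without GNU stat.
mode_of() { ls -ld "$1" | cut -c1-10; }

# owner_of / group_of PATH: owner and group names from ls -ld.
# Caveat: a group name containing a space (winbind's "Domain Users")
# splits into two awk fields; uid_of below uses numeric ids instead.
owner_of() { ls -ld  "$1" | awk '{print $3}'; }
group_of() { ls -ld  "$1" | awk '{print $4}'; }
uid_of()   { ls -ldn "$1" | awk '{print $3}'; }

# sgid_demo: create a throwaway shared directory, set SGID (chmod 2775),
# create a file inside it and print what the file ended up with. If the
# caller has a supplementary group, the directory is given that group so
# the inheritance is visible; otherwise the primary group is used.
sgid_demo() {
    dir=$(mktemp -d) || return 1
    primary=$(id -gn)
    grp=$primary
    for g in $(id -Gn); do
        if [ "$g" != "$primary" ]; then grp=$g; break; fi
    done
    chgrp "$grp" "$dir" && chmod 2775 "$dir" || { rm -rf "$dir"; return 1; }
    : > "$dir/newfile"
    printf 'dir   mode=%s bits=[%s] group=%s\n' \
        "$(mode_of "$dir")" "$(setid_bits "$(mode_of "$dir")")" "$(group_of "$dir")"
    printf 'file  owner=%s (creator %s) group=%s\n' \
        "$(owner_of "$dir/newfile")" "$(id -un)" "$(group_of "$dir/newfile")"
    rm -rf "$dir"
}

# find_setid ROOT: every regular file under ROOT (same filesystem only)
# with SUID or SGID set. This is the inventory that should stay small.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

sgid_demo
```

Run it as any user: the file line shows the caller as owner and the directory's group as group, which is the SGID effect. Compare the output of find_setid / on a freshly installed server against a later run to catch set-id programs that were added without anyone noticing.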



    Samba-3 by Example: Practical Exercises to Successful Deployment (2nd Edition)
    ISBN: 013188221X
    Year: 2005
    Pages: 142