Pawan Sharma | August 28, 2012 | | 1 Comment so far

SUID, SGID and Sticky Bit in RHEL6

In the previous post I have explained about changing file/directory permissions using chmod command in two ways: symbolic and numeric mode. In this post we will discuss about three special file permissions: Sticky Bit, SUID Bit and SGID bit, using which we can make processes more secure and efficient:

In the previous post we have discussed about three file permissions: ream(r), write (w) and execute(x), besides these three are three more permissions: SUID(s), SGID(s) and Sticky Bit(t). First we will explain what these terms means.

Sticky Bit(t): Sticky bit is very simple and effective file permission; it increases security of a file/directory which is shared with other users. When sticky bit is enabled, only user (owner) of that file can remove or rename the file even if other users have full (rwx) permissions on that file. In the case of a directory, only user (owner) of the directory or the owner of the file in that directory can remove or rename the file. Mainly sticky bit is used on directories on which multiple users have access like /tmp. By default sticky bit is set on /tmp in Redhat Enterprise Linux 6(RHEL6).

[root@PawanS1 ~]# ls -ld /tmp
drwxrwxrwt.  96 root root  4096  Aug 28 12:06   /tmp

In the above example we can see that there is a “t” at execute permission for others. Sticky bit can be enabled using “chmod” command. Let’s take some examples of Sticky Bit.
  • Add sticky bit permission on a directory with all permissions using symbolic chmod.
[root@PawanS1 ~]# ls -ld Test_Dir/
drwxrwxrwx  2  admin pawan  4096 Aug 28 10:22  Test_Dir/

[root@PawanS1 ~]# chmod +t Test_Dir/

[root@PawanS1 ~]# ls -ld Test_Dir/
drwxrwxrwt  2  pawan admin  4096 Aug 28 10:22   Test_Dir/
  • Add sticky bit permission on a directory using numeric chmod.
[root@PawanS1 ~]# ls -ld My_Dir/
drwxr-xr-- 2 pawan admin 4096 Aug 28 10:27   My_Dir/

[root@PawanS1 ~]# chmod 1754 My_Dir/

[root@PawanS1 ~]# ls -ld Test_Dir/
drwxr-xr-T  2  pawan admin  4096 Aug 28 10:22   MY_Dir/

Note: This time we have a “T” instead of “t” because the directory does not have execute permission for others.

SUID (Set User ID) Bit(s): Mainly we enable SUID bit on files specially on executable scripts. When SUID bit is enabled on the script/ file, whenever someone executes the file it runs as the user who is owner of that file. It means the file is ensured to run as the owner, even if executed by anyone. This comes handy when you want to give execute rights of a root privileged script to some other user. In RHEL 6, SUID bit is set by default on commands like /usr/bin/passwd, /usr/bin/wall, /usr/bin/ssh-agent, etc. This is the reason a user can change its password itself.

[root@PawanS1 ~]# ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 27936 Aug  3  2010  /usr/bin/passwd

In the above example we can see that there is a “s” at execute permission of user (owner). SUID bit can be enabled using “chmod” command. Let’s take some examples of SUID bit.
  • Add SUID bit on a script using symbolic chmod.
[root@PawanS1 ~]# ls -l test_script.sh
-rwxr-xr-x 1 root admin 43 Aug 28 11:51  test_script.sh

[root@PawanS1 ~]# chmod u+s test_script.sh

[root@PawanS1 ~]# ls -l test_script.sh
-rwsr-xr-x 1 root admin 43 Aug 28 11:51  test_script.sh
  • Add SUID bit on a script which does not have execute permission for user (owner) using numeric chmod.
[root@PawanS1 ~]# ls -l my_script.sh
-rw-r--r-- 1 root admin 29 Aug 28 11:58   my_script.sh

[root@PawanS1 ~]# chmod  4644 my_script.sh

[root@PawanS1 ~]# ls -l my_script.sh
-rwSr--r-- 1 root admin 29 Aug 28 11:58   my_script.sh

Note: This time we have a “S” instead of “s” because the script “my_script.sh does not have execute permission for user.

SGID (Set Group ID) Bit: SGID bit is very useful when you have to give access of a directory to a set of users in a group. When SGID bit is enabled on a directory any file/directory created under it by any user have the same group permissions as of the parent directory.

For example, you have created a group named “sales” and you have added three user pawan, siddharth, ramswaroop and usaid in group “sales”. Now you want that every file created by any of these four users under directory “/Sales” can be accessible by any of these users.

1. To do this first you have to create a directory “/Sales” and then change group owner and group permission to sales and rwx respectively.

[root@PawanS1 ~]# mkdir /Sales/

[root@PawanS1 ~]# ls -d /Sales/
drwxr-xr-x 2 root root 4096 Aug 28 12:31 /Sales/

[root@PawanS1 ~]# chmod g=rwx /Sales/

[root@PawanS1 ~]# ghgrp sales /Sales/

[root@PawanS1 ~]# ls -d /Sales/
drwxrwxr-x 2 root sales 4096 Aug 28 12:31 /Sales/

2. Then enable SGID Bit on “/Sales” directory

[root@PawanS1 ~]# ls -d /Sales/
drwxr-xr-x 2 root root 4096 Aug 28 12:31 /Sales/

[root@PawanS1 ~]# chmod g+s /Sales/

[root@PawanS1 ~]# ls -d /Sales/
drwxrwsr-x 2 root root 4096 Aug 28 12:31 /Sales/

In the above example we can see that there is a “s” at execute permission of group. Now any file created under directory “/Sales” will have group user sales

Now login as user pawan and create a file in /Sales and check its permissions.

[pawan@PawanS1 Sales]# touch test.txt

[pawan@PawanS1 Sales]# chmod g+s /Sales/

[pawan@PawanS1 Sales]# ls -l test.txt
-rw-rw-r-- 1 pawan sales 8 Aug 28 12:43 test.txt
  • We can also enable SGID bit using chmod in numeric mode.
[root@PawanS1 ~]# ls -d /Purchase/
drwxrw-r-x 2 root purchase 4096 Aug 28 12:31 /Purchase/

[root@PawanS1 ~]# chmod 2765 /Purchase/

[root@PawanS1 ~]# ls -d /Purchase/
drwxrwSr-x 2 root purchase 4096 Aug 28 12:31 /Purchase/

Note: This time we have a “S” instead of “s” because directory “/Purchase” does not have execute permission for group.

Below table summarize the chmod for SUID, SGID and Sticky Bit.

Permission
Symbolic Mode
Numeric Mode
Sticky Bit
chmod +t file_name
chmod 1XXX file_name
SUID Bit
chmod u+s file_name
chmod 4XXX file_name
SGID Bit
chmod g+s file_name
chmod 2XXX file_name
where X is permission for user,group and other

If you have any doubts or queries please post comment.


Pawan Sharma | August 27, 2012 | | 1 Comment so far

Changing File Permissions using chmod command

In this post we will learn how to use “chmod” command to change file permissions in Redhat Enterprise Linux 6. Linux is a multi-user operating system; this means many users can have access to particular file or directory. To maintain security, in Linux, there are three categories of user (user, group and other) for file permission (as discussed in previous post), also we have three types of permission: read, write and execute for each type of user.

To view current permissions of a file we can user long directory listing command “ls -l”:

[root@PawanS1 ~]# ls -l test_file.txt
-rwxr-xr-- 1 pawan admin 30 Aug 27 13:05 test_file.txt

In the above example we can see that owner of the file is pawan, group owner of the file is admin and file have permissions rwxr-xr-- which means:
User have read, write and execute (rwx) permissions.
Group have read and execute(r-x) permission.
And others have only read(r--) permission.
Note: “-“ means no permission.

This means user pawan have full access of file test_file.txt, he can read, modify and also execute the file. And members of group admin can only read and execute the file. Also users other that pawan and members of group admin can only read the file and can’t modify or execute the fiel.

To change the permission of file we can user “chmod” command, only root and file owner can change permission of file. There are two methods of changing permissions:
  • Symbolic mode
  • Numeric mode
Symbolic Mode:
Symbolic mode is very easy to user. There are three steps in this process:
  1. Decide whether you have to change permission for user (u), group (g), other (o) or for all (a).
  2. Decide to add (+), remove (-) or reset all permission (=).
  3. Decide what would be the permission: read (r), write (w), or execute (x).
  4. Then give the name of file of which you have to change permission.
Few examples of chmod in symbolic mode:
  • Remove execute permission from user
[root@PawanS1 ~]# chmod u-x test_file.txt
  • Add write permission for both group and other
[root@PawanS1 ~]# chmod go+w test_file.txt
  • Remove write and execute permissions from other
[root@PawanS1 ~]# chmod o-wx test_file.txt
  • Add write permissions for all
[root@PawanS1 ~]# chmod a+w test_file.txt
  • Change permission of user to rwx
[root@PawanS1 ~]# chmod u=rwx test_file.txt
  • To remove execute permission recursively from files in a directory
[root@PawanS1 ~]# chmod -R u-x Test_Directory/

Below table summarize the chmod in symbolic mode

User to be modified
What to do
Permission
u (user/owner)
+ (add permission)
r (read)
g (group)
- (remove permission
w (write)
o (other)
= (change permission)
x (execute)
a (all)


 
Note: besides above mentioned permissions there are two more permissions SUID/SGID(s) and Sticky bit(t) which can be set to give special permission.

Numeric Mode:
Numeric mode of chmod command is also very useful and easy. This changes old permission directly to new permissions. In numeric file permissions are represented by three digit number. Also each permission(r,w and x) are represented with a number.

4=read(r)
2=write(w)
1=execute(x)
0=none(-)

To create permission we have to add number accordingly. For example:

rwx = 4+2+1 = 7
rw- = 4+2+0 = 6
--x = 0+0+1 = 1

To change permission we have to give a 4 digit number combining the above to change permission of file, in which the first digit is permission for user, second digit is permission for group and the third digit is permission for other.

Few examples of chmod in Numeric mode:
  • To change permission to -rwx-rw-r--
[root@PawanS1 ~]# chmod 0764 test_file.txt

In the above example 7=4+2+1, 6=4+2+0 and 4=4+0+0. This means owner have rwx(7), group have rw-(6) and others have r--(4) permission.
  • To change permission to -rw-r-x--x
[root@PawanS1 ~]# chmod 0651 test_file.txt

Note: The first digit 0 is for special permission like SUID, SGID and Sticky bit.

Besides these three bits discussed above there is a special bit which is used to give special permission to a file or directory for setting SUID bit, SGID bit and Sticky bit, which can be represented by. We will discuss this in the next post.

Numeric mode will take some time to get in ease, but it is very useful and effective to change permissions quickly.

Pawan Sharma | August 26, 2012 | Be the first to comment!

File Permissions In Redhat Enterprice Linux 6

In the previous post we have seen type of files and file permissions in Linux. In this post we will learn file permissions in detail. Every file in Linux has set of properties like permission, owner, group, created date, modified date size, name, type, etc. We will user one of the most important command “ls -l” to find these properties of a file in Redhat Enterprise Linux6.

It is important to note that Linux is a multi-user operating system, it is important to secure files as different users can have different grants on a same file. Some users can have read-write grants on a file while others an only read it but not edit it or delete it. To maintain this security Linux operating system uses file permissions.

Every file/directory in Linux is owned by a user and a group so file permissions are defined for user, group and other.
  • User: It is the username of the person who owns the file and by default the user who created the file is the owner.
  • Group: A group who owns the file. Group can be same as the user or different and can contain more than one user.
  • Other: A user who is not the owner of the file and also does not belong to group owner.
Every class of user (user, group and other) has three types of permissions:
  • Read (r): For a file, this means it can be opened and read. For a directory, this means you can list contents of that directory.
  • Write (w): For a file, this means you can edit a file (remove or add contents) but you cannot remove or rename the file. For Directory, this means that you can add, remove and rename the files within that directory.
  • Execute(x): For a file, this means you can execute the file as program/script. For directory, this means that you can execute files/directories (change directory) within that directory.
To view file permissions we can user directory listing command ls with -l opthon.

[root@PawanS1 ~]# ls -l test_file.txt
-rwxrw-r-- 1 root root    12 Aug 25 19:50 Test_File.txt

In the above command we can see different properties of a file named “Test_File.txt”. File permissions are represented by 10 bits (the first 10 characters of the output of ls -l command -rwxr-xr-x).

First bit is file type “-“ for file and “d” for directory.
Second to fourth bits are Owner’s permission (User).
Fifth to seventh bits are Group’s permission.
Eighth to tenth bits are Other’s permission.

And if we represent permissions in octal notation:
User: rwx = in binary 111 = 7 = 4+2+1
Group: r-x = in binary 101 = 5 = 4+0+1
Other: --x = in binary 001 = 1 = 0+0+1

So permissions are -rwxr-x--x which are equivalent to 751. But for better understanding we assume:
  • r = read = 4
  • w = write = 2
  • x = execute = 1
By combining above mentioned permissions we can give Owner, Group and Others different permissions as we require. For example –rwxr-xr-- shown that it is a regular file with read, write and execute permissions to Owner; read and execute permissions to Group and only read permission to Others.

We can change these permissions using chmod command. We will discuss this command in the next post.
Some examples of octal combination of permissions:

Owner: rwx = 4+2+1 = 7
Group: r-x - 4+0+1 = 5
Other: --x = 0+0+1 = 1

So permissions are -rwxr-x--x which are equivalent to 751

So to change files permissions to -rwxr-x—x(751) we need to execute command:

# chmod 0751 filename
Or
# chmod 751 filename

The above commands do the same, but it is important to note the first octal notation which is “0” in this case, this is used to set SUID bit, GID bit and Sticky bit on a file which we will discuss in some other post.

For any queries please post comments.
Pawan Sharma | August 25, 2012 | Be the first to comment!

Files and Types of files in RHEL6

In this post we will discuss different types of files in Redhat Enterprise Linux 6. There are 7 types of files in Linux. As we all know "everything in Linux is a file". Linux treat everything as file, also hardware devices like CPU, Memory, keyboard, mouse and even a process is also considered as a file. A directory (aka folder) is also considered as a file containing list of files. Whenever a file is created in Linux it gets an inode number (index inode) which contains information like owner, file type, permission, date of creation etc.

To check the type of file we can use “ls -l” command :

# ls -l /erc/passwd
-rw-r--r-- 1 root root 3363 Aug 12 17:25 /etc/passwd


The above command give different information about a file, like its owner, group, creation time, permission etc, we will discuss it in another post. The very first character represents type of file, in the above example the first character is a "-" which indicates that it is a regular file.

There are seven types of files in Linux.

  1. REGULAR Files (-): Regular files are represented by “-“ in ls -l command output. Regular files are common files containing text like scripts or data. 
  2.  DIRECTORIES (d): Directories are represented by “d”. As mentioned above directories are special files that contains list of other files. 
  3. SYMBOLIC Links (l): Symbolic links are represented by “l”. A symbolic link is a reference to another file or in common language it is shortcut to another file. 
  4. NAMED PIPE (p): Named pipes are represented by “p”. Named pipes are like sockets for communication between processes. 
  5. SOCKET (s): These are represented by “s” Sockets are special files that provides inter process networking. 
  6. CHARACTER Device Files (c): Character device files are represented by “c”. These files represent devices which read/write 0 or more bytes in a stream like TTY or keyboard. 
  7. BLOCK Device Files (b): Block device files are represented by “b”. Block device can read/write bytes in a fixed size blocks like HDD or a partition.

Each type of file represented by different color in terminal. Like

       File Type               Colour
  • Regular File          White
  • Directory               Blue
  • Symbolic Link        Cyan
  • Socket                   Purple
  • Named Pipes         Red
  • Device File            Yellow 
File types in Linux
Type of files in RHEL 6
  
For any questions please feel free to comment.