Setuid
When setuid permission is set on an executable binary file (a program), the binary file is run as the owner of the file, not as the user who executed it.
This permission is set on a handful of system utilities so that they can be run by normal users, but executed with the permissions of root, providing access to system files that the normal user does not normally have access to.
For example, the updatedb command requires administrative privileges. However, after setting the setuid permission on it, the updatedb command can be run without root access.
The passwd command has the special setuid permission set. When the passwd command is run and accesses the /etc/shadow file, the system acts as if the user accessing the file is the owner of the passwd command (the root user), not the user who is running the command.
.rwsr-xr-x 60k root 24 Nov 2022 /usr/bin/passwd
A lowercase s means that both the setuid and execute permission are set, while an uppercase S means that only setuid and not the user execute permission is set.
To add the setuid permission symbolically, run:
chmod u+s file
To add the setuid permission numerically, add 4000 to the file’s existing permissions (assume the file originally had 775 for its permission in the following example):
chmod 4775 file
To remove the setuid permission symbolically, run:
chmod u-s file
To remove the setuid permission numerically, subtract 4000 from the file’s existing permissions:
chmod 0775 file
When a three-digit code is provided, the chmod command assumes that the first digit before the three-digit code is 0. Only when four digits are specified is a special permission set.
If three digits are specified when changing the permission on a file that already has a special permission set, the first digit will be set to 0, and the special permission will be removed from the file.
Setgid
Similar to setuid, but it makes use of the group owner permission.
Represented by s or S in the group permissions: -rwxr-sr-x
Setgid on Files
Allows a user to run an executable binary file with temporary access as the file's group owner.
Consider the group ownership of the /usr/bin/wall command file:
-rwxr-sr-x. 1 root tty 10996 Jul 19 2011 /usr/bin/wall
This executable file is group-owned by tty; when a user executes this command, it is able to access files that are group-owned by the tty group.
Setgid on Directories
Causes files created in the directory to automatically be group-owned by the group that owns the directory.
Normally, new files are group owned by the primary group of the user who created the file.
If a directory is setgid, any directories created within that directory will inherit the setgid permission.
Setgid Permissions
To add the setgid permission on a directory symbolically, use:
chmod g+s <file|directory>
To add the setgid permission numerically, add 2000 to the file’s existing permissions (assume the file below originally had 775 for its permission):
chmod 2775 <file|directory>
To remove the setgid permission symbolically:
chmod g-s <file|directory>
To remove the setgid permission numerically, subtract 2000 from the file’s existing permissions:
chmod 0775 <file|directory>
Sticky Bit
Allows files to be shared with other users: the directory's write permission lets users add and delete files in it, but a file can only be deleted by the owner of the file or the root user.
A good example of the use of sticky bit directories would be the /tmp and /var/tmp directories. These directories are designed as locations where any user can create a temporary file.
Because these directories are intended to be writable by all users, they are configured to use the sticky bit. Without this special permission, users would be able to delete any files in this directory, including those that belong to other users.
drwxrwxrwt - root 11 May 23:10 /tmp
A lowercase t means that both the sticky bit and execute permissions are set for others. An uppercase T means that only the sticky bit permission is set.
To set the sticky bit permission symbolically, execute a command like the following:
chmod o+t <directory>
To set the sticky bit permission numerically, add 1000 to the directory’s existing permissions (assume the directory in the following example originally had 775 for its permissions):
chmod 1775 <file|directory>
To remove the sticky bit permission symbolically, run:
chmod o-t <directory>
To remove the sticky bit permission numerically, subtract 1000 from the directory’s existing permissions:
chmod 0775 <directory>
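An added example, not from the original notes, that exercises the setuid, setgid and sticky bit sections above on scratch files and reads back the permission field exactly as ls -l prints it (lowercase s/t when the execute bit is also set, uppercase S/T when it is not, and the special bit dropped again by a three-digit mode). The mode_of, mode_after and find_special helpers are mine; it assumes a chmod that treats a three-digit numeric mode on a regular file as the complete mode (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example, not from the original notes: set each special bit on
# scratch files and read back the symbolic field as ls -l shows it.
# Assumes a chmod that treats a three-digit numeric mode on a regular
# file as the complete mode (GNU coreutils, BusyBox).

# First 10 characters of ls -ld: file type plus the nine permission bits,
# with s/S and t/T standing in for x when a special bit is set.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Apply a chmod mode (numeric or symbolic) and return the resulting field.
mode_after() {
    chmod "$2" "$1" && mode_of "$1"
}

demo_special_bits() {
    work=$(mktemp -d) || return 1
    f="$work/prog"; d="$work/shared"
    : > "$f"; mkdir "$d"

    mode_after "$f" 4775   # -rwsrwxr-x  setuid plus user execute: lowercase s
    mode_after "$f" 4664   # -rwSrw-r--  setuid without user execute: uppercase S
    mode_after "$f" 775    # -rwxrwxr-x  three digits: leading 0 assumed,
                           #             so the setuid bit is removed
    mode_after "$f" g+s    # -rwxrwsr-x  setgid shows in the group triple
    mode_after "$d" 1777   # drwxrwxrwt  sticky bit on a world-writable directory
    mode_after "$d" 1776   # drwxrwxrwT  sticky bit without others execute

    rm -rf "$work"
}

# Defender's inventory: every setuid or setgid regular file below a path,
# staying on one file system. Run against / to audit a real host and diff
# the list against a known-good baseline.
find_special() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;
}

demo_special_bits
```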
Links
To create links, the ln command is used with two arguments. The first argument is an existing filename to link to, called the target, and the second argument is the new filename to link to the target.
Hard Links
For every file created, there is a block of data on the file system that stores the metadata of the file. Metadata includes information about the file such as the permissions, ownership, and timestamps. Metadata does not include the filename or the contents of the file, but it does include just about all other information about the file. This metadata is the file's inode, an entry in the file system's inode table. The inode also includes pointers to other blocks on the file system, called data blocks, where the data is stored. Every file on a partition has a unique identification number called an inode number.
Hard links are two filenames that point to the same inode.
If two filenames have the same inode number, they are the same file. You can access the file data using either filename.
Like users and groups, what defines a file is not its name but the number it has been assigned. The inode table does not include the filename. For each file there is also an entry, stored in a directory's data area (data block), that associates an inode number with a filename. When you attempt to access a file, the system uses this directory entry to translate the filename into an inode number, then retrieves the file data by looking at the information in the inode table for that file.
The link count number indicates how many hard links have been created. When the number is a value of one, then the file has only one name linked to the inode.
To display the inode number of a file, use the ls -i command.
ln target link_name
When the ln command is used to create a hard link, the link count number increases by one for each additional filename.
Soft/Symbolic Links
A symbolic link is simply a file that points to another file by its pathname.
There are several symbolic links already on the system, including several in the /etc directory.
ln -s target link_name
Comparison
Although both give a file a second name, each works differently and has its own advantages and disadvantages.
- Hard Link Advantage: If a file has multiple hard links, deleting any of those names does not delete the actual file contents. With a soft link, if the original file is removed, any links pointing to it will fail.
- Soft Link Advantage: Soft links are easier to identify as links.
- Soft Link Advantage: Soft links can link to any file because they use a pathname. Hard links cannot cross file systems because each file system has its own unique set of inodes.
- Soft Link Advantage: Soft links can link to a directory.
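An added example, not from the original notes, that checks the comparison above on scratch files: a hard link shares the target's inode and raises its link count, a symbolic link has its own inode, and after the target is removed the data is still reachable through the hard link while the symbolic link dangles. The inode_of, link_count_of, same_inode and classify helpers are mine; it assumes POSIX sh, ls and awk.

```shell
#!/bin/sh
# Added example, not from the original notes: compare a hard link and a
# symbolic link to one target by inode number, link count, and what is
# left when the target is removed. Assumes POSIX sh, ls and awk.

inode_of()      { ls -di "$1" | awk '{print $1}'; }   # inode number (ls -i), no dereference
link_count_of() { ls -ld "$1" | awk '{print $2}'; }   # hard-link count column of ls -l

# "same" if both names resolve to one inode, "different" otherwise.
same_inode() {
    [ "$(inode_of "$1")" = "$(inode_of "$2")" ] && echo same || echo different
}

# Classify a name: "symlink", "dangling" (symlink whose target is gone),
# "file" (a plain name, hard links included) or "missing".
classify() {
    if [ -L "$1" ]; then
        [ -e "$1" ] && echo symlink || echo dangling
    elif [ -e "$1" ]; then
        echo file
    else
        echo missing
    fi
}

demo_links() {
    work=$(mktemp -d) || return 1
    printf 'payload\n' > "$work/target"
    ln    "$work/target" "$work/hard"    # second name for the same inode
    ln -s "$work/target" "$work/soft"    # separate file that stores a pathname

    same_inode "$work/target" "$work/hard"   # same
    same_inode "$work/target" "$work/soft"   # different
    link_count_of "$work/target"             # 2
    classify "$work/soft"                    # symlink

    rm "$work/target"                        # remove the original name only
    cat "$work/hard"                         # payload: data survives via the hard link
    link_count_of "$work/hard"               # 1
    classify "$work/soft"                    # dangling
    rm -rf "$work"
}

demo_links
```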