Recovered from the older tannerjc.net wiki snapshot dated January 23, 2016.

Sticky Bit vs set UID and set GID

I have always been confused by the sticky bit and set uid and set gid.

From reading the below information I think it’s basically this:

sticky bit keeps non-owners from deleting a file (like /tmp has)

setuid and setgid set the effective user id and effective group id when a file is executed.

  • however, if setuid and setgid are enabled on a directory, this is where they force any subsequent files/directories to be created with the same uid or gid.

That was the big difference I was missing.

$ info permissions

hit enter on

  • File permissions: (coreutils)File permissions.

Structure of File Mode Bits

27.1 Structure of File Mode Bits
================================
snip
 In addition to the three sets of three permissions listed above, the
file mode bits have three special components, which affect only
executable files (programs) and, on most systems, directories:

  1. Set the process's effective user ID to that of the file upon
     execution (called the set-user-ID bit, or sometimes the setuid
     bit).  For directories on a few systems, give files created in
     the directory the same owner as the directory, no matter who
     creates them, and set the set-user-ID bit of newly-created
     subdirectories.

  2. Set the process's effective group ID to that of the file upon
     execution (called the set-group-ID bit, or sometimes the setgid
     bit).  For directories on most systems, give files created in the
     directory the same group as the directory, no matter what group
     the user who creates them is in, and set the set-group-ID bit of
     newly-created subdirectories.

  3. Prevent unprivileged users from removing or renaming a file in a
     directory unless they own the file or the directory; this is
     called the restricted deletion flag for the directory, and is
     commonly found on world-writable directories like `/tmp'.

     For regular files on some older systems, save the program's text
     image on the swap device so it will load more quickly when run;
     this is called the sticky bit.

Numeric Modes:: File mode bits as octal numbers.

hit enter on

  • Numeric Modes:: File mode bits as octal numbers.
27.3 Numeric Modes
==================
snip
     Value in  Corresponding
     Mode      Mode Bit

               Other users not in the file's group:
        1      Execute/search
        2      Write
        4      Read

               Other users in the file's group:
       10      Execute/search
       20      Write
       40      Read

               The file's owner:
      100      Execute/search
      200      Write
      400      Read

               Special mode bits:
     1000      Restricted deletion flag or sticky bit
     2000      Set group ID on execution
     4000      Set user ID on execution

Directory Setuid and Setgid:: Set-user-ID and set-group-ID on directories

hit enter on

* Directory Setuid and Setgid:: Set-user-ID and set-group-ID on directories.
File: coreutils.info,  Node: Directory Setuid and Setgid,  Prev: Numeric Modes,  Up: File permissions

27.4 Directories and the Set-User-ID and Set-Group-ID Bits
==========================================================

On most systems, if a directory's set-group-ID bit is set, newly
created subfiles inherit the same group as the directory, and newly
created subdirectories inherit the set-group-ID bit of the parent
directory.  On a few systems, a directory's set-user-ID bit has a
similar effect on the ownership of new subfiles and the set-user-ID
bits of new subdirectories.  These mechanisms let users share files
more easily, by lessening the need to use `chmod' or `chown' to share
new files.

   These convenience mechanisms rely on the set-user-ID and set-group-ID
bits of directories.  If commands like `chmod' and `mkdir' routinely
cleared these bits on directories, the mechanisms would be less
convenient and it would be harder to share files.  Therefore, a command
like `chmod' does not affect the set-user-ID or set-group-ID bits of a
directory unless the user specifically mentions them in a symbolic
mode, or sets them in a numeric mode.  For example, on systems that
support set-group-ID inheritance:

     # These commands leave the set-user-ID and
     # set-group-ID bits of the subdirectories alone,
     # so that they retain their default values.
     mkdir A B C
     chmod 755 A
     chmod 0755 B
     chmod u=rwx,go=rx C
     mkdir -m 755 D
     mkdir -m 0755 E
     mkdir -m u=rwx,go=rx F

   If you want to try to set these bits, you must mention them
explicitly in the symbolic or numeric modes, e.g.:

     # These commands try to set the set-user-ID
     # and set-group-ID bits of the subdirectories.
     mkdir G H
     chmod 6755 G
     chmod u=rwx,go=rx,a+s H
     mkdir -m 6755 I
     mkdir -m u=rwx,go=rx,a+s J

   If you want to try to clear these bits, you must mention them
explicitly in a symbolic mode, e.g.:

     # This command tries to clear the set-user-ID
     # and set-group-ID bits of the directory D.
     chmod a-s D

   This behavior is a GNU extension.  Portable scripts should not rely
on requests to set or clear these bits on directories, as POSIX allows
implementations to ignore these requests.
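An added example (shell script; not part of the original page or of the coreutils manual) that exercises the three special bits described above: how ls shows them, the subdirectory inheritance from 27.4, and GNU chmod leaving a directory's setgid bit alone unless it is named. It assumes Linux with GNU coreutils and works only inside a mktemp(1) directory, so no real permissions are touched. The sticky bit's deletion restriction is not exercised because that needs a second user.

```shell
#!/bin/sh
# Added example, not from the original page or from coreutils: shows how the
# three special bits appear in ls(1) output, that a setgid directory hands the
# bit down to new subdirectories (section 27.4 above), and that GNU chmod only
# touches those bits on a directory when they are named explicitly.
# Assumes Linux with GNU coreutils; all work happens in a mktemp(1) directory.
set -eu

# 10-character type+mode field from ls -ld, e.g. "drwxr-sr-x".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# How the bits render: lower-case s/t when the matching execute bit is set,
# upper-case S/T when it is not (usually a sign of a mistyped chmod).
special_bits_display() {
    t=$(mktemp -d)
    mkdir "$t/drop" "$t/proj" "$t/odd"
    touch "$t/tool"
    chmod 1777 "$t/drop"    # sticky / restricted deletion, like /tmp
    chmod 2775 "$t/proj"    # setgid directory
    chmod 1776 "$t/odd"     # sticky, but others have no execute: shows as T
    chmod 4755 "$t/tool"    # setuid on a (here empty) program file
    printf '%s %s %s %s\n' "$(mode_of "$t/drop")" "$(mode_of "$t/proj")" \
        "$(mode_of "$t/odd")" "$(mode_of "$t/tool")"
    rm -rf "$t"
}

# A setgid directory passes its group and its setgid bit to subdirectories
# created inside it; plain files get the group but never the bit.
setgid_inheritance() {
    t=$(mktemp -d)
    (
        umask 022
        mkdir "$t/shared"
        chmod 2775 "$t/shared"
        mkdir "$t/shared/sub"      # no chmod here: the bit comes from the parent
        touch "$t/shared/file"
    )
    printf '%s %s %s\n' "$(mode_of "$t/shared")" "$(mode_of "$t/shared/sub")" \
        "$(mode_of "$t/shared/file")"
    rm -rf "$t"
}

# chmod 755 on a setgid directory keeps the bit (the GNU extension from 27.4);
# an explicit g-s is what clears it.
chmod_keeps_setgid() {
    t=$(mktemp -d)
    mkdir "$t/d"
    chmod 2755 "$t/d"
    chmod 755 "$t/d"
    before=$(mode_of "$t/d")
    chmod g-s "$t/d"
    after=$(mode_of "$t/d")
    rm -rf "$t"
    printf '%s %s\n' "$before" "$after"
}

special_bits_display    # drwxrwxrwt drwxrwsr-x drwxrwxrwT -rwsr-xr-x
setgid_inheritance      # drwxrwsr-x drwxr-sr-x -rw-r--r--
chmod_keeps_setgid      # drwxr-sr-x drwxr-xr-x
```

The capital S/T cases are worth recognising when auditing: a directory showing `S` has the setgid bit but no group execute, so group members cannot even search it, which is rarely what was intended.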

ACLs

Issue

  • application/service has a specific user/group set on the files it creates
  • need to let other users, unrelated to that application/service, manage the same files

Resolution

  • Use POSIX file Access Control Lists (setfacl) to grant the other users read/write/execute on the files, without changing the owner or group the service expects

Diagnostic Steps

  • add acl to the file system's default mount options (tune2fs -o acl; recent ext4 file systems usually have it already, which tune2fs -l shows)
  • remount the file system with acl so it takes effect without a reboot
  • use setfacl to set default ACLs (d:u:...) recursively on the affected directories; these are inherited only by files and directories created afterwards
  • use setfacl to set access ACLs (u:...) recursively on the same directories; these cover what already exists
 # enable ACLs as a default mount option, then pick it up without a reboot
 tune2fs -o acl /dev/mapper/efserv
 tune2fs -l /dev/mapper/efserv | grep -i options
 mount -o remount,acl /efserv
 mount | grep efserv

 # default ACLs: inherited by files and directories created from now on
 setfacl -R -m d:u:john:rwx Torrents
 setfacl -R -m d:u:jtanner:rwx Torrents
 getfacl Torrents

 # check that a new directory picks up the default entries
 mkdir /efserv/Torrents/test
 getfacl /efserv/Torrents/test/
 ls -l

 # same default ACLs on the other download trees
 setfacl -R -m d:u:john:rwx Torrents-tfb4rt/
 setfacl -R -m d:u:jtanner:rwx Torrents-tfb4rt/
 setfacl -R -m d:u:jtanner:rwx Torrents-transmission/
 setfacl -R -m d:u:john:rwx Torrents-transmission/
 getfacl Torrents-transmission/

 # access ACLs for what already exists (d:u:... does not touch existing files)
 setfacl -R -m u:john:rwx Torrents
 setfacl -R -m u:jtanner:rwx Torrents
 setfacl -R -m u:john:rwx Torrents-tfb4rt/
 setfacl -R -m u:jtanner:rwx Torrents-tfb4rt/
 setfacl -R -m u:john:rwx Torrents-transmission/
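An added example (shell script; not part of the original page) of the two kinds of ACL the steps above set, plus the mask gotcha that shows up afterwards. It assumes Linux with the acl package (setfacl/getfacl) and a /tmp that supports POSIX ACLs; uid 4242 is a made-up "other user" standing in for john/jtanner and does not need to exist, which is why getfacl is run with -n.

```shell
#!/bin/sh
# Added example, not from the original page: access ACLs (u:) for existing
# files, default ACLs (d:u:) for files created later, and the ACL mask.
# Assumes Linux with setfacl/getfacl and an ACL-capable /tmp; uid 4242 is a
# constructed stand-in for the other user and need not be in /etc/passwd.
set -eu

# Effective rights for uid 4242 on a path: the user:4242 entry itself, or the
# "#effective:" value getfacl appends when the mask cuts that entry down.
acl_effective_4242() {
    line=$(getfacl -n -c "$1" | grep '^user:4242:') || { echo none; return 0; }
    case $line in
        *'#effective:'*) echo "${line##*#effective:}" ;;
        *)               echo "$line" | cut -d: -f3 ;;
    esac
}

acl_demo() {
    d=$(mktemp -d)
    (
        umask 022
        mkdir "$d/share"
        touch "$d/share/old.txt"
        # u: covers what exists now, d:u: covers what is created later;
        # -R walks the tree, and default entries land on directories only
        setfacl -R -m u:4242:rw -m d:u:4242:rw "$d/share"
        touch "$d/share/new.txt"       # inherits the default entry
        mkdir "$d/share/sub"           # inherits the entry and the default ACL
        touch "$d/share/sub/deep.txt"  # so the grandchild gets it too
        touch "$d/outside.txt"         # not under share: no entry at all
        # the gotcha: chmod on the group bits rewrites the ACL mask, so a
        # plain "g-w" silently drops the named user to read-only
        chmod g-w "$d/share/new.txt"
    )
    printf '%s %s %s %s %s\n' \
        "$(acl_effective_4242 "$d/share")" \
        "$(acl_effective_4242 "$d/share/old.txt")" \
        "$(acl_effective_4242 "$d/share/sub/deep.txt")" \
        "$(acl_effective_4242 "$d/share/new.txt")" \
        "$(acl_effective_4242 "$d/outside.txt")"
    rm -rf "$d"
}

if command -v setfacl >/dev/null 2>&1; then
    acl_demo    # rw- rw- rw- r-- none
else
    echo "setfacl not installed" >&2
fi
```

Two things to carry over to the real command history above: recursive `u:john:rwx` puts an execute entry on every regular file under the tree, and `rwX` (capital X) is the usual way to give execute only on directories and files that already have it; and any later `chmod` of the group bits on those files changes the mask, not the group entry, which is why `getfacl` output should be re-read after fixing modes. `ls -l` marks files with an extended ACL with a `+` after the mode field.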

References

getfacl(1)