Solved

set-owner-ID-on-file-execution

Posted on 2001-06-06
18
610 Views
Last Modified: 2009-12-16
Hi All,

Along with the chmod command, there's one option, the "set-owner-ID-on-file-execution or set-group-ID-on-file-execution" permission. I'm unable to understand this option and its use. Can anyone help me with this? If possible, along with some examples. I've gone through the man page, but in vain.

Thanks & Regards,

Arindam
0
Question by:arindammukherjee
18 Comments
 
LVL 3

Expert Comment

by:mrn060900
ID: 6159209
Hi Arindam,

If the "Set UID" bit is set, then when someone executes the program, the program runs as if it were being executed by the program's owner rather than by the person actually running the program. This gives the program access to the program owner's files but, on the other hand, it ceases to have access to the files belonging to the person running the program. If the "Set GID" bit is set, then when someone executes the program, the active "group" changes to the group of the program. If the program's group was groupnam, then the program could access all files with a group of groupnam for which group access has been granted.

In most cases, it is better to use "Set GID" so the program can access both the files belonging to the person running the program as well as the files for which the corresponding group access has been granted. You can set this bit using:

  chmod 2755 progname

You can set the program's group using:

  chgrp groupnam progname

It's not really a good idea to use this as it could be a security risk; take a look at sudo (much more secure): http://www.courtesan.com/sudo/

Hope this helps

Regards Mike
0
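The numeric modes in Mike's answer (2755, 4755) and the "s" that `ls -l` shows for them are easier to reason about with a decoder. The following is an added example, not code from the thread; it assumes Python 3.9 or later and uses only the standard `stat` module. It converts a numeric mode to the nine-character string `ls -l` prints and back, and lists what the setuid/setgid bits mean for a regular file, including the combination a reviewer should worry about (a setuid or setgid file that is writable by everyone).

```python
import stat

# Permission bits in the order `ls -l` prints them: (read, write, execute) for the
# owner, the group and everyone else.
_TRIPLES = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
)
# The three "special" bits (octal 4000, 2000, 1000) and the letter that replaces
# the execute position of the matching triple: setuid -> owner, setgid -> group,
# sticky -> others.
_SPECIAL = ((stat.S_ISUID, "s"), (stat.S_ISGID, "s"), (stat.S_ISVTX, "t"))


def mode_to_symbolic(mode: int) -> str:
    """Render the permission bits of a mode (e.g. 0o4755) the way `ls -l` does."""
    out = []
    for (r, w, x), (special, letter) in zip(_TRIPLES, _SPECIAL):
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            # Lower case: special bit plus execute. Upper case (S/T): the special
            # bit is set but that class has no execute permission.
            out.append(letter if mode & x else letter.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)


def symbolic_to_mode(sym: str) -> int:
    """Inverse of mode_to_symbolic: 'rwsr-xr-x' -> 0o4755."""
    if len(sym) != 9:
        raise ValueError("expected nine permission characters, e.g. rwxr-xr-x")
    mode = 0
    for i, ((r, w, x), (special, _)) in enumerate(zip(_TRIPLES, _SPECIAL)):
        cr, cw, cx = sym[3 * i:3 * i + 3]
        if cr == "r":
            mode |= r
        if cw == "w":
            mode |= w
        if cx in "xst":
            mode |= x
        if cx in "sStT":
            mode |= special
    return mode


def special_bit_notes(mode: int) -> list[str]:
    """Explain what the setuid/setgid bits mean for a regular file with this
    mode, and flag the combination that turns them into a real risk."""
    notes = []
    if mode & stat.S_ISUID:
        notes.append("setuid: runs with the file owner's effective user ID")
        if not mode & stat.S_IXUSR:
            notes.append("setuid bit set but the owner cannot execute the file (ls shows S)")
    if mode & stat.S_ISGID:
        notes.append("setgid: runs with the file's group as effective group ID")
        if not mode & stat.S_IXGRP:
            notes.append("setgid bit set but the group cannot execute the file (ls shows S)")
    if mode & (stat.S_ISUID | stat.S_ISGID) and mode & stat.S_IWOTH:
        notes.append("world-writable: anyone can change the code that runs with the elevated identity")
    return notes


if __name__ == "__main__":
    for m in (0o755, 0o2755, 0o4755, 0o4644, 0o4757):
        print(oct(m), mode_to_symbolic(m), "; ".join(special_bit_notes(m)))
```

Running it prints, for instance, `0o2755 rwxr-sr-x setgid: ...` for Mike's `chmod 2755 progname`, and shows why `4757` is the mode nobody should ever see on a real system.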
 

Author Comment

by:arindammukherjee
ID: 6160089
Hi Mike,

It's not exactly happening as you've mentioned. I'll tell you what and how I tried. I've created one script scr1 which just calls scr2. These two scripts are created by user usr1. scr1 has 4755 permission, whereas scr2 has only 700 permission. So, usr1 can access both scr1 and scr2, whereas another user usr2 can only access scr1, but not scr2 directly. As "Set UID" is set for scr1, then when usr2 calls scr1, it should be able to execute scr2 also. But, this is not exactly happening. Is there any problem with my understanding of the topic? Or is there some other problem? Pl. help.

Thanks & Regards,

Arindam
0
 
LVL 3

Expert Comment

by:mrn060900
ID: 6162914
Because usr2 has no permission to run scr2, it can't, even if it's running scr1 as usr1.

Like I said before, this method is open to abuse, and I would really recommend not using the set UID. In this case the sudo command would be a lot better.

With sudo you could give usr2 permission to run scr1 & scr2 as usr1.

Another way would be to use groups, create a group called scripters and put both usr1 & usr2 in that group. Then chgrp of the scripts to scripters, and chmod 750 the scripts.

Unless you have a specific reason to not allow access to scr2 from usr2, I would try one of the suggestions above.

Regards Mike
www.unixonline.co.uk
0
 

Author Comment

by:arindammukherjee
ID: 6163054
Mike,

Still I'm unable to understand the usage of "Set UID" and "Set GID". If I've understood the basics of "Set UID" and "Set GID", then usr2 should've been able to run scr2 through scr1. But, that hadn't happened. This was my concern. I'd be obliged if you pl. elaborate on the basis of my instance given before. Thanks in advance.

Thanks & Regards,

Arindam
0
 
LVL 3

Expert Comment

by:mrn060900
ID: 6163097
Ok, just to clarify,

Setting Set UID on a file changes the ability to run that file; it is not passed on to any other file.

Example

I (usr1) have a car (scr1) and a lorry (scr2). I allow you (usr2) to use my car (scr1) but not my lorry (scr2). What you're trying to do is put the car on the back of the lorry, and drive the lorry, still sat in the car.

Sorry, but that's the best way I can think of telling you.

;-) Mike
0
 

Author Comment

by:arindammukherjee
ID: 6163873
Mike,

I'd like to add that, you (usr1) could've just allowed me (usr2) to use your car (scr1) by just 755 permission. Then, what's the use of "Set UID"? What's the added advantage of "Set UID"?

Thanks & Regards,

Arindam
0
 
LVL 3

Accepted Solution

by: mrn060900 (earned 50 total points)
ID: 6164031
Exactly!!!

It's a waste of time!!! It's from way back in the dark old days of Unix, and serves no other purpose than to be a gaping security hole, one that you don't need.

And before somebody jumps in and shouts me down, I know it can be of some use (But not much).

The normal method of securing files -rwxrwxrwx along with the use of controlled groups should be enough to make any system secure.

Arindam, just try this for me and tell me how many files you have with these permissions:

find / -type f -perm +6000 | wc -l
find / -type f -perm +4000 | wc -l

Regards Mike

0
 
LVL 3

Expert Comment

by:mrn060900
ID: 6164079
Oh I just thought of an example,

Say you have some files created by root in the group system, but with read permissions for the world: -rwxrw-r--

Now everybody that's on the system can read the contents of the file.

But only root itself or somebody in the systems group could delete the file.

Because it's only a log, you would like the users to be able to remove it themselves, but you don't want to give them root permissions, or put them in the systems group.

So do a chmod 4754 on the log.

Now everyone has root permissions on the file. Good, you say!

Bad, I say: now someone could edit the file, say put rm -r * in it.

Run the script from / and suddenly the script is running as root, and deleting your files from root downwards.

bad Bad BAd BAD.

The same applies to the sgid side as well.

If I can think of a positive use for it I'll post it here, but someone far less cynical than myself will more than likely beat me to it....


Mike
0
 

Author Comment

by:arindammukherjee
ID: 6164513
Mike,

Both of the commands

find / -type f -perm +6000 | wc -l
find / -type f -perm +4000 | wc -l

yielded the result 0. What did you want to check?

Thanks & Regards,

Arindam
0
 

Expert Comment

by:saila
ID: 6165148
In the chmod command:
Search permission for directories.
 s   Set-user-ID-on-execution permission if the u flag is specified or implied. Set-group-ID-on-execution permission if the g flag is specified or implied.

The numeric mode is the sum of one or more of the following values:

 4000  Sets user ID on execution.
 2000  Sets group ID on execution.

eg:
chmod ug+s cmd

When the cmd command is executed, the effective user and group IDs are set to those that own the cmd file. Only the effective IDs associated with the child process that runs the cmd command are changed. The effective IDs of the shell session remain unchanged.

This feature allows you to permit access to restricted files. Suppose that the cmd program has the Set-User-ID Mode enabled and is owned by a user called dbms. The user dbms is not actually a person, but might be associated with a database management system.

The user betty does not have permission to access any of dbms's data files. However, she does have permission to execute the cmd command. When she does so, her effective user ID is temporarily changed to dbms, so that the cmd program can access the data files owned by the user dbms.

This way the user betty can use the cmd command to access the data files, but she cannot accidentally damage them with the standard shell commands.

Hope this helps
0
 
LVL 3

Expert Comment

by:mrn060900
ID: 6165599
I just wanted to see how many set uid or set gid programs you had on your system.

Just one point: did you know what those commands did before you ran them?

Mike
0
 

Author Comment

by:arindammukherjee
ID: 6166706
Hi Mike,

Although I know about the "find" command and have used it in some places, I must admit that I really haven't come across the "type f -perm" option before. But I guessed "perm" has something to do with "permission". I understand that I shouldn't have executed those commands unknowingly, but I did so having full faith in you.

;-)

Thanks & Regards,

Arindam
0
 

Author Comment

by:arindammukherjee
ID: 6166743
Hi saila,

This is exactly what I guessed, and I tried some examples on that. Pl. go through my previous comments. This is not exactly happening. Can you pl. elaborate on the example I've given above? Like, where might the loophole be?

Thanks & Regards,

Arindam
0
 
LVL 3

Expert Comment

by:mrn060900
ID: 6190547
Arindam,

I've just found this article; you may find it useful.

http://www.sysadminmag.com/current/0106a/0106a.htm

Regards Mike
0
 

Author Comment

by:arindammukherjee
ID: 6209655
Thanks Mike. I'm going through the article.

Thanks & Regards,

Arindam
0
 

Author Comment

by:arindammukherjee
ID: 6209659
The examples were quite elaborative and very suitable.
0
 

Expert Comment

by:exclbr
ID: 8281510
0
 

Expert Comment

by:exclbr
ID: 8281590
Further to Arindam's original example, it should have worked. I had the same problem initially, but it turned out you need #!/bin/sh in the first line of the script.

Check this out: http://ou800doc.caldera.com/cgi-bin/man/man?chmod+1

This tip may not be in other Unix man pages, e.g. HP-UX.

Excalibur
0
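Two things in this thread are worth seeing in working code: the audit Mike asked for with `find / -type f -perm +6000` (current GNU find spells that mask `-perm /6000`; `+mode` was the older syntax), and the reason Arindam's scr1/scr2 experiment showed nothing, which is that Linux (like most current kernels) ignores the setuid and setgid bits on `#!` interpreter scripts and honours them only on native executables. The following is an added example, not code from the thread or from any of its participants. It assumes Python 3.9 or later on Linux; the file names and contents it builds are constructed for the demonstration. It walks a tree, reports every regular file carrying either bit, and attaches the properties that make such a file a problem: writable by others (Mike's "someone could edit the file" case) or an interpreter script on which the bit is dead weight.

```python
import os
import stat
import tempfile

# Octal 4000 | 2000: the mask behind `find -perm +6000` (`-perm /6000` in
# current GNU find), matching files that carry setuid, setgid or both.
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def is_interpreter_script(path: str) -> bool:
    """True when the file starts with '#!'. Linux runs such files through the
    named interpreter and ignores setuid/setgid on them, so the bits grant no
    privilege there and only signal a misconfiguration."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def audit_special_bits(root: str) -> list[dict]:
    """Walk `root` and report every regular file carrying setuid and/or setgid,
    together with the properties that make such a file risky."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks while auditing
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & SPECIAL_BITS:
                continue
            issues = []
            if st.st_mode & stat.S_IWOTH:
                issues.append("world-writable: anyone can replace the code that runs with the elevated identity")
            elif st.st_mode & stat.S_IWGRP:
                issues.append("group-writable: every group member can replace the code")
            if is_interpreter_script(path):
                issues.append("interpreter script: Linux ignores setuid/setgid on #! files")
            findings.append({
                "name": name,
                "path": path,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "owner_uid": st.st_uid,
                "setuid": bool(st.st_mode & stat.S_ISUID),
                "setgid": bool(st.st_mode & stat.S_ISGID),
                "issues": issues,
            })
    return sorted(findings, key=lambda f: f["path"])


def run_demo() -> list[dict]:
    """Build a constructed sample tree in a temporary directory, audit it and
    return the findings. Only setuid is used: an unprivileged owner may set it
    on its own files, whereas chmod silently drops setgid when the file's group
    is not one of the caller's groups."""
    with tempfile.TemporaryDirectory() as base:
        script = os.path.join(base, "setuid_script.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho 'I was supposed to run as my owner'\n")
        os.chmod(script, 0o4755)  # like scr1 in the thread: setuid on a script

        binary = os.path.join(base, "setuid_worldwritable")
        with open(binary, "wb") as fh:
            fh.write(b"\x7fELF placeholder, not a real executable")
        os.chmod(binary, 0o4757)  # setuid AND writable by everyone

        helper = os.path.join(base, "plain_helper")
        with open(helper, "w") as fh:
            fh.write("#!/bin/sh\necho helper\n")
        os.chmod(helper, 0o700)  # like scr2: no special bits, not reported

        return audit_special_bits(base)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["mode"], finding["name"],
              "; ".join(finding["issues"]) or "no extra issues")
```

Pointing `audit_special_bits` at `/` gives the same list as Mike's `find` commands, with the two risk markers attached to each hit; a count of zero, as Arindam reported, is unusual on a general-purpose Unix, where programs such as passwd are normally setuid to root.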
