Solved

What is the sticky bit?

Posted on 2001-07-26
10
600 Views
Last Modified: 2012-06-27
What are the main differences between the sticky bit and set-user-id (set-group-id),
which are set using
chmod u+s
chmod g+s
chmod u+t

I was trying to set the following priv for /usr/bin/sh in my local home
-rwsr-sr-t   /home/rajiv/sh
This way, while I run this script (i.e. sh) I should have root's privileges.
Please explain in detail.
And how can I achieve this on UnixWare 7.1.1?
Thanks in advance.
0
Comment
Question by:rajiv_indya
10 Comments
 
LVL 5

Expert Comment

by:paulqna
ID: 6322461
The t means only the OWNER will have sufficient privileges to delete the file.

Just the first chmod u+s will do the trick; the t will normally only be set on the /tmp directory.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6324527
Some clarification...

+t _on_a_directory_ means that only the owner of a file can delete it.  It essentially has no meaning any longer on regular files (it used to be a hint to the memory swapping system, but very few systems use swapping any more, as opposed to demand-paging).

Meanwhile, u+s/g+s implies that the program will run with the id of the file's owner (group).  If you want something to run as root, you have to chown it to be owned by root and then set u+s.
0
 

Author Comment

by:rajiv_indya
ID: 6332889
I was trying to set the following priv for /usr/bin/sh in my local home
-rwsr-sr-t   /home/rajiv/sh
This way, while I run this script (i.e. sh) I should have root's privileges.
But it is not so.
Why?
sh should be run with root as the owner.

Also, the documentation says that the first line of a shell script which is being executed should be
"#! /bin/sh"
Is that not true of binary files?
0

 
LVL 14

Accepted Solution

by:
chris_calabrese earned 10 total points
ID: 6334438
There are four problems with this:
1.  This only works if the file is owned by root:sys (or whatever group you want to sgid to).
2.  This is a very bad idea from a security standpoint, as it allows anyone who can break into your account (sniff your password on the net through telnet or XDM, take advantage of bugs in cron or mail, etc) to become root trivially.
3.  The +t doesn't do anything useful.
4.  Most versions of sh have code that doesn't allow suid/sgid to prevent you from doing what you're trying to do.
0
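As an added example (not code from any poster in this thread), a small POSIX shell helper that decodes a symbolic mode string such as the -rwsr-sr-t from the question into its special bits, separating the setuid and setgid bits from the sticky bit and flagging when the underlying execute bit is missing, plus a find-based audit that lists setuid/setgid files under a directory, which is how an administrator checks for the risk described in point 2. The function names describe_mode and find_special are assumed names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. Decodes a symbolic mode string such as
# the "-rwsr-sr-t" in the question and lists setuid/setgid files for audit.
# describe_mode and find_special are names chosen here (assumptions).

# Print which special bits a 10-character ls -l mode string carries.
# Lowercase s/t: special bit plus execute; uppercase S/T: special bit set
# but execute missing, which is almost always a mistake.
describe_mode() {
    mode=$1
    if [ "${#mode}" -ne 10 ]; then
        echo "expected a 10-character mode string, got: $mode" >&2
        return 1
    fi
    ftype=$(printf '%s' "$mode" | cut -c1)   # '-' file, 'd' directory, ...
    u=$(printf '%s' "$mode" | cut -c4)       # owner execute position
    g=$(printf '%s' "$mode" | cut -c7)       # group execute position
    o=$(printf '%s' "$mode" | cut -c10)      # other execute position
    out=""
    case $u in
        s) out="${out}setuid(exec) " ;;
        S) out="${out}setuid(NO exec) " ;;
    esac
    case $g in
        s) out="${out}setgid(exec) " ;;
        S) out="${out}setgid(NO exec) " ;;
    esac
    case $o in
        t|T)
            if [ "$ftype" = d ]; then
                # Sticky on a directory: only a file's owner (or root) may
                # unlink or rename it, as on /tmp.
                if [ "$o" = t ]; then out="${out}sticky-dir(exec) "
                else out="${out}sticky-dir(NO exec) "; fi
            else
                # Sticky on a regular file has no effect on modern systems.
                out="${out}sticky-file(ignored) "
            fi ;;
    esac
    [ -n "$out" ] || out="no special bits "
    printf '%s\n' "${out% }"
}

# List setuid or setgid files under a directory with owner and mode, so an
# administrator can spot a shell that has been made setuid.
find_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null
}

describe_mode '-rwsr-sr-t'   # the mode from the question
describe_mode 'drwxrwxrwt'   # a typical /tmp
```

Run find_special /usr/bin (or any tree) to review which binaries carry the bits; on Linux the kernel ignores the setuid bit on #! scripts entirely, so only compiled binaries found this way actually run with their owner's id.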
 

Expert Comment

by:gmancuso
ID: 6342017
Right on chris_calabrese

rajiv_indya, perhaps you could tell us what you're trying to do, and we can give some ideas about a better way to do it?

To clear up some points:
#!/bin/sh tells the shell to go find /bin/sh and use it to interpret the file.  (I'm fairly sure it will use the file (not /bin/sh) to determine what permissions to use.)  #!/usr/local/bin/superinterpreter indicates that /usr/local/bin/superinterpreter will be handling the file.  

If all you're wanting to do is have a suid script, change the _script_, not its interpreter, to be suid.  (remember to keep suid scripts under tight control.. )

Hope that helps.. send more info, we'll send better answers :)

-Gus
0
 
LVL 9

Expert Comment

by:PeterMac
ID: 6413531
rajiv

Fully in accord with previous answers, the one thing they haven't mentioned is that you would have to have root permissions already to achieve what you seem to be trying to do. The only way you can set "s" bits on a file owned by root is to be root, and the file must be owned by root before you set the bits.

0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 6799360
Lucky that EE no longer autogrades, huh?
As I see it, Chris deserves the points more than PeterMac, no? I mean Peter, yours is a comment if I ever saw a comment ;-)

Michel
0
 
LVL 9

Expert Comment

by:PeterMac
ID: 6799564
to mplungian

No problem at all with that, I just figured the question had been answered, and I'm not too happy about discussing unix security bypasses with someone at the level of the question proposer. A simple statement of facts is OK, but suggestions on other methods of achieving what he was trying to do are out in my book.

Wasn't aware EE ever did autograde, and there had been no comment for three weeks. It was also my first day logged into EE, and I hadn't quite figured out the system.
0
 
LVL 21

Expert Comment

by:tfewster
ID: 7621362
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
- Answered by chris_calabrese

Please leave any comments here before 13/1/2003

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER !

tfewster (I don't work here, I'm just an Expert :-)
0
 

Expert Comment

by:SpideyMod
ID: 7805230
per recommendation

SpideyMod
Community Support Moderator @Experts Exchange
0
