Advanced File Permissions in Linux
There are 3 special attributes other than the common read/write/execute.
1. Sticky bit
2. Set User ID (SUID)
3. Set Group ID (SGID)
Example:
drwxrwxrwt - Sticky Bits - chmod 1777
drwsrwxrwx - SUID set - chmod 4777
drwxrwsrwx - SGID set - chmod 2777
Here we will discuss SGID.
SGID (Set Group ID)
If an executable file has SGID set, it runs with the privileges of the file's
group owner instead of the group of the person running the program.
SGID can be set on both files and directories; on a directory, every file created inside it inherits the directory's group instead of the creator's primary group.
[root@localhost]# mkdir /home/projects
[root@localhost]# chmod 777 /home/projects
[root@localhost]# logout
login u1 user
[u1@localhost]$ mkdir /home/projects/myproject
[u1@localhost]$ chmod 2777 /home/projects/myproject
Note: Any file created by any user under the myproject directory will have u1 as its group owner.
Now let me check:
[u1@localhost]$ logout
login u2 user
[u2@localhost]$ vim /home/projects/myproject/file1
[u2@localhost]$ ls -la /home/projects/myproject
-rw-rw-r-- 1 u2 u1 0 Jan 24 08:20 file1
In the above example you can see that the owner of file1 is u2 and the group owner of file1 is u1, so both u1 and u2 can edit, rename or delete file1. Other users cannot edit file1, but they can still delete it, because the myproject directory itself is world-writable (777). To prevent this, set the sticky bit on the myproject directory.
[u2@localhost]$ logout
login u1 user (owner of myproject)
[u1@localhost]$ chmod +t /home/projects/myproject
Now only the owner of the directory or the owner of a file can delete or rename files in it.
Now let's make this more interesting and complicated.
Create a directory "test". Chmod it to 2777. Add the sticky bit to it.
Example:
mkdir test
chmod 2777 test
chmod +t test
ls -ld test
drwxrwsrwt 2 a1 a1 4096 Jun 13 2008 test
From the above permission set you can understand that SGID and
the sticky bit are set for the folder "test".
Now any user can create files under the test directory.
Example:
drwxrwsrwt 2 a1 a1 4096 Jun 13 2008 .
-rw-rw-r-- 1 b2 a1 0 Jun 11 17:30 1.txt
-rw-rw-r-- 1 c3 a1 0 Jun 11 17:30 2.txt
-rw-rw-r-- 1 d4 a1 0 Jun 11 17:30 3.txt
So user a1 has access to all the files under the test
directory. He can edit, rename or remove any of them.
User b2 has such access to 1.txt only, c3 to 2.txt only, and so on.
If the sticky bit were not set on the test directory, any user could
delete any file from the test directory, since the test directory has 777
permissions.
But now it is not possible.
Example:
If d4 tries to remove 1.txt:
rm -f 1.txt
rm: cannot remove `1.txt': Operation not permitted
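The two things this post relies on are reading a mode string such as drwxrwsrwt correctly and knowing who the sticky bit lets unlink a file. The Python below is an added example for this post, not something from the original author: parse_mode() decodes an ls-style mode string into numeric bits (distinguishing s/t from S/T, which tells you whether the execute bit is actually set), can_delete() is a simplified model of the kernel's unlink rule (root, capabilities and ACLs are ignored), and live_check() creates a real directory with mode 3777 in a temporary location and reads back what was stored. The user names a1, b2, c3 and d4 are the post's constructed scenario, not real accounts.

```python
"""Decode ls-style mode strings (e.g. drwxrwsrwt) and model who may unlink a
file depending on the directory's sticky bit.  Added example for this post;
the user names a1/b2/c3/d4 are the post's constructed scenario."""
import os
import stat
import tempfile


def parse_mode(symbolic):
    """Turn a 10-character ls mode string into numeric permission bits,
    special bits included: 'drwxrwsrwt' -> 0o3777, 'drwsrwxrwx' -> 0o4777.
    Lower-case s/t mean the execute bit is also set; upper-case S/T mean the
    special bit is set without execute (a common sign of a mis-applied chmod)."""
    if len(symbolic) != 10:
        raise ValueError("expected a 10-character mode string such as drwxrwsrwt")
    mode = 0
    for who in range(3):                       # 0 = user, 1 = group, 2 = other
        r, w, x = symbolic[1 + 3 * who:4 + 3 * who]
        shift = 6 - 3 * who
        if r == "r":
            mode |= 4 << shift
        elif r != "-":
            raise ValueError("bad read flag %r" % r)
        if w == "w":
            mode |= 2 << shift
        elif w != "-":
            raise ValueError("bad write flag %r" % w)
        if x in "xst":                         # execute/search bit present
            mode |= 1 << shift
        if x in "sS" and who == 0:
            mode |= stat.S_ISUID
        elif x in "sS" and who == 1:
            mode |= stat.S_ISGID
        elif x in "tT" and who == 2:
            mode |= stat.S_ISVTX
        elif x not in "x-":
            raise ValueError("bad execute flag %r in class %d" % (x, who))
    return mode


def can_delete(dir_mode, dir_owner, dir_group, file_owner, user, user_groups):
    """Simplified model of the Linux unlink rule (root, capabilities and ACLs
    ignored): the caller needs write+search on the directory, and if the
    directory's sticky bit is set the caller must also own the file or the
    directory.  The file's own mode plays no part in deleting it."""
    if user == dir_owner:
        bits = (dir_mode >> 6) & 7
    elif dir_group in user_groups:
        bits = (dir_mode >> 3) & 7
    else:
        bits = dir_mode & 7
    if bits & 0o3 != 0o3:                      # need w (2) and x (1) on the directory
        return False
    if dir_mode & stat.S_ISVTX:
        return user in (file_owner, dir_owner)
    return True


def live_check():
    """Create a directory with mode 3777 (the post's chmod 2777 + chmod +t) in a
    temporary location and read back what the kernel stored; a file created
    inside inherits the directory's group because of SGID."""
    with tempfile.TemporaryDirectory() as base:
        test_dir = os.path.join(base, "test")
        os.mkdir(test_dir)
        os.chmod(test_dir, 0o3777)
        dir_st = os.stat(test_dir)
        new_file = os.path.join(test_dir, "1.txt")
        open(new_file, "w").close()
        return {
            "dir_mode": stat.filemode(dir_st.st_mode),
            "special_bits": stat.S_IMODE(dir_st.st_mode) & 0o7000,
            "file_inherits_group": os.stat(new_file).st_gid == dir_st.st_gid,
        }


if __name__ == "__main__":
    # The post's scenario: a1 owns "test" (group a1); b2, c3, d4 each created one file.
    files = {"1.txt": "b2", "2.txt": "c3", "3.txt": "d4"}
    for label, mode in (("chmod 2777", 0o2777), ("chmod 2777 + chmod +t", 0o3777)):
        print(label, stat.filemode(stat.S_IFDIR | mode))
        for user in ("a1", "b2", "c3", "d4"):
            allowed = [name for name, owner in files.items()
                       if can_delete(mode, "a1", "a1", owner, user, {user})]
            print("  %s may delete: %s" % (user, ", ".join(allowed) or "nothing"))
    print(live_check())
```

Running the script as a normal user prints the deletion matrix for both modes (without the sticky bit every user may delete every file; with it, d4 is limited to 3.txt while a1 keeps full control) and then the stored mode of the temporary directory. The stat.filemode() call used for the round trip is the standard library's own formatter, so it is a convenient cross-check of parse_mode() on any string you pull from ls -l.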