LiveFire Labs' UNIX Tip, Trick, or Shell Script of the Week
Special Purpose Access Modes (Permissions) - Part I - SUID (set user ID)
Even if you are new to the UNIX or Linux operating system
environment, you most likely have already worked with file access
modes (permissions) in some form. Your experience may have been as
simple as granting execute permission to a new shell script you
authored.
In addition to the basic file access modes (read, write, and execute),
there are also a few special purpose modes. The special mode
discussed in this week's tip is SUID, or set user ID.
If a file (command) is an executable and has the SUID bit set, the
process running the command inherits the privileges and access rights
of the file's owner for its duration, not those of the user who
created the process. A frequently used UNIX command that exhibits
this configuration is the passwd command:
-r-sr-sr-x 3 root sys 73748 Nov 2 2001 /usr/bin/passwd
The "s" in the third position of the owner permission set indicates
set user ID and execute permission. Non-privileged users running
passwd need this level of access (root) because the access-restricted
/etc/shadow file has to be updated each time a login password is
changed. Notice the ownership and permissions for this file:
-r-------- 1 root sys 346 Aug 16 15:14 /etc/shadow
If passwd were run without root's access rights, a
non-privileged user would be unable to update /etc/shadow.
Just like basic file access modes, the SUID bit is also set with the
chmod command. Consider the starting access mode of unixprogram:
-r-xr-xr-x 1 root other 647 Sep 6 16:17 unixprogram
The following command will set the SUID bit for this file:
# chmod 4555 unixprogram
# ls -l unixprogram
-r-sr-xr-x 1 root other 647 Sep 6 16:17 unixprogram
As you can see, the "x" in the owner permission set was changed to
"s". Review chmod's man page for more information regarding the
setting of this special permission.
It is important to recognize that using this functionality may also
introduce security vulnerabilities, especially if used with files
owned by root. This becomes even more of a concern if the files are
shell scripts because of the relative ease with which they can be
exploited.
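Because root-owned SUID files, and SUID shell scripts in particular, are the cases singled out above, an administrator will want an inventory of them. The following is an added example, not part of the original tip or LiveFire Labs' material; the function names suid_audit and first_two_bytes_hex and the risk labels are hypothetical.

```shell
#!/bin/sh
# Added example: defensive inventory of SUID files under a directory.
# Function names and risk labels are hypothetical, chosen for this sketch.

# Hex of a file's first two bytes; "2321" is "#!", i.e. an interpreted script.
first_two_bytes_hex() {
    head -c 2 2>/dev/null < "$1" | od -An -tx1 | tr -d ' \n'
}

# suid_audit DIR
# Prints one tab-separated line per SUID regular file: RISK MODE UID PATH
#   RISK is script or binary, prefixed with "root-" when the owner is UID 0.
# Paths containing newlines are not handled.
suid_audit() {
    # -perm -4000 matches any file with the set-user-ID bit on;
    # -xdev keeps the scan on one filesystem (skips /proc, network mounts).
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        # ls -ln prints the numeric owner, so no passwd lookup is needed.
        read -r mode links uid rest <<EOF
$(ls -ln "$f")
EOF
        if [ "$(first_two_bytes_hex "$f")" = "2321" ]; then
            kind=script
        else
            kind=binary
        fi
        if [ "$uid" = "0" ]; then
            kind="root-$kind"
        fi
        printf '%s\t%s\t%s\t%s\n' "$kind" "$mode" "$uid" "$f"
    done
}

# Usage: suid_audit /usr/bin
```

Any line labelled root-script deserves review first; comparing the output against a saved baseline shows SUID files that appeared since the last audit.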
Read the NEXT article in this series - Special Purpose Access Modes (Permissions) - Part II - SGID (set group ID)