Skip to main content

Special Permissions in linux


The setuid permission on an executable file means that the command will run as the user owning the file, not as the user that ran the command. One example is the passwd command:
[student@desktopX ~]$ ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 35504 Jul 16  2010 /usr/bin/passwd
In a long listing, you can spot the setuid permissions by a lowercase s where you would normally expect the x (owner execute permissions) to be. If the owner does not have execute permissions, this will be replaced by an uppercase S.
The special permission setgid on a directory means that files created in the directory will inherit their group ownership from the directory, rather than inheriting it from the creating user. This is commonly used on group collaborative directories to automatically change a file from the default private group to the shared group, or if files in a directory should be always owned by a specific group. An example of this is the /run/log/journal directory:
[student@desktopX ~]$ ls -ld /run/log/journal
drwxr-sr-x. 3 root systemd-journal 60 May 18 09:15 /run/log/journal
If setgid is set on an executable file, then similarly to setuid, that command will run as the group owning that file, not as the user that ran the command. One example is the screen command:
[student@desktopX ~]$ ls -ld /usr/bin/screen
-rwxr-sr-x. 1 root screen 475168 Jan 18  2016 /usr/bin/screen
In a long listing, you can spot the setgid permissions by a lowercase s where you would normally expect the x (group execute permissions) to be. If the group does not have execute permissions, this will be replaced by an uppercase S.
Lastly, the sticky bit for a directory sets a special restriction on deletion of files: Only the owner of the file (and root) can delete files within the directory. An example is /tmp:
[student@desktopX ~]$ ls -ld /tmp
drwxrwxrwt. 39 root root 4096 Feb  8 20:52 /tmp
In a long listing, you can spot the sticky permissions by a lowercase t where you would normally expect the x (other execute permissions) to be. If the other does not have execute permissions, this will be replaced by an uppercase T.
Effects of Special Permissions on Files and Directories
Special permission Effect on files Effect on directories
u+s (suid) File executes as the user that owns the file, not the user that ran the file. No effect.
g+s (sgid) File executes as the group that owns the file. Files newly created in the directory have their group owner set to match the group owner of the directory.
o+t (sticky) No effect. Users with write on the directory can only remove files that they own; they cannot remove or force saves to files owned by other users.

Setting Special Permissions
  • Symbolically: setuid = u+s; setgid = g+s; sticky = o+t
  • Numerically (fourth preceding digit): setuid = 4; setgid = 2; sticky = 1
Examples
  • Add the setgid bit on directory:
    [root@desktopX ~]# chmod g+s directory
  • Set the setgid bit, and read/write/execute for user and group on directory:
    [root@desktopX ~]# chmod 2770 directory
      

Default File Permissions

The default permissions for files are set by the processes that create them. For example, text editors create files so they are readable and writeable, but not executable, by everyone. The same goes for shell redirection. Additionally, binary executables are created executable by the compilers that create them. The mkdir command creates new directories with all permissions set—read, write, and execute.
Experience shows that these permissions are not typically set when new files and directories are created. This is because some of the permissions are cleared by the umask of the shell process. The umask command without arguments will display the current value of the shell's umask:
[student@desktopX ~]$ umask
0002
Every process on the system has a umask, which is an octal bitmask that is used to clear the permissions of new files and directories that are created by the process. If a bit is set in the umask, then the corresponding permission is cleared in new files. For example, the previous umask, 0002, clears the write bit for other users. The leading zeros indicate the special, user, and group permissions are not cleared. A umask of 077 clears all the group and other permissions of newly created files.
Use the umask command with a single numeric argument to change the umask of the current shell. The numeric argument should be an octal value corresponding to the new umask value. If it is less than 3 digits, leading zeros are assumed.
The system default umask values for Bash shell users are defined in the /etc/profile and /etc/bashrc files. Users can override the system defaults in their .bash_profile and .bashrc files.
This example demonstrates the effects of umask on new files and directories. Note: These steps are provided only as an example. You are not expected to complete them on your own.

  1. Create a new file and directory to see how the default umask affects permissions.
    [student@desktopX ~]$ touch newfile1
    [student@desktopX ~]$ ls -l newfile1
    -rw-rw-r--. 1 student student 0 May  9 01:54 newfile1
    [student@desktopX ~]$ mkdir newdir1
    [student@desktopX ~]$ ls -ld newdir1
    drwxrwxr-x. 2 student student 0 May  9 01:54 newdir1
    
  2. Set the umask value to 0. This setting will not mask any of the permissions of new files. Create a new file and directory to see how this new umask affects permissions.
    [student@desktopX ~]$ umask 0
    [student@desktopX ~]$ touch newfile2
    [student@desktopX ~]$ ls -l newfile2
    -rw-rw-rw-. 1 student student 0 May  9 01:54 newfile2
    [student@desktopX ~]$ mkdir newdir2
    [student@desktopX ~]$ ls -ld newdir2
    drwxrwxrwx. 2 student student 0 May  9 01:54 newdir2
    
  3. Set the umask value to 007. This setting will mask all of the "other" permissions of new files.
    [student@desktopX ~]$ umask 007
    [student@desktopX ~]$ touch newfile3
    [student@desktopX ~]$ ls -l newfile3
    -rw-rw----. 1 student student 0 May  9 01:55 newfile3
    [student@desktopX ~]$ mkdir newdir3
    [student@desktopX ~]$ ls -ld newdir3
    drwxrwx---. 2 student student 0 May  9 01:54 newdir3
    
  4. Set the umask value to 027. This setting will mask write access for group members and all of the "other" permissions of new files.
    [student@desktopX ~]$ umask 027
    [student@desktopX ~]$ touch newfile4
    [student@desktopX ~]$ ls -l newfile4
    -rw-r-----. 1 student student 0 May  9 01:55 newfile4
    [student@desktopX ~]$ mkdir newdir4
    [student@desktopX ~]$ ls -ld newdir4
    drwxr-x---. 2 student student 0 May  9 01:54 newdir4
    
  5. Log in as root to change the default umask for unprivileged users to prohibit all access for users not in their group.
    Modify /etc/bashrc and /etc/profile to change the default umask for Bash shell users. Since the default umask for unprivileged users is 0002, look for the umask command in these files that sets the umask to that value. Change them to set the umask to 007.
    [root@desktopX ~]# less /etc/bashrc
        # You could check uidgid reservation validity in
        # /usr/share/doc/setup-*/uidgid file
        if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
           umask 002
        else
           umask 022
        fi
        
        # Only display echos from profile.d scripts if we are no login shell
    [root@desktopX ~]# vim /etc/bashrc
    [root@desktopX ~]# less /etc/bashrc
        # You could check uidgid reservation validity in
        # /usr/share/doc/setup-*/uidgid file
        if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
           umask 007
        else
           umask 022
        fi
        
        # Only display echos from profile.d scripts if we are no login shell
    [root@desktopX ~]# less /etc/profile
        # You could check uidgid reservation validity in
        # /usr/share/doc/setup-*/uidgid file
        if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
            umask 002
        else
            umask 022
        fi
        
        for i in /etc/profile.d/*.sh ; do
    [root@desktopX ~]# vim /etc/profile
    [root@desktopX ~]# less /etc/profile
        # You could check uidgid reservation validity in
        # /usr/share/doc/setup-*/uidgid file
        if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
            umask 007
        else
            umask 022
        fi
        
        for i in /etc/profile.d/*.sh ; do
    
  6. Log back in as student and confirm that the umask changes you made are persistent.
    [student@desktopX ~]$ umask
    0007
    

Note

Other shells, such as tcsh, may have different system default initialization files in /etc and users' home directories.

Guided Exercise: Controlling New File Permissions and Ownership

In this exercise, you will control default permissions on new files using the umask command and setgid permission.
Outcomes

  • Create a shared directory where new files are automatically owned by the group ateam.
  • Experiment with various umask settings.
  • Adjust default permissions for specific users.
  • Confirm your adjustment is correct.
Before You Begin
Start your Amazon EC2 instance and use ssh to log in as the user ec2-user. It is assumed that ec2-user can use sudo to run commands as root.
It is also assumed that you have completed the steps from the preceding exercise in this chapter. The users alice and andy should exist on your system. The primary group for both users should be a user private group with the same name as the user's username. Both users should also be members of the group ateam.
Steps
  1. Use sudo to switch user to alice.
    [ec2-user@ip-192-0-2-1 ~]$ sudo su - alice
    Last login: Thu Jan 26 17:01:55 EDT 2017 on pts/0
    [alice@ip-192-0-2-1 ~]$ 
  2. Use the umask command without arguments to display Alice's default umask value.
    [alice@ip-192-0-2-1 ~]$ umask
    0002
    
  3. Create a new directory /tmp/shared and a new file /tmp/shared/defaults to see how the default umask affects permissions.
    [alice@ip-192-0-2-1 ~]$ mkdir /tmp/shared
    [alice@ip-192-0-2-1 ~]$ ls -ld /tmp/shared
    drwxrwxr-x. 2 alice alice 6 Jan 26 18:43 /tmp/shared
    [alice@ip-192-0-2-1 ~]$ touch /tmp/shared/defaults
    [alice@ip-192-0-2-1 ~]$ ls -l /tmp/shared/defaults
    -rw-rw-r--. 1 alice alice 0 Jan 26 18:43 /tmp/shared/defaults
    
  4. Change the group ownership of /tmp/shared to ateam and record the new ownership and permissions.
    [alice@ip-192-0-2-1 ~]$ chown :ateam /tmp/shared
    [alice@ip-192-0-2-1 ~]$ ls -ld /tmp/shared
    drwxrwxr-x. 2 alice ateam 21 Jan 26 18:43 /tmp/shared
    
  5. Create a new file in /tmp/shared and record the ownership and permissions.
    [alice@ip-192-0-2-1 ~]$ touch /tmp/shared/alice3
    [alice@ip-192-0-2-1 ~]$ ls -l /tmp/shared/alice3
    -rw-rw-r--. 1 alice alice 0 Jan 26 18:46 /tmp/shared/alice3
    
  6. Ensure the permissions of /tmp/shared cause files created in that directory to inherit the group ownership of ateam.
    [alice@ip-192-0-2-1 ~]$ chmod g+s /tmp/shared
    [alice@ip-192-0-2-1 ~]$ ls -ld /tmp/shared
    drwxrwsr-x. 2 alice ateam 34 Jan 26 18:46 /tmp/shared
    [alice@ip-192-0-2-1 ~]$ touch /tmp/shared/alice4
    [alice@ip-192-0-2-1 ~]$ ls -l /tmp/shared
    total 0
    -rw-rw-r--. 1 alice alice 0 Jan 26 18:46 alice3
    -rw-rw-r--. 1 alice ateam 0 Jan 26 18:48 alice4
    -rw-rw-r--. 1 alice alice 0 Jan 26 18:43 defaults
    
  7. Change the umask for alice such that new files are created with read-only access for the group and no access for other users. Create a new file and record the ownership and permissions.
    [alice@ip-192-0-2-1 ~]$ umask 027
    [alice@ip-192-0-2-1 ~]$ touch /tmp/shared/alice5
    [alice@ip-192-0-2-1 ~]$ ls -l /tmp/shared
    total 0
    -rw-rw-r--. 1 alice alice 0 Jan 26 18:46 alice3
    -rw-rw-r--. 1 alice ateam 0 Jan 26 18:48 alice4
    -rw-r-----. 1 alice ateam 0 Jan 26 18:50 alice5
    -rw-rw-r--. 1 alice alice 0 Jan 26 18:43 defaults
    
  8. Log out and log back in again as alice, starting a new shell, and view her umask.
    [alice@ip-192-0-2-1 ~]$ umask
    0027
    [alice@ip-192-0-2-1 ~]$ exit
    logout
    [ec2-user@ip-192-0-2-1 ~]$ sudo su - alice
    Last login: Thu Jan 26 18:31:25 EDT 2017 on pts/0
    [alice@ip-192-0-2-1 ~]$ umask
    0002
    
    Note that alice's umask reverted to her default settings.
  9. Change the default umask for alice to prohibit all access in "other" on files she creates, by appending umask 007 to the end of her ~/.bashrc file.
    [alice@ip-192-0-2-1 ~]$ echo "umask 007" >> ~/.bashrc
    [alice@ip-192-0-2-1 ~]$ cat ~/.bashrc
    # .bashrc
    
    # Source global definitions
    if [ -f /etc/bashrc ]; then
     . /etc/bashrc
    fi
    
    # Uncomment the following line if you don't like systemctl's auto-paging feature:
    # export SYSTEMD_PAGER=
    
    # User specific aliases and functions
    umask 007
    

    Important

    Rather than using redirection, you could instead simply edit the file with the command vim ~/.bashrc, and add umask 007 as the last line of the file, as shown in the output of cat ~/.bashrc from the example.
    If you are interested in more in-depth information on shell I/O redirection, an overview is available at http://wiki.bash-hackers.org/syntax/redirection.
  10. Log out of alice's su session, and then log back into alice's account and confirm that the umask changes you made are persistent.
    [alice@ip-192-0-2-1 ~]$ exit
    logout
    [ec2-user@ip-192-0-2-1 ~]$ sudo su - alice
    Last login: Thu Jan 26 18:54:02 EDT 2017 on pts/0
    [alice@ip-192-0-2-1 ~]$ umask
    0007
    
  11. This concludes this exercise. Log out and stop your Amazon EC2 instance.

Comments

Popular posts from this blog

The Seven-Step Model of Migration

Irrespective of the migration approach adopted, the Seven-step Model of Cloud Migration creates a more rational point of view towards the migration process and offers the ability to imbibe several best practices throughout the journey Step 1: Assess Cloud migration assessments are conducted to understand the complexities in the migration process at the code, design and architectural levels. The investment and the recurring costs are also evaluated along with gauging the tools, test cases, functionalities and other features related to the configuration. Step 2: Isolate The applications to be migrated to the cloud from the internal data center are freed of dependencies pertaining to the environment and the existing system. This step cuts a clearer picture about the complexity of the migration process. Step 3: Map Most organisations hold a detailed mapping of their environment with all the systems and applications. This information can be used to distinguish between the ...

RequestsDependencyWarning: urllib3 (1.24.1) or chardet (3.0.4) doesn't match a supported version

import tweepy /usr/lib/python2.7/dist-packages/requests/__init__.py:80: RequestsDependencyWarning: urllib3 (1.24.1) or chardet (3.0.4) doesn't match a supported version!   RequestsDependencyWarning) Traceback (most recent call last):   File "<stdin>", line 1, in <module>   File "/usr/local/lib/python2.7/dist-packages/tweepy/__init__.py", line 14, in <module>     from tweepy.api import API   File "/usr/local/lib/python2.7/dist-packages/tweepy/api.py", line 12, in <module>     from tweepy.binder import bind_api   File "/usr/local/lib/python2.7/dist-packages/tweepy/binder.py", line 11, in <module>     import requests   File "/usr/lib/python2.7/dist-packages/requests/__init__.py", line 97, in <module>     from . import utils   File "/usr/lib/python2.7/dist-packages/requests/utils.py", line 26, in <module>     from ._internal_utils import to...

tag