Tips Linux Explorers   All Things Linux Forum   Great Linux Links   LinuxClues.com   Hometown   Email 



SUID, STICKY and CHATTR
( Advanced permissions )



There are some very special and advanced file permissions: the SUID/SGID Flag, the Sticky Bit and Change Attribute. In this Tip I will give a brief description.



The "SUID flag" ( Allow user ID access ) This mode gives normal users permission to execute files they normally would not be allowed to.

CODE
# chmod u+s testfile

If you use chmod with numbers the number for SUID is 4000.
An example what "ls -l" will show:

QUOTE
-rwsr-xr-x  1 root root    0 Sep 20 20:40 testfile*




The "SGID flag" ( Allow group ID access ). Same as SUID but then for groups

CODE
# chmod g+s testfile

If you use chmod with numbers the number for SGID is 2000.
An example what "ls -l" will show:

QUOTE
-rwxr-sr-x  1 root root   0 Sep 20 20:40 testfile*


NOTE: There are security issues with the SUID and SGID flags so only use it when absolutely needed.




The "Sticky Bit" ( Only the user that created the file, in the directory with the Sticky Bit, can delete it ):

CODE
# chmod +t testdirectory

If you use chmod with numbers the number for the Stick Bit is 1000.
An example what "ls -l" will show:

QUOTE
drwxr-xr-t  2 root root    4096 Sep 20 20:44 testdirectory/

A quote from the chmod man page:

QUOTE
STICKY FILES
On older Unix systems, the sticky bit caused executable files to be hoarded in swap space. This feature is not useful on modern VM systems, and the Linux kernel ignores the sticky bit on files. Other kernels may use the sticky bit on files for system-defined purposes. On some systems, only the superuser can set the sticky bit on files.
STICKY DIRECTORIES
When the sticky bit is set on a directory, files in that directory may be unlinked or renamed only by root or their owner. Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on directories, such as /tmp, that are world-writable.





And finally "chattr" ( Change file attribute ) has many options, one of them is "i", the immutable flag, meaning nobody, even root, can make changes to a file:

CODE
# chattr +i testfile

In this case "ls -l" will show nothing special:

QUOTE
-rwxr-xr-x  1 root root   0 Sep 20 20:40 testfile*

But related to the chattr command is "lsattr" it lists attributes set for a file:

CODE
# lsattr testfile

An example of what "lsattr" will show:

QUOTE
----i--------   testfile

To remove the immutable flag simply do "chattr -i"

See "man chattr" for more options of the chattr command.




There you go, this all makes part of the complex file permissions system that keeps a Linux box safe and secure.



Bruno



-- Mar 25 2007 --


Tips Linux Explorers   All Things Linux Forum   Great Linux Links   LinuxClues.com   Hometown   Email