Showing posts with label Basic Linux Commands. Show all posts
Pawan Sharma | August 28, 2012 | | 1 Comment so far

SUID, SGID and Sticky Bit in RHEL6

In the previous post I explained how to change file/directory permissions using the chmod command in two ways: symbolic and numeric mode. In this post we will discuss three special file permissions: Sticky Bit, SUID Bit and SGID Bit, which we can use to make processes more secure and efficient.

In the previous post we discussed three file permissions: read (r), write (w) and execute (x). Besides these three there are three more permissions: SUID (s), SGID (s) and Sticky Bit (t). First we will explain what these terms mean.

Sticky Bit (t): The sticky bit is a very simple and effective file permission; it increases the security of a file/directory that is shared with other users. When the sticky bit is enabled, only the user (owner) of that file can remove or rename the file, even if other users have full (rwx) permissions on that file. In the case of a directory, only the user (owner) of the directory or the owner of a file in that directory can remove or rename the file. The sticky bit is mainly used on directories to which multiple users have access, like /tmp. By default the sticky bit is set on /tmp in Red Hat Enterprise Linux 6 (RHEL6).

[root@PawanS1 ~]# ls -ld /tmp
drwxrwxrwt.  96 root root  4096  Aug 28 12:06   /tmp

In the above example we can see that there is a “t” in the execute position for others. The sticky bit can be enabled using the “chmod” command. Let’s take some examples of the sticky bit.
  • Add sticky bit permission on a directory with all permissions using symbolic chmod.
[root@PawanS1 ~]# ls -ld Test_Dir/
drwxrwxrwx  2  pawan admin  4096 Aug 28 10:22  Test_Dir/

[root@PawanS1 ~]# chmod +t Test_Dir/

[root@PawanS1 ~]# ls -ld Test_Dir/
drwxrwxrwt  2  pawan admin  4096 Aug 28 10:22   Test_Dir/
  • Add sticky bit permission on a directory using numeric chmod.
[root@PawanS1 ~]# ls -ld My_Dir/
drwxr-xr-- 2 pawan admin 4096 Aug 28 10:27   My_Dir/

[root@PawanS1 ~]# chmod 1754 My_Dir/

[root@PawanS1 ~]# ls -ld My_Dir/
drwxr-xr-T  2  pawan admin  4096 Aug 28 10:27   My_Dir/

Note: This time we have a “T” instead of “t” because the directory does not have execute permission for others.

SUID (Set User ID) Bit (s): We mainly enable the SUID bit on files, especially on executable scripts. When the SUID bit is enabled on a script/file, whenever someone executes the file it runs as the user who owns that file. This means the file always runs as its owner, no matter who executes it. This comes in handy when you want to give some other user the right to execute a root-privileged script. In RHEL 6, the SUID bit is set by default on commands like /usr/bin/passwd, /usr/bin/wall, /usr/bin/ssh-agent, etc. This is the reason a user can change their own password.

[root@PawanS1 ~]# ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 27936 Aug  3  2010  /usr/bin/passwd

In the above example we can see that there is an “s” in the execute position for the user (owner). The SUID bit can be enabled using the “chmod” command. Let’s take some examples of the SUID bit.
  • Add SUID bit on a script using symbolic chmod.
[root@PawanS1 ~]# ls -l test_script.sh
-rwxr-xr-x 1 root admin 43 Aug 28 11:51  test_script.sh

[root@PawanS1 ~]# chmod u+s test_script.sh

[root@PawanS1 ~]# ls -l test_script.sh
-rwsr-xr-x 1 root admin 43 Aug 28 11:51  test_script.sh
  • Add SUID bit on a script which does not have execute permission for user (owner) using numeric chmod.
[root@PawanS1 ~]# ls -l my_script.sh
-rw-r--r-- 1 root admin 29 Aug 28 11:58   my_script.sh

[root@PawanS1 ~]# chmod  4644 my_script.sh

[root@PawanS1 ~]# ls -l my_script.sh
-rwSr--r-- 1 root admin 29 Aug 28 11:58   my_script.sh

Note: This time we have an “S” instead of an “s” because the script “my_script.sh” does not have execute permission for the user.

SGID (Set Group ID) Bit: The SGID bit is very useful when you have to give a set of users in a group access to a directory. When the SGID bit is enabled on a directory, any file/directory created under it by any user gets the same group owner as the parent directory.

For example, you have created a group named “sales” and added four users, pawan, siddharth, ramswaroop and usaid, to the group “sales”. Now you want every file created by any of these four users under the directory “/Sales” to be accessible by all of these users.

1. To do this, first create the directory “/Sales” and then change its group owner and group permission to sales and rwx respectively.

[root@PawanS1 ~]# mkdir /Sales/

[root@PawanS1 ~]# ls -ld /Sales/
drwxr-xr-x 2 root root 4096 Aug 28 12:31 /Sales/

[root@PawanS1 ~]# chmod g=rwx /Sales/

[root@PawanS1 ~]# chgrp sales /Sales/

[root@PawanS1 ~]# ls -ld /Sales/
drwxrwxr-x 2 root sales 4096 Aug 28 12:31 /Sales/

2. Then enable the SGID bit on the “/Sales” directory.

[root@PawanS1 ~]# ls -ld /Sales/
drwxrwxr-x 2 root sales 4096 Aug 28 12:31 /Sales/

[root@PawanS1 ~]# chmod g+s /Sales/

[root@PawanS1 ~]# ls -ld /Sales/
drwxrwsr-x 2 root sales 4096 Aug 28 12:31 /Sales/

In the above example we can see that there is an “s” in the execute position for the group. Now any file created under the directory “/Sales” will have the group owner sales.

Now log in as user pawan, create a file in /Sales and check its permissions.

[pawan@PawanS1 Sales]$ touch test.txt

[pawan@PawanS1 Sales]$ ls -l test.txt
-rw-rw-r-- 1 pawan sales 8 Aug 28 12:43 test.txt
  • We can also enable SGID bit using chmod in numeric mode.
[root@PawanS1 ~]# ls -ld /Purchase/
drwxrw-r-x 2 root purchase 4096 Aug 28 12:31 /Purchase/

[root@PawanS1 ~]# chmod 2765 /Purchase/

[root@PawanS1 ~]# ls -ld /Purchase/
drwxrwSr-x 2 root purchase 4096 Aug 28 12:31 /Purchase/

Note: This time we have an “S” instead of an “s” because the directory “/Purchase” does not have execute permission for the group.

The table below summarizes chmod for SUID, SGID and Sticky Bit.

| Permission | Symbolic Mode | Numeric Mode |
|---|---|---|
| Sticky Bit | chmod +t file_name | chmod 1XXX file_name |
| SUID Bit | chmod u+s file_name | chmod 4XXX file_name |
| SGID Bit | chmod g+s file_name | chmod 2XXX file_name |

where X is the permission for user, group and other.
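
An audit of these three bits over a directory tree, as an added example that is not part of the original post. The function names, the tag names and the sample tree are made up for this sketch; the tree is constructed in a temporary directory so the script runs without root.

```shell
#!/bin/sh
# Added example: report where the special bits from this post are set.

# audit_special_bits DIR
# Prints one "TAG path" line per finding, sorted:
#   SUID-FILE  regular file that runs as its owner           (chmod 4XXX / u+s)
#   SGID-FILE  regular file that runs with its group         (chmod 2XXX / g+s)
#   SGID-DIR   directory whose new entries inherit its group (like /Sales)
#   WORLD-WRITABLE-NO-STICKY-DIR  directory writable by "other" without +t
audit_special_bits() {
    {
        find "$1" -xdev -type f -perm -4000 | sed 's|^|SUID-FILE |'
        find "$1" -xdev -type f -perm -2000 | sed 's|^|SGID-FILE |'
        find "$1" -xdev -type d -perm -2000 | sed 's|^|SGID-DIR |'
        find "$1" -xdev -type d -perm -0002 ! -perm -1000 |
            sed 's|^|WORLD-WRITABLE-NO-STICKY-DIR |'
    } 2>/dev/null | sort
}

# make_sample_tree: build a constructed sample tree and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    chmod g-s "$t"             # in case the temp location itself is SGID
    mkdir "$t/shared" "$t/dropbox" "$t/team"
    chmod 1777 "$t/shared"     # sticky and world-writable, like /tmp: not reported
    chmod 0777 "$t/dropbox"    # world-writable without sticky bit: reported
    chmod 2775 "$t/team"       # SGID directory, like /Sales
    : > "$t/helper" && chmod 4755 "$t/helper"   # SUID file (empty, harmless)
    : > "$t/plain"  && chmod 0644 "$t/plain"    # ordinary file: not reported
    printf '%s\n' "$t"
}

# Demo on the constructed tree.
tree=$(make_sample_tree)
audit_special_bits "$tree"
rm -rf "$tree"
```

When reviewing SUID-FILE findings on a real system, keep in mind that the Linux kernel ignores the set-user-ID and set-group-ID bits when the file is an interpreted script.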

If you have any doubts or queries please post a comment.


Pawan Sharma | August 27, 2012 | | 1 Comment so far

Changing File Permissions using chmod command

In this post we will learn how to use the “chmod” command to change file permissions in Red Hat Enterprise Linux 6. Linux is a multi-user operating system; this means many users can have access to a particular file or directory. To maintain security, Linux has three categories of user for file permissions (user, group and other, as discussed in the previous post), and three types of permission for each category of user: read, write and execute.

To view the current permissions of a file we can use the long directory listing command “ls -l”:

[root@PawanS1 ~]# ls -l test_file.txt
-rwxr-xr-- 1 pawan admin 30 Aug 27 13:05 test_file.txt

In the above example we can see that the owner of the file is pawan, the group owner of the file is admin and the file has permissions rwxr-xr--, which means:
  • User has read, write and execute (rwx) permissions.
  • Group has read and execute (r-x) permissions.
  • Others have only read (r--) permission.
Note: “-” means no permission.

This means user pawan has full access to the file test_file.txt: he can read, modify and also execute the file. Members of the group admin can only read and execute the file. Users other than pawan and the members of group admin can only read the file and can’t modify or execute it.

To change the permissions of a file we can use the “chmod” command; only root and the file owner can change the permissions of a file. There are two methods of changing permissions:
  • Symbolic mode
  • Numeric mode
Symbolic Mode:
Symbolic mode is very easy to use. The process has the following steps:
  1. Decide whether you have to change permission for user (u), group (g), other (o) or for all (a).
  2. Decide to add (+), remove (-) or reset all permission (=).
  3. Decide what would be the permission: read (r), write (w), or execute (x).
  4. Then give the name of file of which you have to change permission.
Few examples of chmod in symbolic mode:
  • Remove execute permission from user
[root@PawanS1 ~]# chmod u-x test_file.txt
  • Add write permission for both group and other
[root@PawanS1 ~]# chmod go+w test_file.txt
  • Remove write and execute permissions from other
[root@PawanS1 ~]# chmod o-wx test_file.txt
  • Add write permissions for all
[root@PawanS1 ~]# chmod a+w test_file.txt
  • Change permission of user to rwx
[root@PawanS1 ~]# chmod u=rwx test_file.txt
  • To remove execute permission recursively from files in a directory
[root@PawanS1 ~]# chmod -R u-x Test_Directory/

The table below summarizes chmod in symbolic mode.

| User to be modified | What to do | Permission |
|---|---|---|
| u (user/owner) | + (add permission) | r (read) |
| g (group) | - (remove permission) | w (write) |
| o (other) | = (change permission) | x (execute) |
| a (all) | | |

 
Note: besides the above-mentioned permissions there are two more permissions, SUID/SGID (s) and Sticky bit (t), which can be set to give special permissions.

Numeric Mode:
The numeric mode of the chmod command is also very useful and easy. It replaces the old permissions directly with the new permissions. In numeric mode, file permissions are represented by a three-digit number, and each permission (r, w and x) is represented by a number.

4=read(r)
2=write(w)
1=execute(x)
0=none(-)

To build a permission, add the numbers accordingly. For example:

rwx = 4+2+1 = 7
rw- = 4+2+0 = 6
--x = 0+0+1 = 1

To change permissions we give chmod a 4-digit number built from the values above: after the leading digit, the first digit is the permission for user, the second digit is the permission for group and the third digit is the permission for other.

A few examples of chmod in numeric mode:
  • To change permission to -rwxrw-r--
[root@PawanS1 ~]# chmod 0764 test_file.txt

In the above example 7=4+2+1, 6=4+2+0 and 4=4+0+0. This means the owner has rwx (7), the group has rw- (6) and others have r-- (4) permission.
  • To change permission to -rw-r-x--x
[root@PawanS1 ~]# chmod 0651 test_file.txt

Note: The first digit 0 is for special permission like SUID, SGID and Sticky bit.

Besides these three bits discussed above there is a special bit which is used to give special permission to a file or directory for setting SUID bit, SGID bit and Sticky bit, which can be represented by. We will discuss this in the next post.

Numeric mode takes some time to get used to, but it is very useful and effective for changing permissions quickly.
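
The digit arithmetic above, carried through to the leading special-permission digit, as an added example that is not part of the original post. The function name mode_to_octal is made up for this sketch; it goes beyond the plain rwx case by also handling the s/S and t/T letters, and the demo strings are the `ls -l` mode strings that appear in the listings on this page.

```shell
#!/bin/sh
# Added example: turn an `ls -l` mode string into the 4-digit number for chmod.

# mode_to_octal MODE_STRING      e.g. mode_to_octal 'drwxrwSr-x'
# The first character (file type) and anything after the ninth permission
# character (such as the trailing "." in the /tmp listing) are ignored.
mode_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)
    [ "${#perms}" -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    special=0
    digits=""
    # Weight of the special bit carried by each triplet: SUID=4, SGID=2, sticky=1.
    for weight in 4 2 1; do
        triplet=$(printf '%s' "$perms" | cut -c1-3)
        perms=$(printf '%s' "$perms" | cut -c4-)
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in
            ??x)    digit=$((digit + 1)) ;;
            # lowercase s/t: special bit set AND execute set
            ??[st]) digit=$((digit + 1)); special=$((special + weight)) ;;
            # uppercase S/T: special bit set, execute NOT set
            ??[ST]) special=$((special + weight)) ;;
            ??-)    ;;
            *)      echo "bad triplet: $triplet" >&2; return 1 ;;
        esac
        digits="$digits$digit"
    done
    printf '%s%s\n' "$special" "$digits"
}

# Demo on mode strings taken from the listings on this page.
for m in 'drwxrwxrwt.' '-rwsr-xr-x' '-rwSr--r--' 'drwxr-xr-T' 'drwxrwSr-x'; do
    printf '%-12s chmod %s\n' "$m" "$(mode_to_octal "$m")"
done
```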

Pawan Sharma | June 8, 2011 | | Be the first to comment!

Basic Linux Commands

To get started with Linux, one first needs to know the basic Linux commands. These commands are common to all Linux distributions. If you know these basic Linux commands, it will be easier for you to get further in your goal of achieving a Red Hat Certification.

To be a system administrator you need to know how to manage a server from the command line, because you will hardly ever be allowed to use a GUI: most system administration tasks are performed remotely using the secure shell, also known as SSH. So use the command line as much as possible.

The basic Linux commands and their explanations are given below:

  • uname :- this command returns the name of the Operating System.
  • uname -a :- using the "-a" option with the uname command, you will get the following information:
    • Operating System : Linux.
    • Fully Qualified Domain Name.
    • Kernel Version.
    • Date and time that the kernel was compiled.
  • tty :- reveals the current terminal.
  • echo :- prints to the screen.
  • set :- prints and optionally sets shell variables.
  • clear :- clears the screen / terminal.
  • reset :- resets the screen buffer
  • pwd :- prints the path of working directory.
  • whoami :- reveals the current logged-in user.
  • which program_name :- reveals the path of the program / command.
  • history :- reveals your command history.
  • cd :- changes directory to desired directory:
    • cd with no option will change to the home directory.
    • cd ~ will also change to the home directory.
    • cd /  will change to the root (/) directory
    • cd ..  will change one level up in the directory tree.
  • ls  :- lists files and directories.
    • ls / lists the contents of / (root) directory.
    • ls -l will list in long format. This command shows the properties of files and directories.
    • ls -a will list all files including hidden files which starts with a period (.).
    • ls -ld will show properties of the directory.
  • cat  :- concatenates files. It can create files and also show the contents of files.
    • cat 123.txt dumps the contents of the file 123.txt.
    • cat > xyz creates a new file xyz. You can write to the file and save using ctrl+d.

  • mkdir  :- creates a new directory.
  • cp :- copies files
  • mv :- moves and rename files.
  • rm :- remove files.
  • touch :- create a blank file.
  • stat :-  reveals the statistics of a file.
  • find :- finds files using search pattern.
    • find / -name filename will search for the file named filename in the / directory.
  • alias :- return/set aliases for command.
  • more/less :- display one page at a time.
  • head :- display opening lines of a file.
  • tail :- display closing lines of a file.
  • wc :- counts words and optionally lines and characters in a file.
  • grep :- search for text in a file.
  • su :- to switch user.
  • man command_name  :- open manual for that command.
These are the basic Linux commands. There are a lot more commands, and you will learn each command by using it; it will take time, but the more you work in Linux the more you learn.

NOTE: There are many options which can be used with these and other commands. Always view the man page of a command to find its different options. I think using the man command is a very good habit.

Please comment on the post. You can also write questions and I would love to answer your questions and help you.