grants access to features requiring higher level permissions than those you would
usually have.
Since a
setuid
root program is systematically run under the super-user identity, it is
very important to ensure it is secure and reliable. Any user who manages to subvert
a setuid root program to call a command of their choice could then impersonate the
root user and have all rights on the system. Penetration testers regularly search for
these types of files when they gain access to a system as a way of escalating their
privileges.
A directory is handled differently from a file. Read access gives the right to consult the list of its
contents (files and directories); write access allows creating or deleting files; and execute access
allows crossing through the directory to access its contents (for example, with the
cd
command).
Being able to cross through a directory without being able to read it gives the user permission to
access the entries therein that are known by name, but not to find them without knowing their
exact name.
SECURITY
setgid
directory and sticky
bit
The
setgid
bit also applies to directories. Any newly-created item in such directories
is automatically assigned the owner group of the parent directory, instead of inherit-
ing the creator’s main group as usual. Because of this, you don’t have to change your
main group (with the
newgrp
command) when working in a file tree shared between
several users of the same dedicated group.
The
sticky bit
(symbolized by the letter “t”) is a permission that is only useful in
directories. It is especially used for temporary directories where everybody has write
access (such as
/tmp/
): it restricts deletion of files so that only their owner or the
owner of the parent directory can delete them. Lacking this, everyone could delete
other users’ files in
/tmp/
.
Three commands control the permissions associated with a file:
•
chown
user file
changes the owner of the file
•
chgrp
group file
alters the owner group
•
chmod
rights file
changes the permissions for the file
TIP
