Saturday, April 26, 2008

Setuid, Setgid and Sticky Bit

setuid Permission

When setuid (set-user identification) permission is set on an executable file, a process that runs this file is granted access based on the owner of the file (usually root), rather than the user who created the process. This permission enables a user to access files and directories that are normally available only to the owner.

The setuid permission is shown as an s in the file permissions. For example, the setuid permission on the passwd command enables a user to change passwords by assuming the permissions of the root ID:

castle% ls -l /usr/bin/passwd
-r-sr-sr-x 3 root sys 96796 Jul 15 21:23 /usr/bin/passwd
castle%


NOTE: Using setuid permissions with the reserved UIDs (0-99) from a program may not set the effective UID correctly. Instead, use a shell script to avoid using the reserved UIDs with setuid permissions.

You set setuid permissions by using the chmod command to assign the octal value 4 as the first number in a series of four octal values. Use the following steps to set setuid permissions:

1. If you are not the owner of the file or directory, become superuser.
2. Type chmod <4nnn> <filename> and press Return.
3. Type ls -l <filename> and press Return to verify that the permissions of the file have changed.

The following example sets setuid permission on the myprog file:

#chmod 4555 myprog
#ls -l myprog
-r-sr-xr-x 1 winsor staff 12796 Jul 15 21:23 myprog
#

To minimize setuid problems, minimize the number of local setuid programs. If you write a setuid program, use the following guidelines to minimize security problems:

Do not write setuid shell scripts for any shell.
Do not use library routines that start slave shells.
Do not use execlp(3) and execvp() routines that duplicate the path-searching functionality of a shell.
Use full pathnames to identify files.
Only setuid to root when you need to.
Use the set effective user ID function, seteuid(2), to control setuid use.
Keep permissions on setuid programs restrictive.
Avoid secret back-door escapes in your code.

setgid Permission

The setgid (set-group identification) permission is similar to setuid, except that the effective group ID for the process is changed to the group owner of the file and a user is granted access based on permissions granted to that group. The /usr/bin/mail program has setgid permissions:

castle% ls -l /usr/bin/mail
-r-x--s--x 1 bin mail 64376 Jul 15 21:27 /usr/bin/mail
castle%

When setgid permission is applied to a directory, files subsequently created in the directory belong to the group the directory belongs to, not to the group the creating process belongs to. Any user who has write permission in the directory can create a file there; however, the file does not belong to the group of the user, but instead belongs to the group of the directory.

You can set setgid permissions by using the chmod command to assign the octal value 2 as the first number in a series of four octal values. Use the following steps to set setgid permissions:

1. If you are not the owner of the file or directory, become superuser.
2. Type chmod <2nnn> <filename> and press Return.
3. Type ls -l <filename> and press Return to verify that the permissions of the file have changed.

The following example sets setgid permission on the myprog2 file:

#chmod 2551 myprog2
#ls -l myprog2
-r-xr-s--x 1 winsor staff 26876 Jul 15 21:23 myprog2
#

Sticky Bit

The sticky bit on a directory is a permission bit that protects files within that directory. If the directory has the sticky bit set, only the owner of the file, the owner of the directory, or root can delete the file. The sticky bit prevents a user from deleting other users' files from public directories, such as uucppublic:

castle% ls -l /var/spool/uucppublic
drwxrwxrwt 2 uucp uucp 512 Sep 10 18:06 uucppublic
castle%

When you set up a public directory on a TMPFS temporary file system, make sure that you set the sticky bit manually.

You can set sticky bit permissions by using the chmod command to assign the octal value 1 as the first number in a series of four octal values. Use the following steps to set the sticky bit on a directory:

1. If you are not the owner of the file or directory, become superuser.
2. Type chmod <1nnn> <filename> and press Return.
3. Type ls -l <filename> and press Return to verify that the permissions of the file have changed.

The following example sets the sticky bit permission on the pubdir directory:

castle% chmod 1777 pubdir
castle% ls -ld pubdir
drwxrwxrwt 2 winsor staff 512 Jul 15 21:23 pubdir
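
The three bits described above can be audited in one pass. The following shell functions are an added example, not part of the original guide: they list setuid and setgid files and world-writable directories that lack the sticky bit, then set the missing sticky bits. The function names and the report labels (SETUID, SETGID, NOSTICKY) are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: function names and report labels are made up for this sketch.

# audit_special_bits DIR
# Prints one line per finding under DIR:
#   SETUID <path>    regular file with the setuid bit (octal 4000)
#   SETGID <path>    regular file with the setgid bit (octal 2000)
#   NOSTICKY <path>  world-writable directory without the sticky bit (octal 1000)
audit_special_bits() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    # "-perm -4000" matches when every listed bit is set; -xdev stays on one file system.
    find "$1" -xdev -type f -perm -4000 -exec printf 'SETUID %s\n' {} +
    find "$1" -xdev -type f -perm -2000 -exec printf 'SETGID %s\n' {} +
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -exec printf 'NOSTICKY %s\n' {} +
    return 0
}

# set_missing_sticky DIR
# Adds the sticky bit to every world-writable directory under DIR that lacks it,
# leaving the other permission bits unchanged.
set_missing_sticky() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -exec chmod +t {} +
}

# When run as a script with a directory argument, print the audit report.
if [ "$#" -gt 0 ]; then
    audit_special_bits "$1"
fi
```

A file such as passwd that carries both the setuid and setgid bits is reported on two lines, once under each label.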



Taken from: Solaris Advanced System Administrator's Guide, Second Edition: Understanding System Security

Copyright ©2008 PreciousTulips. All rights reserved.