Special Permissions - PowerPoint PPT Presentation

Provided by: garybr4
Slides: 28

Transcript and Presenter's Notes

Title: Special Permissions

1
Special Permissions
2
Special Permissions
  • Besides the User, Group, and Public categories
    there is a Special permission category
  • Values for the Special category
  • Set-uid: an executable runs with the effective user
    id of the file's owner instead of that of the user
    who launched it
  • Set-gid: on an executable, the process gets the
    effective group id of the file's group; on a
    directory, files created inside take the group id of
    the directory rather than the primary group id of
    the creator
  • Sticky-bit: historically told the OS to keep a
    program's image in swap after it exited (Linux
    ignores this today); on a directory it prevents
    users from renaming or removing files they do not own

3
Displaying Special Permissions
  • Permission string from ls -l
  • Owner field has S in execute position: set-uid bit
    is on but owner execute is off
  • Owner field has s in execute position: set-uid bit
    and owner execute are both on
  • Group field has S in execute position: set-gid bit
    is on but group execute is off
  • Group field has s in execute position: set-gid bit
    and group execute are both on
  • Public field has T in execute position: sticky bit
    is on but public execute is off
  • Public field has t in execute position: sticky bit
    and public execute are both on
  • A capital letter usually signals a mistake: the
    special bit is set but the matching execute bit is
    not

4
set-gid Examples
  • rwxrwSr--
  • Owner read, write, execute
  • Group read, write
  • Public read only
  • Special set-gid bit on
  • rwxrwsr--
  • Owner read, write, execute
  • Group read, write, execute
  • Public read only
  • Special set-gid bit on

5
Setting the set-gid Bit
  • Use
  • chmod g+s directory
  • For example,
  • chmod g+s my_dir
  • Set the directory's group first (chgrp), since that
    is the group new files will inherit

6
Why Use set-gid?
  • If set-gid is on, when a file is created it is
    assigned the group of the directory rather than
    the primary group of the user who created the
    file
  • Allows a single user to work on multiple projects
    conveniently because the group of each new file
    comes from the directory rather than from the
    individual user creating it
  • Users can belong to multiple groups and gain their
    access rights to directories via these various
    groups, but the files they create remain in the
    possession of the directory's group rather than the
    primary group of the user
  • On Linux, subdirectories created inside a set-gid
    directory inherit the set-gid bit as well, so the
    behaviour carries down the whole project tree

7
chmod Numeric Notation
  • Each three-character permission string can be written
    as a binary number, and hence as one octal digit,
    which uniquely defines it:

      Permission   Binary   Decimal
      string       equiv.   equiv.
      ---          000      0
      --x          001      1
      -w-          010      2
      -wx          011      3
      r--          100      4
      r-x          101      5
      rw-          110      6
      rwx          111      7

  • Note r = 4, w = 2, x = 1
  • So, for example, rwx = 4 + 2 + 1 = 7 and
    r-x = 4 + 1 = 5
  • And, the entire permission string rw-r----- = 640

8
chmod Examples
  • chmod 600 test.txt -> rw-------
  • chmod 666 test.txt -> rw-rw-rw-
  • chmod 755 test.txt -> rwxr-xr-x
  • chmod 000 test.txt -> ---------
  • chmod 777 test.txt -> rwxrwxrwx

9
Default Permission Mask
  • The permission string that a file or directory is
    assigned when it is created by a user is
    determined by the umask value of that user
  • In Fedora 9, the default umask value for root is 0022
  • and the default umask value for end-users is 0002
  • First digit is the Special category
  • Second digit is the Owner category
  • Third digit is the Group category
  • Fourth digit is the Public category
  • Each digit names the permission bits that are removed
    (masked off) from new files and directories: a 2
    removes write, a 7 removes everything for that
    category

10
Computing Permissions
  • The standard permissions for a directory are
    rwxrwxrwx, 0777 in numeric notation
  • The standard permissions for a file are
    rw-rw-rw-, 0666 in numeric notation (files are never
    created executable by default; a compiler or chmod
    adds x later)
  • To establish the actual permissions, the system
    clears every bit that is set in the umask:
    mode AND NOT umask
  • Subtracting the umask gives the same answer for the
    common masks 0022 and 0002, but not in general:
    0666 with umask 0027 is 0640, whereas 0666 - 0027
    would be 0637

11
Examples
  • If the user's umask = 0022 then the permissions
    for a directory the user creates would be
    0777 & ~0022 = 0755 = rwxr-xr-x
  • If the user's umask = 0022 then the permissions
    for a file the user creates would be
    0666 & ~0022 = 0644 = rw-r--r--
  • If the user's umask = 0002 then the permissions
    for a directory the user creates would be
    0777 & ~0002 = 0775 = rwxrwxr-x
  • If the user's umask = 0002 then the permissions
    for a file the user creates would be
    0666 & ~0002 = 0664 = rw-rw-r--
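The computation from slides 10 and 11 as shell arithmetic, added here and not part of the original slides. apply_umask clears the masked bits (the way the kernel does it), subtract_umask does plain subtraction for comparison, and umask_check creates a real file and directory under a given umask so both can be compared against what the file system reports. The masks 0027 and 0077 are extra cases beyond the slide's 0022/0002, chosen because they are where subtraction goes wrong; stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: how umask is really applied. The shell clears the bits named
# in the umask (mode AND NOT umask); it does not subtract. The two agree for
# 022 and 002 but diverge for masks such as 027, and the file-system check at
# the end shows what the kernel actually does (GNU stat assumed).

apply_umask() {        # $1 = base mode, $2 = umask, both octal -> 4-digit octal
    printf '%04o\n' "$(( $1 & ~$2 ))"
}

subtract_umask() {     # plain subtraction, shown only to expose the difference
    printf '%04o\n' "$(( $1 - $2 ))"
}

# Create a file and a directory under the given umask and report their modes.
umask_check() {        # $1 = umask -> "filemode dirmode"
    work=$(mktemp -d) || return 1
    ( umask "$1" && touch "$work/f" && mkdir "$work/d" )
    f=$(stat -c %a "$work/f")
    d=$(stat -c %a "$work/d")
    rm -rf "$work"
    printf '%04o %04o\n' "$((0$f))" "$((0$d))"   # leading 0 forces octal
}

for m in 0022 0002 0027 0077; do
    printf 'umask %s: file %s dir %s (subtraction would give file %s); on disk: %s\n' \
        "$m" "$(apply_umask 0666 "$m")" "$(apply_umask 0777 "$m")" \
        "$(subtract_umask 0666 "$m")" "$(umask_check "$m")"
done
```

With umask 0027 the file comes out 0640 on disk and from apply_umask, while subtraction claims 0637 (world read, write and execute); a restrictive umask such as 0027 or 0077 is the usual hardening choice for service accounts, so getting the arithmetic right matters.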

12
Default Permissions
  • So, in Fedora 9 new directories are given
  • rwxr-xr-x by default for the root account
  • rwxrwxr-x by default for end-user account
  • and new files are given
  • rw-r--r-- by default for the root account
  • rw-rw-r-- by default for end-user account
  • These default permission strings assigned to
    files/directories may be customized for each user

13
Default umask
  • To view umask value
  • Enter umask without an argument to display the
    current umask value in numeric format.
  • Enter umask -S to display the current umask
    value in symbolic format
  • To change umask value
  • Suppose umask value is 0022
  • To change the mask to 0002, enter
  • umask 0002

14
Startup Scripts
  • The default umask value is set in the startup
    script /etc/bashrc (Fedora puts the same logic in
    /etc/profile for login shells)
  • Permanently changing a user's umask from the default
    can be accomplished in the startup scripts, for
    example a umask 027 line at the end of ~/.bashrc,
    after the line that sources /etc/bashrc
  • Startup scripts read by bash at login time for
    end-users
  • /etc/profile (system-wide login initialization)
  • ~/.bash_profile (personal login initialization),
    which sources
  • ~/.bashrc (personal shell initialization), which in
    turn sources
  • /etc/bashrc (system-wide shell initialization)

15
The set-uid Bit
  • Set User ID
  • Terminology
  • Program is a file on auxiliary storage
  • Process is an executing program in memory
  • Normally when a program is executed its process
    runs with the user id of the user who launched the
    program
  • If an executable file has its set-uid bit on, the
    process runs with the effective user id of the
    file's owner no matter which user launched the
    program; the real user id stays that of the
    launcher, so the program can still tell who ran it

16
set-uid
  • Typically, when set-uid is used, the file owner
    is root
  • This gives any user root privileges for the life of
    the process, limited only by what the program itself
    chooses to do: every bug in a set-uid root program
    is a potential privilege escalation, so such
    programs should be few, small, and drop privileges
    as soon as they can
  • Examples of user programs that need root
    permissions are passwd and mount
  • Linux ignores the set-uid bit on interpreted
    scripts (files starting with #!); it only honours
    it on binaries

17
set-uid
  • As you recall, most executable files are shown by
    ls as green
  • The ls command shows files with the set-uid bit
    on in red

18
Changing the set-uid Bit
  • Setting it on
  • chmod u+s filename
  • Turning it off
  • chmod u-s filename

19
Sticky Bit
  • For Files
  • On older systems, when machines did not have very
    much memory, the sticky bit was used to force a
    program or file to remain in memory.
  • This feature is not used on todays virtual
    memory machines.
  • So, sticky bit for files is ignored in Linux.

20
Sticky Bit
  • For Directories
  • Also called Restricted Deletion Flag
  • Today, the sticky bit is largely used on publicly
    writable directories to ensure that users do not
    overwrite each other's files
  • When the sticky bit is turned on for a directory,
    even though users may have write permission on that
    directory, they cannot remove or rename files other
    than the ones they own; only the file's owner, the
    directory's owner and root may do so
  • An example, the directory /tmp has sticky bit on
    (ls -ld /tmp shows drwxrwxrwt)

21
Setting the Sticky Bit
  • Use
  • chmod o+t directory
  • For example,
  • chmod o+t my_dir
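An added example, not from the original slides, that turns slides 15 to 21 into an audit: the first function finds set-uid and set-gid files (the ones worth reviewing after any change, since each is a privileged process any user can start), the second finds world-writable directories missing the sticky bit (where one user can delete another's files). special_demo builds a constructed scratch tree with one of each case and reports the counts; only POSIX find(1) and ls(1) are used.

```shell
#!/bin/sh
# Added example: auditing a tree for the special bits.
#   - set-uid / set-gid executables: the usual first stop when hunting for
#     privilege-escalation candidates or unexpected changes
#   - world-writable directories without the sticky bit: any user can delete
#     or rename anyone else's files there
# Uses only POSIX find(1); -xdev keeps the scan on one file system.

find_setuid_setgid() {   # $1 = directory to scan
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

find_ww_nosticky() {     # $1 = directory to scan
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print
}

audit_special() {        # human-readable report for a tree
    echo "set-uid / set-gid files under $1:"
    find_setuid_setgid "$1" | while read -r p; do ls -ld "$p"; done
    echo "world-writable directories without sticky bit under $1:"
    find_ww_nosticky "$1" | while read -r p; do ls -ld "$p"; done
}

# Build a constructed scratch tree and print "N M" on the last line: N files
# with set-uid or set-gid, M world-writable directories missing the sticky bit.
special_demo() {
    t=$(mktemp -d) || return 1
    : > "$t/suid"   ; chmod 4755 "$t/suid"        # rwsr-xr-x
    : > "$t/sgid"   ; chmod 2755 "$t/sgid"        # rwxr-sr-x
    : > "$t/plain"  ; chmod 0755 "$t/plain"       # rwxr-xr-x, not reported
    mkdir "$t/tmp_ok"  ; chmod 1777 "$t/tmp_ok"   # rwxrwxrwt, like /tmp
    mkdir "$t/tmp_bad" ; chmod 0777 "$t/tmp_bad"  # rwxrwxrwx, no sticky bit
    audit_special "$t"
    n=$(find_setuid_setgid "$t" | wc -l | tr -d ' ')
    m=$(find_ww_nosticky "$t" | wc -l | tr -d ' ')
    rm -rf "$t"
    echo "$n $m"
}

special_demo
```

Run audit_special / on a real system (as root, so nothing is skipped) and diff the output against a known-good baseline; a new set-uid binary or a shared directory that lost its sticky bit is exactly the kind of change that should be explained.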

22
Misc. Commands
  • Some commands that can help with Assignment 3
  • id display your identity on the system including
    account and groups
  • groups display the groups you are in
  • chgrp change the group of a file or directory
  • Example chgrp accounting testdir
  • chown change the owner and/or group of a file or
    directory; the separator is a colon (GNU chown still
    accepts the older dot form)
  • Example chown greena:manufacturing testfile
    change owner and group
  • Example chown :manufacturing testfile change
    just group

23
Misc. Commands
  • ls -ld list permissions for a directory rather
    than the files within the directory
  • Example ls -ld /tmp
  • type display location for command
  • Example type passwd
  • ps -ax or ps -ef display all processes
  • ps -ax | grep vi display all processes whose
    line contains the string vi; grep does the
    filtering (the grep process itself usually shows
    up in the list too)
  • help cmd display help info about cmd
  • Example help umask or help type
  • su - username substitute user command, used to
    login to another account from the shell, hyphen
    causes the login and shell startup scripts to run
    thereby assuming the operating environment of
    that user

24
Misc. Commands
  • man -k string search the man page descriptions for
    string (may need to create the whatis database
    first with the command makewhatis)
  • Example man -k umask
  • man n string display the entry from section n for
    string. Note there are 9 sections in the man pages
  • Example man 2 umask (the system call, as opposed to
    the shell builtin described in bash's man page)
  • man n intro display the intro page for section n,
    n = 1 to 9
  • man -a string display every man page named string,
    one section after another
  • Example man -a chmod

25
Remote Login
  • There are several remote login utilities that
    allow a user to login to a Linux machine from
    another computer on the network. Telnet is one
    such utility, but it is not used much anymore
    because all transmissions are in clear text even
    the passwords. Secure shell is more commonly
    used now.
  • ssh -l accountname ipaddress
  • Developed by SSH Communications Security, Ltd; the
    implementation shipped with Fedora is OpenSSH
  • TCP/IP remote login
  • Entire transmission encrypted including passwords
  • The server's host key lets the client detect a
    machine impersonating the server via IP or DNS
    spoofing, but only if the fingerprint shown on the
    first connection is checked against a trusted value
  • May check to see if the sshd daemon is running
    using
  • Services utility from the menus
  • System > Administration > Services

26
putty
  • putty is a free remote login utility that runs
    under Windows
  • It allows remote logins to systems using several
    different protocols
  • Windows XP does not provide ssh login by default
  • By using putty under Windows, one may login
    remotely from a Windows XP machine to Linux
  • In the Host Name field, enter the IP address of
    the Linux machine, leave the other fields at
    their defaults
  • Putty is available from the Handouts page on the
    course website

27
End