@jialin.huang

© 2024 jialin00.com

Original content since 2022


rwxrwxrwx Also, SUID, SGID & SBIT?

As you may know: the default columns

You already know about rwx rwx rwx, representing owner, group, and others respectively. Each has its own rwx triple; if you're the owner, you look at the first one.

Using ls -l, you'll see these symbols before the file name:

  • Directories typically have x, which means they can be opened
  • Locally created files usually don't have @
  • @ indicates extended attributes: additional metadata attached to the file or directory, beyond the standard Unix permissions and ownership information
    • Think of it like an index key in a database
    • For a screenshot image, the camera model, for instance
    • macOS files and datasets usually carry com.apple.macl, a more fine-grained permission mechanism than traditional rwx, but that's managed by the system. We humans just manage rwx.

 $  ls -l
total 6832
-rw-r--r--@  1 jialinhuang  staff    78529 25 Sep 14:12 Screenshot 2024-09-25 at 2.12.56 PM.png
-rw-r--r--@  1 jialinhuang  staff        5 25 Sep 16:57 localFile.txt
drwxr-xr-x@ 10 jialinhuang  staff      320 25 Mar  2024 github-project
drwxr-xr-x@  6 jialinhuang  staff      192 20 Sep 10:03 github-project-2
drwxr-xr-x   9 jialinhuang  staff      288 20 Sep 10:16 localDirectory
drwxr-xr-x@ 23 jialinhuang  staff      736 24 Sep 14:01 abcdirectory
-rw-rw-r--@  1 jialinhuang  staff   465188 19 Sep 13:39 random.pdf
Type                   Owner   Group   Others   Extended attributes
-, d, l, b, c, p, s    rwx     rwx     rwx      @

-  default, a regular file
d  a directory
If SUID is set, the owner triple reads rws
If SGID is set, the group triple reads rws
If the sticky bit is set, the others triple reads rwt

When a machine has many users

Plain rwx permissions control basic access to files and directories, but they fall short in multi-user environments, which is why SUID, SGID, and the sticky bit were introduced.

Several people work on the same resource, but they belong to different groups and keep having to adjust permissions by hand?

sgid comes up.

Everyone works on the same resource, but anyone can freely change what's inside, deleting other people's work?

sticky comes up.

A resource is owned by one user, but in practice everyone needs to operate on it, and they can't because they're not the owner?

suid comes up.

SUID (Set User ID)

User here means the file's owner.
This s sits in the owner's rwx triple and looks like this:

-rwsr-xr-x

When the owner's execute slot shows s, anyone who runs the file does so with the owner's identity, even if they are not the owner.

You're not the owner, but you can fake it.

One you've definitely used before: in a VM or container, when setting permissions or passwords, you run su - to raise your current privileges to root's, even though you're still not root.

chmod u+s <file name>

SGID (Set Group ID)

This s sits in the group's rwx triple:

-rwxr-sr-x

  • For files: when set on an executable, the program runs with the permissions of the file's group.

    You belong to group A and need to change something that belongs to group B. You can run group B's program, but remember you are only acting as if you were in group B.

  • For directories: files created in an SGID directory inherit the directory's group, rather than the primary group of the user creating them.

    You can still work inside group B's directory, but whatever you create there belongs to group B, not to your group A.

chmod g+s <file or directory>

Sticky

In a place where everyone can operate, setting t means each user is limited to adding or removing files they own. It can be applied to a file or a directory, but you can only change the part that belongs to you.

chmod +t <directory>
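The three scenarios above are also what an administrator checks for afterwards: a shared directory that everyone can write to but that lacks the sticky bit, and executables carrying SUID or SGID. The following is an added example, not code from the post, showing how to express those checks on st_mode and run them over a directory tree; the tree it scans (shared_ok, shared_bad, private, tool, notes.txt) is constructed inside the script purely for the demonstration.

```python
import os
import stat
import tempfile

# The two situations the post motivates, expressed as checks on st_mode:
#  - a directory everyone can write to but without the sticky bit lets any
#    user delete or rename any other user's files inside it;
#  - a file with SUID/SGID runs with its owner's/group's identity, so every
#    such file should be known and deliberate.


def classify(st_mode: int) -> list:
    """Return the findings for one directory entry (empty list = nothing)."""
    findings = []
    if stat.S_ISDIR(st_mode):
        if st_mode & stat.S_IWOTH and not st_mode & stat.S_ISVTX:
            findings.append("world-writable directory without sticky bit")
    elif stat.S_ISREG(st_mode):
        if st_mode & stat.S_ISUID:
            findings.append("SUID file")
        if st_mode & stat.S_ISGID and st_mode & stat.S_IXGRP:
            findings.append("SGID executable")
        if st_mode & (stat.S_ISUID | stat.S_ISGID) and st_mode & stat.S_IWOTH:
            findings.append("special bit on a world-writable file")
    return findings


def scan(root: str) -> list:
    """Walk root without following symlinks and return sorted
    (relative path, ls-style mode string, finding) triples."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)               # lstat: do not follow links
            for finding in classify(st.st_mode):
                rel = os.path.relpath(full, root)
                out.append((rel, stat.filemode(st.st_mode), finding))
    return sorted(out)


def demo() -> list:
    """Build a constructed tree with one good and one bad shared directory
    plus one SUID tool, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("shared_ok", 0o1777),   # sticky: safe to share
                           ("shared_bad", 0o777),   # anyone can delete anything
                           ("private", 0o700)):
            os.mkdir(os.path.join(tmp, name))
            os.chmod(os.path.join(tmp, name), mode)
        for name, mode in (("tool", 0o4755), ("notes.txt", 0o644)):
            open(os.path.join(tmp, name), "w").close()
            os.chmod(os.path.join(tmp, name), mode)
        return scan(tmp)


if __name__ == "__main__":
    for rel, shown, finding in demo():
        print(f"{shown}  {rel}: {finding}")
```

Running it prints only shared_bad and tool; shared_ok passes because its sticky bit is set, and notes.txt passes because it carries no special bit. Point scan() at a real directory such as a shared upload area to run the same check there.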

Setting Permissions: chmod

Using Symbols

  1. Basic usage

    a: all, u: user (owner), g: group, o: others

    chmod <a|u|g|o>...<+|-><r|w|x>...
    
    # Allow read for all
    chmod a+r <file>
    # Allow full access for all
    chmod a+rwx <file>
    # Allow write for group and others
    chmod go+w <file>
  2. Directory execute permission: for a directory, x means "may be opened/entered":
    $  chmod u-x normal-dir
    $  cd normal-dir
    cd: permission denied: normal-dir
    
    # add back the right to enter it
    $  chmod u+x normal-dir
  3. Special permissions (SUID, SGID, Sticky):
    # Set SUID
    chmod u+s <file>
    # Set SGID
    chmod g+s <file>
    # Set Sticky bit
    chmod +t <directory>
    # Note: u+t and g+t have no effect (no error, but no change)
    
    # "s" with no target applies to both user and group
    chmod +s test
    # Equivalent to
    chmod u+s test
    chmod g+s test

Using Numbers

  1. Special permission numbers (the leading digit of a four-digit mode):
    SUID SGID Sticky Binary Octal Description
    -    -    -      000    0     No special permissions
    -    -    t      001    1     Sticky bit only
    -    s    -      010    2     SGID only
    -    s    t      011    3     SGID and Sticky
    s    -    -      100    4     SUID only
    s    -    t      101    5     SUID and Sticky
    s    s    -      110    6     SUID and SGID
    s    s    t      111    7     All special permissions
    
    
    chmod 4755 file       # Set SUID numerically
    chmod 2755 directory  # Set SGID numerically
    chmod 1755 directory  # Set sticky bit numerically
  2. SGID example:
    # Set SGID. If the group already has execute permission (?????x???), ls shows 's'; otherwise 'S'
    # On macOS the command always takes a lowercase 's', even when 'x' is absent; ls decides whether to display 's' or 'S'
    chmod g+s test
    # Equivalent to (for a file whose mode was 644)
    chmod 2644 test
  3. Numeric vs Symbolic notation: a numeric mode replaces the entire rwxrwxrwx set, while a symbolic one changes only the bits named. For example:
    # Allow execute for all (symbolic)
    chmod a+x <file>
    
    # Equivalent to
    chmod u+x <file>
    chmod g+x <file>
    chmod o+x <file>
    
    # NOT equivalent to the numeric form below:
    # it also removes any existing r and w permissions
    chmod 111 <file>

More examples

# Remove all permissions
chmod 000 <file>
# Results in: ---------

# Set full permissions for owner, none for others
chmod 700 <file>
# Results in: rwx------

# Remove execute for others (assuming starting from 755)
chmod o-x <file>
# Results in: rwxr-xr--

# Remove execute for user and others
chmod uo-x <file>
# Results in: rw-r-xr--

# Change owner (requires sudo)
sudo chown root <file>

Uppercase S & T: What Do They Mean?

The uppercase S and T in file permissions indicate that the SUID, SGID, or sticky bit is set, but the corresponding execute permission is not present. This distinction is important to understand:

  • If the rwx permissions are set to 0 and you grant special permissions (SUID, SGID, or sticky bit), you'll see uppercase S or T in the output.
  • The uppercase S and T merely reflect the state of special permissions when execute rights are absent. The actual ability to access the file is primarily determined by the rwx permissions.
chmod 0 cat.txt
# Remove all permissions

chmod 7000 cat.txt
# Set SUID, SGID, and sticky bit without any rwx permissions
# Results in:
# ---S--S--T   1 jialinhuang  staff        5 25 Sep 16:57 cat.txt
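The ls column layout, the symbolic and numeric chmod forms, and the uppercase S/T rule above can all be checked with one small script. This is an added example, not code from the post: decode() turns an ls mode string into a mode number, apply() applies a chmod-style argument to a mode number following the rules the post gives (a missing who means a, s means SUID for u and SGID for g, t only takes effect for o or a, a numeric mode replaces everything), and show_on_disk() confirms the results against real os.chmod behaviour on a scratch file. The names are mine; one assumption is that the umask, which a real chmod applies to a bare +x with no who, is ignored.

```python
import os
import stat
import tempfile

# ls prints the nine rwx bits in this order; each special bit shares a column
# with one execute bit (owner x -> SUID, group x -> SGID, others x -> sticky).
_RWX_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
_SPECIAL_AT = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
_WHO_MASK = {"u": 0o700, "g": 0o070, "o": 0o007}


def decode(ls_mode: str) -> int:
    """'-rwsr-xr-x' -> 0o4755.  Lowercase s/t = special bit plus x,
    uppercase S/T = special bit without x (the post's uppercase rule)."""
    perm = ls_mode[1:10]
    if len(perm) != 9:
        raise ValueError("expected a 10-character ls mode like -rwxr-xr-x")
    mode = 0
    for i, ch in enumerate(perm):
        if ch == "-":
            continue
        if i in _SPECIAL_AT and ch in "sStT":
            mode |= _SPECIAL_AT[i]
            if ch.islower():              # s/t also carry the x bit
                mode |= _RWX_BITS[i]
        elif ch == "rwx"[i % 3]:
            mode |= _RWX_BITS[i]
        else:
            raise ValueError(f"unexpected {ch!r} at position {i + 2}")
    return mode


def encode(mode: int, is_dir: bool = False) -> str:
    """0o7000 -> '---S--S--T'.  stat.filemode needs a file-type bit."""
    kind = stat.S_IFDIR if is_dir else stat.S_IFREG
    return stat.filemode(kind | (mode & 0o7777))


def apply(arg: str, mode: int) -> int:
    """Apply one chmod argument ('4755' or 'go+w,u+s') to a mode number."""
    arg = arg.strip()
    if arg.isdigit():                     # numeric: replaces every bit
        return int(arg, 8) & 0o7777
    for clause in arg.split(","):
        n = 0
        while n < len(clause) and clause[n] in "augo":
            n += 1
        who = clause[:n] or "a"           # no who given: treat as 'a'
        who = "ugo" if "a" in who else who
        if n == len(clause) or clause[n] not in "+-=":
            raise ValueError(f"bad clause {clause!r}")
        op, perms = clause[n], clause[n + 1:]
        bits = 0
        for w in who:
            for p in perms:
                if p in "rwx":
                    bits |= _WHO_MASK[w] & {"r": 0o444, "w": 0o222, "x": 0o111}[p]
                elif p == "s":            # u+s -> SUID, g+s -> SGID, o+s -> nothing
                    bits |= {"u": stat.S_ISUID, "g": stat.S_ISGID, "o": 0}[w]
                elif p == "t":            # only o (or a) reaches the sticky bit
                    bits |= stat.S_ISVTX if w == "o" else 0
                else:
                    raise ValueError(f"unknown permission {p!r}")
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                             # '=': reset the named triples first
            clear = sum(_WHO_MASK[w] for w in who)
            mode = (mode & ~clear) | bits
    return mode & 0o7777


def show_on_disk(args, is_dir=False):
    """Apply the arguments with the real os.chmod on a scratch entry and
    return the ls-style strings observed after each step."""
    seen = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "scratch")
        if is_dir:
            os.mkdir(path)
        else:
            open(path, "w").close()
        mode = 0o755 if is_dir else 0o644
        os.chmod(path, mode)
        for arg in args:
            mode = apply(arg, mode)
            os.chmod(path, mode)
            seen.append(stat.filemode(os.lstat(path).st_mode))
        os.chmod(path, 0o700)             # so the scratch entry can be removed
    return seen


if __name__ == "__main__":
    for s in ("-rwsr-xr-x", "drwxrwxrwt", "---S--S--T"):
        print(f"{s} = {decode(s):04o}")
    print(encode(apply("a+x", 0o644)), "vs", encode(apply("111", 0o644)))
    print(show_on_disk(["a+x", "u+s", "7000"]))
```

The last line of the main block reproduces the post's sequence on a throwaway file: a+x gives -rwxr-xr-x, u+s gives -rwsr-xr-x, and 7000 gives ---S--S--T, the uppercase form because the numeric mode wiped the execute bits while setting all three special bits.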

What if we chmod 0 /bin/chmod?

😨

Don't panic!

That command strips every permission bit from the chmod binary itself, so no regular user can run it any more, but there is still a way out:

The root user, as the superuser, is not bound by normal permission checks and can restore the mode. The same thing in miniature, on a text file:

$  chmod 0 cat.txt
$  cat cat.txt
cat: cat.txt: Permission denied

$  sudo cat cat.txt
Password:
ahha

https://www.cis.rit.edu/class/simg211/unixintro/Access_Permissions.html

https://dywang.csie.cyut.edu.tw/dywang/linuxsecurity/node39.html

https://www.quora.com/What-is-the-result-of-chmod-000-which-chmod-What-exactly-are-the-after-effects
