Security With chmod: Part 2 - Special Bits

Discussion in 'Filesystem' started by Eric Hansen, Nov 19, 2013.

    In the previous guide we covered some basics about chmod and how permissions are set up. While it provides some great security, there are also some finer details of chmod that we can use to our advantage.

    s Bit

    The s bit is helpful in that it allows the object's owner and group complete control over what can be accessed while allowing others to access it as well. However, its effect differs when used on an executable compared to a directory.

    For an executable, the user running the program with the s bit set gains the privileges of the program's owner as well. So if a file is owned by root, but the s bit is set and a guest is able to run the program, then the guest gains root privileges through that program for as long as the program is running. While this does pose a major security risk, it does have its uses. For example, if a program is owned by billing department one and you, in billing department two, need to run it, then as long as anyone in billing department two has access to the program they can run it without issue.

    For a directory it's a bit simpler. After a directory has the user or group s bit set, any files or folders created within that directory automatically inherit that ID.

    If you don't specify the user or group (u or g), then both are set automatically. Here are some examples.

    user and group:
    Code:
    [ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
    524801 -rw-r--r--  1 ehansen ehansen    0 Nov 19 12:16 monkeys
    [ehansen@as-l-001-eric ~]$ chmod +s monkeys
    [ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
    524801 -rwSr-Sr--  1 ehansen ehansen    0 Nov 19 12:16 monkeys

    user only:
    Code:
    [ehansen@as-l-001-eric ~]$ chmod u+s monkeys
    [ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
    524801 -rwSr--r--  1 ehansen ehansen    0 Nov 19 12:16 monkeys

    group only:
    Code:
    [ehansen@as-l-001-eric ~]$ chmod g+s monkeys
    [ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
    524801 -rw-r-Sr--  1 ehansen ehansen    0 Nov 19 12:16 monkeys

    t Bit

    The sticky, or t, bit has a more useful case. When this bit is set, only the object's owner or a super user (i.e. root) can rename or delete it. /tmp is almost always set with this bit so that no ordinary user can modify another user's data. For example, look at the output on my system:
    Code:
    [ehansen@as-l-001-eric ~]$ ls -liha / | grep tmp
      6399 drwxrwxrwt  8 root root  200 Nov 19 12:18 tmp
    The bit is always set in the world (or other) position, since it affects everyone on the whole system.

    While this is a very helpful bit to set, it can also cause system-wide issues when set improperly, especially when chroot or dropped privileges are involved (i.e. when your web server starts as root but finishes running as www-data).
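    As an added example (not part of the original post), here are POSIX shell helpers that decode the special-bit columns of an ls(1) mode string like the ones shown above, inventory setuid/setgid files, and flag world-writable directories that lack the sticky bit; the scratch tree they run against is constructed here, and the file and directory names in it are made up for the demo.

```shell
# Added example, not from the original post. Decode the special bits in an
# ls(1) mode string and audit a tree for the two risks discussed above.
set -eu

# Columns 4, 7 and 10 of a mode string hold setuid, setgid and sticky.
# Lowercase s/t = bit plus execute; uppercase S/T (as on the post's "monkeys"
# file) = bit set without execute, so on a regular file it has no effect.
decode_special() {
    u=$(printf '%s' "$1" | cut -c4)
    g=$(printf '%s' "$1" | cut -c7)
    o=$(printf '%s' "$1" | cut -c10)
    out=""
    case "$u" in s) out="${out}setuid " ;; S) out="${out}setuid(no-exec) " ;; esac
    case "$g" in s) out="${out}setgid " ;; S) out="${out}setgid(no-exec) " ;; esac
    case "$o" in t) out="${out}sticky " ;; T) out="${out}sticky(no-exec) " ;; esac
    out=${out% }
    printf '%s\n' "${out:-none}"
}

# Regular files with setuid (4000) or setgid (2000): each is a privilege boundary.
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# World-writable directories missing the sticky bit: any user could rename or
# delete another user's files there, which is exactly what /tmp's t bit prevents.
find_ww_nosticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# Constructed scratch tree exercising each case; prints its path.
make_demo_tree() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/shared" "$demo_root/dropbox" "$demo_root/plain"
    : > "$demo_root/monkeys"; : > "$demo_root/report"
    chmod 4755 "$demo_root/monkeys"    # setuid executable
    chmod 2755 "$demo_root/report"     # setgid executable
    chmod 2775 "$demo_root/shared"     # setgid dir: new files inherit its group
    chmod 1777 "$demo_root/dropbox"    # sticky, like /tmp: not a finding
    chmod 0777 "$demo_root/plain"      # world-writable, no sticky: a finding
    printf '%s\n' "$demo_root"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_tree)
    echo "setuid/setgid files:"; find_suid_sgid "$d"
    echo "world-writable dirs without sticky bit:"; find_ww_nosticky "$d"
    rm -rf "$d"
fi
```

    Run the file with `--demo` to build the scratch tree and print both reports; on a real host point `find_suid_sgid` and `find_ww_nosticky` at `/` and compare against a known-good baseline.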
