Security With chmod: Part 2 - Special Bits

Eric Hansen

In the previous guide we covered some basics about chmod and how permissions are set up. While it provides some great security, there are also some finer details involving chmod that we can use to our advantage.
s Bit
The s bit is helpful in that it allows the object's owner and group complete control over what can be accessed while allowing others to access it as well. However, its effect differs when used on an executable compared to a directory.

For an executable, the user running a program with the s bit set gains the privileges of the program's owner. So if a file is owned by root, the s bit is set, and a guest is able to run the program, then the guest gains root privileges through that program for as long as the program is running. While this does pose a major security risk, it does have its uses. The main one is when a program is owned by billing department one and you, in billing department two, need to run it: as long as anyone in billing department two has access to the program, they can run it without issue.

For a directory it's a bit simpler. After a directory has the user or group s bit set, any files or folders created within that directory automatically inherit that ID.

If you don't specify the user or group (u or g), then both are set automatically. Here are some examples.

user and group:
Code:
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524801 -rw-r--r--  1 ehansen ehansen    0 Nov 19 12:16 monkeys
[ehansen@as-l-001-eric ~]$ chmod +s monkeys
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524801 -rwSr-Sr--  1 ehansen ehansen    0 Nov 19 12:16 monkeys

user only:
Code:
[ehansen@as-l-001-eric ~]$ chmod u+s monkeys
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524801 -rwSr--r--  1 ehansen ehansen    0 Nov 19 12:16 monkeys

group only:
Code:
[ehansen@as-l-001-eric ~]$ chmod g+s monkeys
[ehansen@as-l-001-eric ~]$ ls -liha | grep monkeys
524801 -rw-r-Sr--  1 ehansen ehansen    0 Nov 19 12:16 monkeys
t Bit
The sticky, or t, bit has a more useful case. When this bit is set, only the object's owner or a super user (i.e., root) can rename or delete it. /tmp is almost always set with this bit so that no ordinary users can modify another user's data. For example, look at the output on my system:
Code:
[ehansen@as-l-001-eric ~]$ ls -liha / | grep tmp
  6399 drwxrwxrwt  8 root root  200 Nov 19 12:18 tmp
The bit is always set in the world (or other) position, as it affects everyone on the whole system.

While this is a very helpful bit to set, it can also cause system-wide issues when set improperly, especially when chroot or dropped privileges are involved (i.e., when your web server starts as root but ends up running as www-data).
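
An audit that reports each of the bits covered in this guide under a directory tree, including the capital-S case shown for monkeys (setuid set, execute not set). This is an added example, not part of the original guide; the labels SUID, SUID-NOEXEC, SGID, SGID-DIR and NOSTICKY, the function names, and the sample tree are constructed for it.

```sh
#!/bin/sh
# Added example: report the special bits covered above under a directory tree.
# The labels (SUID, SUID-NOEXEC, ...) and make_demo_tree are made up here.

audit_special_bits() {
    root=$1
    # setuid plus owner execute: ls shows "s"; the bit takes effect when run
    find "$root" -type f -perm -4100 | sed 's/^/SUID /'
    # setuid without owner execute: ls shows "S" (the "monkeys" case above)
    find "$root" -type f -perm -4000 ! -perm -0100 | sed 's/^/SUID-NOEXEC /'
    # setgid plus group execute on a regular file
    find "$root" -type f -perm -2010 | sed 's/^/SGID /'
    # setgid directories: new entries take the directory's group
    find "$root" -type d -perm -2000 | sed 's/^/SGID-DIR /'
    # world-writable directories with no sticky bit: any user can delete
    # or rename another user's files there
    find "$root" -type d -perm -0002 ! -perm -1000 | sed 's/^/NOSTICKY /'
}

# Constructed sample tree so the audit has something to report.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    : > "$d/monkeys"
    chmod 644 "$d/monkeys" && chmod u+s "$d/monkeys"   # -rwSr--r--
    printf '#!/bin/sh\n' > "$d/tool"
    chmod 4755 "$d/tool"                               # -rwsr-xr-x
    mkdir "$d/shared" "$d/drop" "$d/tmp"
    chmod 2775 "$d/shared"                             # drwxrwsr-x
    chmod 0777 "$d/drop"                               # drwxrwxrwx
    chmod 1777 "$d/tmp"                                # drwxrwxrwt
    echo "$d"
}

# Audit the path given as $1, or the constructed tree when none is given.
if [ "$#" -gt 0 ]; then
    audit_special_bits "$1"
else
    tree=$(make_demo_tree) && audit_special_bits "$tree"
    rm -rf "$tree"
fi
```

The sample tree's tmp directory is world-writable but carries the t bit, so it is not reported; drop has the same permissions without it and is.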