Advanced File Permissions(sgid-suid-stickybit,chattr)
SUID ( setuid ) :-
If SUID bit is set on a file and a user executed it. The process will have the same rights as the owner of the file being executed.
For example: passwd command have SUID bit enabled. When a normal user change his password this script update few system files like /etc/passwd and /etc/shadow which can’t be update by non root account. So that passwd command process always run with root user rights.
———————————–
[root@machine2 ~]# ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 30768 Feb 17 2012 /usr/bin/passwd
———————————–
[root@machine2 ~]# touch sample.txt
[root@machine2 ~]# ls -l sample.txt
-rw-r–r–. 1 root root 0 Feb 8 17:14 sample.txt
[root@machine2 ~]# chmod 4655 sample.txt
[root@machine2 ~]# ls -l sample.txt
-rwSr-xr-x. 1 root root 0 Feb 8 17:14 sample.txt
———————————————–
SGID ( setgid) :-
Same as SUID, The process will have the same group rights of the file being executed. If SGID bit is set on any directory, all sub directories and files created inside will get same group ownership as main directory, it doesn’t matter who is creating.
[root@machine2 ~]# mkdir /test-sgid
[root@machine2 ~]# cd /test-sgid/
[root@machine2 test-sgid]# touch one
[root@machine2 test-sgid]# chmod g+s /test-sgid/
[root@machine2 test-sgid]# ls -l /test-sgid/
-rw-r–r–. 1 root root 0 Feb 8 16:47 one
[root@machine2 test-sgid]# ls -l / | grep test
drwxr-sr-x. 2 root root 4096 Feb 8 16:47 test-sgid
[root@machine2 test-sgid]# chmod 777 /test-sgid/
[root@machine2 test-sgid]# su jack
[jack@machine2 test-sgid]$ touch two
[jack@machine2 test-sgid]$ ls -l
-rw-r–r–. 1 root root 0 Feb 8 16:47 one
-rw-rw-r–. 1 jack root 0 Feb 8 16:50 two
————————————————————-
Sticky Bit :-
The sticky bit is used to indicate special permissions for files and directories. If a directory with sticky bit enabled, will restricts deletion of file inside it. It can be removed by root, owner of file or who have write permission on it. This is usefull for publically accessible directories like /tmp.
[root@machine2 ~]# touch stickfile
[root@machine2 ~]# ls -l | grep stickfile
-rw-r–r–. 1 root root 0 Feb 8 17:23 stickfile
[root@machine2 ~]# chmod +t stickfile
[root@machine2 ~]# ls -l | grep stickfile
-rw-r–r-T. 1 root root 0 Feb 8 17:23 stickfile
[root@machine2 ~]# chmod 777 stickfile
[root@machine2 ~]# su jack
[jack@machine2 root]$ rm -rf stickfile
rm: cannot remove `stickfile’: Permission denied
—————————————————-
[root@machine2 ~]# touch stickfile2
[root@machine2 ~]# ls -l | grep stickfile2
-rw-r–r–. 1 root root 0 Feb 8 17:24 stickfile2
[root@machine2 ~]# chmod 1777 stickfile2
[root@machine2 ~]# ls -l | grep stickfile2
-rwxrwxrwt. 1 root root 0 Feb 8 17:24 stickfile2
[jack@machine2 root]$ rm -rf stickfile2
rm: cannot remove `stickfile2′: Permission denied
In above output it showing sticky bit is set with character t or T in permissions filed. Small t represent that execute permission also enable and capital T represent that execute permission are not enabled.
———————————
[root@machine2 ~]# mkdir stickfiledirectory
[root@machine2 ~]# touch stickfiledirectory/today
[root@machine2 ~]# chmod +t stickfiledirectory/
drwxr-xr-t. 2 root root 4096 Feb 8 17:42 stickfiledirectory
[root@machine2 ~]# cd stickfiledirectory/
[jack@machine2 stickfiledirectory]$ rm -rf today
rm: cannot remove `today’: Permission denied
[root@machine2 stickfiledirectory]# chmod 777 today
[root@machine2 stickfiledirectory]# su jack
[jack@machine2 stickfiledirectory]$ rm -rf today
rm: cannot remove `today’: Permission denied
========================================================================
chattr (Change Attribute) is a command line Linux utility that is used to set/unset certain attributes to a file in Linux system to secure accidental deletion or modification of important files and folders, even though you are logged in as a root user.
In Linux native filesystems i.e. ext2, ext3, ext4, btrfs, etc. supports all the flags, though all the flags won’t support to all non-native FS. One cannot delete or modify file/folder once attributes are sets with chattr command, even though one have full permissions on it.
# chattr [operator] [flags] [filename]
Attributes and Flags
When a file has ‘u‘ attribute is deleted, its data are saved. This enables the user to ask for its undeletion.
= : Keep the existing attributes that the files have
For demonstration purpose, we’ve used folder demo and file important_file.conf respectively. Before setting up attributes, make sure to verify that the existing files have any attributes set using ‘ls -l‘ command. Did you see the results, currently no attribute are set.
[root@machine1 ~]# touch myfile
[root@machine1 ~]# mkdir mydir
-rw-r–r–. 1 root root 0 Jan 28 02:29 myfile
[root@machine1 ~]# chattr +i myfile
[root@machine1 ~]# chattr +i mydir/
-rw-r–r–. 1 root root 0 Jan 28 02:29 myfile
rm: cannot remove `myfile’: Operation not permitted
[root@machine1 ~]# rm -rf mydir/
rm: cannot remove `mydir’: Operation not permitted[root@machine1 ~]# chmod 755 myfile
chmod: changing permissions of `myfile’: Operation not permitted
[root@machine1 ~]# chattr -i myfile mydir/
Append data without Modifying existing data on a File
[root@machine1 ~]# chattr -a myfile

