SetUID and SetGID question

Smoot Carl-Mitchell smoot at tic.com
Sun Sep 11 03:22:09 UTC 2011


On Sun, 2011-09-11 at 05:17 +0300, Ioannis Vranos wrote:

> Correct me if I am wrong, but as far as I know, the Linux "user",
> "group" and "others" permissions for a file (including executables)
> work in this way:
> 
> 
> If the given User is the "user", he gets these permissions,
> 
> else if the given User belongs to the "group", he gets the "group" permissions,
> 
> else the given User gets the "others" permissions.
> 
> 
> Since, when SetUID is set, the given User gets the "user" permissions,
> what else does he get if SetGID is also set?

The process gets all those permissions.  Perhaps an example will help.

Suppose there is a file (call it foo) with the following permissions:

-rw-r-----  smoot wheel    foo

The user "smoot" can read and write the file.  Anyone in the "wheel"
group can read the file, while everyone else has no permissions to the
file.

Suppose there is a user called "fred" who is not in the "wheel" group.
fred has no permissions to read or write the file.  Now if there is a
program called "setuid" with the following permissions:

-rwsrwxr-x    smoot  user  setuid

When fred runs the setuid program, he has permissions to read or write
the file "foo" (assuming the program is written to open the file
"foo").  Now suppose there is a setgid program called "setgid":

-rwxrwsr-x    smoot  wheel setgid

If fred runs this program, he only has permissions to read the file
"foo".  Now it is true in this example that the setgid permissions are a
subset of the setuid permissions for the file "foo", but that does not
need to be the case.  Suppose the permissions on "foo" are:

-r--rw----    smoot   wheel    foo

Now the setuid program only has permission to read the file, while the
setgid program can read and write the file.  It is true the owner of the
file can change permissions on any file it owns, but an attempt to open
the file "foo" for writing will fail for any setuid program owned by
"smoot".

The permissions in practice can be more complicated, since it is
possible to switch between the setuid or setgid permissions and the
permissions of the user invoking the program.  See the setuid man page
for details.

-- 
Smoot Carl-Mitchell
System/Network Architect
voice: +1 480 922-7313
cell: +1 602 421-9005
smoot at tic.com