SetUID and SetGID question
Ioannis Vranos
ioannis.vranos at gmail.com
Sun Sep 11 14:51:41 UTC 2011
On Sun, Sep 11, 2011 at 6:22 AM, Smoot Carl-Mitchell <smoot at tic.com> wrote:
>
> The process gets all those permissions. Perhaps an example will help.
>
> Suppose there is a file (call it foo) with the following permissions:
>
> -rw-r----- smoot wheel foo
>
> The user "smoot" can read and write the file. Anyone in the "wheel"
> group can read the file, while everyone else has no permissions to the
> file.
>
> Suppose there is a user called "fred" who is not in the "wheel" group.
> fred has no permissions to read or write the file. Now if there is a
> program called "setuid" with the following permissions:
>
> -rwsrwxr-x smoot user setuid
>
> When fred runs the setuid program, he has permissions to read or write
> the file "foo". ( assuming the program is written to open the file
> "foo"). Now suppose there is a setgid program called "setgid":
>
> -rwxrwsr-x smoot wheel setgid
>
> If fred runs this program, he only has permissions to read the file
> "foo". Now it is true in this example that the setgid permissions are a
> subset of the setuid permissions for the file "foo", but that does not
> need to be the case. Suppose the permissions on "foo" are:
>
> -r--rw---- smoot wheel foo
>
> Now the setuid program only has permission to read the file, while the
> setgid program can read and write the file. It is true the owner of the
> file can change permissions on any file it owns, but an attempt to open
> the file "foo" for writing will fail for any setuid program owned by
> "smoot".
>
> The permissions in practice can be more complicated, since it is
> possible to switch between the setuid or setgid permissions and the
> permissions of the user invoking the program. See the setuid man page
> for details.
Thank you for this information.
Question: If the file foo has the following permissions:
-r---w---- 1 someUser someGroup 36 2011-08-09 23:09 foo
and we access it with an executable that has both SetUID and SetGID active:
-rwsr-sr-x 1 someUser someGroup 869 2011-07-26 17:38 someExecutable
Does this executable have both read and write access to the foo above?
--
Ioannis Vranos
http://www.cpp-software.net
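An added example, not part of the thread, that models the rule the quoted explanation relies on: after exec, the set-id bits decide the effective uid and gid, and the kernel then consults exactly one permission class (owner bits if the effective uid matches the file's owner, otherwise group bits if the effective gid or a supplementary group matches, otherwise the other bits), never a union of classes. User and group names are constructed string labels standing in for numeric ids, and nothing here touches the real filesystem. The model replays the `-rw-r-----` and `-r--rw----` cases from the quoted message and the `-r---w----` file with a `-rwsr-sr-x` executable from the question; for that last case it yields read only, because once the effective uid matches the owner the group bits are not looked at.

```python
import stat
from dataclasses import dataclass


@dataclass
class File:
    owner: str
    group: str
    mode: int            # permission bits, stat.S_I* values
    setuid: bool = False
    setgid: bool = False


@dataclass
class Process:
    euid: str
    egid: str
    groups: frozenset = frozenset()   # supplementary group names


def parse_mode(text):
    """ls-style '-rwsr-sr-x' -> (bits, setuid, setgid); 'S' is set-id without x."""
    if len(text) != 10:
        raise ValueError("expected a 10-character mode string")
    classes = (
        (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
        (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
        (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
    )
    bits, setuid, setgid = 0, False, False
    for cls, (rbit, wbit, xbit) in enumerate(classes):
        r, w, x = text[1 + 3 * cls:4 + 3 * cls]
        if r == "r":
            bits |= rbit
        if w == "w":
            bits |= wbit
        if x in "xst":            # 't' is the sticky bit in the other slot
            bits |= xbit
        if cls == 0 and x in "sS":
            setuid = True
        if cls == 1 and x in "sS":
            setgid = True
    return bits, setuid, setgid


def make_file(owner, group, ls_mode):
    bits, su, sg = parse_mode(ls_mode)
    return File(owner, group, bits, su, sg)


def exec_program(invoker, program):
    """Effective ids of the new process when `invoker` runs `program`."""
    euid = program.owner if program.setuid else invoker.euid
    egid = program.group if program.setgid else invoker.egid
    return Process(euid, egid, invoker.groups)   # supplementary groups carry over


def may_access(proc, f, want):
    """Can `proc` open `f` for every letter in `want` ('r', 'w', 'x')?

    Exactly one class is consulted: owner if euid matches, else group if
    egid or a supplementary group matches, else other.  Never merged.
    """
    if proc.euid == "root":
        # Superuser override: read/write always, execute only if some x bit is set.
        return all(ch != "x" or f.mode & 0o111 for ch in want)
    if proc.euid == f.owner:
        shift = 6
    elif proc.egid == f.group or f.group in proc.groups:
        shift = 3
    else:
        shift = 0
    bit_for = {"r": 4, "w": 2, "x": 1}
    return all((f.mode >> shift) & bit_for[ch] for ch in want)


def describe(proc, f):
    """The subset of 'rwx' that `proc` is allowed on `f`, as a string."""
    return "".join(ch for ch in "rwx" if may_access(proc, f, ch))


def thread_cases():
    """Replay the configurations discussed in the thread (constructed labels)."""
    fred = Process(euid="fred", egid="user")          # not a member of wheel
    setuid_prog = make_file("smoot", "user", "-rwsrwxr-x")
    setgid_prog = make_file("smoot", "wheel", "-rwxrwsr-x")
    both_prog = make_file("someUser", "someGroup", "-rwsr-sr-x")
    foo_rw_r = make_file("smoot", "wheel", "-rw-r-----")
    foo_r_rw = make_file("smoot", "wheel", "-r--rw----")
    foo_r_w = make_file("someUser", "someGroup", "-r---w----")
    return {
        "fred directly, -rw-r-----": describe(fred, foo_rw_r),
        "setuid, -rw-r-----": describe(exec_program(fred, setuid_prog), foo_rw_r),
        "setgid, -rw-r-----": describe(exec_program(fred, setgid_prog), foo_rw_r),
        "setuid, -r--rw----": describe(exec_program(fred, setuid_prog), foo_r_rw),
        "setgid, -r--rw----": describe(exec_program(fred, setgid_prog), foo_r_rw),
        "setuid+setgid, -r---w----": describe(exec_program(fred, both_prog), foo_r_w),
    }


if __name__ == "__main__":
    for label, perms in thread_cases().items():
        print(f"{label:28} -> {perms or '(none)'}")
```

The `may_access` check is the part worth keeping in mind when reviewing a set-id binary: a process that matches the file owner is judged on the owner bits alone, so a mode like `-r---w----` gives the owner less than it gives the group, and a binary that is both setuid and setgid to that owner/group pair still only gets the owner's read bit.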