SetUID and SetGID question

Ioannis Vranos ioannis.vranos at gmail.com
Sun Sep 11 14:51:41 UTC 2011


On Sun, Sep 11, 2011 at 6:22 AM, Smoot Carl-Mitchell <smoot at tic.com> wrote:
>
> The process gets all those permissions.  Perhaps an example will help.
>
> Suppose there is a file (call it foo) with the following permissions:
>
> -rw-r-----  smoot wheel    foo
>
> The user "smoot" can read and write the file.  Anyone in the "wheel"
> group can read the file, while everyone else has no permissions to the
> file.
>
> Suppose there is a user called "fred" who is not in the "wheel" group.
> fred has no permissions to read or write the file.  Now if there is a
> program called "setuid" with the following permissions:
>
> -rwsrwxr-x    smoot  user  setuid
>
> When fred runs the setuid program, he has permissions to read or write
> the file "foo" (assuming the program is written to open the file
> "foo").  Now suppose there is a setgid program called "setgid":
>
> -rwxrwsr-x    smoot  wheel setgid
>
> If fred runs this program, he only has permissions to read the file
> "foo".  Now it is true in this example that the setgid permissions are a
> subset of the setuid permissions for the file "foo", but that does not
> need to be the case.  Suppose the permissions on "foo" are:
>
> -r--rw----    smoot   wheel    foo
>
> Now the setuid program only has permission to read the file, while the
> setgid program can read and write the file.  It is true the owner of the
> file can change permissions on any file it owns, but an attempt to open
> the file "foo" for writing will fail for any setuid program owned by
> "smoot".
>
> The permissions in practice can be more complicated, since it is
> possible to switch between the setuid or setgid permissions and the
> permissions of the user invoking the program.  See the setuid man page
> for details.

Thank you for this information.

Question: If the file foo has the following permissions:

-r---w----  1 someUser someGroup   36 2011-08-09 23:09 foo

and we access it with an executable that has both SetUID and SetGID active:

-rwsr-sr-x  1 someUser someGroup  869 2011-07-26 17:38 someExecutable

does this executable have both read and write access to the foo above?

-- 
Ioannis Vranos

http://www.cpp-software.net
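The following is an added worked example, not code from either poster: a small Python model of the POSIX permission check a kernel applies when a process opens a file, together with the credential change caused by the setuid and setgid bits. It replays Smoot's scenarios for the user "fred" and the case asked about above. User and group names are plain string labels standing in for numeric uid/gid values (a constructed simplification); the model deliberately ignores ACLs, capabilities such as CAP_DAC_OVERRIDE, and a program switching its own effective ids with seteuid/setegid, which is the complication the setuid man page covers.

```python
"""Model of the POSIX discretionary permission check that decides what a
process may do to a file, plus the credential change caused by the setuid
and setgid bits on an executable. User/group names are string labels
(a constructed stand-in for numeric uid/gid values), not real accounts."""
import stat

# Mode bit for each of the nine rwx characters in an ls(1) listing.
_PERM_BITS = (
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
)
# Special bits that ls prints in place of the execute character:
# 's' in the owner/group slot is setuid/setgid, 't' in the other slot is sticky.
_SPECIAL = {2: ("s", stat.S_ISUID), 5: ("s", stat.S_ISGID), 8: ("t", stat.S_ISVTX)}


def parse_mode(ls_field):
    """Convert an ls mode field such as '-rwsr-sr-x' into a numeric mode."""
    if len(ls_field) < 10:
        raise ValueError("expected a 10-character ls mode field")
    mode = 0
    for i, ch in enumerate(ls_field[1:10]):
        if ch == "-":
            continue
        if ch == "rwx"[i % 3]:
            mode |= _PERM_BITS[i]
        elif i in _SPECIAL and ch.lower() == _SPECIAL[i][0]:
            mode |= _SPECIAL[i][1]
            if ch.islower():  # lowercase means the execute bit is set as well
                mode |= _PERM_BITS[i]
        else:
            raise ValueError(f"unexpected character {ch!r} at position {i + 1}")
    return mode


def effective_ids(prog_mode, prog_owner, prog_group, real_uid, real_gid):
    """Credentials a process holds after exec'ing a program: setuid replaces the
    effective uid with the file owner, setgid the effective gid with the file group."""
    euid = prog_owner if prog_mode & stat.S_ISUID else real_uid
    egid = prog_group if prog_mode & stat.S_ISGID else real_gid
    return euid, egid


def access_rights(file_mode, file_owner, file_group, euid, egid, groups=()):
    """Rights the process has on the file under the POSIX class rule: the owner
    class applies when euid matches the owner, otherwise the group class when
    egid (or a supplementary group) matches, otherwise the other class. Exactly
    one class is consulted; the bits of the classes are never combined."""
    if euid == file_owner:
        shift = 6
    elif egid == file_group or file_group in groups:
        shift = 3
    else:
        shift = 0
    bits = (file_mode >> shift) & 0o7
    names = (("read", 4), ("write", 2), ("execute", 1))
    return frozenset(name for name, bit in names if bits & bit)


def rights_via_program(program, target, real_uid, real_gid, groups=()):
    """Rights on `target` obtained by running `program`; both are
    (ls_mode, owner, group) triples using the constructed string labels."""
    pmode, powner, pgroup = program
    fmode, fowner, fgroup = target
    euid, egid = effective_ids(parse_mode(pmode), powner, pgroup, real_uid, real_gid)
    return access_rights(parse_mode(fmode), fowner, fgroup, euid, egid, groups)


def thread_examples():
    """Replay the scenarios from the thread for 'fred', who is not in 'wheel'
    and whose real uid and gid are both the label 'fred'."""
    setuid_prog = ("-rwsrwxr-x", "smoot", "user")
    setgid_prog = ("-rwxrwsr-x", "smoot", "wheel")
    both_prog = ("-rwsr-sr-x", "someUser", "someGroup")
    foo_a = ("-rw-r-----", "smoot", "wheel")
    foo_b = ("-r--rw----", "smoot", "wheel")
    foo_c = ("-r---w----", "someUser", "someGroup")
    return {
        "setuid on -rw-r-----": rights_via_program(setuid_prog, foo_a, "fred", "fred"),
        "setgid on -rw-r-----": rights_via_program(setgid_prog, foo_a, "fred", "fred"),
        "setuid on -r--rw----": rights_via_program(setuid_prog, foo_b, "fred", "fred"),
        "setgid on -r--rw----": rights_via_program(setgid_prog, foo_b, "fred", "fred"),
        "setuid+setgid on -r---w----": rights_via_program(both_prog, foo_c, "fred", "fred"),
    }


if __name__ == "__main__":
    for label, rights in thread_examples().items():
        print(f"{label:30} -> {sorted(rights) or ['none']}")
```

The design point is the single-class rule in `access_rights`: when the effective uid matches the owner, only the owner bits count, so group bits that grant more cannot be picked up through the effective gid. That is why a defender auditing a setuid-plus-setgid binary should reason about each file it touches from the owner class downward rather than assuming the union of the two identities.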