topic Re: setuid,setgid,stickybit in Operating System - HP-UX

setuid,setgid,stickybit

sjana — Sun, 16 Jan 2005 09:41:52 GMT

Hi,

Could anyone, explain setuid,setgid,stickybit in hpux with examples

thanks in advance.

tar
siva

Re: setuid,setgid,stickybit

steven Burgess_2 — Sun, 16 Jan 2005 10:11:10 GMT

Hello

From the HP Certified Book

setuid and setgid plays an important role when you want to execute a programm with higher priviliges. For example, when you change your passwd you modify /etc/passwd. Only root has permission to modify this. This is possible because the command /bin/passwd has the setuid bit set (chmod u+s /bin/passwd). So whenever a user issues the command, it runs as root

stickybit

represented by 't' and is set using the chmod u+t command

The use for the sticky bit for directories has a significant advantage. If the sticky bit for the directory area is set, users can use that area as a public area for file sharing. Any file present in a directory with the sticky bit set can only be deleted by the owner. It may be useful to set the sticky bit for /tmp where users can safely put and delete temporary or sharable files

HTH

Steve

Re: setuid,setgid,stickybit

sjana — Sun, 16 Jan 2005 10:30:57 GMT

hi steven Burgess,

Thanks for your notes,

Could you pls. explain how to set setuid & setgid & sticky bit for a user/group/file using commands

tar
siva

Re: setuid,setgid,stickybit

Mic V. — Sun, 16 Jan 2005 12:36:36 GMT

These examples use symbolic notation. Some prefer to use octal (numbers) notation, but I feel symbolic notation for chmod is more useful for the learner (and easier for my dyxlexic brain to remember!). To set the sticky bit on /tmp, making it so only the owner or superuser can delete files:

chmod +t /tmp

ls -ld /tmp

drwxrwxrwt ... /tmp

To make your newly compiled sudo command imitate root:

chmod o+s /home/src/sudo-1.6/sudo

ls -l /home/src/sudo-1.6/sudo

-rwsr-xr-x ... root sys ... sudo

To make your Netscape command setgid so only "browser" group members can run it (there's probably more required to actually implement this fully):

chmod g+s /opt/netscape/bin/netscape

ls -l /opt/netscape/bin/netscape

-rwxr-s--- ... apps browser ... netscape

Have fun,
Mic

Re: setuid,setgid,stickybit

Biswajit Tripathy — Sun, 16 Jan 2005 14:52:48 GMT

Since setuid and setgid have been already covered
in the previous replies, I will not repeate that.

The sticky bit has 2 purposes depending on the file
type (a regular binary file or a directory file). Setting
the sticky bit for a binary is a way of telling the
unix kernel that the binary will be executed frequently (like, for example, a populat editor like
"vi"). So the kernel would keep this file in the swap
space and the subsequent invocation of this
program would be quick. If sticky bit is set for a
directory, all users can have read/write permission
on all files in that directory; but only the owner
can remove/rename the file. And, ofcourse, only
root can turn on the sticky bit.

- Biswajit

Re: setuid,setgid,stickybit

Mic V. — Sun, 16 Jan 2005 16:32:09 GMT

The sticky bit did keep "text" in memory for faster execution back around 4.3 BSD. But I thought I'd read that this usage had been dropped...maybe it was another version of UNIX. At any rate, the HP man pages say:

"If an executable file is prepared for sharing, mode bit S_ISVTX prevents the system from abandoning the swap-space image of the program-text portion of the file when its last user terminates. Then, when the next user of the file executes it, the text need not be read from the file system but can simply be swapped in, thus saving time.

If the mode bit S_ISVTX (sticky bit) is set on a directory, files inside the directory may be renamed or removed only by the owner of the file, the owner of the directory, or the superuser (even if the modes of the directory would otherwise allow such an operation)."

http://docs.hp.com/en/B2355-60103/chmod.2.html

Thanks for pointing out that it's still around.

Re: setuid,setgid,stickybit

Thierry Poels_1 — Mon, 17 Jan 2005 01:47:33 GMT

hi,

one yet uncovered feature of setgid:

if you are owner of a directory or if you are root, then you can create a subdirectory and execute "chmod g+s subdir".
All files created in this subdirectory will then inherit the group of the subdirectory.

#id
uid=1000(user) gid=101(users)
#mkdir subdir
#ll -d subdir
drwxr-xr-x 2 user users 96 Jan 17 07:43 subdir
#touch subdir/before
#chgrp testgrp subdir
#chmod g+s subdir
#touch subdir/after
#ll subdir
-rw-r--r-- 1 user tstgrp 0 Jan 17 07:45 after
-rw-r--r-- 1 user users 0 Jan 17 07:45 before

regards,
Thierry Poels.

Re: setuid,setgid,stickybit

Andrew Cowan — Mon, 17 Jan 2005 03:45:04 GMT

Two other tiny points that are worth noting are:

Files can be SGID/SUID and not executable and in this case they show as:

rwSrwSr-- myfile

When a shell script has the SUID bit set (and it belongs to a privileged user such as root), the SUID is not honoured and the script executes with normal privileges.