Operating System - HP-UX
Re: setuid,setgid,stickybit

sjana
Occasional Advisor

setuid,setgid,stickybit

Hi,

Could anyone explain setuid, setgid and the sticky bit in HP-UX, with examples?

thanks in advance.

tar
siva
steven Burgess_2
Honored Contributor
Solution

Re: setuid,setgid,stickybit

Hello

From the HP Certified Book

setuid and setgid play an important role when you want to execute a program with higher privileges. For example, when you change your password you modify /etc/passwd. Only root has permission to modify this. This is possible because the command /bin/passwd has the setuid bit set (chmod u+s /bin/passwd). So whenever a user issues the command, it runs as root.

stickybit

represented by 't' and set using the chmod u+t command.

The use for the sticky bit for directories has a significant advantage. If the sticky bit for the directory area is set, users can use that area as a public area for file sharing. Any file present in a directory with the sticky bit set can only be deleted by the owner. It may be useful to set the sticky bit for /tmp where users can safely put and delete temporary or sharable files

HTH

Steve
take your time and think things through
sjana
Occasional Advisor

Re: setuid,setgid,stickybit

hi steven Burgess,

Thanks for your notes,

Could you please explain how to set setuid, setgid and the sticky bit for a user/group/file using commands?

tar
siva
Mic V.
Esteemed Contributor

Re: setuid,setgid,stickybit

These examples use symbolic notation. Some prefer to use octal (numeric) notation, but I feel symbolic notation for chmod is more useful for the learner (and easier for my dyslexic brain to remember!). To set the sticky bit on /tmp, making it so only the owner or superuser can delete files:

chmod +t /tmp

ls -ld /tmp

drwxrwxrwt ... /tmp

To make your newly compiled sudo command imitate root:

chmod u+s /home/src/sudo-1.6/sudo

ls -l /home/src/sudo-1.6/sudo

-rwsr-xr-x ... root sys ... sudo

To make your Netscape command setgid so only "browser" group members can run it (there's probably more required to actually implement this fully):

chmod g+s /opt/netscape/bin/netscape

ls -l /opt/netscape/bin/netscape

-rwxr-s--- ... apps browser ... netscape

Have fun,
Mic


What kind of a name is 'Wolverine'?
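The three chmod forms from the reply above, run against throwaway files so the result can be read back with ls. This is an added example, not code from the thread; "shared", "sudo" and "netscape" are constructed stand-ins in a scratch directory (nothing touches /tmp itself or a real binary), and setuid is applied with u+s, which is the form that produces the -rwsr-xr-x listing shown in the reply.

```shell
#!/bin/sh
# Added example, not from the thread. Creates stand-ins for /tmp, the sudo
# binary and the netscape binary under a scratch directory, applies the
# symbolic chmod forms from the reply, and reads the mode string back.

# mode_of PATH: the 10-character mode field from ls -ld, e.g. drwxrwxrwt.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# bit_at PATH N: the single character in column N of that mode field.
bit_at() {
    mode_of "$1" | cut -c"$2"
}

# Column 4 carries setuid (s/S), column 7 setgid (s/S), column 10 sticky (t/T).
is_setuid() { case "$(bit_at "$1" 4)" in s|S) return 0 ;; *) return 1 ;; esac; }
is_setgid() { case "$(bit_at "$1" 7)" in s|S) return 0 ;; *) return 1 ;; esac; }
is_sticky() { case "$(bit_at "$1" 10)" in t|T) return 0 ;; *) return 1 ;; esac; }

# make_scratch DIR: the three constructed stand-ins with ordinary modes.
make_scratch() {
    mkdir -p "$1/shared"
    printf '#!/bin/sh\necho stand-in\n' > "$1/sudo"
    printf '#!/bin/sh\necho stand-in\n' > "$1/netscape"
    chmod 777 "$1/shared"      # world-writable, like /tmp
    chmod 755 "$1/sudo"
    chmod 750 "$1/netscape"    # only owner and the file's group may run it
}

# apply_special_bits DIR: the same three chmod commands as in the reply.
apply_special_bits() {
    chmod +t "$1/shared"       # sticky bit on the shared directory
    chmod u+s "$1/sudo"        # setuid: runs with the file owner's uid
    chmod g+s "$1/netscape"    # setgid: runs with the file's group
}

# Stand-alone run: print the mode strings before and after.
work=$(mktemp -d) || exit 1
make_scratch "$work"
for f in shared sudo netscape; do printf 'before %s %s\n' "$(mode_of "$work/$f")" "$f"; done
apply_special_bits "$work"
for f in shared sudo netscape; do printf 'after  %s %s\n' "$(mode_of "$work/$f")" "$f"; done
rm -rf "$work"
```

The after lines read drwxrwxrwt, -rwsr-xr-x and -rwxr-s---, matching the listings in the reply; the is_* helpers accept the capital S/T forms too, which appear when the special bit is set without the corresponding execute bit.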
Biswajit Tripathy
Honored Contributor

Re: setuid,setgid,stickybit

Since setuid and setgid have already been covered in the previous replies, I will not repeat that.

The sticky bit has two purposes depending on the file type (a regular binary file or a directory). Setting the sticky bit on a binary is a way of telling the UNIX kernel that the binary will be executed frequently (for example a popular editor like "vi"). So the kernel would keep this file in the swap space and subsequent invocations of this program would be quick. If the sticky bit is set on a directory, all users can have read/write permission on all files in that directory, but only the owner can remove/rename the file. And, of course, only root can turn on the sticky bit.

- Biswajit
:-)
Mic V.
Esteemed Contributor

Re: setuid,setgid,stickybit

The sticky bit did keep "text" in memory for faster execution back around 4.3 BSD. But I thought I'd read that this usage had been dropped...maybe it was another version of UNIX. At any rate, the HP man pages say:

"If an executable file is prepared for sharing, mode bit S_ISVTX prevents the system from abandoning the swap-space image of the program-text portion of the file when its last user terminates. Then, when the next user of the file executes it, the text need not be read from the file system but can simply be swapped in, thus saving time.

If the mode bit S_ISVTX (sticky bit) is set on a directory, files inside the directory may be renamed or removed only by the owner of the file, the owner of the directory, or the superuser (even if the modes of the directory would otherwise allow such an operation)."

http://docs.hp.com/en/B2355-60103/chmod.2.html

Thanks for pointing out that it's still around.
What kind of a name is 'Wolverine'?
Thierry Poels_1
Honored Contributor

Re: setuid,setgid,stickybit

hi,

one yet uncovered feature of setgid:

If you are the owner of a directory, or if you are root, you can create a subdirectory and execute "chmod g+s subdir".
All files created in this subdirectory will then inherit the group of the subdirectory.

#id
uid=1000(user) gid=101(users)
#mkdir subdir
#ll -d subdir
drwxr-xr-x 2 user users 96 Jan 17 07:43 subdir
#touch subdir/before
#chgrp testgrp subdir
#chmod g+s subdir
#touch subdir/after
#ll subdir
-rw-r--r-- 1 user tstgrp 0 Jan 17 07:45 after
-rw-r--r-- 1 user users 0 Jan 17 07:45 before

regards,
Thierry Poels.
All unix flavours are exactly the same . . . . . . . . . . for end users anyway.
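The before/after listing in the reply above, reproduced as an added example that is not from the thread. Rather than a hard-coded "testgrp", the script picks a secondary group the calling user already belongs to (from id -G), because chgrp to a group you are not a member of is refused and a setgid bit on a directory whose group you are not in is silently dropped; when the caller has only one group the dir and file groups coincide anyway, so the check still holds.

```shell
#!/bin/sh
# Added example, not from the thread: a setgid directory passes its group
# on to files created inside it. Group is chosen from the caller's own
# groups so this runs unprivileged; "subdir", "before" and "after" are
# constructed names mirroring the reply.

# gid_of PATH: numeric group id of PATH (ls -n prints ids; field 4).
gid_of() {
    ls -nd "$1" | awk '{ print $4 }'
}

# alt_gid: a gid of the caller other than the primary gid, or nothing.
alt_gid() {
    for g in $(id -G); do
        if [ "$g" != "$(id -g)" ]; then printf '%s\n' "$g"; return 0; fi
    done
    return 1
}

# setgid_dir DIR GID: open DIR to its group, give it GID (if any) and set g+s.
setgid_dir() {
    chmod u=rwx,g=rwx,o=rx "$1"
    if [ -n "$2" ]; then chgrp "$2" "$1"; fi
    chmod g+s "$1"
}

# inherits_group DIR: create a file in DIR; succeed if its gid equals DIR's.
inherits_group() {
    : > "$1/after"
    [ "$(gid_of "$1/after")" = "$(gid_of "$1")" ]
}

# Stand-alone run, mirroring the reply's listing.
work=$(mktemp -d) || exit 1
mkdir "$work/subdir"
: > "$work/subdir/before"                    # created before chgrp/g+s
setgid_dir "$work/subdir" "$(alt_gid || true)"
inherits_group "$work/subdir" && echo "after inherited the directory group"
ls -nd "$work/subdir"
ls -n "$work/subdir"
rm -rf "$work"
```

On a setgid directory ls -ld shows an s in column 7 (drwxrwsr-x); without the group execute bit it would show S, and the inheritance still applies to new files.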
Andrew Cowan
Honored Contributor

Re: setuid,setgid,stickybit

Two other tiny points that are worth noting are:

Files can be SGID/SUID and not executable and in this case they show as:

rwSrwSr-- myfile

When a shell script has the SUID bit set (and it belongs to a privileged user such as root), the SUID is not honoured and the script executes with normal privileges.
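An added decoder for the mode strings discussed in this thread, not code from any of the replies: it names the special bits in a 9- or 10-character ls mode field, distinguishes the capital S/T forms from the reply above (bit set, execute bit absent), and then uses find to inventory setuid/setgid files under a tree, which is the routine audit that follows from knowing what the bits mean. Paths in the stand-alone run are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: decode ls mode strings and list
# setuid/setgid files under a directory.

# mode_of PATH: the 10-character mode field from ls -ld.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# describe_mode MODESTR: comma-separated names of the special bits set.
# Accepts the 9-char form (rwSrwSr--) or the 10-char form (-rwsr-xr-x).
# Lower-case s/t: bit plus execute bit. Upper-case S/T: bit set but the
# execute bit is clear, so on a regular file it has no effect.
describe_mode() {
    m=$1
    if [ ${#m} -eq 9 ]; then m="-$m"; fi
    u=$(printf '%s' "$m" | cut -c4)
    g=$(printf '%s' "$m" | cut -c7)
    o=$(printf '%s' "$m" | cut -c10)
    out=""
    case $u in
        s) out="setuid" ;;
        S) out="setuid(no-exec)" ;;
    esac
    case $g in
        s) out="${out:+$out,}setgid" ;;
        S) out="${out:+$out,}setgid(no-exec)" ;;
    esac
    case $o in
        t) out="${out:+$out,}sticky" ;;
        T) out="${out:+$out,}sticky(no-exec)" ;;
    esac
    printf '%s\n' "${out:-none}"
}

# list_special DIR: one line per regular file under DIR with setuid or
# setgid set: "<mode> <decoded bits> <path>". -perm -4000 / -2000 are the
# octal forms of the setuid and setgid bits.
list_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while read -r f; do
        m=$(mode_of "$f")
        printf '%s %s %s\n' "$m" "$(describe_mode "$m")" "$f"
    done
}

# Stand-alone run: the strings seen in this thread, then a small inventory.
for s in rwSrwSr-- -rwsr-xr-x -rwxr-s--- drwxrwxrwt -rw-r--r--; do
    printf '%-11s %s\n' "$s" "$(describe_mode "$s")"
done
work=$(mktemp -d) || exit 1
: > "$work/plain"; chmod 644 "$work/plain"
: > "$work/tool";  chmod 4755 "$work/tool"      # constructed setuid file
list_special "$work"
rm -rf "$work"
```

The inventory is the useful half for a defender: run list_special over the filesystem roots of interest and diff the output against a known-good baseline, so a new or altered setuid binary stands out; a setuid(no-exec) entry is worth a look because the bit is doing nothing and was probably set by mistake.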