Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Unix File Permissions
Top Forums UNIX for Beginners Questions & Answers Answers to Frequently Asked Questions Tips and Tutorials Unix File Permissions Post 73757 by Perderabo on Friday 3rd of June 2005 08:40:19 PM
Old 06-03-2005
Enforcement Mode File Locking/Manditory File Locking
We aren't finished with that Set Gid bit yet... Unix has a concept of file locking. File locking is beyond the scope of this thread. But you need to know that file locking comes in two flavors: advisory and manditory. Which flavor applies to a particular file depending on the permission settings. If the group execute bit is off but the setgid bit is on, any file locks on that file are manditory.

Useless Bit Combination?

Every reference that I have seen says that setgid on / group execute off is a otherwise useless combination. Even Richard Stevens (in Advanced Programming in the Unix Environment) says "Since the set-group-ID bit makes no sense when the group-execute bit is off, the designers of SVR3 chose this way to specify that the locking for a file is to be maditory locking and not advisory locking."

Well consider this case: Fred runs the Human Resources department. Fred and his group often need to lookup the vacation days used for employees. Fred decides to write a program so employees can lookup their own vacation days used. For security, Fred makes this program do a lot of logging. Fred decides that he doesn't want his group to use this program. They have other tools that won't clutter his log. So Fred does:
chown fred:hr vdays
chmod 2701 vdays
Now the vdays program cannot be run by members of hr (except fred). But it can be run by everyone else. And it will assume the gid of hr when it does run. I have written a test program, set it up like this, and have run it on both Solaris and HP-UX. It works.

Effect on ls output

While this bit combination may be useful is some limited cases, for better or worse, it will have two effects. The vdays program does work, but if a lock is attempted on the file, it will be manditory. As a practical matter, this would impact only an occasional program like a debugger. But ls may treat this bit combination differently. I have seen both of these...
Code:
chown fred:hr vdays
chmod 2701 vdays
-rwx--S--x   1 fred     hr          9938 Jul 16  2004 vdays
-rwx--l--x   1 fred     hr          9938 Jul 16  2004 vdays

These 3 Users Gave Thanks to Perderabo For This Post:
clx Neo shekhar_4_u
 

8 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Unix permissions

I am currently running jsp pages on unix server. At the top of my page is the import statement: <%@ page import="survey.*"%>. This imports the survey folder which i have placed in the same directory as my jsp page- jsp-servlet. However, when i try to run the page, its gives me an error saying that... (2 Replies)
Discussion started by: moukoko
2 Replies

2. UNIX for Advanced & Expert Users

UNIX File Permissions

Hello, What does the following mean in terms of file permissions. -rw-rwSrw- 1 owner group 999 May 25 2004 file_name What does the "S" stand for. Thanks in advance for your input. :) (3 Replies)
Discussion started by: jerardfjay
3 Replies

3. Solaris

Unix permissions

Is anyone aware of a tool that would produce a report or an extract file of all users, the files thry are allowed to access and their associated rights permitted (Read,Write etc.) (0 Replies)
Discussion started by: mobershaw
0 Replies

4. UNIX for Dummies Questions & Answers

Unix permissions for a newbie

Okay, this may turn out to be something quite simple, but I haven't found the answer so far: 1) Is it possible to retrieve a list of user(ID) file permissions? and then... 2) What is the most efficient way to create an alert/error message when/if those file permissions are denied? ... (2 Replies)
Discussion started by: hades1013
2 Replies

5. Shell Programming and Scripting

Unix File Permissions

I want to change one of my Dir permissions to drwx--S--- Can you tell me which number i have to use. Thanks in Advance (4 Replies)
Discussion started by: veeru
4 Replies

6. UNIX for Dummies Questions & Answers

Unix Permissions

We have a user group ‘norkgrp’ which is having 2 users ‘norkadm’ and ‘oracle’. Further we have a directory ‘fstf_blobs’ where ‘norkadm’ is the owner and ‘norkgrp’ is the group owner. The permission is set as 770. $ ls -lrt drwxrwx--- 2 norkadm norkgrp 1024 Jun 24 05:03 fstf_blobs We... (5 Replies)
Discussion started by: varunrbs
5 Replies

7. Solaris

Unix file, folder permissions, security auditing tools.

I want to periodically check if ASCII password/config files on Unix have 400 or 600 access. Folders and files are owned by designated group and user. Folders and Files do not have world write access. Are there any tools/scripts available for this kind of auditing that I can use on Solaris? (7 Replies)
Discussion started by: kchinnam
7 Replies

8. Shell Programming and Scripting

ksh; Change file permissions, update file, change permissions back?

Hi, I am creating a ksh script to search for a string of text inside files within a directory tree. Some of these file are going to be read/execute only. I know to use chmod to change the permissions of the file, but I want to preserve the original permissions after writing to the file. How can I... (3 Replies)
Discussion started by: right_coaster
3 Replies

LEARN ABOUT CENTOS

setgid32

SETGID(2)						     Linux Programmer's Manual							 SETGID(2)

NAME

       setgid - set group identity

SYNOPSIS

       #include <sys/types.h>
       #include <unistd.h>

       int setgid(gid_t gid);

DESCRIPTION

       setgid()  sets the effective group ID of the calling process.  If the caller is the superuser, the real GID and saved set-group-ID are also
       set.

       Under Linux, setgid() is implemented like the POSIX version with the _POSIX_SAVED_IDS feature.  This allows a set-group-ID program that	is
       not  set-user-ID-root to drop all of its group privileges, do some un-privileged work, and then reengage the original effective group ID in
       a secure manner.

RETURN VALUE

       On success, zero is returned.  On error, -1 is returned, and errno is set appropriately.

ERRORS

       EPERM  The calling process is not privileged (does not have the CAP_SETGID capability), and gid does not match the real group ID  or  saved
	      set-group-ID of the calling process.

CONFORMING TO

       SVr4, POSIX.1-2001.

NOTES

       The  original  Linux setgid() system call supported only 16-bit group IDs.  Subsequently, Linux 2.4 added setgid32() supporting 32-bit IDs.
       The glibc setgid() wrapper function transparently deals with the variation across kernel versions.

SEE ALSO

       getgid(2), setegid(2), setregid(2), capabilities(7), credentials(7)

COLOPHON

       This page is part of release 3.53 of the Linux man-pages project.  A description of the project, and information about reporting bugs,  can
       be found at http://www.kernel.org/doc/man-pages/.

Linux								    2010-11-22								 SETGID(2)
All times are GMT -4. The time now is 12:07 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy