Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Unix File Permissions
Top Forums UNIX for Beginners Questions & Answers Answers to Frequently Asked Questions Tips and Tutorials Unix File Permissions Post 73757 by Perderabo on Friday 3rd of June 2005 08:40:19 PM
Old 06-03-2005
Enforcement Mode File Locking/Manditory File Locking
We aren't finished with that Set Gid bit yet... Unix has a concept of file locking. File locking is beyond the scope of this thread. But you need to know that file locking comes in two flavors: advisory and manditory. Which flavor applies to a particular file depending on the permission settings. If the group execute bit is off but the setgid bit is on, any file locks on that file are manditory.

Useless Bit Combination?

Every reference that I have seen says that setgid on / group execute off is a otherwise useless combination. Even Richard Stevens (in Advanced Programming in the Unix Environment) says "Since the set-group-ID bit makes no sense when the group-execute bit is off, the designers of SVR3 chose this way to specify that the locking for a file is to be maditory locking and not advisory locking."

Well consider this case: Fred runs the Human Resources department. Fred and his group often need to lookup the vacation days used for employees. Fred decides to write a program so employees can lookup their own vacation days used. For security, Fred makes this program do a lot of logging. Fred decides that he doesn't want his group to use this program. They have other tools that won't clutter his log. So Fred does:
chown fred:hr vdays
chmod 2701 vdays
Now the vdays program cannot be run by members of hr (except fred). But it can be run by everyone else. And it will assume the gid of hr when it does run. I have written a test program, set it up like this, and have run it on both Solaris and HP-UX. It works.

Effect on ls output

While this bit combination may be useful is some limited cases, for better or worse, it will have two effects. The vdays program does work, but if a lock is attempted on the file, it will be manditory. As a practical matter, this would impact only an occasional program like a debugger. But ls may treat this bit combination differently. I have seen both of these...
Code:
chown fred:hr vdays
chmod 2701 vdays
-rwx--S--x   1 fred     hr          9938 Jul 16  2004 vdays
-rwx--l--x   1 fred     hr          9938 Jul 16  2004 vdays

These 3 Users Gave Thanks to Perderabo For This Post:
clx Neo shekhar_4_u
 

8 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Unix permissions

I am currently running jsp pages on unix server. At the top of my page is the import statement: <%@ page import="survey.*"%>. This imports the survey folder which i have placed in the same directory as my jsp page- jsp-servlet. However, when i try to run the page, its gives me an error saying that... (2 Replies)
Discussion started by: moukoko
2 Replies

2. UNIX for Advanced & Expert Users

UNIX File Permissions

Hello, What does the following mean in terms of file permissions. -rw-rwSrw- 1 owner group 999 May 25 2004 file_name What does the "S" stand for. Thanks in advance for your input. :) (3 Replies)
Discussion started by: jerardfjay
3 Replies

3. Solaris

Unix permissions

Is anyone aware of a tool that would produce a report or an extract file of all users, the files thry are allowed to access and their associated rights permitted (Read,Write etc.) (0 Replies)
Discussion started by: mobershaw
0 Replies

4. UNIX for Dummies Questions & Answers

Unix permissions for a newbie

Okay, this may turn out to be something quite simple, but I haven't found the answer so far: 1) Is it possible to retrieve a list of user(ID) file permissions? and then... 2) What is the most efficient way to create an alert/error message when/if those file permissions are denied? ... (2 Replies)
Discussion started by: hades1013
2 Replies

5. Shell Programming and Scripting

Unix File Permissions

I want to change one of my Dir permissions to drwx--S--- Can you tell me which number i have to use. Thanks in Advance (4 Replies)
Discussion started by: veeru
4 Replies

6. UNIX for Dummies Questions & Answers

Unix Permissions

We have a user group ‘norkgrp’ which is having 2 users ‘norkadm’ and ‘oracle’. Further we have a directory ‘fstf_blobs’ where ‘norkadm’ is the owner and ‘norkgrp’ is the group owner. The permission is set as 770. $ ls -lrt drwxrwx--- 2 norkadm norkgrp 1024 Jun 24 05:03 fstf_blobs We... (5 Replies)
Discussion started by: varunrbs
5 Replies

7. Solaris

Unix file, folder permissions, security auditing tools.

I want to periodically check if ASCII password/config files on Unix have 400 or 600 access. Folders and files are owned by designated group and user. Folders and Files do not have world write access. Are there any tools/scripts available for this kind of auditing that I can use on Solaris? (7 Replies)
Discussion started by: kchinnam
7 Replies

8. Shell Programming and Scripting

ksh; Change file permissions, update file, change permissions back?

Hi, I am creating a ksh script to search for a string of text inside files within a directory tree. Some of these file are going to be read/execute only. I know to use chmod to change the permissions of the file, but I want to preserve the original permissions after writing to the file. How can I... (3 Replies)
Discussion started by: right_coaster
3 Replies

LEARN ABOUT MINIX

chmod

CHMOD(2)							System Calls Manual							  CHMOD(2)

NAME

       chmod - change mode of file

SYNOPSIS

       #include <sys/types.h>
       #include <sys/stat.h>

       int chmod(const char *path, mode_t mode)

DESCRIPTION

       The  file  whose name is given by path has its mode changed to mode.  Modes are constructed by or'ing together some combination of the fol-
       lowing, defined in <sys/stat.h>:

	      S_ISUID  04000   set user ID on execution
	      S_ISGID  02000   set group ID on execution
	      S_ISVTX  01000   `sticky bit' (see below)
	      S_IRWXU  00700   read, write, execute by owner
	      S_IRUSR  00400   read by owner
	      S_IWUSR  00200   write by owner
	      S_IXUSR  00100   execute (search on directory) by owner
	      S_IRWXG  00070   read, write, execute by group
	      S_IRGRP  00040   read by group
	      S_IWGRP  00020   write by group
	      S_IXGRP  00010   execute (search on directory) by group
	      S_IRWXO  00007   read, write, execute by others
	      S_IROTH  00004   read by others
	      S_IWOTH  00002   write by others
	      S_IXOTH  00001   execute (search on directory) by others

       If mode ISVTX (the `sticky bit') is set on a directory, an unprivileged user may not delete or rename files of other users in  that  direc-
       tory.  (Minix-vmd)

       Only the owner of a file (or the super-user) may change the mode.

       Writing	or changing the owner of a file turns off the set-user-id and set-group-id bits unless the user is the super-user.  This makes the
       system somewhat more secure by protecting set-user-id (set-group-id) files from remaining set-user-id (set-group-id) if they are  modified,
       at the expense of a degree of compatibility.

RETURN VALUE

       Upon successful completion, a value of 0 is returned.  Otherwise, a value of -1 is returned and errno is set to indicate the error.

ERRORS

       Chmod will fail and the file mode will be unchanged if:

       [ENOTDIR]      A component of the path prefix is not a directory.

       [ENAMETOOLONG] The path name exceeds PATH_MAX characters.

       [ENOENT]       The named file does not exist.

       [EACCES]       Search permission is denied for a component of the path prefix.

       [ELOOP]	      Too many symbolic links were encountered in translating the pathname.  (Minix-vmd)

       [EPERM]	      The effective user ID does not match the owner of the file and the effective user ID is not the super-user.

       [EROFS]	      The named file resides on a read-only file system.

       [EFAULT]       Path points outside the process's allocated address space.

       [EIO]	      An I/O error occurred while reading from or writing to the file system.

SEE ALSO

       chmod(1), open(2), chown(2), stat(2).

NOTES

       The sticky bit was historically used to lock important executables into memory.

4th Berkeley Distribution					   May 13, 1986 							  CHMOD(2)
All times are GMT -4. The time now is 04:03 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy