Operating Systems and Systems Integration

Access Control & Permissions: SUID, SGID, chmod, chown, and chgrp 1 Aim

This short exercise is a quick introduction to the use of the tools chmod (change mode), chown (change owner ), and chgrp (change group). It also aims for you to understand the access control permissions, including set user id (suid) and set group id (sgid) through some practical exercises.

2
2.1

Background
Access Control to Files: the Rules
staff 9985 Dec 19 18:16 suid−sgid.tex time and date the file was last modified

$ ls −l suid−sgid.tex −rw−r−−r−− 1 nicku user others group file type number of hard links to this file (see later)

user who owns the file

group that owns the file

size in bytes

Figure 1: The output of ls -l: what each field is. File permissions are shown when you list a file’s details with the command ls -l; see figure 1. Permissions are divided into three sets, as shown in figure 2.
drwx rwx rwx Apply to other users who are not the user that owns the file nor members of the group that owns the file Apply to members of the group owner of the file, but excluding the user that owns the file Apply to the user that owns the file File type

Figure 2: There are three sets of of permissions: one for the user that owns the file, one set for the group that owns the file, and the last set for all other users who are not the owner of the file, not members of the group that owns the file.

The rules that determine your access rights to a file are quite simple:

Nick Urbanik nicku(at)vtc.edu.hk

ver. 1.12

Access Control & Permissions: SUID, SGID, chmod, chown, and chgrp Operating Systems and Systems Integration

2

1. if your user id is the same as the user that owns the file, then the left-most read, write, execute permissions on the file apply to you. 2. Otherwise, if you belong to the group that owns the file, then the middle three read, write, execute permissions on the file apply to you. 3. Otherwise, the right-most read, write and execute permissions on the file apply to you. Example: Suppose we have three users as shown in this table: Username nicku henryl a1 Belongs to these groups nicku a1 staff students

henryl staff

Suppose that the following files have these permissions and ownership: $ ls -l ----r--r-drwxr-x---rw-r----drwxr-x--x drwxr-xr--rw-r--r--rw-rw-rw-rw-r----1 17 1 2 2 1 1 1 nicku root root root root nicku root root root henryl staff root nicku nicku root root 4022 4096 289 4096 4096 4941 361 1626 Oct Aug Nov Dec Jul Mar Mar Oct 9 28 20 5 3 19 26 8 22:05 12:43 01:00 01:43 01:07 2002 2002 01:56 wgetrc X11 xinetd.conf xinetd.d xml xpdfrc yp.conf ypserv.conf

Then for each file or directory, each user has the following access rights: file wgetrc X11 nicku no access no access henryl read read, can change into the directory read a1 read no access no access list with ls, not ls -l read read, write no access

xinetd.conf read xinetd.d xml xpdfrc yp.conf ypserv.conf read, write list, change into

can change into the directory, but not list it.

2.2

Meaning of Read, Write, Execute Permissions on a Directory

Directories are files that contain a list of data for each file: filename, inode number. The directory does not contain other information about the file, such as the size, the time it was last modified, . . . . The inode number is just a number that uniquely identifies where on the disk partition the file contents are actually stored. We will discuss inode numbers in the module on filesystems in the workshop notes.
Nick Urbanik nicku(at)vtc.edu.hk ver. 1.12

Access Control & Permissions: SUID, SGID, chmod, chown, and chgrp Operating Systems and Systems Integration

3

read permission in a directory means that you can list the file names in the directory with commands such as ls. write permission on a directory means the right to delete a file from the directory. Note that the right to delete a file does not depend on the permissions on the file itself, only on the directory in which the file is located. execute permission on a directory allows changing into that directory with a cd command.

2.3

Minimum Permissions Required for some Operations
minimum access required on the file on the directory

Command

cd /var/project ls /var/project ls -l /var/project cat /var/project/user1.txt echo "hello" >> /var/project/user1.txt /var/project/binary-program /var/project/script-program rm /var/project/user1.txt

no file ----r--w--x r-x ---

--x r-r-x --x --x --x --x -wx

2.4

The Set User ID and Set Group ID Permissions

Every process has a user id that owns the process, and a group that owns the process. When you execute a program, the owner of the process is equal to your user id, and the group that owns the process is equal to your primary group id. If you execute a program file that has the set user id permission, the process will probably execute with a different user id from yours. If you execute a program file that has the set group id permission, the process will most likely execute with a different group id from yours. The aim of these exercises is to find out what determines the user id of a process started from a suid executable file, and what determines the group id of a process started from a sgid file.

2.5

Who owns a process?

How can you tell who owns a process? The ps command can tell you: ps -eo user,group,cmd. This will show all processes. To filter out all but /tmp/ash, you could do: ps -eo user,group,cmd | grep /tmp/[a]sh Or, any file created by a process will be owned by the owner of the process. The file will have group ownership equal to the primary group owner of the process. You can check the ownership of the file using the ls -l command.

Nick Urbanik nicku(at)vtc.edu.hk

ver. 1.12

Access Control & Permissions: SUID, SGID, chmod, chown, and chgrp Operating Systems and Systems Integration

4

3
3.1

Procedure
Exercises with the Set User ID Permission

What we will do here is copy a shell program file to your /tmp directory, execute it, and use the command whoami, then exit, set the suid permission on the shell executable file, run it again, and find out who you are. Next, you will change the ownership of the shell program, and run it again. Do this last step a number of times, until you see what is happening. Don’t forget to delete this shell file, as it is a great security risk! The bash shell has built in precautions against the danger of running as a different user, but the simple shell ash does not, so we will experiment with it. 1. Copy the ash shell to your /tmp directory (not your network directory, as only you have permission to read that): $ sudo cp -a /bin/ash /tmp
Copy the shell using sudo to preserve the ownership of the shell; it should be owned by the root user: $ ls -l /tmp/ash -rwxr-xr-x 1 root root 110048 Jul 18 07:50 /tmp/ash

2. Now execute it, and run the command whoami: $ /tmp/ash $ whoami nicku
You may see some error messages saying “function: not found”; this is because ash does not understand everything in your ∼/.bashrc login script. Don’t worry; this does not alter what we will learn here.

3. Then exit: $ exit

4. and add the suid permission to the executable: $ sudo chmod u+s /tmp/ash
We are adding the special permission to the user who owns the file (which is root). The chmod (change mode) command changes the permissions on files. Here, we add the special permission to the existing permissions for the user who owns the file.

5. then list the permissions on the file: $ ls -l /tmp/ash -rwsr-xr-x 1 root

root

110048 Jul 18 07:50 /tmp/ash

Nick Urbanik nicku(at)vtc.edu.hk

ver. 1.12

Access Control & Permissions: SUID, SGID, chmod, chown, and chgrp Operating Systems and Systems Integration

5

Notice that the only change from before is that the first “x” (for user) has changed into an “s”.

6. Now execute the shell and see who you are this time: $ /tmp/ash # whoami

i

What user did you see? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7. Create a file in the /tmp directory: # touch /tmp/file # ls -l /tmp/file

i

Which user owns the file? Which group? . . . . . . . . . . . . 8. Now change the ownership of the shell program to the user apache, run the shell, then see who you are: # exit $ sudo chown apache /tmp/ash $ ls -l /tmp/ash -rwsr-xr-x 1 apache root $ /tmp/ash $ whoami

110048 Jul 18 07:50 /tmp/ash

i

What user did you see? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9. Open your file /etc/passwd, and select a number of other users. Repeat the last exercise for each user. Try creating files (perhaps with the touch command) and see who owns the files. See which group owns each file. 10. Fill in the following table: SUID? SGID? user that owns /tmp/ash root root apache group that owns /tmp/ash root root root user that owns the process group that owns the process user that executes /tmp/ash me me me me group that executes /tmp/ash my group my group my group my group

no yes yes yes

no no no no

Nick Urbanik nicku(at)vtc.edu.hk

ver. 1.12

Access Control & Permissions: SUID, SGID, chmod, chown, and chgrp Operating Systems and Systems Integration

6

Conclusion
mission? i

What general rule can you state about the effect of the suid per-

3.2

Exercises with Set Group ID Permission

Here you will do essentially the same exercise as before, but this time with the set group id (sgid) permission turned on, and the suid permission turned off. 1. Turn off the suid permission and turn on the SGID permission: $ sudo chmod u-s /tmp/ash $ sudo chmod g+s /tmp/ash

or, as one command, $ sudo chmod u-s,g+s /tmp/ash

and list the file to ensure that the permissions are correctly set: $ ls -l /tmp/ash -rwxr-sr-x 1 apache

root

110048 Jul 18 07:50 /tmp/ash

Note the “s’ is now in the permissions that apply to the group owner of the executable file. 2. Now execute the shell, and see who you are: $ /tmp/ash $ whoami

3. Create a file, and list it to see who the user that owns the file is, and who the group that owns the file is: $ touch /tmp/newfile $ ls -l /tmp/newfile

4. Exit from the shell, then change the group owner of the executable shell program file to a number of other users, perhaps yourself, the user apache,. . .

Nick Urbanik nicku(at)vtc.edu.hk

ver. 1.12

Access Control & Permissions: SUID, SGID, chmod, chown, and chgrp Operating Systems and Systems Integration

7

$ $ $ $

sudo chgrp apache /tmp/ash /tmp/ash touch /tmp/newfile2 ls -l /tmp/newfile2

5. Fill in the following table: SUID? SGID? user that owns /tmp/ash root root root group that owns /tmp/ash root root apache user that owns the process group that owns the process user that executes /tmp/ash me me me me me group that executes /tmp/ash my group my group my group my group my group

no no no no yes

no yes yes yes yes

Conclusion
i

Explain what the effect of the sgid permission is.

Conclusion
an executable file? i

How is the sgid permission different from the suid permission on

3.3

Effect of Set Group ID Permission on a Directory

The effect of the sgid permission on a directory is that all files created in the directory have a group owner equal to the group owner of the directory. This is very useful for group projects. This is discussed in detail in the module on user management in the workshop notes.

Nick Urbanik nicku(at)vtc.edu.hk

ver. 1.12