 |
|  |
||||||
 |
||||||||
 |
 |
 |
 |
 |
||||
|
|
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
The Unexplained Disappearance of Janice's File Melkor is unable to write to or change 'file' for which only janice has write permission. But melkor has write permission for the directory that contains 'file'. Having write permission for a directory means you can change it - i.e. create and remove files within that directory. The point being that having write access to a directory allows one to delete a file from the directory no matter what the permissions for the file. You may have in your home directory a file owned by 'root' with no permissions for anyone. You can remove it. You can't view it or change it, but you can remove it. This may seem odd, but the reason is that you are not changing the file itself, only the directory. You are removing the directory entry for that file, and so the file vanishes and the disk space it occupied becomes free. But you are only changing only the directory, not the file. This behaviour may not always be desirable. For example, the shared directory /Users/Shared has read and write permission for everybody. But it is not desirable that users have a licence to arbitrarily delete each other's files. Enter the sticky bit. The secret to preventing unwanted file removals lies in making a directory 'append only'. Files can be added but not removed by unprivileged users. Such a directory is termed a sticky directory. A sticky directory has the sticky bit set. For example, the Shared directory is sticky. % ls -al /Users total 0 drwxrwxrwt 11 root wheel 330 Jul 7 19:36 Shared ... Stickiness is indicated by a 't' at the end of the permissions. 'ls' replaces 'x' in the others permissions triplet with 't'. As with all other permissions, 'chmod' is used to set and clear the sticky bit. % mkdir test % ls -ald test drwxr-xr-x 2 melkor staff 24 Jul 12 16:08 test % chmod u+t test % ls -ald test drwxr-xr-t 2 melkor staff 24 Jul 12 16:08 test The sticky bit is set. % chmod u-t test % ls -ald test drwxr-xr-x 2 melkor staff 24 Jul 12 16:08 test The sticky bit is cleared. You may also use 'g+t' which has exactly the same effect; 'o+t' has no effect. |
Tell Me More...
|
|
Exactly Who? A file in a sticky directory may be removed only by:
providing they have write access for the directory, and (of course):
Sticky Files Executable files can also be sticky, which has to do with sharing and memory management. In Mac OS X this is depreciated and is taken care of by the virtual memory system. Why 't' for Sticky ? Simply because the 's' nomenclature was already taken by the 'Set ID on execution' bit - covered later in this lesson. Little 't' Big 'T' When 'ls' lists a sticky directory it replaces 'x' with 't' in the others permissions. What if 'x' was not set - how does 'ls' differentiate these two cases? It uses 'T' instead of 't' 't' means sticky and others executable 'T' means sticky and not others executable. |
|
|
Thus far we have thought of user and group IDs in terms of textual names - melkor, janice, root, staff, admin, wheel. Unix thinks of them in terms of numeric IDs - User ID or UID, and Group ID or GID. Associated with each user is a unique UID; and associated with each group is a unique GID. Your user name is only really used for authentication when logging in. If your user name exists, and you give the correct password, then you are granted the use of a UID and a GID. From here on your UID identifies you. All Unix permissions are based on UID and GID - not on the textual names. This is because the user owner and group owner information for a file is recorded only as numeric IDs. The textual versions are for your convenience. You can use the 'id' command to view this information: % id uid=502(melkor) gid=20(staff) groups=20(staff), 80(admin) This command lists my UID, my primary GID, and all the groups to which I belong. |
Clones Because Unix relies on numeric IDs, not names, two users with the same UID, but different names, are in viewed as the same user and have identical file system permissions. Similarly, two groups with different names but the same GID are viewed as the same group. |
When I execute a command such as 'rm', I can remove only files for which I have the appropriate permissions. Another user issuing the same command sees a different set of permissions and can remove only files for which they have the appropriate permissions. Exactly as you would intuitively expect.....but thinking about it a bit deeper, how does the same executable behave differently depending on who invoked it?
Like this.....when a command is executed it inherits the UID and GID of the user by whom it was executed. It runs on behalf of that user, and enjoys the same file system permissions (and restrictions).
This analysis may seem pedantic, but a command may inherit a UID and GIDs different to those of the executing user. The 'sudo' or 'substitute user do' command is one such example. Using 'sudo' as an intermediately, one can assume the status of super-user (or any other user) to execute a command.
For example:
% sudo ls /Users/somebodyelse/Documents
allows one to peek at another's files. Naughty!
We used 'sudo' in Part One to change the owner of a file - an act that only the super-user can perform.
Now, a command cannot simply run as another user on a whim, else some serious security concerns would be raised. So exactly how does 'sudo' manage to gain root permissions? The answer lies in the 'set user ID' and 'set group ID' bits - or 's' bits.
|
Let's examine the sudo executable: % ls -al /usr/bin/sudo ---s--x--x 1 root wheel ..... /usr/bin/sudo Because of the nature of this command it has high security settings. Also, notice that the 'x' in the user permissions shows as 's'. This means that the set user id on execution (S-UID) bit is set. The file is still executable by the user owner, as well as by all others. When 'sudo' is executed, instead of inheriting the UID of the user by whom it was executed, 'sudo' inherits the UID of the user who owns the file - in this case root. As far as the file system is concerned, the super-user executed 'sudo' and it runs with root permissions. The inherited GID(s) is unaffected. 'sudo' in turn executes as root the command it was given, passing on its inherited root UID. To set the S-UID bit, use (you guessed it) chmod: % touch a-script % ls -al a-script -rwxr-xr-x 1 melkor staff ... a-script % chmod u+s a-script % ls -al a-script -rwsr-xr-x 1 melkor staff ... a-script Now any user running 'a-script' will run as melkor. There are security implications in setting the S-UID bit. If 'a-script' were written to delete some of melkor's files, any user who can execute 'a-script' can now delete those files regardless of their native permissions. Worse still, if 'a-script' had write permission for others, any user could modify the script as they wish, and effectively gain complete visibility to, and control over, melkor's files. Scary! If you wish to set a command to execute with the GID of the group that owns the file, set the set group id on execution (S-GID) bit with: % chmod g+s a-script % ls -al a-script -rwsr-sr-x 1 melkor staff ..... a-script 'a-script' will now execute with the permissions of user melkor, group staff, no matter who executes it. Naturally, only the super-user and the file owner may set the S-UID and S-GID bits. |
Tell Me More...
|
|
S-OID? The command: chmod o+s a-scriptmakes no sense and has no effect on the file permissions. Little 's' Big 'S' When 'ls' lists a S-UID or S-GID enabled file, 's' replaces 'x' in the user and/or group owner permissions. What if 'x' was not set - how does 'ls' differentiate these two cases? It uses 'S' instead of 's' 's' means S-UID/G-UID set and user/group executable 'S' means S-UID/G-UID set but not user/group executable. Security Breach! S-UID and root are a dangerous combination. Imagine an editor owned by root that also has the S-UID bit set. Anyone who can execute the editor will do so as root and can therefore see and change any file in the file system. root UID, GID The super-user has a UID of 0. Its primary group is wheel, which has a GID of 0. |
Next Page
Next I will introduce the immutable and append only flags, and show you that the super-user you know is not all-powerful. You will meet the super-duper-user :-)
|
Lesson 2 - Users, Groups, and Permissions 2 - (page 1 of 2) |
|
| Copyright © 2000-2010 Inside Mac Media, Inc. All rights reserved. | ||
| Apple assumes no responsibility with regard to the selection, performance, or use of the products or services. All understandings, agreements, or warranties, if any, take place directly between the vendors and prospective users. | ||
| Apple, the Apple logo, Mac, PowerMac G4, PowerMac G5, Xserve, Xserve RAID, PowerBook, iBook, Airport, AirPort Extreme, iMac, eMac, iLife, iMovie, iCal, iPhoto, iTunes, QuickTime, FireWire, iPod, iSight, AppleWorks, Macintosh, Jaguar, Panther, Mac OS, Mac OS X and Mac OS X Server are trademarks of Apple Computer, Inc. |