setgid Permission
The set-group identification (setgid) permission is similar to setuid, except that the process's effective group ID (GID) is changed to the group owner of the file, and a user is granted access based on permissions granted to that group. The /usr/bin/mail command has setgid permissions:
-r-x--s--x 1 root mail 63628 Sep 16 12:01 /usr/bin/mail
When setgid permission is applied to a directory, files that are created in that directory belong to the group that owns the directory, not to the group of the creating process. Any user who has write and execute permissions in the directory can create a file there. However, the file belongs to the group that owns the directory, not to the creating user's group.
You should monitor your system for any unauthorized use of the setuid and setgid permissions to gain superuser privileges. To search for and list all of the files that use these permissions, see "How to Find Files With setuid Permissions". A listing is suspicious when it shows such a program with group ownership assigned to a user rather than to root or bin.
Sticky Bit
The sticky bit is a permission bit that protects the files within a directory. If the directory has the sticky bit set, a file can be deleted only by the owner of the file, the owner of the directory, or by root. This special permission prevents a user from deleting other users' files from public directories such as /tmp:
drwxrwxrwt 7 root sys 400 Sep 3 13:37 tmp
Be sure to set the sticky bit manually when you set up a public directory on a TMPFS file system.
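The two checks the setgid and sticky bit sections call for, as an added shell example that is not part of the original guide: the first lists setuid and setgid files and marks the "suspicious listing" described above (a group owner that is not a system group; the set of system groups is an assumption), the second lists public directories that are missing the sticky bit. The directory to scan is an assumed argument.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the special permission
# bits under a directory tree. Invocation assumed: sh audit.sh /usr/bin /tmp

# audit_special_perms DIR
# Prints one line per setuid or setgid regular file under DIR:
#   <mode> <owner> <group> <path> [SUSPECT]
# SUSPECT marks a group owner that is not one of the system groups assumed
# below, which is the suspicious listing the text describes.
audit_special_perms() {
    dir=$1
    # -perm -4000 matches any file with setuid, -perm -2000 any with setgid
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # ls -ld fields: mode links owner group size date ... name
        set -- $(ls -ld "$f")
        flag=""
        case "$4" in
            root|bin|sys|mail) ;;         # assumed system groups, expected
            *) flag=" SUSPECT" ;;
        esac
        printf '%s %s %s %s%s\n' "$1" "$3" "$4" "$f" "$flag"
    done
}

# unprotected_public_dirs DIR
# Prints world-writable directories under DIR that lack the sticky bit,
# that is, public directories where any user could delete other users' files.
unprotected_public_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

for d in "$@"; do
    audit_special_perms "$d"
    unprotected_public_dirs "$d" | sed 's/$/ WORLD-WRITABLE, NO STICKY BIT/'
done
```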
Default umask Setting
When you create a file or directory, it has a default set of permissions. These default permissions are determined by the umask setting in the /etc/profile file, or in your .cshrc or .login file. By default, the system sets the permissions on a text file to 666, which grants read and write permission to user, group, and others, and to 777 on a directory or executable file.
The value assigned by the umask command is subtracted from the default. This process has the effect of denying permissions in the same way that the chmod command grants them. For example, while the chmod 022 command grants write permission to group and others, the umask 022 command denies write permission for group and others.
The following table shows some typical umask settings, and the effect on an executable file.
Table 15-3 umask Settings for Different Security Levels
Level of Security | umask Setting | Permissions Disallowed
---|---|---
Permissive (744) | 022 | w for group and others
Moderate (740) | 027 | w for group, rwx for others
Moderate (741) | 026 | w for group, rw for others
Severe (700) | 077 | rwx for group and others
For more information on setting the umask value, see the umask(1) man page.
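How the umask is applied, as an added shell example that is not from the original guide: it computes the mode left by a umask on the 666 and 777 defaults, shows that the mask clears bits rather than subtracting numbers, and confirms the result against a file created under that umask. The function names and the probe file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: apply a umask to a default mode
# and check the computed result against a file created under that umask.

# effective_mode BASE UMASK -> resulting octal mode, e.g. 666 022 -> 644
# umask is a bit mask: every bit set in UMASK is cleared from BASE, and a bit
# that BASE never had simply stays clear (444 with umask 022 stays 444, while
# arithmetic subtraction would wrongly give 422).
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))   # leading 0: digits are read as octal
}

# symbolic MODE -> rwx form of a three-digit octal mode, e.g. 750 -> rwxr-x---
symbolic() {
    m=$(( 0$1 ))
    out=""
    for s in 6 3 0; do                  # owner, group, others
        t=$(( (m >> s) & 7 ))
        [ $(( t & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( t & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $(( t & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# observed_mode UMASK DIR -> the rwx field ls shows for a plain file created
# in DIR while UMASK is in effect; the umask change is confined to a subshell,
# so the caller's own umask is untouched.
observed_mode() {
    f="$2/umask_probe.$$"               # assumed probe file name
    ( umask "$1" && : > "$f" )
    ls -l "$f" | cut -c2-10
    rm -f "$f"
}

# Demonstration over the umask values from Table 15-3
for u in 022 027 026 077; do
    printf 'umask %s: file %s (%s)  directory %s (%s)\n' "$u" \
        "$(effective_mode 666 "$u")" "$(symbolic "$(effective_mode 666 "$u")")" \
        "$(effective_mode 777 "$u")" "$(symbolic "$(effective_mode 777 "$u")")"
done
```

Running the loop reproduces the rows of Table 15-3 except umask 026, where the mask arithmetic gives 751 (rwxr-x--x) rather than 741: others lose rw but keep x.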
Displaying File Information
This section describes how to display file information.
How to Display File Information
Display information about all the files in a directory by using the ls command.
$ ls -la
Option | Description
---|---
-l | Displays the long format that includes user and group ownership and file permissions.
-a | Displays all files, including hidden files that begin with a dot (.).
Each line in the display has the following information about a file:
Type of file
A file can be one of seven types. The following table lists the possible file types.
Table 15-4 File Types
Symbol | Type
---|---
- | Text or program
D | Door
d | Directory
b | Block special file
c | Character special file
p | Named pipe (FIFO)
l | Symbolic link
s | Socket
Permissions; see Table 15-1 and Table 15-2 for descriptions
Number of hard links
Owner of the file
Group of the file
Size of the file, in bytes
Date the file was created or the last date that the file was changed
Name of the file
Example--Displaying File Information
The following example displays a partial listing of the files in the /sbin directory.
$ cd /sbin
$ ls -la
total 13456
drwxr-xr-x 2 root sys 512 Sep 1 14:11 .
drwxr-xr-x 29 root root 1024 Sep 1 15:40 ..
-r-xr-xr-x 1 root bin 218188 Aug 18 15:17 autopush
lrwxrwxrwx 1 root root 21 Sep 1 14:11 bpgetfile -> ...
-r-xr-xr-x 1 root bin 505556 Aug 20 13:24 dhcpagent
-r-xr-xr-x 1 root bin 456064 Aug 20 13:25 dhcpinfo
-r-xr-xr-x 1 root bin 272360 Aug 18 15:19 fdisk
-r-xr-xr-x 1 root bin 824728 Aug 20 13:29 hostconfig
-r-xr-xr-x 1 root bin 603528 Aug 20 13:21 ifconfig
-r-xr-xr-x 1 root sys 556008 Aug 20 13:21 init
-r-xr-xr-x 2 root root 274020 Aug 18 15:28 jsh
-r-xr-xr-x 1 root bin 238736 Aug 21 19:46 mount
-r-xr-xr-x 1 root sys 7696 Aug 18 15:20 mountall
. . .
Changing File Ownership
This section describes how to change the ownership and group ownership of a file.
By default, the owner cannot use the chown command to change the owner of a file or directory. However, you can enable the owner to use the chown command by adding the following line to the system's /etc/system file and rebooting the system.
set rstchown = 0
For more information, see chown(1).
In addition, by default the owner can use the chgrp command only to change the group of a file to a group to which the owner belongs. For example, if the owner of a file belongs only to the staff and sysadm groups, the owner can change the group of the file only to staff or sysadm.
However, you can enable the owner to change the group of a file to a group to which the owner doesn't belong by adding the following line to the system's /etc/system file and rebooting the system.
set rstchown = 0
For more information, see chgrp(1).
Also, be aware that there can be other restrictions on changing ownership and groups on NFS-mounted file systems.