LINUX-11
ADVANCED PERMISSIONS (RHEL-7)
Advanced permissions (SUID, SGID, STICKY BIT)
ID command
STICKY BIT……………………..
Let’s imagine a condition,
where there is a shared dump directory that ten users can access. All of
them are allowed to create and delete files.
That is the ideal condition, where everybody is happy.
User A has 10G of movies.
User B has 15G of CBTs.
User C has 8G of games.
User D has 5G of songs.
Total shared space is 40G and nobody has a problem, until a new user E
arrives with 6G of important manuals and finds only 2G left.
He looks through the files and thinks: these useless fellows have filled the
space with their useless movies, games and songs.
User E removes some movies and some games to make room for his manuals.
When users A and C look for their movies and games, they find some of them
missing.
That makes them see red, and as a counter-attack they remove the manuals and
the CBTs.
Complete chaos…
Now everybody complains to the admin about the mishap, and the blame game
starts.
The wise admin sets the “sticky bit” on the shared directory to avoid any
future chaos.
With the sticky bit set on a directory, a file inside it can be deleted or
renamed only by the file’s owner, the directory’s owner, or root, even though
every user still has write permission on the directory and can create files
there. This is exactly how /tmp is protected.
How was it implemented…?
[root@rhel7-server ~]# mkdir /shared-dir
[root@rhel7-server ~]# chmod 1555 /shared-dir/
[root@rhel7-server ~]# ls -ld /shared-dir/
dr-xr-xr-t. 2 root root 6 Jan  2 12:50 /shared-dir/
[root@rhel7-server ~]# chmod 1554 /shared-dir/
[root@rhel7-server ~]# ls -ld /shared-dir/
dr-xr-xr-T. 2 root root 6 Jan  2 12:50 /shared-dir/
[root@rhel7-server /]# chmod 777 /shared-dir/
[root@rhel7-server /]# ls -ld /shared-dir/
drwxrwxrwx. 2 root root 6 Jan  2 12:50 /shared-dir/
[root@rhel7-server /]# chmod ug+t /shared-dir/
[root@rhel7-server /]# ls -ld /shared-dir/
drwxrwxrwt. 2 root root 6 Jan  2 12:50 /shared-dir/
Check the small “t” and capital “T”: the sticky bit shows as a small “t” when
“others” also have execute permission on the directory, and as a capital “T”
when they do not (the bit is set, but with no execute permission under it).
Note also that the plain three-digit chmod 777 dropped the sticky bit, because
a numeric mode without the leading digit sets that digit to 0; that is why it
had to be put back with ug+t. chmod 1777 would have done both in one step.
The 1555/1554 modes above only serve to show the letters; a shared directory
that everybody may write to is 1777, the mode /tmp uses.
SET UID (SUID) / SET GROUP ID (SGID)…………………………..
Now consider another case: a script collects the performance report of some
applications and is scheduled to FTP it at 5pm daily to some location.
All is well….
Till a user X joins the performance monitoring (PM) team, a very enthusiastic
user.
He argues that the application is theirs, so why is it controlled by others?
They want the PM report thrice a day for better monitoring; it is their
application, so they should be responsible for it.
The issue is raised to the admins, with the HOD of the PM team seeking an
explanation.
The admins feel they have no choice left other than giving privileged access
to that script.
How did they do it…?
By setting SUID/SGID on that script file. (Spoiler from the demonstration that
follows: Linux ignores those bits on interpreted scripts, so this hands out no
privilege at all; and had it worked, a root-privileged script whose input and
environment a whole team controls would have been a very bad idea.)
[root@rhel7-server ~]# touch id-script.sh
[root@rhel7-server /]# chmod 555 id-script.sh
[root@rhel7-server /]# ls -l /id-script.sh
-r-xr-xr-x. 1 root root 82 Jan  5 11:12 /id-script.sh
Now, check it carefully….
For User (SUID)……..
[root@rhel7-server /]# chmod u+s id-script.sh
[root@rhel7-server /]# ls -l /id-script.sh
-r-sr-xr-x. 1 root root 82 Jan  5 11:12 /id-script.sh
For Group (SGID)……..
[root@rhel7-server /]# chmod g+s id-script.sh
[root@rhel7-server /]# ls -l /id-script.sh
-r-sr-sr-x. 1 root root 82 Jan  5 11:12 /id-script.sh
Removal of SUID/SGID………..
[root@rhel7-server /]# chmod -s id-script.sh
[root@rhel7-server /]# ls -l /id-script.sh
-r-xr-xr-x. 1 root root 82 Jan  5 11:12 /id-script.sh
For both user & group….
[root@rhel7-server /]# chmod ug+s id-script.sh
[root@rhel7-server /]# ls -l /id-script.sh
-r-sr-sr-x. 1 root root 82 Jan  5 11:12 /id-script.sh
Now I am changing the permission……..
[root@rhel7-server /]# chmod 444 id-script.sh
[root@rhel7-server /]# ls -l /id-script.sh
-r--r--r--. 1 root root 82 Jan  5 11:12 /id-script.sh
See… I did not remove the SUID/SGID explicitly, yet they are gone. On a
regular file a three-digit numeric mode means a leading 0, so chmod 444 set
the special bits to zero along with everything else; only symbolic modes such
as u+s or ug-s touch just the bits you name. (GNU chmod makes one exception:
on a directory it keeps the SUID/SGID bits across a numeric chmod unless you
clear them explicitly; the sticky bit is not kept, as the chmod 777 above
showed.) Let’s set them again.
[root@rhel7-server /]# chmod ug+s id-script.sh
[root@rhel7-server /]# ls -l /id-script.sh
-r-Sr-Sr--. 1 root root 82 Jan  5 11:12 /id-script.sh
Check the capital “S” and small “s”…
Why…??
The letter takes the place of the execute position in the same triplet. When
the execute permission is set for user/group, the letter is small (s): the
file is executable and the bit will take effect. Without the execute
permission we get the capital letter (S): the bit is set but there is no
execute permission under it, so it can never do anything and is almost always
a chmod mistake. The same rule gives small t versus capital T for the sticky
bit on a directory.
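The s/S and t/T rule above (and the same rule for the sticky bit in the
shared-directory example) is short to state but easy to misread in a long ls
listing. The following is an added example, not code from the original notes:
mode_to_symbolic turns a four-digit octal mode into the ten-character string
that ls -l prints, and check_on_disk chmods a scratch file or directory and
compares the prediction with what GNU stat reports. The function names are
mine; the only assumptions are a POSIX shell and GNU coreutils chmod, stat and
mktemp, as shipped with RHEL 7.

```shell
#!/bin/sh
# Added example (not from the original notes): predict and verify the
# s/S/t/T letters that ls -l prints for SUID, SGID and the sticky bit.

# mode_to_symbolic OCTAL [d] : e.g. "mode_to_symbolic 4755" prints -rwsr-xr-x.
# The special bits replace the execute position of their own triplet:
# SUID -> user x, SGID -> group x, sticky -> other x. The letter is lowercase
# when that execute bit is set and uppercase when it is not.
mode_to_symbolic() {
    local mode out pos bits special lower upper
    mode=$(( 0$1 ))                 # leading 0 makes the shell read "4755" as octal
    out=${2:--}                     # type character: '-' for a file (default), 'd' for a directory
    for pos in 6 3 0; do            # user, group and other triplets, in ls order
        bits=$(( (mode >> pos) & 7 ))
        case $pos in
            6) special=$(( mode & 04000 )); lower=s; upper=S ;;   # SUID pairs with the user x bit
            3) special=$(( mode & 02000 )); lower=s; upper=S ;;   # SGID pairs with the group x bit
            0) special=$(( mode & 01000 )); lower=t; upper=T ;;   # sticky pairs with the other x bit
        esac
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ "$special" -ne 0 ]; then
            # special bit set: lowercase with the execute bit underneath, uppercase without
            if [ $(( bits & 1 )) -ne 0 ]; then out="${out}${lower}"; else out="${out}${upper}"; fi
        elif [ $(( bits & 1 )) -ne 0 ]; then
            out="${out}x"
        else
            out="${out}-"
        fi
    done
    printf '%s\n' "$out"
}

# check_on_disk OCTAL [d] : create a scratch file (or a directory with "d"),
# chmod it to OCTAL and compare GNU stat's view (%A) with the prediction.
# Returns 0 when they agree. No privilege is needed: an owner may set the
# special bits on their own files.
check_on_disk() {
    local tmp predicted actual
    if [ "${2:-}" = d ]; then tmp=$(mktemp -d); else tmp=$(mktemp); fi
    chmod "$1" "$tmp"
    predicted=$(mode_to_symbolic "$1" "${2:-}")
    actual=$(stat -c %A "$tmp")
    rm -rf "$tmp"
    printf 'chmod %-5s -> stat says %s, predicted %s\n' "$1" "$actual" "$predicted"
    [ "$actual" = "$predicted" ]
}

echo "octal  symbolic"
for m in 0755 4755 4644 2755 2644 6555 6444; do
    printf '%-6s %s\n' "$m" "$(mode_to_symbolic "$m")"
done
for m in 1777 1555 1554; do
    printf '%-6s %s\n' "$m" "$(mode_to_symbolic "$m" d)"
done
check_on_disk 6444      # the -r-Sr-Sr-- state the transcript above ended in
check_on_disk 1554 d    # the dr-xr-xr-T directory from the sticky-bit example
```

mode_to_symbolic 6444 gives -r-Sr-Sr--, the state the transcript ended in,
and check_on_disk 1554 d reproduces dr-xr-xr-T. Whenever a listing shows a
capital S or T, the special bit is set but can never take effect; treat it as
a typo in an earlier chmod and either add the execute bit or clear the
special bit.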
Now, back to the significance of SUID.
[root@rhel7-server /]# chmod 555 id-script.sh
[root@rhel7-server /]# cp id-script.sh /home/raman/
[root@rhel7-server /]# ls -l /home/raman/id-script.sh
-r-xr-xr-x. 1 root root 82 Jan  5 11:32 /home/raman/id-script.sh
[root@rhel7-server /]# chmod ug+s /home/raman/id-script.sh
[root@rhel7-server /]# ls -l /home/raman/id-script.sh
-r-sr-sr-x. 1 root root 82 Jan  5 11:32 /home/raman/id-script.sh
See… the owner of the file is “root”.
[root@rhel7-server /]# su - raman
[raman@rhel7-server /]$ cp id-script.sh /home/raman
[raman@rhel7-server ~]$ ./id-script.sh
Please enter your name
Anurag
[raman@rhel7-server ~]$ cat Anurag
uid=1001(raman) gid=1001(raman) groups=1001(raman),5000(admins1),5001(monster) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[raman@rhel7-server ~]$ ls -l id-script.sh
-r-sr-sr-x. 1 root root 82 Jan  5 11:32 id-script.sh
Look at the result: although the script is owned by root with SUID and SGID
set, the id command inside it still reports uid=1001(raman). Linux ignores the
set-user-ID and set-group-ID bits on scripts that run through a #! interpreter
line, because a privileged script is trivially subverted (through the
interpreter, through the environment, or through the race between the kernel
opening the script and the interpreter re-opening it by path). The bits only
take effect on compiled executables such as /usr/bin/passwd. So the admins’
“fix” gave the PM team no privilege at all, and a SUID bit on a script is a
red flag in an audit, never a solution. Nor can raman modify the script: it is
owned by root with mode r-sr-sr-x. The proper way to let a team run one
privileged job is a sudo rule that names that exact command.
One more thing needs to be considered…
These are a few of the files that ship with SUID/SGID set by default.
WHY…??
Find it yourself, but the pattern is that each of them has to touch something
an ordinary user may not: passwd, chage and gpasswd write to /etc/shadow and
/etc/gshadow, crontab and at write into root-owned spool directories, newgrp
and sudo switch identity, umount changes the mount table, and ssh-agent is
setgid to a throwaway group so that its process is not dumpable and other
processes of the same user cannot read key material out of its memory.
(Listing trimmed to the relevant entries.)
[root@rhel7-server /]# ls -ltr /usr/bin/
-rwsr-xr-x. 1 root root    27832 Jan 30 2014 passwd
-rwsr-xr-x. 1 root root    57536 Jan 27 2014 crontab
-rwsr-xr-x. 1 root root    53792 Jan 29 2014 at
-rwsr-xr-x. 1 root root    37624 Feb 12 2014 newgrp
-rwsr-xr-x. 1 root root    78168 Feb 12 2014 gpasswd
-rwsr-xr-x. 1 root root    64184 Feb 12 2014 chage
---s--x--x. 1 root root   130712 Feb 26 2014 sudo
---x--s--x. 1 root nobody 145312 Mar 20 2014 ssh-agent
-rwsr-xr-x. 1 root root    31960 Mar 28 2014 umount
Leave these as the distribution ships them and do not add SUID/SGID to your
own files: every set-ID root program is a privilege boundary that an attacker
will probe, and one with a bug is a local root. Keep a record of which files
carry the bits and audit the system periodically so that an unexpected one
stands out.
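Auditing for set-ID files is the check that belongs with the list above. The
script below is an added example, not from the original notes:
list_special_bits prints every regular file under a tree that carries SUID or
SGID, in a stable one-line-per-file format that can be saved and diffed, and
unexpected_special_bits reports the entries not on an allowlist. The function
names, the scratch tree that demo_tree builds and the allowlist contents are
constructed for the example; the real RHEL 7 baseline is whatever
list_special_bits / prints on a freshly installed system. Assumes GNU find and
stat.

```shell
#!/bin/sh
# Added example, not from the original notes: find every regular file under a
# tree that carries SUID or SGID and report those not on an allowlist.
# Assumes GNU find and stat (as shipped with RHEL 7).

# list_special_bits ROOT : print "octal-mode owner group path" for each regular
# file under ROOT with SUID (04000) or SGID (02000) set, sorted by path so two
# runs can be compared with diff. -xdev keeps the walk on one filesystem.
list_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %G %n' {} + | sort -k4
}

# unexpected_special_bits ROOT ALLOWLIST : same output, filtered to files whose
# path is not listed (one absolute path per line) in ALLOWLIST.
unexpected_special_bits() {
    list_special_bits "$1" | while read -r mode owner group path; do
        grep -qxF -- "$path" "$2" || printf '%s %s %s %s\n' "$mode" "$owner" "$group" "$path"
    done
}

# demo_tree : build a scratch tree standing in for a root filesystem. The
# contents are constructed for the example: one legitimate SUID binary
# (passwd) that is on the allowlist, one ordinary binary, and two set-ID
# files nobody approved. Prints the path of the tree.
demo_tree() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/opt/app"
    : > "$tmp/usr/bin/passwd";    chmod 4755 "$tmp/usr/bin/passwd"     # expected SUID root binary
    : > "$tmp/usr/bin/ls";        chmod 0755 "$tmp/usr/bin/ls"         # no special bit
    : > "$tmp/opt/app/backup.sh"; chmod 4755 "$tmp/opt/app/backup.sh"  # SUID on a script: a finding
    : > "$tmp/opt/app/report";    chmod 2755 "$tmp/opt/app/report"     # SGID binary nobody approved
    printf '%s\n' "$tmp/usr/bin/passwd" > "$tmp/allowlist.txt"
    printf '%s\n' "$tmp"
}

root=$(demo_tree)
echo "all set-ID files under $root:"
list_special_bits "$root"
echo "not on the allowlist:"
unexpected_special_bits "$root" "$root/allowlist.txt"
rm -rf "$root"
```

On a real host, run list_special_bits / as root right after installation,
keep the output somewhere the host itself cannot alter, and compare against it
periodically. A SUID bit on a shell script (backup.sh in the demo) is never
legitimate on Linux, since the kernel ignores it, so it should be treated as
a finding rather than a convenience someone set up.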
PERMS      | NO. VALUE | RELATIVE VALUE | ON FILES                                                                          | ON DIRECTORIES                                                                      | REMOVAL
SUID       | 4         | u+s            | runs with the effective UID of the file's owner (compiled binaries only, not scripts) | no effect on Linux                                                                | u-s
SGID       | 2         | g+s            | runs with the effective GID of the file's group (compiled binaries only, not scripts) | new files get the directory's group; new subdirectories also inherit the SGID bit | g-s
STICKY BIT | 1         | +t             | no effect on Linux                                                                | only the file's owner, the directory's owner or root may delete or rename entries   | -t
EFFECTIVE UID/GID………….. (ID COMMAND)…………..
The real UID/GID is who I actually am; the effective UID/GID is who the
kernel treats me as when it checks permissions.
Normally the two are identical. When a regular user runs a SUID program, the
kernel sets the effective UID of that process to the UID of the file’s owner
(root, for the files listed above); SGID does the same with the effective GID
and the file’s group. The real UID/GID stay the user’s own, and the process
is back to normal as soon as the program exits.
That is called the “Effective UID/GID”.
So the user does not become root, not even temporarily: a trusted program
runs with root permissions on the user’s behalf, which is why it is the
program, not the user, that an attacker tries to subvert. On Linux this
happens only for compiled executables; a #! script never gets an effective
UID other than the caller’s, as the id-script.sh run above showed.
[raman@rhel7-server ~]$ id -a
uid=1001(raman) gid=1001(raman) groups=1001(raman),5000(admins1),5001(monster) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Option | Purpose
-g     | Display only the effective group ID
-G     | Display all group IDs
-u     | Display only the effective user ID
-n     | Display a name instead of a number, for -u, -g or -G
-r     | Display the real ID instead of the effective ID, with -u, -g or -G
-a     | Ignored; kept for compatibility with other versions
[root@rhel7-server ~]# id -g raman
1001
[root@rhel7-server ~]# id -G raman
1001 5000 5001
[root@rhel7-server ~]# id -u raman
1001
[root@rhel7-server ~]# id -n raman
id: cannot print only names or real IDs in default format
[root@rhel7-server ~]# id -n -u raman
raman
[root@rhel7-server ~]# id -n -g raman
raman
[root@rhel7-server ~]# id -r raman
id: cannot print only names or real IDs in default format
[root@rhel7-server ~]# id -r -u raman
1001
[root@rhel7-server ~]# id -r -g raman
1001
[root@rhel7-server ~]# su - raman
Last login: Thu Jan 5 12:08:33 IST 2017 on pts/0
[raman@rhel7-server ~]$ id -a
uid=1001(raman) gid=1001(raman) groups=1001(raman),5000(admins1),5001(monster) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[raman@rhel7-server ~]$ su -
Password:
Last login: Thu Jan 5 12:20:53 IST 2017 from 192.168.234.1 on pts/1
[root@rhel7-server ~]# id -a
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel7-server ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@rhel7-server ~]# id -u
0
[root@rhel7-server ~]# id -r
id: cannot print only names or real IDs in default format
[root@rhel7-server ~]# id -r -u raman
1001
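The real/effective split explained above, and the id -u versus id -r -u pairs
in the transcript, can also be read straight from the kernel: /proc/PID/status
carries a Uid: line with the real, effective, saved and filesystem UIDs, and a
Gid: line with the same for groups. The script below is an added example, not
from the original notes: uid_summary reduces one status file to a single line
and flags a process whose effective IDs differ from its real IDs (the state a
SUID program such as passwd is in while it runs), and scan_setuid_processes
applies that to every live process. The function names are mine and the two
status excerpts are constructed samples with tabs replaced by spaces.

```shell
#!/bin/sh
# Added example, not from the original notes. The kernel keeps four UIDs per
# process (real, effective, saved, filesystem) and shows them, in that order,
# on the "Uid:" line of /proc/PID/status; "Gid:" does the same for groups.
# "id -u" prints the effective UID and "id -r -u" the real one; a process in
# which the two differ is running under a set-ID program (or changed identity
# itself), which is what makes this worth scanning for.

# uid_summary STATUS_TEXT : summarise the Uid:/Gid: lines of one status file.
# Prints "ruid=R euid=E rgid=R egid=E same" or "... elevated".
uid_summary() {
    printf '%s\n' "$1" | awk '
        $1 == "Uid:" { ruid = $2; euid = $3 }
        $1 == "Gid:" { rgid = $2; egid = $3 }
        END {
            state = (ruid == euid && rgid == egid) ? "same" : "elevated"
            printf "ruid=%s euid=%s rgid=%s egid=%s %s\n", ruid, euid, rgid, egid, state
        }'
}

# scan_setuid_processes : walk /proc and report every process whose effective
# IDs differ from its real IDs. /proc/PID/status is world-readable, so this
# works for any user; run it as root to be sure nothing is skipped.
scan_setuid_processes() {
    for status in /proc/[0-9]*/status; do
        [ -r "$status" ] || continue
        summary=$(uid_summary "$(cat "$status" 2>/dev/null)")
        case $summary in
            *elevated)
                pid=${status#/proc/}; pid=${pid%/status}
                name=$(awk '$1 == "Name:" { print $2 }' "$status")
                printf '%-6s %-15s %s\n' "$pid" "$name" "$summary" ;;
        esac
    done
}

# Constructed /proc/PID/status excerpts (tabs replaced by spaces). The first is
# what raman (uid 1001) running the SUID root binary /usr/bin/passwd looks
# like: the real UID stays 1001 while the effective and saved UIDs become 0.
SAMPLE_PASSWD_STATUS='Name:   passwd
Uid:    1001    0       0       0
Gid:    1001    1001    1001    1001'

# The second is raman's own login shell: all four UIDs and GIDs are his.
SAMPLE_SHELL_STATUS='Name:   bash
Uid:    1001    1001    1001    1001
Gid:    1001    1001    1001    1001'

echo "passwd run by raman : $(uid_summary "$SAMPLE_PASSWD_STATUS")"
echo "raman's shell       : $(uid_summary "$SAMPLE_SHELL_STATUS")"
echo "this shell          : $(uid_summary "$(cat /proc/self/status 2>/dev/null)")"
echo "live processes with effective != real IDs:"
scan_setuid_processes
```

A long-running process that scan_setuid_processes reports with euid=0 and a
non-zero ruid deserves a look: short-lived entries such as passwd or sudo are
expected, a persistent one usually is not.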