Special Permissions In Unix

Earlier, I had faced a strange issue while starting up Oracle instance, after applying PSU 4 into our 12.1.0.2 database. Even when my ASM was up and running, I couldn't start my database instances. Alerts log was clearly showing that ASM was not available. It's quite strange to me and I started googling. After an hour of googling, I found the solution.The file permission of $ORACLE_HOME/bin/oracle got changed somehow while applying the PSU. So, I executed the following command and I started my database instances.

#chownoracle:asmadmin $ORACLE_HOME/bin/oracle
#chmod 6751 $ORACLE_HOME/bin/oracle

We are familiar with setting the file permission with 3 digit combination like 777,755 etc .

Now, the question is, the purpose of this extra digit 6 here.  Well, the answer is - it's the combination of Unix special file permissions suid and sgid.

So this time, instead of talking about Oracle specific topic, I would like to discuss more about "Special Permissions" in Unix based operating system. So, for all the DBAs working on Unix based OS, this will be an added advantage. 

There are three types of special permission bits that may be setup on executable files or directories if required.

These permission bits are,

  1. Setuid (set user identification bit )
  2. Setgid (set group identification bit)
  3. Sticky bit

Thesuid (set user id bit)

Setting the suid bit on a file allows normal users to run that application with raised (usually superuser) priviledges. Remember that when a user launches an application, that application runs with the same permissions as that user. This is one of the fundamental differences between Windows and *nix systems.

An example of a file that has the suid bit set in most cases is the /usr/bin/passwd application. You can see that the /usr/bin/passwd application has the suid bit set by the letter s in place of the user’s eXecutable bit.

-rwsr-xr-x 1 root root 26680 May 10 13:44 passwd

For listing the setuid bit enabled files you can use the common ls command with long list parameter as follows

[root@node2 ~]# ls -lrt /bin/su
-rwsr-xr-x 1 root root 24060 Nov 27 2006 /bin/su


You can see that the owner-executable bit is set to 's', that means the executable file is setuid enabled.

The passwd application allows users to change their own passwords. In order to do so, it has to write to the etc/passwd file which contains all of the accounts on a GNU/Linux system. However, if the suid bit was not set on the passwd application then the passwd application would only have the rights of the user and therefore could not make changes to the etc/passwd file. Setting the suid bit on the passwd application allows it to run as the superuser and it can therefore write the new password to the etc/passwd file.

How to set the suid bit?

Use the number 4 in front of a normal chmod string,
#chmod 4755 /home/mahi/mahi.sh

Alternatively you can use symbolic notation to get the exact result
#chmodu+s /home/mahi/mahi.sh

To unset the setuid bit use,

# chmod u-s /home/mahi/mahi.sh
or
#chmod 0755 /home/mahi/mahi.sh

To search for all files in the system that have setuid bit set on them , use find command,
# find / -type f -perm -04000 -exec ls -lrt {} \;

Setuid on directories

Setting uid on a directory is easy to understand as it is simply ignored by Linux. i.e you can set it but it is given no special meaning when set on a directory. On Linux Thesetuid bit on a directory is only effective when it is on the group bit.

Setgid bit (set group id bit )

we can set setgid bit on both file and directory.

Setgid on a file

The setgid bit is set on executable files at the group level. When this bit is enabled , the file will be executed by the other users with exact same privileges that the group member have on it. SGID modes on a file don't occur nearly as frequently as SUID.

For example the linux write and wall command is owned by root with group membership set to tty. These command has setgid bit enabled on it.See the highlighted “s” in the group permission class below

[root@node2 ~]# ls -lrt /usr/bin/wall
-r-xr-sr-x 1 root tty 10420 Oct 13 2006 /usr/bin/wall


The write and wall commands are used to send messages to other users' terminals (ttys) or to any psuedo terminal (pts/n). The write command writes a message to a single user, while wall writes to all connected users. For eg;

[root@node2 ~]# wall
Hi
h r u?
^d

Then, it will send message to all connected users. Sending text to another user's terminal or graphical display is normally not allowed. In order to bypass this problem, a group has been created, which owns all terminal devices. When the write and wall commands are granted SGID permissions, the commands will run using the access rights as applicable to this group, tty in the example. Since this group has write access to the destination terminal, also a user having no permissions to use that terminal in any way can send messages to it.

From the following output you can see that each terminal device (tty1 ,pts/0,pts/1 etc) is owned by the group tty . So when a normal user run the ‘wall’ or ‘write’ command it will run with the access rights of the group tty .From the output we can see that ‘tty’ group have the write permission on each destination terminal. So we will get the output on each terminal

[root@node2 ~]# ls -lrt /dev/tty1
crw--w---- 1 root tty 4, 1 Jan 21 23:29 /dev/tty1


[root@node2 ~]# ls -lrt /dev/pts
crw--w---- 1 root tty 136, 0 Jan 21 23:19 0
crw--w---- 1 root tty 136, 1 Jan 21 23:29 1


You can also send message to any destination terminal by using ‘echo’ if you have enough permission, for eg

[root@node2 ~]# echo Hi dear > /dev/pts/1
Then it will display the message “Hi dear “ on the pseudo terminal dev/pts/1 , now try to execute

The same command as a normal user
[mahi@node2 ~]$ echo Hi dear > /dev/pts/1
-bash: /dev/pts/1: Permission denied
Ie local user have no write permission to the destination terminal , here the ‘setuid’ bit comes into play .

How to set setgid bit on files and directory

To set setgid bit you must be either be the owner of the file or root , you can use chmod command to set setgid on files and directories

#chmod 2755 /home/mahi/free.sh
Alternatively you can use symbolic notation to get the exact result

#chmod g+s /home/mahi/free.sh
To unset the setgid bit

# chmod g-s /home/mahi/free.sh
or
#chmod 0755 /home/mahi/free.sh
To search for all files and directories in the system having setgid bit enabled

# find / -type f -perm -02000 -exec ls -lrt {} \; (for directories use ‘d’ instead of ‘f’ )

Setgid bit on directories

We can use the command chmod to set the group ID bit for a directory.

#chmodg+s /mydir
or with numeric mode:
#chmod 2775 /mydir


After the change, the permission of the directory "/mydir" becomes "drwxrwsr-x".

drwxrwsr-x 3 oraora 4096 2010-03-18 19:57 /mydir

But what is so special about setting the group ID for a directory? The trick is that when another user creates a file or directory under such a directory "/mydir", the new file or directory will have its group set as the group of the owner of "/mydir", instead of the group of the user who creates it.

For example, if mahi belongs to the groups "mahi" (main group) and "ora", and he creates a file "setgid.txt" under the diretory "/mydir", "setgid.txt" will be owned by the group of "ora" instead of mahi's main group ID "mahi".

-rw-r--r-- 1 mahiora 10 2010-03-18 20:01 setgid.txt

Even if ‘mahi’ does not belong to the group "ora", the files or directories he creates under "/mydir" (if "/mydir" grants the write permission to "others") will also get owned by group "ora".

You can use such feature to share files within the group. Create a directory which permits the group to write, and set the group ID bit. Every files or directories created under it will have the same group ownership. Therefore, the whole group can share them.

 One commnad for finding all the files with setuid or setgid bit,

#find / -perm +6000 -type f -exec ls -lrt {} \;

Sticky bit

The sticky bit is normally set on public writable directories to protect files and sub-directories of individual users from being deleted by other users. This bit is typically set on /tmp and /var/tmp directories. Thus If the sticky bit is set for a directory, only the owner of that directory or the owner of a file can delete or rename a file within that directory.

Normally all users are allowed to create and delete files and sub-directories in these directories.

With default permission, any user can remove any others files and sub-directories.
Sticky bit shows up as a t in the execute position of the other permission , foe eg

[root@server ~]# ls -ld /var/tmp/ /tmp
drwxrwxrwt 32 root root 4096 Mar 15 13:35 /tmp
drwxrwxrwt 2 root root 4096 Feb 20 10:35 /var/tmp/

How to set sticky bit permission

When digit 1 is used with chmod command it sets the sticky bit on the directory
#chmod 1777 test

Alternatively you can use symbolic notation to set the same
#chmodo+t test

There is no need to specify ‘o’ along with chmod command you can simply do it with
#chmod +t test

How to unset sticky bit permission

#chmod -t test
Or
#chmod 0777 test


Note -You may see both a ‘t’ and ‘T’ to indicate that the sticky bit is set. You can see a ‘t’ if the world already have a execute permission before you set the sticky bit , and a ‘T’ if the world didn’t have execute set before the sticky bit was put in place. For eg,

#mkdir testdir
#chmod 754 testdir
#chmod o+t testdir
# ls -ldtestdir
drwxr-xr-T 2 root root 4096 Mar 15 14:23 testdir


To list all directories having sticky bit enabled

#find / -perm -1000 -type d

Note - Linux ignores the sticky bit when it sets on files. It is possible to set combination of suid ,sgid and the sticky bit at the same time .

0Remove sticky bit,suid&sgid
Sets sticky bit
Sets sgid bit
3 Sets sticky bit and sgid bit
Sets suid bit
Sets sticky bit and suid
Sets suid and sgid bit
7 Sets sticky bit, suid&sgid bit

Be sure to note that using a 0, removes suid ,sgid and sticky bit all at the same time. If you use 0 to remove suid but you still want the sticky bit set, you need to go back and reset the sticky bit.