Managing Users, Part 2 - Critical Skill
(Page 4 of 4 )

Normally, when a program is run by a user, it inherits all of the rights (or lack thereof) that the user has. If the user can’t read the /var/log/messages file, neither can the program. Note that this permission can be different than the permissions of the user who owns the program file (usually called the binary). For example, the ls program (which is used to generate directory listings) is owned by the root user. Its permissions are set so that all users of the system can run the program. Thus, if the user sshah runs ls, that instance of ls is bound by the permissions granted to the user sshah, not root.

However, there is an exception. Programs can be tagged with what’s called a SetUID bit, which allows a program to be run with permissions from the program’s owner, not the user who is running it. Using ls as an example again, setting the SetUID bit on it and having the file owned by root means that if the user sshah runs ls, that instance of ls will run with root permissions, not with sshah’s permissions. The SetGID bit works the same way, except instead of applying the file’s owner, it is applied to the file’s group setting.

To enable the SetUID bit or the SetGID bit, you need to use the chmod command, which is covered in detail in Module 6. To make a program SetUID, prefix whatever permission value you are about to assign it with a 4. To make a program SetGID, prefix whatever permission you are about to assign it with a 2. For example, to make the /bin/ls a SetUID program (which is a bad idea, by the way), you would use this command:

[root@ford /root]# chmod 4755 /bin/ls

Module 5 Mastery Check List (for parts 1 and 2):

1. What information is stored in the /etc/passwd file?
2. What information is stored in the /etc/shadow file?
3. Does Linux use the username or the UID when performing operations pertaining to that user (such as file permissions)?
4. Why can SetUID programs be a bad thing?
5. What is the format of a user entry in the /etc/passwd file?
6. What is the GECOS entry?
7. How do you disable a user so they cannot access the system?
8. What information is stored in the /etc/group file?
9. What is the format of an entry in the /etc/group file?
10. What happens if you forget to add the home directory for a user?
11. Where is the list of available shells listed?
12. What are startup scripts?

This chapter is from Linux Administration, A Beginner's Guide, third edition, by Graham and Shah. (McGraw-Hill/Osborne, 2002, ISBN: 0072225629). Check it out at your favorite bookstore today. Buy this book now.

DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.

Comments On: Managing Users, Part 2

>>> Be the FIRST to comment on this article!