Why can SetUID programs be a bad thing? What happens if you forget to add the home directory for a user? Get answers to these and other questions in this, part 2 of Managing Users from the book Linux Administration, A Beginner's Guide, third edition by Steven Graham and Steve Shah (McGraw-Hill/Osborne, 0072225629, 2002). See this link for Part 1.
Normally, when a program is run by a user, it inherits all of the rights (or lack thereof) that the user has. If the user can’t read the /var/log/messages file, neither can the program. Note that these permissions can be different from the permissions of the user who owns the program file (usually called the binary). For example, the ls program (which is used to generate directory listings) is owned by the root user. Its permissions are set so that all users of the system can run the program. Thus, if the user sshah runs ls, that instance of ls is bound by the permissions granted to the user sshah, not root.
However, there is an exception. Programs can be tagged with what’s called a SetUID bit, which allows a program to be run with the permissions of the program’s owner, not those of the user who is running it. Using ls as an example again, setting the SetUID bit on it and having the file owned by root means that if the user sshah runs ls, that instance of ls will run with root permissions, not with sshah’s permissions. The SetGID bit works the same way, except that the program runs with the permissions of the file’s group rather than those of the file’s owner.
To enable the SetUID bit or the SetGID bit, you need to use the chmod command, which is covered in detail in Module 6. To make a program SetUID, prefix whatever permission value you are about to assign it with a 4. To make a program SetGID, prefix whatever permission value you are about to assign it with a 2. For example, to make /bin/ls a SetUID program (which is a bad idea, by the way), you would use this command:
[root@ford /root]# chmod 4755 /bin/ls
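The following Python script is an added example, not code from the book, showing the two sides of what the text describes: how the numeric prefix (4 or 2) maps onto the SetUID and SetGID mode bits, and how an administrator would audit a system for programs carrying those bits, since every SetUID root binary is a place where an ordinary user's process runs with root's rights. The SAMPLE_INVENTORY entries are constructed for illustration and are not a listing from any real machine; scan_filesystem is a helper written here that does on a real directory tree what find / -perm -4000 would do.

```python
import os
import stat

# Constructed sample inventory: (path, owner, numeric mode) as ls -l or stat
# might report them. These values are made up for the example, not taken
# from a real system.
SAMPLE_INVENTORY = [
    ("/bin/ls",             "root",  0o4755),  # the "bad idea" from the text
    ("/usr/bin/passwd",     "root",  0o4755),  # a legitimately SetUID root program
    ("/usr/bin/wall",       "root",  0o2755),  # SetGID: runs with the file's group
    ("/home/sshah/note",    "sshah", 0o644),   # ordinary file, no special bits
    ("/usr/local/bin/tool", "sshah", 0o4755),  # SetUID, but the owner is not root
]


def numeric_mode(special: int, perms: int) -> int:
    """Mirror the chmod syntax from the text: a prefix digit (4 = SetUID,
    2 = SetGID, 6 = both) in front of the usual three permission digits,
    so numeric_mode(4, 0o755) gives 0o4755, the value used for chmod 4755."""
    if special not in (0, 2, 4, 6):
        raise ValueError("prefix digit must be 0, 2, 4 or 6")
    return (special << 9) | (perms & 0o777)


def describe_mode(mode: int) -> dict:
    """Decode the SetUID/SetGID bits and the plain rwx permissions from a mode."""
    return {
        "setuid": bool(mode & stat.S_ISUID),   # S_ISUID is the 4000 bit
        "setgid": bool(mode & stat.S_ISGID),   # S_ISGID is the 2000 bit
        "perms": mode & 0o777,
    }


def audit(inventory):
    """Return (path, reason) for every entry that runs with an identity other
    than the invoking user's. SetUID root is the highest-risk class: anyone
    allowed to execute the file gets root's rights inside that process."""
    findings = []
    for path, owner, mode in inventory:
        info = describe_mode(mode)
        if info["setuid"] and owner == "root":
            findings.append((path, "setuid-root"))
        elif info["setuid"]:
            findings.append((path, f"setuid-{owner}"))
        elif info["setgid"]:
            findings.append((path, "setgid"))
    return findings


def scan_filesystem(top: str):
    """Walk a real directory tree and return (path, mode) for regular files
    that carry the SetUID or SetGID bit; the same check as
    find TOP -type f \\( -perm -4000 -o -perm -2000 \\)."""
    hits = []
    for root, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # unreadable or vanished; skip
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return hits


if __name__ == "__main__":
    print("constructed inventory:")
    for path, reason in audit(SAMPLE_INVENTORY):
        print(f"  {reason:13} {path}")
    print("live scan of /usr/bin:")
    for path, mode in scan_filesystem("/usr/bin"):
        print(f"  {mode} {path}")
```

Run it as a regular user to see the audit of the constructed inventory followed by whatever SetUID/SetGID programs exist under /usr/bin on the machine; comparing that live list against a known-good baseline is the practical check that nothing like the chmod 4755 /bin/ls example has been left behind.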
Module 5 Mastery Check List (for parts 1 and 2):
What information is stored in the /etc/passwd file?
What information is stored in the /etc/shadow file?
Does Linux use the username or the UID when performing operations pertaining to that user (such as file permissions)?
Why can SetUID programs be a bad thing?
What is the format of a user entry in the /etc/passwd file?
What is the GECOS entry?
How do you disable a user so they cannot access the system?
What information is stored in the /etc/group file?
What is the format of an entry in the /etc/group file?
What happens if you forget to add the home directory for a user?
Where is the list of available shells listed?
What are startup scripts?
This chapter is from Linux Administration, A Beginner's Guide, third edition, by Graham and Shah. (McGraw-Hill/Osborne, 2002, ISBN: 0072225629). Check it out at your favorite bookstore today.