the "s" and "S" permissions.

Post by John Pea » Sat, 16 Jan 1993 20:51:09



|>
|>  I have noticed that sometimes when I do an ls command, the
|>  permission value shown in the x (execute) position is either an
|>  s or an S. What do these two symbols mean, and what kind of
|>  permission do they offer?

RTFM

          The next 9 characters are interpreted as three sets of three
          characters each.  The first set of three characters refers to
          file-access permissions for the user; the next set, for the
          user-group; and the last set, for all others.  The permissions
          are indicated as follows:

          r if the file is readable
          w if the file is writable
          x if the file is executable
          - if the indicated permission is not granted.

          The group-execute permission character is given as s if the
          file has the set-group-id bit set; likewise, the user-execute
          permission character is given as s if the file has the
          set-user-id bit set.

          The last character of the See chmod(2) for the meaning of this
          mode.  The indications of set-ID and the 01000 bi

|>
|>  Also when using the chmod command, what is the numerical value of
|>  these two symbols (i.e. as in r=4, w=2, and x=1)?
Again RTFM

     For mode in absolute form, you specify an octal number constructed
     from the sum of one or more of the following values:

          4000      set user ID on execution (applies to executable
                    files only)
          2000      set group ID on execution (applies to executable
                    files only)
          1000      set sticky bit (see chmod(2) for more information)
          0400      read by owner
          0200      write by owner
          0100      execute, or search if file is a directory, by owner
          0040      read by group
          0020      write by group
          0010      execute, or search if file is a directory, by group

|>
|>  Thank you very much for the help.
|>
|>  Henry Manaster
|>
|> --
|>   Brooklyn, NY
|>   Disclaimer: The above is not necessarily MY opinion nor that
|>               of anyone else :-)

--
                               John Peach
                       Chevron Europe/Middle East
   Ninian House, Crawpeel Road, Altens, Aberdeen, AB1 4LG, Scotland.


the "s" and "S" permissions.

Post by Jay A. Konigsbe » Mon, 18 Jan 1993 02:53:16



> I have noticed that sometimes when I do an ls command, the
> permission value shown in the x (execute) position is either an
> s or an S. What do these two symbols mean, and what kind of
> permission do they offer?

> Also when using the chmod command, what is the numerical value of
> these two symbols (i.e. as in r=4, w=2, and x=1)?

> Thank you very much for the help.

> Henry Manaster

What follows is a (mostly) complete description of Unix permissions.
I'm posting rather than mailing because I've encountered the question
many times in other forums (though a copy has also been mailed to the
poster). Also, if I made any mistakes or omissions I'm _sure_ to
be corrected :-)

The "s" and the "S" refer to programs with the setuid and setgid bits
set. When set the programs run with the effective user or group ID of
the owner of the program. I'm not sure what the symbolic args to chmod
are - I've used octal too long.

The most common example of this is the "passwd" program that allows users
to change their password (Example assumes passwords in /etc/passwd, not
/etc/shadow or /etc/security/passwd).

The permissions on /etc/passwd are:

-r--r--r--   1 root     sys        10265 Jan  8 12:20 /etc/passwd

This allows anyone to read it, but only root may change it. However,
any user _may_ change their own password - even though they don't
have permission to do so.

Thus, the following permissions on the "passwd" program in /bin:

-r-sr-sr-x   1 root     sys        25876 Dec  6  1991 /bin/passwd

When this program runs, the effective userid will be root and the
effective groupid will be sys (note the group varies from system to
system). The operative permission is the "s" in the owner field.

    NOTE: in the C program, you need to do a "setuid(effectiveuid)"
          and "setgid(effectivegid)" to set the real id the program
          operates under.

The base permission to /bin/passwd is:

        - read & execute for everyone
                or: chmod  555
        Set the effective user id of the process to the owner
                or: chmod 4000 - shown as a "s" or "S" in owner "x" field.
        Set the effective group id of the process to the group
                or: chmod 2000 - shown as a "s" or "S" in group "x" field.

        So, the octal code to set -r-sr-sr-x is: chmod 6555

If the "execute" bit is not set for "user", "group" or "other"; and
the setuid (or setgid) bit _is_ set, then there will be an "S" instead
of an "s".

chmod 1000 is also possible and refers to the "sticky bit" (normally a
"t" in the other "x" field). This will attempt to retain the text image
of a program in memory after execution - thus saving load time on the
next invocation.

If the sticky bit is set on a directory (system dependent) such as /tmp
then only the owner of a file will be able to delete it.

There are other possibilities for the permission combination explained,
but they tend to be release/system dependent: such as file locking for
chmod 2060 on Sys V rel 3.

Summary:

        0004000 - set user ID on execution
        0002000 - set group ID on execution
        0001000 - Save text image after execution

        0000400 - read by owner
        0000200 - write by owner
        0000100 - execute by owner

        0000040 - read by group
        0000020 - write by group
        0000010 - execute by group

        0000004 - read by others
        0000002 - write by others
        0000001 - execute by others

Also, there is a fifth bit not normally accessible (except from
certain programs and C) that controls the type of file:

        0010000 - fifo special
        0020000 - character special
        0040000 - directory
        0060000 - block special
        0100000
        0000000 - ordinary file

The 6th and 7th bits are also available. I suspect that they are
also used in various implementations, though I don't know their meaning.

--
-------------------------------------------------------------

If something is worth doing, it's worth doing correctly.
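Worked example added here (not from either reply above, nor from any vendor's ls): a C routine that renders a mode value the way ls prints it, covering the file-type character, the s/S cases both replies describe, and the t/T sticky case, using constructed sample modes rather than a real listing.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Render a mode the way ls(1) shows it: one type character and three
 * rwx triples. In each triple the execute slot becomes s/S (set-id) or
 * t/T (sticky); a capital letter means the set-id or sticky bit is on
 * while the underlying execute bit is off, as the post describes. */
static char type_char(mode_t m)
{
    switch (m & S_IFMT) {
    case S_IFDIR: return 'd';
    case S_IFCHR: return 'c';
    case S_IFBLK: return 'b';
    case S_IFIFO: return 'p';
    default:      return '-';   /* S_IFREG: ordinary file */
    }
}

/* Execute-slot character for one triple. */
static char exec_char(int exec_on, int special_on, char lower, char upper)
{
    if (special_on)
        return exec_on ? lower : upper;
    return exec_on ? 'x' : '-';
}

const char *mode_to_ls(mode_t m, char out[11])
{
    out[0] = type_char(m);
    out[1] = (m & S_IRUSR) ? 'r' : '-';
    out[2] = (m & S_IWUSR) ? 'w' : '-';
    out[3] = exec_char(m & S_IXUSR, m & S_ISUID, 's', 'S');
    out[4] = (m & S_IRGRP) ? 'r' : '-';
    out[5] = (m & S_IWGRP) ? 'w' : '-';
    out[6] = exec_char(m & S_IXGRP, m & S_ISGID, 's', 'S');
    out[7] = (m & S_IROTH) ? 'r' : '-';
    out[8] = (m & S_IWOTH) ? 'w' : '-';
    out[9] = exec_char(m & S_IXOTH, m & S_ISVTX, 't', 'T');
    out[10] = '\0';
    return out;
}

int main(void)
{
    char buf[11];   /* constructed sample modes, not a real listing */
    printf("%s  chmod 6555 (the /bin/passwd example)\n", mode_to_ls(S_IFREG | 06555, buf));
    printf("%s  chmod 4644 (setuid, owner execute off -> S)\n", mode_to_ls(S_IFREG | 04644, buf));
    printf("%s  chmod 1777 on a directory (sticky /tmp)\n", mode_to_ls(S_IFDIR | 01777, buf));
    return 0;
}
```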