LinuxQuestions.org

SUID vs SGID (https://www.linuxquestions.org/questions/linux-newbie-8/suid-vs-sgid-4175477078/)

mmhs 09-14-2013 01:03 AM

SUID vs SGID
 
Hi guys,

I have a simple question about SGID and SUID.

As we know, when we set SUID and SGID on a file or a command, and then execute the command, it is executed with the owner's and the group's permissions respectively.

My question is about a simple command like ping.

This command has SUID. Why, when we set SGID on this command and unset SUID, can users not execute ping???

I set 2775 on this command instead of 4755. Why can users not execute ping??

The group has full permission, and SGID means everyone executes this command with the group's permissions. But why can users not execute ping when we set SGID instead of SUID??

And another question is about the write command, which has SGID instead of SUID??

Why must it have SGID instead of SUID???

unSpawn 09-14-2013 05:32 AM

Quote:

Originally Posted by mmhs (Post 5027462)
i set 2775 for this command instead of 4755 why users cannot execute ping ??

If you don't know, then you'd best ask before actually fscking with permissions. See here for a quick explanation: http://en.wikipedia.org/wiki/Setuid.

GNU/Linux 09-14-2013 08:11 AM

Code:

> ls -l /bin/ping
-rws--x--x 1 root root 32820 Jul 19  2012 /bin/ping*

To my limited understanding (more senior members may suggest a better explanation): 'ping' needs to open raw sockets, and only 'root' can do that, so with SUID set to root, when you run 'ping' it's as if 'root' is running it (but only as long as ping is running).

Code:

> ls -l /usr/bin/write
-rwxr-sr-x 1 root tty 10156 Aug 15  2012 /usr/bin/write*

In the case of 'write', a user needs to write to another user's console, which is not normally allowed, but a separate group (tty) is created and given access to write to TTYs. The 'tty' group obviously was not given full 'root' access, so limiting the power as a security measure.

Now, I'm not sure why a separate group 'xgroup' isn't created and given access to open/close sockets for the 'ping' command.

jpollard 09-15-2013 04:08 PM

Quote:

Originally Posted by GNU/Linux (Post 5027581)
Code:

> ls -l /bin/ping
-rws--x--x 1 root root 32820 Jul 19  2012 /bin/ping*

To my limited understanding (more senior members may suggest a better explanation): 'ping' needs to open raw sockets, and only 'root' can do that, so with SUID set to root, when you run 'ping' it's as if 'root' is running it (but only as long as ping is running).

Code:

> ls -l /usr/bin/write
-rwxr-sr-x 1 root tty 10156 Aug 15  2012 /usr/bin/write*

In the case of 'write', a user needs to write to another user's console, which is not normally allowed, but a separate group (tty) is created and given access to write to TTYs. The 'tty' group obviously was not given full 'root' access, so limiting the power as a security measure.

Now, I'm not sure why a separate group 'xgroup' isn't created and given access to open/close sockets for the 'ping' command.

Because groups are a file access control, not a privilege access control. Giving "write" group access allows the write application to access anything owned by the group write belongs to (in this case, group tty). The "write" utility can then access the files with group "tty" permissions. If you look at /dev/tty* you will see that write can write to any tty with the group "tty". Another collection of devices is the pseudo terminals (/dev/pts/*). These are also group tty, which would allow the write utility to write messages to them.
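As an added example (not code from any poster in this thread), the script below decodes the permission field that `ls -l` prints, converts it to and from the numeric mode the original poster used, and states which identity a SUID/SGID executable is given at exec time. It uses the two `ls -l` lines quoted in the thread as constructed sample input, and it also evaluates the 2775 mode from the question: with SUID cleared, the program keeps the caller's uid, so the raw socket that ping needs is requested by an unprivileged user, while group membership only ever changes file access (the point made about `write` and group tty).

```python
"""Decode ls -l permission strings / octal modes and explain SUID vs SGID.

Added example for the SUID vs SGID thread; the sample lines below are
constructed from the two `ls -l` outputs quoted in the discussion.
"""
import stat

SAMPLE_LS = [
    "-rws--x--x 1 root root 32820 Jul 19  2012 /bin/ping*",
    "-rwxr-sr-x 1 root tty 10156 Aug 15  2012 /usr/bin/write*",
]

# Which special bit belongs to each "who" column: owner -> setuid,
# group -> setgid, other -> sticky.
SPECIAL = {0: stat.S_ISUID, 1: stat.S_ISGID, 2: stat.S_ISVTX}


def mode_string_to_int(perm: str) -> int:
    """Convert a 10-character ls -l field such as '-rwxr-sr-x' to a mode.

    In the execute slot, 's' (owner/group) or 't' (other) means the special
    bit plus execute; the uppercase form means the special bit without
    execute. The leading file-type character is ignored.
    """
    if len(perm) != 10:
        raise ValueError("expected a 10-character permission field")
    mode = 0
    for i, ch in enumerate(perm[1:]):
        who, slot = divmod(i, 3)      # who: 0 owner, 1 group, 2 other
        shift = 6 - 3 * who           # owner bits are the high octal digit
        if ch == "-":
            continue
        if slot == 0 and ch == "r":
            mode |= 4 << shift
        elif slot == 1 and ch == "w":
            mode |= 2 << shift
        elif slot == 2:
            letter = "t" if who == 2 else "s"
            if ch in ("x", letter):
                mode |= 1 << shift
            if ch in (letter, letter.upper()):
                mode |= SPECIAL[who]
            elif ch != "x":
                raise ValueError(f"bad execute character {ch!r} at column {i + 2}")
        else:
            raise ValueError(f"unexpected {ch!r} at column {i + 2}")
    return mode


def int_to_mode_string(mode: int) -> str:
    """Inverse of mode_string_to_int (regular-file type character assumed)."""
    out = ["-"]
    for who in range(3):
        shift = 6 - 3 * who
        out.append("r" if (mode >> shift) & 4 else "-")
        out.append("w" if (mode >> shift) & 2 else "-")
        execute = (mode >> shift) & 1
        if mode & SPECIAL[who]:
            letter = "t" if who == 2 else "s"
            out.append(letter if execute else letter.upper())
        else:
            out.append("x" if execute else "-")
    return "".join(out)


def describe(mode: int, owner: str, group: str) -> dict:
    """Say which effective identity a program with this mode runs under.

    Only an effective uid of 0 (SUID root) confers privileges such as opening
    raw sockets; a SGID group merely grants the group's file permissions.
    """
    suid = bool(mode & stat.S_ISUID)
    sgid = bool(mode & stat.S_ISGID)
    return {
        "octal": format(mode, "04o"),
        "setuid": suid,
        "setgid": sgid,
        "runs_as_user": owner if suid else "caller",
        "runs_as_group": group if sgid else "caller",
        "grants_root_privilege": suid and owner == "root",
    }


def parse_ls_line(line: str) -> dict:
    """Parse one `ls -l` line (with -F's trailing '*' tolerated) into describe() output."""
    perm, _links, owner, group, _size, _mon, _day, _year, path = line.split(None, 8)
    info = describe(mode_string_to_int(perm), owner, group)
    info["path"] = path.rstrip("*")
    return info


if __name__ == "__main__":
    for line in SAMPLE_LS:
        print(parse_ls_line(line))
    # The original poster's 2775 experiment: SGID root group, no SUID.
    print(describe(0o2775, "root", "root"))
```

Running it shows `/bin/ping` as mode 4711 (owner root, SUID, so it runs as root) and `/usr/bin/write` as 2755 (group tty, SGID, so it runs with the caller's uid but group tty). The 2775 case reports `runs_as_user: caller` and `grants_root_privilege: False`, which is exactly why ping failed after the change: being in group root does not let a process open a raw socket.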

