LinuxQuestions.org
Old 09-14-2013, 02:03 AM   #1
mmhs
Member
 
Registered: Oct 2010
Posts: 99

Rep: Reputation: 1
SUID vs SGID


Hi guys,

I have a simple question about sgid and suid.

As we know, when we set suid and sgid for a file or a command, when we execute the command, it will be executed with the owner's and group's permissions respectively.

My question is about a simple command like ping.

This command has suid. Why, when we set sgid for this command and unset suid, can users not execute ping?

I set 2775 for this command instead of 4755. Why can users not execute ping?

The group has full permission and sgid means everyone executes this command with the group's permission. But why can users not execute ping when we set sgid instead of suid?

And another question is about the write command, which has sgid instead of suid.

Why must it have sgid instead of suid?
 
Old 09-14-2013, 06:32 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531
Quote:
Originally Posted by mmhs
I set 2775 for this command instead of 4755. Why can users not execute ping?
If you don't know then you best ask before actually fscking with permissions. See here for a quick explanation: http://en.wikipedia.org/wiki/Setuid.
 
Old 09-14-2013, 09:11 AM   #3
GNU/Linux
Member
 
Registered: Sep 2012
Distribution: Slackware-14
Posts: 118

Rep: Reputation: Disabled
Code:
> ls -l /bin/ping
-rws--x--x 1 root root 32820 Jul 19  2012 /bin/ping*
To my limited understanding (more senior members may suggest a better explanation), 'ping' needs to open raw sockets and only 'root' can do that, so with SUID set to root, when you run 'ping' it's as if 'root' is running it (but just as long as ping is running).

Code:
> ls -l /usr/bin/write 
-rwxr-sr-x 1 root tty 10156 Aug 15  2012 /usr/bin/write*
In case of 'write' a user needs to write to another user's console, which is not normally allowed but a separate group (tty) is created and given access to write to TTYs. 'tty' group obviously was not given full 'root' access, so limiting the power as a security measure.

Now, I'm not sure why not create a separate group 'xgroup' and give it access to open/close sockets for 'ping' command.
 
Old 09-15-2013, 05:08 PM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

Rep: Reputation: 1241
Quote:
Originally Posted by GNU/Linux
Code:
> ls -l /bin/ping
-rws--x--x 1 root root 32820 Jul 19  2012 /bin/ping*
To my limited understanding (more senior members may suggest a better explanation), 'ping' needs to open raw sockets and only 'root' can do that, so with SUID set to root, when you run 'ping' it's as if 'root' is running it (but just as long as ping is running).

Code:
> ls -l /usr/bin/write 
-rwxr-sr-x 1 root tty 10156 Aug 15  2012 /usr/bin/write*
In case of 'write' a user needs to write to another user's console, which is not normally allowed but a separate group (tty) is created and given access to write to TTYs. 'tty' group obviously was not given full 'root' access, so limiting the power as a security measure.

Now, I'm not sure why not create a separate group 'xgroup' and give it access to open/close sockets for 'ping' command.
Because groups are a file access control, not a privilege access control. Giving "write" group access allows the write application to access anything with the group write belongs to (in this case, group tty). The "write" utility can then access the files with group "tty" permissions. If you look at /dev/tty* you will see that write can write to any tty with the group "tty". Another collection of devices is the pseudo terminals (/dev/pts/*). These are also group tty, which would allow the write utility to write messages to them.
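
The distinction drawn in this thread, as an added example that is not part of any participant's post: a simplified shell model of how the setuid and setgid bits change a process's effective ids at exec, and of the two different checks that `ping` (raw socket privilege) and `write` (group write permission on a tty) then face. The function names, the uid/gid numbers and the tty mode 620 are constructed for illustration.

```shell
#!/bin/sh
# Added example: simplified model of the checks discussed in this thread.
# All uids, gids and modes are constructed sample values.

# exec_creds MODE FILE_UID FILE_GID CALLER_UID CALLER_GID -> "EUID EGID"
# setuid (04000) swaps in the file owner as effective uid; setgid (02000)
# swaps in the file group as effective gid. Nothing else changes.
exec_creds() {
    mode=$((0$1)); euid=$4; egid=$5
    if [ $((mode & 04000)) -ne 0 ]; then euid=$2; fi
    if [ $((mode & 02000)) -ne 0 ]; then egid=$3; fi
    echo "$euid $egid"
}

# Raw sockets are gated by privilege, not by file permissions. Assumption:
# no file capabilities are set, so only effective uid 0 passes and the
# effective gid is never consulted.
may_open_raw_socket() {   # may_open_raw_socket EUID
    if [ "$1" -eq 0 ]; then echo allowed; else echo denied; fi
}

# Owner/group/other write check, as applied to a tty device node.
# Assumption: the process has no supplementary groups.
may_write_file() {        # may_write_file EUID EGID FILE_UID FILE_GID FILE_MODE
    fmode=$((0$5))
    if [ "$1" -eq 0 ]; then echo allowed; return 0; fi
    if [ "$1" -eq "$3" ]; then bit=$((0200))
    elif [ "$2" -eq "$4" ]; then bit=$((020))
    else bit=$((02)); fi
    if [ $((fmode & bit)) -ne 0 ]; then echo allowed; else echo denied; fi
}

# ping owned root:root (0:0), run by uid 1000 / gid 1000.
ping_result() {           # ping_result MODE
    creds=$(exec_creds "$1" 0 0 1000 1000)
    may_open_raw_socket "${creds% *}"
}

# write owned root:tty (gid 5 assumed); target tty is 1001:5, mode 620.
write_result() {          # write_result MODE
    creds=$(exec_creds "$1" 0 5 1000 1000)
    may_write_file "${creds% *}" "${creds#* }" 1001 5 620
}

echo "ping  4755: $(ping_result 4755)"
echo "ping  2775: $(ping_result 2775)"
echo "write 2755: $(write_result 2755)"
echo "write 0755: $(write_result 0755)"
```

With mode 2775 the modelled ping process gains only effective gid 0, which the raw socket check ignores, while the setgid-tty write process passes an ordinary group permission check on the terminal device.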