suid conflicts from files where sticky bit is set Vs /etc/fstab
Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
suid conflicts from files where sticky bit is set Vs /etc/fstab
I'm working with an Oracle DBA and we are trying to get Oracle Enterprise Manager to work by having sticky bit set on certain files.
There are a number of files that it needs to work with and the sticky bit is set on those files, and yet it still doesn't work.
Code:
[root@server1 bin]# ll nm*
-rws--s--- 1 root dba 28087 Jun 21 2012 nmb <---
-rwxr-xr-x 1 oracle dba 0 Aug 13 2009 nmb0
-rwxr-xr-x 1 oracle dba 28087 Jun 21 2012 nmb.0
-rwxr-xr-x 1 oracle dba 9755 Aug 7 2009 nmcbufp
-rwxr-xr-x 1 oracle dba 69611 Jun 21 2012 nmei
-rwxr-xr-x 1 oracle dba 0 Aug 13 2009 nmei0
-rws--x--- 1 root dba 80525 Jun 21 2012 nmhs <---
-rwxr-xr-x 1 oracle dba 0 Aug 13 2009 nmhs0
-rwxr-xr-x 1 oracle dba 80525 Jun 21 2012 nmhs.0
-rws--s--- 1 root dba 34795 Jun 21 2012 nmo <---
-rwxr-xr-x 1 oracle dba 0 Aug 13 2009 nmo0
-rwxr-xr-x 1 oracle dba 34795 Jun 21 2012 nmo.0
-rwxr-xr-x 1 oracle dba 32461 Jun 21 2012 nmocat
-rwxr-xr-x 1 oracle dba 0 Aug 13 2009 nmocat0
-rwxr-xr-x 1 oracle dba 55402 Jun 21 2012 nmosudo
-rwxr-xr-x 1 oracle dba 0 Aug 13 2009 nmosudo0
-rwxr-xr-x 1 oracle dba 21526 Jun 21 2012 nmupm
-rwxr-xr-x 1 oracle dba 0 Aug 13 2009 nmupm0
[root@server1 bin]# pwd
/ora/app/oracle/product/11.2.0/db_1/bin
[root@server1 bin]#
Looking around online, we noticed that removing nosuid for a directory under /etc/fstab and running
Code:
remount -o remount /ora/
Fixed the issue and now OEM works ok.
I'm not sure, because I want to set the sticky bit for various individual files so that the sticky bit is set only on those files Vs opening up for a whole partition and having the chance that there are other files that have the sticky bit set on them and running the risk that someone could do something bad against them.
So if someone could explain how the sticky bit works on a partition from /etc/fstab Vs individual files works...
Then why have nosuid set there at fstab if it doesn't come into play?
It is up to the administrator. setgid is considered a security weakness. For me, any filesystem that can be written to by a user should have several things disabled - setuid, setgid, nodev... Even if a file manages to get the flags set... they don't work.
In this case though, it wasn't indicated that it was disabled in the fstab.
BTW, it isn't called the "sticky bit" - that is a different flag with a different purpose.
suid, sgid, and nodev are there to provide security controls. All are used, but should not necessarily be available to general users.
As it stands now, it would be possible to eliminate devices from general filesystems - devices are supported by devtmpfs for most systems. Yet, some embedded will still use an ext[234] for /dev. And that prevents removal.
suid is used by administrators to provide access to privileged functions (such as password changing...) so it can't be removed from filesystems used for system binaries.... but that doesn't mean a user should be allowed to give away THEIR account to someone else... Same goes for sgid (used by some services to allow for shared locks, though that usage is fading).
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.