SetGID

From UMIACS

Latest revision as of 16:56, 7 May 2021

The setgid (set-group-ID) bit means two different things depending on whether it is set on an executable file or on a directory.

SetGID Files

When an executable file has the setgid bit set, any process that executes it runs with its effective group ID set to the group that owns the file, rather than the primary group of the user who ran it. The bit has no such effect on files that are not executable, and Linux also ignores it on interpreted scripts (the interpreter runs with the caller's own groups) and on filesystems mounted with the nosuid option. To a lesser extent than SetUID this can lead to security issues: everyone allowed to run the binary gains the group's read or write access to files they could not otherwise touch, so any bug in the program becomes a way to exercise that access. There are very limited uses for this feature these days and its use is discouraged.
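Because setgid executables are discouraged, the useful thing to have is an audit of where they exist. The following is an added example, not part of the UMIACS page: it lists setgid regular files under a tree and builds a small constructed fixture to show what it catches. It assumes a Linux system with find, ls and awk available.

```shell
#!/bin/sh
# Added example (not from the UMIACS page): list setgid regular files under a tree.
# Every such file lets anyone who can run it act with the file's group, so each one
# should be known and justified. Assumes Linux find/ls; the fixture is constructed here.

# find_setgid_files DIR: paths of regular files under DIR with the setgid bit set,
# staying on one filesystem. -perm -2000 matches the bit whether or not group-execute
# is also set, so it also catches a stale bit left on a non-executable file.
find_setgid_files() {
    find "$1" -xdev -type f -perm -2000 2>/dev/null
}

# count_setgid_files DIR: how many such files exist under DIR
count_setgid_files() {
    find_setgid_files "$1" | wc -l | tr -d ' '
}

# report_setgid_files DIR: one line per hit, "mode gid path", with numeric ids so the
# output is still meaningful for a group that no longer exists in /etc/group
report_setgid_files() {
    find_setgid_files "$1" | while IFS= read -r f; do
        ls -ldn "$f" | awk -v p="$f" '{print $1, $4, p}'
    done
}

# make_audit_fixture: constructed temp tree with one setgid script and one ordinary
# file; prints its path. Linux ignores the bit when the script is run, but an audit
# should still flag it, since the same bit on a compiled binary would be honored.
make_audit_fixture() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\nid -g\n' > "$d/sgid_script"
    chmod 2755 "$d/sgid_script"          # rwxr-sr-x
    : > "$d/plain"
    chmod 644 "$d/plain"
    echo "$d"
}

# Stand-alone run: build the fixture, report what the audit finds, clean up.
fixture=$(make_audit_fixture) && report_setgid_files "$fixture"
[ -n "${fixture:-}" ] && rm -rf "$fixture"
```

On a real system you would run find_setgid_files against / (the -xdev flag keeps it from descending into other mounts, so run it once per filesystem) and compare the list against what the package manager installed.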

SetGID Directories

SetGID directories have a much more benign behavior. When this bit is set on a directory, every file or directory created underneath it inherits the group of the directory instead of the creating user's primary group. UMIACS policy is to keep each user's default UID and GID, so for users who want a particular directory tree to carry a consistent group, a SetGID directory is the right tool. The SetGID directory bit forces all files created under that directory to have the same GID. Any directory created inside it is also given the same GID and the SetGID bit, so the same policy applies at the next level down. The bit only affects entries created after it is set; files that already exist keep their group until you change it with chgrp -R. Inheriting the group also does not by itself grant the group any access: the permission bits of each new entry still decide that.

Before we give an example of how to use the SetGID bit, please read the documentation about umask. SetGID only controls which group new entries get; it does not change their permission bits, which are still determined by the umask of the process that creates them. The default umask of 022 clears the group write bit on everything created, so group members could read but not modify each other's files, which defeats the purpose of a shared directory. Use a umask of 002 if Others should still be able to read and execute the new entries, or 007 if they should not.

First, check what our default group is and what other groups we belong to:

[username@novelty ~/staff]$ id
uid=9001(username) gid=29001(username) groups=15114(umadmin),29001(username)

Now we have created a directory called staff that we want to share with the umadmin group (which is not my default group). It starts out owned by our default group and is not group-writable:

[username@novelty ~/staff]$ ls -la .
drwxr-xr-x  2 username username   96 Jun 16 11:34 .

We set the group to umadmin and the permissions to rwxrwxr-x (775), then add the SetGID bit (chmod 2775 would do the last two steps in one command):

[username@novelty ~/staff]$ chgrp umadmin .
[username@novelty ~/staff]$ chmod 775 .
[username@novelty ~/staff]$ chmod g+s .

Now you can see we have a directory that is correctly set up; the s in the group execute position is the SetGID bit:

[username@novelty ~/staff]$ ls -la .
drwxrwsr-x  2 username umadmin   96 Jun 16 11:34 .

We set a umask of 002 since we want Others to be able to read the files (007 would hide them from Others).

Now create a test file and a test directory:

[username@novelty ~/staff]$ touch test
[username@novelty ~/staff]$ mkdir testdir

As you can see, both the file and the directory were created with the umadmin group and with group write permission, and the new directory also carries the SetGID bit:

[username@novelty ~/staff]$ ls -la
drwxrwsr-x  3 username umadmin   96 Jun 16 12:58 .
-rw-rw-r--  1 username umadmin    0 Jun 16 12:58 test
drwxrwsr-x  2 username umadmin   96 Jun 16 12:58 testdir
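The same procedure written as a script that also verifies the result, as an added example that is not part of the UMIACS page. It uses a temporary directory instead of ~/staff, picks any supplementary group the running user belongs to as the stand-in for umadmin (falling back to the primary group when there is none), and assumes Linux semantics for setgid directories:

```shell
#!/bin/sh
# Added example (not from the UMIACS page): build a group-shared directory with the
# setgid bit and verify what the page describes: new files inherit the directory's
# group, new subdirectories inherit the group and the setgid bit, and a 022 umask
# strips group write from new files. Assumes Linux setgid-directory semantics and a
# POSIX ls/awk; the temporary directory stands in for ~/staff.

mode_of() { ls -ld "$1" | awk '{print $1}'; }   # symbolic mode, e.g. drwxrwsr-x
gid_of()  { ls -ldn "$1" | awk '{print $4}'; }  # numeric group id

# has_setgid PATH: true when the group-execute slot reads 's' or 'S'
has_setgid() {
    case "$(mode_of "$1")" in
        ??????[sS]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# group_writable PATH: true when the group-write slot reads 'w'
group_writable() {
    case "$(mode_of "$1")" in
        ?????w*) return 0 ;;
        *)       return 1 ;;
    esac
}

# pick_share_group: a supplementary gid other than the primary one, standing in for
# umadmin; falls back to the primary gid so the demo still runs for single-group users
pick_share_group() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then echo "$g"; return 0; fi
    done
    echo "$primary"
}

# make_shared_tree: the page's chgrp umadmin . ; chmod 775 . ; chmod g+s . followed by
# the file and directory creation under umask 002, plus one extra file created under
# the default umask 022 for comparison. Prints the path of the new tree.
make_shared_tree() {
    dir=$(mktemp -d) || return 1
    chgrp "$(pick_share_group)" "$dir" || return 1
    chmod 2775 "$dir" || return 1       # 2775 is 775 plus the setgid bit (g+s)
    saved=$(umask)
    umask 002                           # keep group write on new entries
    : > "$dir/test"
    mkdir "$dir/testdir"
    umask 022                           # the default the page warns about
    : > "$dir/test_022"
    umask "$saved"
    echo "$dir"
}

# verify_shared_tree DIR: 0 when the tree shows the expected inheritance, 1 otherwise
verify_shared_tree() {
    dir=$1
    want=$(gid_of "$dir")
    has_setgid "$dir" || { echo "directory lacks setgid"; return 1; }
    [ "$(gid_of "$dir/test")" = "$want" ] || { echo "file did not inherit group"; return 1; }
    [ "$(gid_of "$dir/testdir")" = "$want" ] || { echo "subdir did not inherit group"; return 1; }
    has_setgid "$dir/testdir" || { echo "subdir did not inherit setgid"; return 1; }
    group_writable "$dir/test" || { echo "umask 002 file is not group-writable"; return 1; }
    if group_writable "$dir/test_022"; then
        echo "umask 022 file is unexpectedly group-writable"; return 1
    fi
    if has_setgid "$dir/test"; then     # inheritance is about the group, not the bit
        echo "plain file must not carry setgid"; return 1
    fi
    return 0
}

# Stand-alone run: build the tree, check it, show the listing, clean up.
tree=$(make_shared_tree) && verify_shared_tree "$tree" && ls -la "$tree"
[ -n "${tree:-}" ] && rm -rf "$tree"
```

The listing printed at the end mirrors the one above: test and testdir carry the shared group and are group-writable, testdir also shows the s bit, and test_022 shows what the default umask does to a file in the same directory.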