SetGID

From UMIACS
Revision as of 15:42, 16 June 2008 by Derek (talk | contribs)
Jump to navigation Jump to search

The setgid bit works in two ways, one for files and one for directories.

SetGID Files

The setgid bit for files will force when a file is executed to set its group ID to the GID that of the binary instead of the user that is running it. This mode has no effect for files that are not executable. To a lesser extent than setuid this can lead to security issues when the group in question has some files that would be allowed to be read or written when otherwise not permitted. There are very limited uses for this feature these days and its use is discouraged.

SetGID Directories

SetGID directories have a much more beign behavior. When this bit is set on a directory all filesystem creations underneath that directory will inherit the group from the directory. UMIACS policy is to keep users default UID and GID. So for users who wish to have certain directory trees have consistent groups the use of SetGID directories is usefull. The SetGID directoy bit will force all files created under that directory to have the same GID. Any directories created will also be given the same GID and the SetGID bit so that the same policy is applied at the next level of directory down.

Before you we give an example of how to use the sticky bit please see the documentation about umask. SetGID will only work on the GID and the setting a sticky bit and will not change any other permissions. By default the umask is 022 and is a bit too restrictive for the use of SetGID effectively. (002 or 000 will be the appropriate setting depending if you want Others to be able to read/execute or not.

<verbatim> [derek@novelty ~/staff]$ id uid=2174(derek) gid=22174(derek) groups=15114(umadmin),15116(vnodedisplay),22174(derek) </verbatim>