
Security

While we are on the subject of security and passwords, another question arises. Given that when you run a program, the process that is created has the same permissions on file accesses that you do, how can you change your password in /etc/shadow (or /etc/passwd if you are not using shadow passwords) when you don't have permission to write to that file as an ordinary user?

In general, the previous statement is true. However, for you to be able to write to the password file at all (and when you change passwords, obviously you do), there must be some mechanism for you to run a program and for the process that gets created to be able to do things as though it were running on behalf of someone else. In the case of the password file, the 'someone else' would need to be root, as only root has write permission on the file:

	$ ls -l /etc/passwd
	-rw-r--r--  1 root  root   775 Jul 25 15:41 /etc/passwd

If we take a look at the file permissions on the executable program for changing passwords (/usr/bin/passwd), we shall get a clue:

	$ ls -l /usr/bin/passwd        
	-rws--x--x  1 root  bin    3964 Mar 21 09:37 /usr/bin/passwd

As you can see, there is something unusual here. The owner's permission bits are given as rws, but what does the 's' mean in the owner's execute bit position? What it means is that anyone who has execute permission on the file, and in this case that means everyone, will run the program not with their own permissions but with the permissions of the file's owner (root in this case).

It is also possible (though less common) for an 's' to be set in the group execute bit position. Here is an example:

	$ ls -l /usr/sbin/lpc        
	-r-xr-s--x  1 root  lp     21508 Feb 14 19:03 /usr/sbin/lpc

Any ordinary users on the system who run the lpc command will run it as though they were in the group lp and will therefore obtain lp group permissions on any files accessed by the lpc program. Don't worry for the moment about what lp does; it is related to the operation of a printer and we will cover its use later.

The way to set these 'extra' permission bits is with the standard chmod command, using an extra octal digit in front of the normal permission bits. A value of 4 will set the file's setuid bit, the value 2 will set the file's setgid bit and the value 6 will set them both. Obviously, the digit 0 (or no value specified) will turn both bits off. If a lower case 's' is displayed in an ls -l listing, it means that the underlying execute bit is set. An upper case 'S' means the underlying execute bit is not set. The following sequence demonstrates some of these ideas:

	$ ls -l /tmp/testbits
	-rwx--x--x  1 pc book    0 Jul 26 09:14 /tmp/testbits
	$ chmod 4711 /tmp/testbits
	$ ls -l /tmp/testbits
	-rws--x--x  1 pc book    0 Jul 26 09:14 /tmp/testbits
	$ chmod 2711 /tmp/testbits
	$ ls -l /tmp/testbits
	-rwx--s--x  1 pc book    0 Jul 26 09:14 /tmp/testbits
	$ chmod 711 /tmp/testbits
	$ ls -l /tmp/testbits
	-rwx--x--x  1 pc book    0 Jul 26 09:14 /tmp/testbits
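
As an added example (not part of the original page), the shell functions below read the same ls -l mode strings described above to find and classify setuid/setgid files under a directory. The function names and the scratch files are made up for illustration.

```shell
#!/bin/sh
# Added example: find set-id files and classify them from the ls -l mode string.

# classify_mode MODE: print setuid / setgid / setuid+setgid / none; "-noexec"
# marks an upper-case 'S', i.e. the underlying execute bit is not set.
classify_mode() {
    u=$(printf '%s' "$1" | cut -c4)   # owner execute position
    g=$(printf '%s' "$1" | cut -c7)   # group execute position
    out=
    case $u in s) out=setuid ;; S) out=setuid-noexec ;; esac
    case $g in
        s) out=${out:+$out+}setgid ;;
        S) out=${out:+$out+}setgid-noexec ;;
    esac
    printf '%s\n' "${out:-none}"
}

# setid_audit DIR: one line per set-id regular file, "<class> <mode> <path>".
# Paths containing newlines are not handled.
setid_audit() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort |
    while IFS= read -r f; do
        mode=$(ls -ld "$f" | cut -c1-10)
        printf '%s %s %s\n' "$(classify_mode "$mode")" "$mode" "$f"
    done
}

# Demo on constructed scratch files (names are made up for this example).
demo() {
    d=$(mktemp -d)
    touch "$d/plain" "$d/suid" "$d/suid_noexec"
    chmod 711  "$d/plain"         # no extra digit: both bits off, not reported
    chmod 4711 "$d/suid"          # leading 4: setuid, listed as -rws--x--x
    chmod 4600 "$d/suid_noexec"   # setuid without execute, listed as -rwS------
    setid_audit "$d"
    rm -rf "$d"
}
demo
```

Pointing setid_audit at a system directory gives an inventory of the programs that run with their owner's or group's permissions, which is worth comparing against a known-good list.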

umask

As an additional security feature there is a command you can use which will restrict the access permissions that a process running on your behalf can give to a file it creates. The name of this command is umask.

The general form of the umask command is:

        umask [permission_mask]

where the permission_mask is just a three-digit octal number corresponding to the permission bits you want to have reset by default when a file is created on your behalf.

If you do not specify a permission_mask then the current umask value will be displayed. This will typically be:

	$ umask
	022

The following is a simple sequence of commands to demonstrate the use of umask and the effect it has on file permission bits during file creation:

	$ touch file1   
	$ umask 027     
	$ touch file2   
	$ umask 0       
	$ touch file3   
	$ ls -l file?   
	-rw-r--r--      1 pc book     0 Aug  3 00:53    file1
	-rw-r-----      1 pc book     0 Aug  3 00:53    file2
	-rw-rw-rw-      1 pc book     0 Aug  3 00:54    file3

Here you can see that, left to its own devices (with umask set to zero), the touch command would generate files with permission bits set to rw-rw-rw-. You can also see the effect on permission bits of creating files with umask values of 022 and 027.

