FreeBSD 101 : File permissions, Setuid and Setgid.
A file has different attributes that dictates who can can modify or execute it.
Users belonging to a group will have the same access right to a file that is associated with that group, it works for projects for example where all the user need to same access rights to a file.
Access rights for files:
- r : Permission to read only.
- w : Permission to write and read. This allows users to view and edit a file.
- x : Permission to execute.
Type of files:
- - : regular file
- d : directory
- c : character device file (device that communicates by sending bytes like the keyboard and the mouse)
- s : local socket file (file used for communications over network)
- p : named pipe (file that can be used for read and write purposes between two programs)
- l : symbolic link (is a reference to file)
Useful basic commands for user and groups:
Changing ownership of a file to a new user:
Changing the group a file belongs to:
Adding a "user" to the "group":
Displaying the attributes of a file:
Changing the access rights of a file (Examples):
Adds (+) execute (x) permission to user (u) and adds (+) execute (w) permission to others (o) for "file".
User Permissions with SUID:
The SUID (rwsrw-r--) bit says that any user can execute the file with the permissions of the owner, but those permissions are limited to that file only.
SUID can be used when a file requires for example a temporary root permissions to execute privileged operations like changing a password
"Passwd" program example:
The file (program) passwd needs access to the /etc/shadow file which holds users passwords.
The SUID attribute set on the passwd program allows regular users to execute the passwd program which requires root privileges and to change their password without being the root user.
Those permissions are limited to the passwd program only.
It allows a user in a multi-user environment like FreeBSD to excecute some programs without asking the "root user".
To give a file SUID access rights, we run the below command:
4664 : 4 represents the SUID and the 644 is the numerical form of (rwxrw-rw-), which represents the regular file permissions as you can see in the diagram below.
Permissions SGID and files:
A file can belong to one group only, the group access rights on a file could be displayed using the "ls -l" command as we saw before:
When the SGID bit is set on a file, it allows a user to execute a file as if he were a member of the group the file is associated with.
SGID and directories:
The files created in the GUID directory by John, Albert and Tom will automatically belong to the same group the GUID directory is associated with regardless of the user who created the file.
2664 : 2 represents the SUID and the 644 represents the file permissions (rwxrw-rw-).