Linux 101 : Umask and the SUID bit


When a file is created, Linux assigns default permissions to it.
We can change these default permissions using the umask command.
The umask command, as its name indicates, "masks" certain permissions so that they are excluded.

In general, the default permissions are "rw-rw-rw-" for files and "rwxrwxrwx" for directories; the system then applies the mask to these permissions.

Example:

If we apply the mask "077", or "---rwxrwx", to a file that has the permissions "rw-rw-rw-", every bit set in the mask is removed, so the group and other permissions are dropped and the file ends up with "rw-------".


We can set the umask value in "~/.bash_profile", or in "/etc/profile" for all users, so that it persists through a reboot.

The Set User ID bit:

The "s" in the permissions "-rwsr-xr-x" is the SUID bit: it allows us to run a command as another user, the owner of the file.

It is what allows a "normal" user to run the "passwd" command, which is a "privileged" command, to be able to change the password.

When we look at the permissions of the "passwd" command, we can see the "s" bit as below:

              

SUID programs can be a security risk, because they run with the privileges of the file's owner. To find all the SUID programs in our system, we could run the below command:

                      

Remark:

We can set the SUID bit on a file using the below command:
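The script below is an added example, not part of the original post: it shows the mask being applied to the default file and directory permissions, then the SUID bit being set on a file and found again. All files are constructed in temporary directories, and the function names `perms_with_umask`, `find_suid` and `suid_demo` are hypothetical.

```shell
#!/bin/sh
# Added example: every file here is constructed in a throwaway temp directory.

# Permission string of a new file (f) or directory (d) created under umask $1.
# Runs in a subshell, so the caller's own umask is left unchanged.
perms_with_umask() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        # Redirection asks for rw-rw-rw-, mkdir asks for rwxrwxrwx;
        # the kernel then clears every bit that is set in the mask.
        if [ "$2" = d ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
        ls -ld "$tmp/new" | cut -c1-10
        rm -rf "$tmp"
    )
}

# List regular files under directory $1 that carry the SUID bit (mode 4000).
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Sandbox with one SUID file and one ordinary file, both owned by the caller.
suid_demo() {
    (
        tmp=$(mktemp -d) || exit 1
        cd "$tmp" || exit 1
        : > plain; : > marked
        chmod 755 plain marked
        chmod u+s marked              # rwxr-xr-x becomes rwsr-xr-x
        ls -l marked | cut -c1-10     # permission string with the "s"
        find_suid .                   # reports only the SUID file
        cd / && rm -rf "$tmp"
    )
}

for m in 022 027 077; do
    printf 'umask %s  file=%s  dir=%s\n' \
        "$m" "$(perms_with_umask "$m" f)" "$(perms_with_umask "$m" d)"
done
suid_demo
```

For an audit of a real host, run `find_suid /` as root and review each file it reports.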

                       
