The Shell Game

OK, OK… sorry for the bad humor in the post title.

I’ve been diving into the intricacies of Unix permissions. Up to this point, I’ve been comfortable enough with both symbolic notation (rwx) and octal notation (1,2,4). I’ve been looking at a sandboxing scheme for BOINC. That has brought up a whole bunch of questions that I’ve been working on answering.

The first thing I noticed was the use of 4 digit octal notation. The second, third and forth digits are the file permissions I’ve been dealing with since the beginning. The first digit refers to the presence or absence of setuid, setgid and the sticky bit.

setuid and setgid change the ID a program runs under. In turn that allows controls access permissions. If you have a program you want to run as a regular user (a good thing) but it needs elevated privileges to do certain things, you can use setuid and setgid to give that program the permissions it needs. Remember though, it’s a good idea to only use that to the extent it’s needed. Elevate the privileges, do what you need to do and then drop them.

The sticky bit has two usages depending if it’s on an executable file (the original usage) or a directory (today’s common usage). If it’s on a executable, it allows the binary to be shared across users (or at least that’s how I’m understanding it). If it’s on directory it allows files to be locked down to the owner and the super user. So even if you have write permission on the directory, you won’t be able to move, modify rename or delete a file if you don’t own it.

There’s also some stuff on umasks I’m trying to understand, but that’s still all a bit hazy in my mind.

I never realized Unix permissions could get so complicated.