Wednesday, 11 April 2012

Why is SUID bit used?

Whenever a file on which the owner has set the SUID bit is run by some user, the process runs with the identity and permissions of the owner, not of the user running the file.

Suppose we have a file "file1" whose permissions are shown as below.

-rwxr-xr-x

Let this file be owned by John. Now let there be another file "file2", owned by John, which has permissions as follows.

-rwxr--r--

"file2" can only be modified by John, who is the owner of the file. Suppose this file stores the information about the employees working under John. Lee is one of the employees working under John, i.e. Lee's data is also stored in "file2". Now, if John had given write permission to the group and others, then anyone would have been able to change anyone's data using the vi editor.

John didn't want that, but he also wanted to keep things simple. So what did he do? He didn't give write permission on "file2" to any of the employees; instead, he made another file "file1" on which he gave execute permission to everyone. He also set the SUID bit on "file1", because of which, when some user executes "file1", the process runs with John's identity and permissions.

Now, when the process is executing with John's identity, it can very well change the contents of "file2", since John has write permission on "file2". In other words, John has customized the changes which an employee can make to "file2". A user cannot just open the file in the vi editor and make any changes he/she wants. Instead, he will only be allowed to make the changes to "file2" that the program written in "file1" permits.

So, that is the advantage of using SUID bit.

We set the SUID bit for "file1" as

chmod u+s file1

After the SUID bit is set, the file permissions for "file1" will be as follows

-rwsr-xr-x

Did you notice that the 'x' bit in the user set changed to 's'? This confirms that the SUID bit has been set for "file1".

In this way "file2" cannot be modified by any employee using the vi editor, but it can be modified by the script/program in "file1" using the owner's permissions. Wasn't that amazing?
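The following is an added example of what John's "file1" could look like, written for this page and not taken from the original post. It assumes a Linux system, that the compiled binary is owned by John and installed with `chmod u+s`, and that John's "file2" lives at the constructed path `/home/john/file2`. It shows the two things the text above relies on: the process can tell that it is running with John's effective UID rather than the caller's real UID, and the only change it lets an employee make is appending one well-formed record, because a SUID program inherits all of its owner's rights and must therefore validate everything it is asked to do.

```c
/* file1.c: a minimal SUID helper (added example, not from the original post).
 * Assumptions: the binary is owned by John, set-user-ID via "chmod u+s",
 * and EMPLOYEE_DB is John's "file2", which only John can write. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define EMPLOYEE_DB "/home/john/file2"   /* constructed path for John's file2 */
#define MAX_RECORD 128

/* Returns 1 when the SUID bit actually took effect: the effective UID
 * (John) differs from the real UID (the employee who ran the program). */
int suid_in_effect(void) {
    return geteuid() != getuid();
}

/* The only shape of change this helper allows: "name:phone", printable
 * ASCII, no newline, bounded length. A newline would let a caller smuggle
 * extra records into file2, so it is rejected before file2 is touched. */
int validate_record(const char *rec) {
    size_t len = strlen(rec);
    if (len == 0 || len >= MAX_RECORD) return 0;
    const char *sep = strchr(rec, ':');
    if (sep == NULL || sep == rec || sep[1] == '\0') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)rec[i];
        if (c < 0x20 || c > 0x7e) return 0;   /* rejects '\n' and control chars */
    }
    return 1;
}

/* Appends one validated record to path; returns 0 on success, -1 otherwise.
 * O_WRONLY|O_APPEND without O_CREAT or O_TRUNC means the helper can only add
 * a line to the existing file, never replace or truncate it, even though it
 * runs with the owner's permissions. */
int append_record(const char *path, const char *rec) {
    if (!validate_record(rec)) return -1;
    int fd = open(path, O_WRONLY | O_APPEND);
    if (fd < 0) return -1;
    char buf[MAX_RECORD + 1];
    int n = snprintf(buf, sizeof buf, "%s\n", rec);
    ssize_t w = write(fd, buf, (size_t)n);
    close(fd);
    return (w == n) ? 0 : -1;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s name:phone\n", argv[0]);
        return 2;
    }
    printf("real uid=%u effective uid=%u suid_in_effect=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), suid_in_effect());
    if (append_record(EMPLOYEE_DB, argv[1]) != 0) {
        fprintf(stderr, "record rejected or could not be written\n");
        return 1;
    }
    return 0;
}
```

To install it as in the post, John compiles it (`gcc -o file1 file1.c`), keeps ownership of the binary, and runs `chmod u+s file1`; `ls -l file1` should then show `-rwsr-xr-x` (a capital `S` instead of `s` means the execute bit is missing and the SUID bit does nothing). Two caveats a practitioner should check: `u+s` is used deliberately, since bare `chmod +s` on GNU chmod also sets the set-group-ID bit and would show `-rwsr-sr-x`; and the Linux kernel ignores the SUID bit on interpreted scripts, so "file1" must be a compiled program like this one rather than a shell script.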

For more information visit
