Finding Files with Special Permissions in Linux

Special-k-diet-1Ok, before you even attempt to read this post, I am assuming that you not only understand standard UNIX file permissions, but that you also understand special file permissions. What are special file permissions you ask. Well you know them as setuid, setgid, and the stickbit. If you don’t know what these things are then I will give you a very brief introduction.

Setuid – when set on a file, runs a command as root, a good example of this is the password command as shown below.

[root@localhost ~]# ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 27156 Aug  3  2013 /usr/bin/passwd

Setgid – when set on a file, elevates permissions to the group ownership of a file. When set on a directory, causes all files created in that directory to be inherit group ownership from the directory.

Sticky Bit – when set on a directory, blocks a user from renaming or removing a file that they do not own.

Now lets use the find command to find files on our linux box with special permissions.

To match a special permission with a specific octal number specify the octal number as shown below. Note that this command does not return anything at all as there are no files on my system with the perms 4000.

[root@localhost ~]# find / -perm 4000

To match the permissions on a file using a specific prefix use the ‘-‘ switch as shown below. Its basically a wildcard search, which searches on the fields that you specified.

[root@ip-172-31-22-45 ~]# find /bin -perm -4000 | head -n 5
/bin/umount
/bin/mount
/bin/ping
/bin/su
/bin/ping6

As shown below, this command returns us all files in the /bin directory with the setuid bit set. In octal 4 is setuid.

[root@ip-172-31-22-45 ~]# ls -l /bin/ping
-rwsr-xr-x. 1 root root 40760 Sep 17  2013 /bin/ping

The next example returns us all files in /bin with the setgid bit set. Note that the octal value of the setgid bit is 2.

[root@ip-172-31-22-45 ~]# find /bin -perm /2000 | head -n 3
/bin/cgexec
/bin/cgclassify

See I told you so…

[root@ip-172-31-22-45 ~]# ls -l /bin/cgexec
-rwxr-sr-x. 1 root cgred 16384 Dec  2  2013 /bin/cgexec

Now lets get silly and try to match two octal values at once. This time we are going to search for files where both the setuid and setgid bits are set. As we know 4 + 2 = 6, so our command is as shown below

[root@ip-172-31-22-45 ~]# find /bin -perm -6000 | head -n 3

Note that this command does not return anything at all. However if we modify it a bit so that it searches for files that either have the setuid or the setgid bit set. To do this we use the ‘/’ modifier as shown below in my awesome example.

[root@ip-172-31-22-45 ~]# find /bin -perm /6000 | xargs ls -l
-rwxr-sr-x. 1 root cgred 16352 Dec  2  2013 /bin/cgclassify
-rwxr-sr-x. 1 root cgred 16384 Dec  2  2013 /bin/cgexec
-rwsr-xr-x. 1 root root  77336 Apr 10 04:50 /bin/mount
-rwsr-xr-x. 1 root root  40760 Sep 17  2013 /bin/ping
-rwsr-xr-x. 1 root root  36488 Sep 17  2013 /bin/ping6
-rwsr-xr-x. 1 root root  34904 Mar  5 07:21 /bin/su
-rwsr-xr-x. 1 root root  53472 Apr 10 04:50 /bin/umount

In this example below I am searching for files that either have the setuid (4), the setgid (2), or the stickybit (1) set.

[root@ip-172-31-22-45 ~]# find /bin -perm /7000 | xargs ls -l
-rwxr-sr-x. 1 root cgred 16352 Dec  2  2013 /bin/cgclassify
-rwxr-sr-x. 1 root cgred 16384 Dec  2  2013 /bin/cgexec
-rwsr-xr-x. 1 root root  77336 Apr 10 04:50 /bin/mount
-rwsr-xr-x. 1 root root  40760 Sep 17  2013 /bin/ping
-rwsr-xr-x. 1 root root  36488 Sep 17  2013 /bin/ping6
-rwsr-xr-x. 1 root root  34904 Mar  5 07:21 /bin/su
-rwsr-xr-x. 1 root root  53472 Apr 10 04:50 /bin/umount

To review. when using find if you do not specify any switches or options when searching for files by permissions, then you are attempting to do a specific match for files with those exact permissions. When you use the ‘-‘ option you are searching for files that match on a specific field. When you use the ‘/’ switch you are basically doing a wild card logical OR search. Use this option when you are searching for more than one type of special permission.

Related articles

CVE-2014-0907 – SetUID/SetGID Programs Allow Privilege Escalation Via Insecure RPATH In IBM DB2
setuid/setgid binaries in Debian’s Wheezy release?
Learn octal file permissions easily with stat
Advertisements

RHEL6 – Using ACLs to Grant and Restrict FIle Access.

RangerRick

Access Control Lists or ACLs provide more controll over file permissions than standard linux file permissions (UGO — user, group, other). For example lets say that you want all members of the group "students" to have the ability to read a file, however you want to allow one user in that group the ability to write to the file, well ACLs can help you do this.

First thing that you need to know is that you cannot just start using ACLs right away, first you have to make sure that your filesystem is mounted so that ACLs are availible. This means adding ACL to the mount options in /etc/fstab.

UUID=3fa4603e-9874-4f47-ae1c-3f7715a54238 /                       ext4    defaults,user_xattr

So in my fstab, I change the line above to the line below. I know, exciting right?

UUID=3fa4603e-9874-4f47-ae1c-3f7715a54238 /                       ext4    defaults,user_xattr.acl

Now to view the permissions and ACLs on a file use the getfacl command, below i am checking the file RangerRick.jpg in /root/Pictures.  In the example below there are no ACLs assigned, btw.

[root@fedora15 Pictures]# getfacl RangerRick.jpg
# file: RangerRick.jpg
# owner: root
# group: root
user::rw-
group::r–
other::r–

So lets allow the user "chris" to write to the file, just just read it.

[root@fedora15 Pictures] setfacl -m u:chris:w RangerRick.jpg

Now run getfacl again and check out the difference

[root@fedora15 Pictures]# getfacl RangerRick.jpg
# file: RangerRick.jpg
# owner: root
# group: root
user::rw-
user:chris:-w-
group::r–
mask::rw-
other::r–

Additonal Examples:

Lets give all users in the group "students" the ability to write to the file, since they may want to modify it and add a photochop their faces over the dear old racoon's face.

[root@fedora15 Pictures] setfactl -m g:students:w RangerRick.jpg

But oh no, user "bert" in the group "students", has decided to modify the file RangerRick.jpg in an in appropriate way, so lets remove his permissions altogether.

[root@fedora15 Pictures] setfacl -x u:bert

Lets say that we want to allow the user "chris" to be able to modify all existing and newly created files in the Pictures directory where the Ranger Rick picture lives.

[root@fedora15 Pictures] setfacl -m d:u:chris:rw /root/Pictures

Note that when a file has ACLs assigned to it, a plus "+" sign will appear in the output of an 'ls-l'

-rw-rw-r–+ 1 root root 148011 Oct 12 15:06 RangerRick.jpg

Honestly you will probably never need to use ACLs, but they are handy to have availible if you run into some sort of situation where you need to grant very particular permissions to files and directories.