Setting SUID and SGID attributes on executable files : chmod u+s, chmod g+s
By default, when a user executes a file, the process which results in this execution has the same permissions as those of the user. In fact, the process inherits his default group and user identification.
If you set the SUID attribute on an executable file, the process resulting in its execution doesn't use the user's identification but the user identification of the file owner.
For instance, consider the script myscript.sh which tries to write things into mylog.log :
ls -l
-rwxrwxrwx 10 george administrators 4096 2006-03-10 12:50 myscript.sh
-rwxrwx--- 10 george administrators 4096 2006-03-10 12:50 mylog.log
As you can see in this example, George gave full permissions to everybody on myscript.sh but he forgot to do so on mylog.log. When Robert executes myscript.sh, the process runs using Robert's user identification and Robert's default group (robert:senioradmin). As a consequence, myscript fails and reports that it can't write in mylog.log.
In order to fix this problem George could simply give full permissions to everybody on mylog.log. But this would make it possible for anybody to write in mylog.log, and George only wants this file to be updated by his myscript.sh program. For this he sets the SUID bit on myscript.sh:
chmod u+s myscript.sh
As a consequence, when a user executes the script the resulting process uses George's user identification rather than the user's. If set on an executable file, the SUID makes the process inherit the owner's user identification rather than the one of the user who executed it. This fixes the problem, and even though nobody but George can write directly in mylog.log, anybody can execute myscript.sh which updates the file content.
Similarly, it is possible to set the SGID attribute on an executable file. This makes the process use the owner's default group instead of the user's one. This is done by:
chmod g+s myscript.sh
By setting SUID and SGID attributes the owner makes it possible for other users to execute the file as if they were him or members of his default group.
The SUID and GUID are represented by a "s" which replaces the "x" character respectively in the user and group permissions:
chmod u+s myscript.sh
ls -l
-rwsrwxrwx 10 george administrators 4096 2006-03-10 12:50 myscript.sh
chmod u-s myscript.sh
chmod g+s myscript.sh
ls -l
-rwxrwsrwx 10 george administrators 4096 2006-03-10 12:50 myscript.sh
Setting the default file creation permissions : umask
When a file is created, its permissions are set by default depending on the umask setting. This value is usually set for all users in /etc/profile and can be obtained by typing:
umask
The default umask value is usually 022. It is an octal number which indicates what rights will be removed by default to all new files. For instance, 022 indicates that write permissions will not be given to group and other.
By default, and with a umask of 000, files get mode 666 and directories get mode 777. As a result, with a default umask value of 022, newly created files get a default mode 644 (666 - 022 = 644) and directories get a default mode 755 (777 - 022 = 755).
In order to change the umask value, simply use the umask command and give it an octal number. For instance, if you want all new directories to get permissions rwxr-xr--- and files to get permissions rw-r----- by default (modes 750 and 640), you'll need to use a umask value which removes all rights to other, and write permissions to the group : 027. The command to use is:
------------------------
Best Regards,
UKShane
http://www.eukhost.com
Enjoy 
More in file permissions (SUID, SGID, UMASK)
Linear Mode
