1
00:00:06,990 --> 00:00:08,880
- All right, in this demo, I want to show you

2
00:00:08,880 --> 00:00:11,550
how to work with the special permissions.

3
00:00:11,550 --> 00:00:16,380
And to start with, I am going to create a file

4
00:00:16,380 --> 00:00:19,410
in user linda home directory.

5
00:00:19,410 --> 00:00:24,410
So /home/linda and I'm calling it playme.sh.

6
00:00:24,720 --> 00:00:29,370
It's a shell script, so .sh for the convenience of the user.

7
00:00:29,370 --> 00:00:32,490
And let me make it a decent shell script.

8
00:00:32,490 --> 00:00:35,100
In a decent shell script, you always start with this line

9
00:00:35,100 --> 00:00:38,190
to make sure that it is interpreted the right way.

10
00:00:38,190 --> 00:00:39,900
And then I'm using a friendly message,

11
00:00:39,900 --> 00:00:42,543
echo, do you want to play?

12
00:00:44,130 --> 00:00:46,530
Then, we want the shell script to stop,

13
00:00:46,530 --> 00:00:49,260
to do something with the user answer.

14
00:00:49,260 --> 00:00:51,540
Actually, if you just put read,

15
00:00:51,540 --> 00:00:53,130
then you stop the shell script,

16
00:00:53,130 --> 00:00:56,550
but you ignore what the user is typing, that doesn't matter.

17
00:00:56,550 --> 00:01:01,550
And next we are using rm -rf / --no-preserve-root.

18
00:01:05,760 --> 00:01:07,290
Does that sound like a good idea?

19
00:01:07,290 --> 00:01:10,020
Probably not, but I want to make a point here.

20
00:01:10,020 --> 00:01:13,020
And the point is that I'm going to make it executable.

21
00:01:13,020 --> 00:01:18,020
So sudo chmod +x /home/linda/playme.sh.

22
00:01:26,880 --> 00:01:31,710
And now I am going to open a shell as user linda.

23
00:01:31,710 --> 00:01:33,820
So sudo su - linda

24
00:01:35,421 --> 00:01:37,500
and user linda comes in her home directory,

25
00:01:37,500 --> 00:01:39,510
finds this playme.sh.

26
00:01:39,510 --> 00:01:42,480
So user linda is going to use playme.sh.

27
00:01:42,480 --> 00:01:45,150
The big question is, if you saw Linda

28
00:01:45,150 --> 00:01:48,300
is going to press enter, then the script is going to try

29
00:01:48,300 --> 00:01:50,640
to remove the entire root directory.

30
00:01:50,640 --> 00:01:53,430
What do you think, is it going to work? Yes or no?

31
00:01:53,430 --> 00:01:55,260
Well, the answer is no

32
00:01:55,260 --> 00:01:59,790
because the script is executed by user linda.

33
00:01:59,790 --> 00:02:01,680
And that's the essence here.

34
00:02:01,680 --> 00:02:05,340
Now, let's talk set user ID.

35
00:02:05,340 --> 00:02:07,683
I'm going to repeat this command and I'm using

36
00:02:07,683 --> 00:02:12,683
sudo chmod u+s because u+s,

37
00:02:12,840 --> 00:02:17,340
that's how you can set set user ID on playme.sh.

38
00:02:17,340 --> 00:02:21,180
Let me log in as user linda again.

39
00:02:21,180 --> 00:02:24,600
So sudo su - linda and ls -l.

40
00:02:24,600 --> 00:02:25,860
And what do we see?

41
00:02:25,860 --> 00:02:29,070
We see that playme.sh is marked in red.

42
00:02:29,070 --> 00:02:31,320
We also see on the location where normally

43
00:02:31,320 --> 00:02:33,600
you see the x for execute for the user,

44
00:02:33,600 --> 00:02:35,430
we now have lowercase s.

45
00:02:35,430 --> 00:02:38,640
Lowercase s means that set user ID applies

46
00:02:38,640 --> 00:02:41,190
and normally set user ID means

47
00:02:41,190 --> 00:02:45,390
that the script will execute as the owner of the script.

48
00:02:45,390 --> 00:02:46,560
How does that work?

49
00:02:46,560 --> 00:02:48,390
Linda runs it.

50
00:02:48,390 --> 00:02:50,790
While running it she opens the sub shell

51
00:02:50,790 --> 00:02:53,820
and in that sub shell, the script would execute as root.

52
00:02:53,820 --> 00:02:57,120
And you know what playme.sh is going to do in that case?

53
00:02:57,120 --> 00:02:59,310
It will remove all of the files

54
00:02:59,310 --> 00:03:01,020
from the entire root directory

55
00:03:01,020 --> 00:03:04,140
because Linda is running it as root.

56
00:03:04,140 --> 00:03:06,690
That's what set user ID is doing.

57
00:03:06,690 --> 00:03:09,450
Now the good news is that the bash shell has protection.

58
00:03:09,450 --> 00:03:13,080
The bash shell denies set user ID on bash scripts.

59
00:03:13,080 --> 00:03:15,390
Fortunately, but I wanted to make the point

60
00:03:15,390 --> 00:03:17,760
of what set user ID is doing.

61
00:03:17,760 --> 00:03:22,760
I also want to show you when set user ID is useful.

62
00:03:23,550 --> 00:03:27,360
Honestly, I never ever used it in my entire life

63
00:03:27,360 --> 00:03:31,200
while working with Linux, which is about 30 years already,

64
00:03:31,200 --> 00:03:33,180
but some commands need it.

65
00:03:33,180 --> 00:03:38,180
I'm using sudo find / -perm /4000.

66
00:03:39,540 --> 00:03:40,710
And what do we get?

67
00:03:40,710 --> 00:03:42,480
We get a couple of files

68
00:03:42,480 --> 00:03:46,857
including a file called, where is it?

69
00:03:46,857 --> 00:03:48,630
Passwd.

70
00:03:48,630 --> 00:03:52,260
Passwd is your password file, it has set user ID.

71
00:03:52,260 --> 00:03:57,260
ls -l /usr/bin/passwd is showing the set user ID.

72
00:03:58,350 --> 00:03:59,340
What does that mean?

73
00:03:59,340 --> 00:04:02,460
That means that while the user is running passwd,

74
00:04:02,460 --> 00:04:05,130
the user is in a root shell.

75
00:04:05,130 --> 00:04:08,760
And that is because in order to change your password

76
00:04:08,760 --> 00:04:12,000
you need to edit the contents of /etc/shadow.

77
00:04:12,000 --> 00:04:16,410
And /etc/shadow is a file that is owned by a root

78
00:04:16,410 --> 00:04:18,120
where no permissions apply.

79
00:04:18,120 --> 00:04:20,790
So you need to be the special root user

80
00:04:20,790 --> 00:04:23,910
and the special root user can change the password.

81
00:04:23,910 --> 00:04:27,720
Well, any user can update their password in /etc/shadow

82
00:04:27,720 --> 00:04:30,693
and that is possible because of set user ID.

83
00:04:31,945 --> 00:04:33,900
Now, what I would like to suggest,

84
00:04:33,900 --> 00:04:38,280
never ever use set user ID, but do keep an eye on it

85
00:04:38,280 --> 00:04:41,340
because if ever your system is getting hacked

86
00:04:41,340 --> 00:04:44,790
and the hacker wants to create a backdoor

87
00:04:44,790 --> 00:04:47,910
then set user ID is a popular backdoor.

88
00:04:47,910 --> 00:04:51,377
So you know what, you sudo find / -perm /4000

89
00:04:53,490 --> 00:04:58,490
and copy that to a file with the name /tmp/suid.txt

90
00:05:02,580 --> 00:05:07,580
and that will create file with name suid.txt, cat suid.txt

91
00:05:10,350 --> 00:05:15,350
and we need to do that in the tmp directory, of course.

92
00:05:16,290 --> 00:05:18,750
Do this regularly as a cron (indistinct)

93
00:05:18,750 --> 00:05:21,540
That's a topic that I will tell you later about

94
00:05:21,540 --> 00:05:26,280
and after doing it again and again and again

95
00:05:26,280 --> 00:05:29,700
compare the contents of this set user ID file.

96
00:05:29,700 --> 00:05:31,920
You know what, let me do that real fast.

97
00:05:31,920 --> 00:05:34,050
I am going to remove it this time

98
00:05:34,050 --> 00:05:35,760
because that would have the same effect.

99
00:05:35,760 --> 00:05:40,760
sudo chmod u-s /home/linda/playme.sh

100
00:05:45,900 --> 00:05:49,560
I'm going to run my find command again.

101
00:05:49,560 --> 00:05:52,390
Let's call it suid-new.txt

102
00:05:53,550 --> 00:05:55,650
and then I'm going to run a new Linux command

103
00:05:55,650 --> 00:05:57,060
that we have not seen before.

104
00:05:57,060 --> 00:05:59,760
Diff, diff is showing you differences.

105
00:05:59,760 --> 00:06:04,183
I wanna see differences between /tmp/suid.txt

106
00:06:05,790 --> 00:06:10,743
and /tmp/suid-new.txt,

107
00:06:11,730 --> 00:06:13,230
which is showing me what?

108
00:06:13,230 --> 00:06:14,883
Which is showing me differences.

109
00:06:16,140 --> 00:06:18,960
A smaller than sign, interpret the smaller than sign

110
00:06:18,960 --> 00:06:21,870
as an arrow to the left, which means on the left

111
00:06:21,870 --> 00:06:26,040
we do have this linda/playme.sh, on the right we don't.

112
00:06:26,040 --> 00:06:29,910
This is an easy way to find out that there are differences.

113
00:06:29,910 --> 00:06:32,940
And that is how you can do a little bit of monitoring

114
00:06:32,940 --> 00:06:37,770
of this set user ID permission by using the diff command.

115
00:06:37,770 --> 00:06:40,860
Right, let's also talk about set group ID.

116
00:06:40,860 --> 00:06:43,525
Set group ID on files is doing the same

117
00:06:43,525 --> 00:06:47,580
as set user ID on files with the difference

118
00:06:47,580 --> 00:06:50,580
that the user will execute with the permissions

119
00:06:50,580 --> 00:06:52,320
of the group owner.

120
00:06:52,320 --> 00:06:53,340
That's kind of useless.

121
00:06:53,340 --> 00:06:54,960
I don't wanna spend time on that.

122
00:06:54,960 --> 00:06:59,460
I do wanna spend time on set group ID on directories

123
00:06:59,460 --> 00:07:01,590
because that is actually a very convenient,

124
00:07:01,590 --> 00:07:04,031
very useful command.

125
00:07:04,031 --> 00:07:09,031
If you use sudo ls -l /data/sales, what do we see?

126
00:07:10,290 --> 00:07:13,110
We see the file that Linda has just created.

127
00:07:13,110 --> 00:07:16,110
Linda is a member of the group sales, remember?

128
00:07:16,110 --> 00:07:19,920
And other people are a member of the group sales as well.

129
00:07:19,920 --> 00:07:21,870
Now, what is the purpose of creating

130
00:07:21,870 --> 00:07:24,300
such a shared group environment?

131
00:07:24,300 --> 00:07:27,420
Well, the purpose is that people who are a member

132
00:07:27,420 --> 00:07:29,582
of the same group can work in the same files.

133
00:07:29,582 --> 00:07:32,550
Now, the question here is can user laura

134
00:07:32,550 --> 00:07:34,890
who is also a member of the group sales,

135
00:07:34,890 --> 00:07:36,990
write to the file that Linda created?

136
00:07:36,990 --> 00:07:39,630
And the answer is no, she can't

137
00:07:39,630 --> 00:07:41,460
because Laura is not Linda.

138
00:07:41,460 --> 00:07:43,740
Laura is not a member of the group Linda.

139
00:07:43,740 --> 00:07:47,220
So Laura is others and others is read only.

140
00:07:47,220 --> 00:07:50,430
So Laura can read, Laura cannot write.

141
00:07:50,430 --> 00:07:52,200
The best thing that Laura could do

142
00:07:52,200 --> 00:07:54,360
is copy the file to a new file.

143
00:07:54,360 --> 00:07:58,560
What if you want the user to be able to write to the file?

144
00:07:58,560 --> 00:08:02,130
Well, set group ID on a directory makes that

145
00:08:02,130 --> 00:08:05,430
files created in that directory will get

146
00:08:05,430 --> 00:08:08,370
the same group owner as the directory.

147
00:08:08,370 --> 00:08:13,370
So I am going to use sudo chmod g+s /data/sales.

148
00:08:15,600 --> 00:08:17,190
It's a directory permission.

149
00:08:17,190 --> 00:08:19,950
Let me double check that the permission was set correctly.

150
00:08:19,950 --> 00:08:21,630
Do you see the difference?

151
00:08:21,630 --> 00:08:24,693
S on the position where previously we had x.

152
00:08:25,645 --> 00:08:28,230
We still have x but this position is a shared position.

153
00:08:28,230 --> 00:08:32,250
So s indicates that we have set group ID as well as execute.

154
00:08:32,250 --> 00:08:35,670
Now, I'm going to open a shell as user linda again.

155
00:08:35,670 --> 00:08:38,490
So sudo su - linda.

156
00:08:38,490 --> 00:08:43,150
Linda goes to data sales and Linda is going to use

157
00:08:45,879 --> 00:08:48,540
touch lindafile and ls -l and oops.

158
00:08:48,540 --> 00:08:51,090
I need to create a new file,

159
00:08:51,090 --> 00:08:55,410
lindafile2 and ls -l and now we can see the effect.

160
00:08:55,410 --> 00:09:00,410
Lindafile2 is owned by the group Linda

161
00:09:01,020 --> 00:09:04,470
and oh boy, something else is still not being alright.

162
00:09:04,470 --> 00:09:07,830
The group linda doesn't have write permission.

163
00:09:07,830 --> 00:09:09,900
That's something else that we need to change.

164
00:09:09,900 --> 00:09:11,490
That will be up in the next lesson.

165
00:09:11,490 --> 00:09:12,452
That is umask.

166
00:09:12,452 --> 00:09:15,570
So, hold that thought, we are getting back on that

167
00:09:15,570 --> 00:09:17,250
in the next video.

168
00:09:17,250 --> 00:09:20,040
But for now one more thing that I wanna tell you about

169
00:09:20,040 --> 00:09:22,053
and that is the following.

170
00:09:23,010 --> 00:09:25,740
Let me use sudo su - laura.

171
00:09:25,740 --> 00:09:27,810
So I'm becoming user laura.

172
00:09:27,810 --> 00:09:31,180
User laura is going to data sales and user laura

173
00:09:33,193 --> 00:09:35,580
sees all these beautiful files that Linda has created.

174
00:09:35,580 --> 00:09:39,450
Now, let me remind you what exactly the permissions are.

175
00:09:39,450 --> 00:09:42,720
And the question is user laura is going to use

176
00:09:42,720 --> 00:09:46,443
rm -f *, can she do that?

177
00:09:47,430 --> 00:09:49,980
Well you remember, removing files

178
00:09:49,980 --> 00:09:52,440
is actually a directory operation.

179
00:09:52,440 --> 00:09:54,930
User laura is a member of the group sales.

180
00:09:54,930 --> 00:09:57,900
Group sales has write permission on the directory.

181
00:09:57,900 --> 00:10:01,080
So user laura is capable of removing files

182
00:10:01,080 --> 00:10:03,270
that Linda has created.

183
00:10:03,270 --> 00:10:06,450
In case you don't like that, you need sticky bit.

184
00:10:06,450 --> 00:10:08,280
Sticky bit is a directory permission

185
00:10:08,280 --> 00:10:10,590
and if sticky bit is set on a directory,

186
00:10:10,590 --> 00:10:14,610
you can only remove the file if you own the file

187
00:10:14,610 --> 00:10:17,913
or if you are the user owner of the directory.

188
00:10:18,870 --> 00:10:21,400
So let me use chmod +t

189
00:10:23,760 --> 00:10:25,080
with sudo, of course.

190
00:10:25,080 --> 00:10:28,830
chmod +t /data/sales

191
00:10:28,830 --> 00:10:33,210
and again ls -ld /data/sales.

192
00:10:33,210 --> 00:10:36,270
And there we can see, we have an uppercase T right now

193
00:10:36,270 --> 00:10:38,476
and the uppercase T means we have sticky bit

194
00:10:38,476 --> 00:10:41,760
meaning that users can delete their own files.

195
00:10:41,760 --> 00:10:45,320
So, I am using Ctrl+R to reverse-i-search

196
00:10:45,320 --> 00:10:47,790
to get back in the laura shell.

197
00:10:47,790 --> 00:10:52,790
And Laura is going to /data/sales and rm -f *

198
00:10:54,480 --> 00:10:57,150
and there we go, operation not permitted.

199
00:10:57,150 --> 00:10:58,380
Ain't gonna happen.

200
00:10:58,380 --> 00:11:01,650
It's no longer permitted because of sticky bit.

201
00:11:01,650 --> 00:11:05,040
Sticky bit and set group ID are useful permissions

202
00:11:05,040 --> 00:11:07,500
in a shared directory environment.

203
00:11:07,500 --> 00:11:11,580
Set group ID is mainly useful if when a user creates a file,

204
00:11:11,580 --> 00:11:13,830
the group gets write permissions as well.

205
00:11:13,830 --> 00:11:15,330
That's something that's still open

206
00:11:15,330 --> 00:11:17,643
and I will explain in the next video.