SCSA10-1 Objective 4.5 - Solaris restrict access to files, group membership, special file permissions
One of the coolest features of UNIX-type operating systems is the fine-grained ability to control access to files and directories based on owner, group, and other users. Everything on a Solaris system is a file of some sort, and every file is owned by exactly one user and associated with exactly one group. Given this, almost any practical access control scheme can be built from ownership, group membership, and the permission bits.
Restrict access to data in files through the use of group membership, ownership, and special file permissions.
The basics of file permission modifications using the chmod command are covered at Tech-Recipes for simple chmod usage and more advanced octal chmod control.
Three special permissions exist in Solaris 10 filesystems: setuid, setgid, and the sticky bit. The setuid permission causes an executable to run with the effective user ID of the file's owner rather than that of the user who invoked it, which is an obvious security risk if misused or misconfigured (a setuid-root program with a bug hands root to anyone who can run it). For example, the crontab executable needs to modify files in /var/spool/cron/crontabs, which are all owned by root. To make this possible, the crontab executable is owned by root with the setuid bit set. This is evident in the long file listing of /usr/bin/crontab, where the owner's execute position (x) shows an s instead (a capital S in that position means setuid is set but the owner execute bit is not, which is almost always a chmod mistake):
-r-sr-xr-x 1 root bin 20336 Jan 22 2005 crontab
Likewise, setgid causes an executable to run with the effective group ID of the group associated with the file. For example, the write command allows one user to send another user a message by writing text to that user's tty device, and the tty devices are owned by group tty and writable by that group. Since the write command is itself associated with group tty and has the setgid permission, any user running it can write to other users' terminals through the command without having general write access to those devices. The write command in a long listing shows an s where the group x bit would normally be:
-r-xr-sr-x 1 root tty 18740 Jan 22 2005 write
The sticky bit is a protection mechanism for directories that are writable by everyone (like /tmp): a file in such a directory can be deleted or renamed only by the file's owner, the directory's owner, or root (or someone with root-like powers), even though every user has write permission on the directory itself. Directories with the sticky bit set show a t where the "other" execute x bit would be (a capital T means the sticky bit is set but "other" execute is not), as in this long listing of /tmp:
drwxrwxrwt 18 root sys 2938 Jan 19 19:45 tmp
For the exam it is important to be able to read and understand permissions as well as set them.
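Reading a mode string and translating it to the octal form chmod takes is exactly the skill the objective asks for. The following script is an added example, not part of the original page or of Solaris itself: it decodes the special bits from an `ls -l` mode field (including the capital S/T cases), converts the field to four-digit octal, lists setuid/setgid files under a directory with find, and then sets each bit with chmod in a scratch directory to show what ls reports. It assumes a POSIX sh with chmod, ls, find, cut and mktemp, which Solaris 10 and Linux both provide; the file and directory names in the demo are made up for the example.

```sh
#!/bin/sh
# Decode and set the Solaris special permission bits (setuid, setgid, sticky).
# Added example; assumes POSIX sh plus chmod, ls, find, cut and mktemp.

# decode_special MODE: take the 10-character mode field from `ls -l` and print
# which special bits are set. Lowercase s/t means the special bit is set
# together with the execute bit; uppercase S/T means the special bit is set
# but the matching execute bit is not (a setuid bit without execute is useless
# and usually a chmod typo).
decode_special() {
    mode=$1
    out=""
    case $(printf '%s' "$mode" | cut -c4) in       # owner execute position
        s) out="${out}setuid," ;;
        S) out="${out}setuid(no-exec)," ;;
    esac
    case $(printf '%s' "$mode" | cut -c7) in       # group execute position
        s) out="${out}setgid," ;;
        S) out="${out}setgid(no-exec)," ;;
    esac
    case $(printf '%s' "$mode" | cut -c10) in      # other execute position
        t) out="${out}sticky," ;;
        T) out="${out}sticky(no-exec)," ;;
    esac
    [ -z "$out" ] && out="none,"
    printf '%s\n' "${out%,}"
}

# mode_to_octal MODE: convert the same ls mode field to the four-digit octal
# form used with chmod, e.g. -r-sr-xr-x -> 4555, drwxrwxrwt -> 1777.
mode_to_octal() {
    mode=$1
    special=0
    digits=""
    for start in 2 5 8; do                          # owner, group, other triads
        triad=$(printf '%s' "$mode" | cut -c"$start"-$((start + 2)))
        v=0
        case $triad in r??) v=$((v + 4)) ;; esac
        case $triad in ?w?) v=$((v + 2)) ;; esac
        case $triad in ??[xst]) v=$((v + 1)) ;; esac
        case "$start$triad" in
            2??[sS]) special=$((special + 4)) ;;    # owner position: setuid = 4000
            5??[sS]) special=$((special + 2)) ;;    # group position: setgid = 2000
            8??[tT]) special=$((special + 1)) ;;    # other position: sticky = 1000
        esac
        digits="$digits$v"
    done
    printf '%d%s\n' "$special" "$digits"
}

# find_special DIR: list regular files under DIR with setuid or setgid set,
# the audit every hardening checklist asks for. `-perm -4000` matches when at
# least those bits are set; Solaris and GNU find both accept it.
find_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# demo_special_bits: create a scratch directory, set each special bit with
# chmod, and print what ls shows for it. Returns 0 when the find audit reports
# the three files that carry setuid or setgid.
demo_special_bits() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/suidbin" "$tmp/sgidbin" "$tmp/oops"
    mkdir "$tmp/shared"
    chmod 4755 "$tmp/suidbin"      # rwsr-xr-x  (symbolic: chmod u=rwxs,go=rx)
    chmod 2755 "$tmp/sgidbin"      # rwxr-sr-x  (symbolic: chmod g+s)
    chmod 1777 "$tmp/shared"       # rwxrwxrwt  (symbolic: chmod +t, like /tmp)
    chmod 4644 "$tmp/oops"         # rwSr--r--  setuid without execute: capital S
    for f in suidbin sgidbin shared oops; do
        mode=$(ls -ld "$tmp/$f" | cut -c1-10)
        printf '%-8s %s  octal=%s  special=%s\n' "$f" "$mode" \
            "$(mode_to_octal "$mode")" "$(decode_special "$mode")"
    done
    n=$(find_special "$tmp" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    [ "$n" -eq 3 ]                 # suidbin, sgidbin and oops; shared is a directory
}

demo_special_bits || echo "demo: find did not report the expected three files"
```

Run the script as an ordinary user; the demo works on files you own because setting setuid on your own file needs no privilege. On a production system the interesting call is `find_special /` (ideally compared against a baseline taken at install time), since a new or unexpected setuid-root binary is one of the classic signs of a compromise.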
Going a little beyond the exam, two commands allow even finer-grained access control of files and directories than the owner/group/other bits: setfacl and getfacl. They manage access control lists on UFS, which grant permissions to named users and groups, so that user fred can read and write a certain file while user john can only read it (setfacl -m user:fred:rw-,user:john:r-- file; getfacl file displays the resulting entries). Note that the ACL mask entry caps what named users and groups actually get, so after a change check the #effective column in getfacl output, or use setfacl -r to have the mask recalculated.
