Posts with label: Unix for DBAs

Monday, November 16, 2015

What is special permission in Unix -- An interesting topic for all Unix admin / DBAs

Yesterday, I faced a strange issue while starting up an Oracle instance after applying PSU4 to our 12.1.0.2 database. Even when my ASM was up and running, I couldn't start my database instances. The alert log clearly showed that ASM was not available. It was quite strange to me, so I started googling. After an hour of googling I found the solution. The file permission of $ORACLE_HOME/bin/oracle got changed somehow while applying the PSU, so I executed the following and was able to start my database instances.

#chown oracle:asmadmin $ORACLE_HOME/bin/oracle 
#chmod 6751 $ORACLE_HOME/bin/oracle 
  
We are familiar with setting file permissions with a 3-digit combination like 777, 755 etc.
Now the question is, what is the purpose of the extra digit 6 here? The answer is that it is the combination of the Unix special file permissions suid and sgid.
So this time, instead of talking about an Oracle-specific topic, I would like to discuss the special permissions in Unix-based operating systems. For all DBAs working on a Unix-based OS, a good understanding of special permissions is an added advantage.

There are three types of special permission bits that may be set on executable files or directories if required.
These permission bits are:
1. setuid (set user identification bit)
2. setgid (set group identification bit)
3. sticky bit

1)The suid (set user id bit)

Setting the suid bit on an executable file makes it run with the privileges of the file's owner (usually root) rather than those of the user who launches it. Remember that normally, when a user launches an application, that application runs with the same permissions as that user. This is one of the fundamental differences between Windows and *nix systems.
A common example of a file with the suid bit set is /usr/bin/passwd. You can see that the suid bit is set by the letter s in place of the owner's execute bit:

-rwsr-xr-x 1 root root 26680 May 10 13:44 passwd

To check whether a file has the setuid bit set, use the ls command with the long-listing option, as follows:
[root@node2 ~]# ls -lrt /bin/su
-rwsr-xr-x 1 root root 24060 Nov 27 2006 /bin/su

You can see that the owner-executable bit is shown as 's', which means the executable file is setuid enabled.
The passwd application allows users to change their own passwords. In order to do so, it has to write to the /etc/passwd file, which contains all of the accounts on a GNU/Linux system. If the suid bit were not set on the passwd application, it would only have the rights of the invoking user and therefore could not make changes to /etc/passwd. Setting the suid bit on the passwd application allows it to run as the superuser, so it can write the new password to /etc/passwd.

How to set the suid bit?
Use the digit 4 in front of a normal chmod mode:
#chmod 4755 /home/mahi/mahi.sh
Alternatively, you can use symbolic notation to get the same result:
#chmod u+s /home/mahi/mahi.sh

To unset the setuid bit, use
# chmod u-s /home/mahi/mahi.sh
or
#chmod 0755 /home/mahi/mahi.sh

To search for all files in the system that have the setuid bit set, use the find command:
# find / -type f -perm -04000 -exec ls -lrt {} \;

setuid on directories
The setuid bit on a directory is simply ignored by Linux: you can set it, but it is given no special meaning. On Linux, only the setgid bit has a special effect on a directory.

2) Setgid bit (set group id bit)
The setgid bit can be set on both files and directories.
2.1 setgid on a file
The setgid bit is set on executable files at the group level. When this bit is enabled, the file runs with the privileges of the group that owns the file (its effective group ID), regardless of which user executes it. SGID on files occurs far less frequently than SUID.

For example, the Linux write and wall commands are owned by root with the group set to tty, and both have the setgid bit enabled. Note the “s” in the group permission class below:
[root@node2 ~]# ls -lrt /usr/bin/wall
-r-xr-sr-x 1 root tty 10420 Oct 13  2006 /usr/bin/wall
The write and wall commands are used to send messages to other users' terminals (ttys) or to any pseudo terminal (pts/n). The write command writes a message to a single user, while wall writes to all connected users. For example:

[root@node2 ~]# wall
Hi
h r u?
^d
This sends the message to all connected users. Sending text to another user's terminal or graphical display is normally not allowed. To get around this, a group has been created which owns all terminal devices. Because the write and wall commands have the SGID bit set, they run with the access rights of that group, tty in this example. Since this group has write access to the destination terminal, even a user with no permissions on that terminal can send messages to it.
From the following output you can see that each terminal device (tty1, pts/0, pts/1 etc.) is owned by the group tty. So when a normal user runs ‘wall’ or ‘write’, the command runs with the access rights of the group tty, and the output shows that the ‘tty’ group has write permission on each destination terminal. That is why the message appears on every terminal.

[root@node2 ~]# ls -lrt /dev/tty1
crw--w---- 1 root tty 4, 1 Jan 21 23:29 /dev/tty1

[root@node2 ~]# ls -lrt /dev/pts
crw--w---- 1 root tty 136, 0 Jan 21 23:19 0
crw--w---- 1 root tty 136, 1 Jan 21 23:29 1

You can also send a message to any destination terminal with ‘echo’ if you have enough permission, for example:
[root@node2 ~]# echo Hi dear > /dev/pts/1
This displays the message “Hi dear” on the pseudo terminal /dev/pts/1. Now try the same command as a normal user:
[mahi@node2 ~]$ echo Hi dear > /dev/pts/1
-bash: /dev/pts/1: Permission denied
i.e. the local user has no write permission on the destination terminal. This is where the setgid bit on write and wall comes into play.

How to set the setgid bit on files and directories
To set the setgid bit you must be either the owner of the file or root. Use the chmod command to set setgid on files and directories:

#chmod 2755 /home/mahi/free.sh
Alternatively, you can use symbolic notation to get the same result:

#chmod  g+s  /home/mahi/free.sh
To unset the setgid bit

# chmod  g-s  /home/mahi/free.sh
or
#chmod 0755 /home/mahi/free.sh
To search for all files in the system having the setgid bit enabled (for directories use ‘d’ instead of ‘f’):

# find / -type f -perm -02000 -exec ls -lrt {} \;

2.2 Setgid bit on directories
We can use the command chmod to set the group ID bit for a directory.
#chmod g+s /mydir
or with numeric mode:
#chmod 2775 /mydir

After the change, the permission of the directory "/mydir" becomes "drwxrwsr-x".

drwxrwsr-x 3 ora ora 4096 2010-03-18 19:57 /mydir
But what is so special about setting the group ID on a directory? The trick is that when any user creates a file or directory under such a directory "/mydir", the new file or directory gets the group of "/mydir" instead of the primary group of the user who creates it.

For example, if mahi belongs to the groups "mahi" (primary group) and "ora", and he creates a file "setgid.txt" under the directory "/mydir", "setgid.txt" will be owned by the group "ora" instead of mahi's primary group "mahi".

   -rw-r--r-- 1 mahi ora   10 2010-03-18 20:01 setgid.txt

Even if ‘mahi’ does not belong to the group "ora", the files or directories he creates under "/mydir" (if "/mydir" grants write permission to "others") will also be owned by group "ora".

You can use this feature to share files within a group. Create a directory which permits the group to write, and set the group ID bit. Every file or directory created under it will have the same group ownership, so the whole group can share them.
One command for finding all the files with the setuid or setgid bit set (the older "-perm +6000" syntax has been removed from current GNU find; "-perm /6000" matches any of the given bits):

#find / -perm /6000 -type f -exec ls -lrt {} \;

3) sticky bit
The sticky bit is normally set on world-writable directories to protect the files and sub-directories of individual users from being deleted by other users. It is typically set on the /tmp and /var/tmp directories. When the sticky bit is set on a directory, only the owner of that directory or the owner of a file can delete or rename a file within it.
Normally all users are allowed to create and delete files and sub-directories in these directories.
With the default permissions, any user could remove other users' files and sub-directories.
The sticky bit shows up as a t in the execute position of the others permission class, for example:

[root@server ~]# ls -ld /var/tmp/ /tmp
drwxrwxrwt 32 root root 4096 Mar 15 13:35 /tmp
drwxrwxrwt  2 root root 4096 Feb 20 10:35 /var/tmp/

How to set sticky bit permission
When the digit 1 is used with the chmod command, it sets the sticky bit on the directory:
#chmod  1777 test
Alternatively, you can use symbolic notation to set the same:
#chmod o+t  test
There is no need to specify ‘o’ with chmod; you can simply do it with
#chmod  +t  test 

How to unset sticky bit permission
#chmod -t test
Or
#chmod 0777 test

Note:
You may see either a ‘t’ or a ‘T’ indicating that the sticky bit is set. You see a ‘t’ if the world already had execute permission before you set the sticky bit, and a ‘T’ if the world did not have execute set before the sticky bit was put in place. For example:
#mkdir  testdir
#chmod 754 testdir
#chmod  o+t  testdir
# ls -ld testdir
drwxr-xr-T 2 root root 4096 Mar 15 14:23 testdir

To list all directories having the sticky bit enabled:
#find / -perm  -1000 -type d

Note:
Linux ignores the sticky bit when it is set on files. It is possible to set a combination of suid, sgid and the sticky bit at the same time. The leading digit of the chmod mode is the sum of 4 (suid), 2 (sgid) and 1 (sticky):

0   Removes sticky bit, suid and sgid
1   Sets sticky bit
2   Sets sgid bit
3   Sets sticky bit and sgid bit
4   Sets suid bit
5   Sets sticky bit and suid bit
6   Sets suid and sgid bit
7   Sets sticky bit, suid and sgid bit

Be sure to note that using a 0 removes suid, sgid and the sticky bit all at the same time. If you use 0 to remove suid but still want the sticky bit set, you need to go back and reset the sticky bit.
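To tie the three sections together, here is an added example (not from the original post) that decodes the suid, sgid and sticky bits from an ls-style mode string into the leading chmod digit from the table above, flags the upper-case ‘S’/‘T’ case, and lists files carrying any special bit using only POSIX find tests (so it also works where GNU's "-perm /6000" is unavailable). Function names are my own.

```shell
#!/bin/sh
# Added example: decode special-permission bits from an ls-style mode
# string and find files that carry them.

# special_digit MODESTRING -> prints the leading octal digit (0-7) that
# chmod needs for the suid/sgid/sticky bits shown in the string,
# e.g. "-rwsr-sr-t" -> 7, "-rwsr-xr-x" -> 4, "drwxrwsr-x" -> 2.
special_digit() {
    mode=$1
    digit=0
    # character 4 is the owner execute slot: s/S means setuid
    case $(printf '%s' "$mode" | cut -c4) in s|S) digit=$((digit + 4)) ;; esac
    # character 7 is the group execute slot: s/S means setgid
    case $(printf '%s' "$mode" | cut -c7) in s|S) digit=$((digit + 2)) ;; esac
    # character 10 is the others execute slot: t/T means sticky
    case $(printf '%s' "$mode" | cut -c10) in t|T) digit=$((digit + 1)) ;; esac
    printf '%s\n' "$digit"
}

# dead_bits MODESTRING -> "yes" when an upper-case S or T appears, i.e. a
# special bit is set on a slot that lacks the execute bit (the "T" case
# from the post), otherwise "no".
dead_bits() {
    case $1 in *S*|*T*) printf 'yes\n' ;; *) printf 'no\n' ;; esac
}

# file_special_digit PATH -> special digit of a real file, read via ls -ld
# (cut -c1-10 drops any trailing ACL/SELinux marker such as "+" or ".")
file_special_digit() {
    special_digit "$(ls -ld "$1" | cut -c1-10)"
}

# find_special ROOT -> lists files and directories under ROOT that have any
# of suid, sgid or sticky set; "-perm -XXXX" (all listed bits set) is POSIX,
# so OR-ing the three tests replaces GNU's "-perm /7000".
find_special() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) -exec ls -ld {} \;
}
```

Running file_special_digit against $ORACLE_HOME/bin/oracle is a quick way to confirm the 6 from the post's chmod 6751 is still in place after patching.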





Saturday, December 6, 2014

Shell Script: How to add color to your shell script in Linux
Shell scripts commonly use ANSI escape codes for colored output. The following tables show the numbers representing attributes and colors in escape sequences.
Attribute codes:
00=none 01=set to bold intensity 02=set to faint intensity 03=use italic font 04=underscore 05=slow blink 06=fast blink 07=reverse foreground/background colors 08=Set foreground color to background color
Text color codes:
30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white
Background color codes:
40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white
Numbers Representing Colors in Escape Sequences

Color     Foreground   Background
Black     30           40
Red       31           41
Green     32           42
Yellow    33           43
Blue      34           44
Magenta   35           45
Cyan      36           46
White     37           47

The numbers in the above table work for the xterm terminal. Results may vary in other terminal emulators.
Use the following template for writing colored text:
$ echo -e "\033[COLORm Sample text"
The "\033[" begins the escape sequence (you can also use "\e[" instead of "\033["). COLOR specifies a foreground color, according to the table above. The "m" terminates the escape sequence, and the text begins immediately after that.
eg:
$ echo -e "\033[1mThis is bold text.\033[0m"
The "\033[" represents an escape (you can also use "\E[" or "\e["), the "1" turns on the bold attribute, while the "0" switches it off. The "m" terminates each term of the escape sequence.

Note:
Always put \033[0m at the end of the line to turn the color attributes off again. With echo, the -e option enables the escape sequences.

Use the following template for writing colored text on a colored background.
$ echo -e "\E[COLOR1;COLOR2mSome text goes here."
The "\E[" begins the escape sequence. The semicolon-separated numbers "COLOR1" and "COLOR2" specify a foreground and a background color, according to the table above. (The order of the numbers does not matter, since the foreground and background numbers fall in non-overlapping ranges.) The "m" terminates the escape sequence, and the text begins immediately after that. Note also that quotes enclose the remainder of the command line following echo -e.

Note:
With echo, the -e option enables the escape sequences. You can also use printf instead of echo:
printf "\e[COLORm sample text\n"

To print green text:
echo -e "\033[32m Hello World"
or
printf "\e[32m Hello World"

The problem with the above statements is that the green color started by code 32 is never switched back to the regular color, so any text you type after the prompt, and even the prompt itself, is still green. To return to the plain, normal mode there is yet another sequence, "\033[0m", so you have to add it wherever you need the color to end.

Note: The blink attribute does not work in terminal emulators, but it does work on the console.
By combining these escape sequences you can get fancier effects.

Use the following template for writing colored text on a colored background, with the reset at the end:
echo -e "\033[COLOR1;COLOR2m sample text\033[0m";

The semicolon-separated numbers "COLOR1" and "COLOR2" specify a foreground and a background color. The order of the numbers does not matter, since the foreground and background numbers fall in non-overlapping ranges. "m" terminates the escape sequence, and the text begins immediately after that.
Setting the colors separately also works (i.e. \033[44m\033[32m).
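As an added example (not from the original post), the "\033[CODESm ... \033[0m" template above can be wrapped in a small function that always appends the reset, and then used as a filter that colors lines of an Oracle alert log by severity: bold red for ORA- errors, yellow for warnings, bold green for completed operations. Function names and the sample log lines are my own.

```shell
#!/bin/sh
# Added example: wrap the escape-code template in a function and use it to
# color log lines by severity. Uses printf with \033 (POSIX) rather than
# echo -e, which not every /bin/sh supports.

# sgr CODES TEXT -> TEXT wrapped in the given SGR codes (e.g. "1;31") and
# followed by the reset sequence, so the color never leaks into the prompt
sgr() {
    printf '\033[%sm%s\033[0m' "$1" "$2"
}

# severity_codes LINE -> the codes from the post's tables for this line;
# empty when the line should stay uncolored
severity_codes() {
    case $1 in
        ORA-*|*" ORA-"[0-9]*|*"Errors in file"*) printf '1;31' ;;   # bold red
        *WARNING*|*"Warning:"*)                 printf '33' ;;     # yellow
        *"Completed:"*|*"completed"*)           printf '1;32' ;;   # bold green
        *)                                      printf '' ;;
    esac
}

# colorize_line LINE -> LINE colored by severity, unchanged if no match
colorize_line() {
    codes=$(severity_codes "$1")
    if [ -n "$codes" ]; then
        sgr "$codes" "$1"
    else
        printf '%s' "$1"
    fi
    printf '\n'
}

# colorize -> filter that colors stdin line by line, e.g.
#   tail -f alert_ORCL.log | colorize      (file name is an assumption)
colorize() {
    while IFS= read -r line || [ -n "$line" ]; do
        colorize_line "$line"
    done
}

# demo -> runs the filter over constructed sample lines (not a real log)
demo() {
    printf '%s\n' \
        'Completed: ALTER DATABASE OPEN' \
        'ORA-00600: internal error code' \
        'WARNING: Heavy swapping observed on system' \
        'Thread 1 advanced to log sequence 42' | colorize
}
```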

The colors differ when combined with the bold attribute.
The following table summarises these differences:

Bold OFF   Color        Bold On   Color
0;30       Black        1;30      Dark Gray
0;31       Red          1;31      Dark Red
0;32       Green        1;32      Dark Green
0;33       Brown        1;33      Yellow
0;34       Blue         1;34      Dark Blue
0;35       Magenta      1;35      Dark Magenta
0;36       Cyan         1;36      Dark Cyan
0;37       Light Gray   1;37      White

The following shell script prints all the colors and their codes on the screen:
#!/bin/bash
# This script echoes colors and codes
echo -e "\n\033[4;31mLight Colors\033[0m \t\t\t \033[1;4;31mDark Colors\033[0m"
echo -e " \e[0;30;47m Black \e[0m 0;30m \t\t \e[1;30;40m Dark Gray \e[0m 1;30m"
echo -e " \e[0;31;47m Red \e[0m 0;31m \t\t \e[1;31;40m Dark Red \e[0m 1;31m"
echo -e " \e[0;32;47m Green \e[0m 0;32m \t\t \e[1;32;40m Dark Green \e[0m 1;32m"
echo -e " \e[0;33;47m Brown \e[0m 0;33m \t\t \e[1;33;40m Yellow \e[0m 1;33m"
echo -e " \e[0;34;47m Blue \e[0m 0;34m \t\t \e[1;34;40m Dark Blue \e[0m 1;34m"
echo -e " \e[0;35;47m Magenta \e[0m 0;35m \t\t \e[1;35;40m Dark Magenta\e[0m 1;35m"
echo -e " \e[0;36;47m Cyan \e[0m 0;36m \t\t \e[1;36;40m Dark Cyan \e[0m 1;36m"
echo -e " \e[0;37;47m Light Gray\e[0m 0;37m \t\t \e[1;37;40m White \e[0m 1;37m"

----------------------------------------end of script---------------------------------------------

Run the following shell script on a console and also in a terminal emulator and compare the difference:
#!/bin/bash
clear
echo -e " \033[30m* 30 black foreground *\033[0m"
echo -e " \033[31m* 31 red foreground *\033[0m"
echo -e " \033[32m* 32 green foreground *\033[0m"
echo -e " \033[33m* 33 yellow foreground *\033[0m"
echo -e " \033[34m* 34 blue foreground *\033[0m"
echo -e " \033[35m* 35 magenta foreground *\033[0m"
echo -e " \033[36m* 36 cyan foreground *\033[0m"
echo -e " \033[37m* 37 white foreground *\033[0m"

echo -e "\033[33;40m 33;40 yellow text on black background\033[0m"
echo -e "\033[33;41m 33;41 yellow text on red background\033[0m"
echo -e "\033[33;42m 33;42 yellow text on green background\033[0m"
echo -e "\033[33;44m 33;44 yellow text on blue background\033[0m"
echo " Note that 33 will display as brown on the console and as yellow in a terminal emulator"
echo -e "\033[33;45m 33;45 yellow text on magenta background\033[0m"
echo -e "\033[33;46m 33;46 yellow text on cyan background\033[0m"
echo -e "\033[33;47m 33;47 yellow text on white background\033[0m"

echo -e " \033[35;5m * 35 magenta text with slow blink*\033[0m"
echo -e "\033[1;4;33;44m 1;4;33;44 Bold yellow underlined text on blue background\033[0m"

To summarise:
Colors:
\033[30m set foreground color to black
\033[31m set foreground color to red
\033[32m set foreground color to green
\033[33m set foreground color to yellow
\033[34m set foreground color to blue
\033[35m set foreground color to magenta (purple)
\033[36m set foreground color to cyan
\033[37m set foreground color to white
\033[40m set background color to black
\033[41m set background color to red
\033[42m set background color to green
\033[43m set background color to yellow
\033[44m set background color to blue
\033[45m set background color to magenta (purple)
\033[46m set background color to cyan
\033[47m set background color to white

\033[1;30m set foreground color to dark gray
\033[1;31m set foreground color to light red
\033[1;32m set foreground color to light green
\033[1;33m set foreground color to yellow
\033[1;34m set foreground color to light blue
\033[1;35m set foreground color to light magenta (purple)
\033[1;36m set foreground color to light cyan
\033[1;37m set foreground color to white

\033[1;40m set background color to dark gray
\033[1;41m set background color to light red
\033[1;42m set background color to light green
\033[1;43m set background color to yellow
\033[1;44m set background color to light blue
\033[1;45m set background color to light magenta (purple)
\033[1;46m set background color to light cyan
\033[1;47m set background color to white

For other features:

\033[0m reset; clears all colors and styles (to white on black)
\033[1m bold on
\033[3m italics on
\033[4m underline on
\033[5m blink on
\033[7m reverse video on
\033[8m nondisplayed (invisible)
\033[x;yH moves cursor to line x, column y
\033[xA moves cursor up x lines
\033[xB moves cursor down x lines
\033[xC moves cursor right x spaces
\033[xD moves cursor left x spaces
\033[2J clear screen and home cursor