1
00:00:06,719 --> 00:00:09,269
So here I'm going
to demonstrate these special permissions.

2
00:00:10,730 --> 00:00:13,330
So what did
we do before?

3
00:00:13,990 --> 00:00:19,155
Well, ls -ld on data
sales is showing that I

4
00:00:19,155 --> 00:00:24,320
created directory sales that is
owned by the group sales.

5
00:00:24,820 --> 00:00:29,379
And the group sales has read, write and execute
permission. Now who's a member of the group sales?

6
00:00:29,879 --> 00:00:34,280
Well, let's do a
grep sales on /etc/group.

7
00:00:35,500 --> 00:00:39,855
This is a secondary group and
secondary group membership is managed through etc

8
00:00:39,855 --> 00:00:44,210
group. So Anna, Linda and Laura
are a member of the group sales.

9
00:00:44,789 --> 00:00:50,284
Okay, now what does that mean?
That means that if I open a

10
00:00:50,284 --> 00:00:55,780
shell as user Linda then I
go to the data sales directory.

11
00:00:56,280 --> 00:01:01,340
I should be able to use
touch and create a couple of files.

12
00:01:02,399 --> 00:01:06,359
And ls -l is showing...
oh, I did it wrong.

13
00:01:07,140 --> 00:01:10,200
I needed
a range 1 3.

14
00:01:12,340 --> 00:01:14,659
So ls -l is
showing all these files.

15
00:01:15,200 --> 00:01:16,829
Now what do we
see on these files?

16
00:01:17,329 --> 00:01:20,329
They are user owned by Linda.
They are group owned by Linda.

17
00:01:21,030 --> 00:01:26,439
And in shared group environments maybe
it is convenient if the group

18
00:01:26,439 --> 00:01:31,849
ownership is set to the
group owner of the parent directory.

19
00:01:32,870 --> 00:01:36,635
What I mean is if Linda
is working in the sales group then

20
00:01:36,635 --> 00:01:40,400
the file she creates should be
owned by the sales group as well.

21
00:01:40,980 --> 00:01:47,015
So how are we going to do
that? Well, sudo chmod g+s, that's how

22
00:01:47,015 --> 00:01:53,049
you set set group ID on a
directory and the directory is data sales.

23
00:01:53,950 --> 00:01:59,150
Now I'm using ls -ld on data sales
again and what do we see? Well you

24
00:01:59,150 --> 00:02:04,349
see that where before we had rwx
as group permissions, now we have rws.

25
00:02:05,629 --> 00:02:10,670
And this rws means that the
group owner of the directory is going

26
00:02:10,670 --> 00:02:15,710
to be applied for all files
that will be created in that directory.

27
00:02:16,610 --> 00:02:22,187
So if I use sudo su
linda again and Linda is using

28
00:02:22,187 --> 00:02:27,764
touch data sales linda 4 up
to 6, then we use ls

29
00:02:27,764 --> 00:02:33,342
-l on data sales and
there we can see that linda

30
00:02:33,342 --> 00:02:38,919
4, 5 and 6 are
group owned by the group sales.

31
00:02:40,259 --> 00:02:42,699
Right. Who else was
in the group sales?

32
00:02:43,819 --> 00:02:49,045
So let's do the grep command
again. grep sales on /etc/group

33
00:02:49,045 --> 00:02:54,270
and there we can see Laura
is also in the group sales.

34
00:02:54,770 --> 00:03:00,085
Okay, so now I'm going to
use sudo su - laura to

35
00:03:00,085 --> 00:03:05,400
open a shell as user laura.
Oh boy, Linda cannot do that.

36
00:03:06,069 --> 00:03:12,664
So let me Ctrl-C on that and let me exit back
to the student shell for the sudo su - laura to open a

37
00:03:12,664 --> 00:03:19,259
shell as user laura. Laura goes to data sales and Laura
is going to use rm on linda1, and is that allowed?

38
00:03:26,009 --> 00:03:29,990
Well let's figure it out. And
yeah, it's allowed. Why is this allowed?

39
00:03:30,569 --> 00:03:35,050
Well, that is because the
directory sales. Let's figure out the

40
00:03:35,050 --> 00:03:39,530
properties. The directory sales has
write permission for the group.

41
00:03:40,110 --> 00:03:47,080
Laura is a member of the group sales. Group sales has
write permission. Deleting a file requires write permission on the directory.

42
00:03:47,599 --> 00:03:53,039
And that is something that Laura can do. And
if you don't like that, you need sticky bit.

43
00:03:54,479 --> 00:04:00,479
So how do we set that? Well,
sudo chmod +t on data sales, chmod

44
00:04:00,479 --> 00:04:06,479
+t is setting sticky bit. I always
do sticky bit and set group ID in

45
00:04:06,480 --> 00:04:12,480
relative mode because they are easier. ls
-ld on data sales is now

46
00:04:12,480 --> 00:04:18,480
showing an uppercase t in the permissions,
which indicates that sticky bit is set.

47
00:04:19,399 --> 00:04:25,539
And when we use sudo su
to laura again and Laura is

48
00:04:25,539 --> 00:04:31,679
going to try to do an
rm data sales, then we get

49
00:04:31,679 --> 00:04:37,819
operation not permitted on all of
these files. So I might as

50
00:04:37,819 --> 00:04:43,959
well Ctrl-C out of it
because sticky bit is preventing this.

51
00:04:44,649 --> 00:04:51,170
So sticky bit and set group ID are actually
pretty convenient permissions in a shared group environment.

52
00:04:51,949 --> 00:04:56,350
One more thing we need to talk about,
and that is the notation of these permissions.

53
00:04:56,860 --> 00:05:01,629
Do you see that we have lowercase
s and uppercase t? And that is

54
00:05:01,629 --> 00:05:06,399
because ls -l doesn't have a separate
position to show if special permissions apply.

55
00:05:06,899 --> 00:05:10,644
So the convention is that special
permissions have a shared position in

56
00:05:10,644 --> 00:05:14,389
the ls -l output where you
normally have the x for execute.

57
00:05:15,079 --> 00:05:21,111
Now for set group ID that is showing
as an s in the group permissions where

58
00:05:21,111 --> 00:05:27,143
you normally have an x and the sticky
bit is showing as a t and you

59
00:05:27,143 --> 00:05:33,174
get lowercase if behind the special permission there
is execute. You get uppercase if behind the

60
00:05:33,174 --> 00:05:39,206
special permission there is no execute. And that's
why we see uppercase t because others had

61
00:05:39,206 --> 00:05:45,238
no permissions at all, and lowercase s
because the group had execute as well on

62
00:05:45,238 --> 00:05:51,269
this data sales directory. One more
thing, and that is sudo find 4000.

63
00:05:59,509 --> 00:06:02,230
Let me make sure that
I don't see any error messages.

64
00:06:03,629 --> 00:06:07,259
This is using the find command
to show permissions. And the permission

65
00:06:07,259 --> 00:06:10,889
that I'm looking for here
is a set user ID permission.

66
00:06:11,670 --> 00:06:18,449
So what is going on with this /usr/bin/passwd?
Let's do an ls -l on /usr/bin/passwd.

67
00:06:19,769 --> 00:06:24,840
There we can see it's marked red and
at the position of the x for the

68
00:06:24,840 --> 00:06:29,910
user we have an s. And that means
that this binary has set user ID permissions.

69
00:06:30,490 --> 00:06:35,953
And that means that while running the command
you start a subshell in which you are

70
00:06:35,953 --> 00:06:41,416
the owner of the file. So while running
passwd, you are root. And why do you

71
00:06:41,416 --> 00:06:46,879
need that? Well, you need that in
order to write your changes to /etc/shadow.

72
00:06:47,420 --> 00:06:54,180
Now isn't that funny? On Red Hat, on /etc/shadow,
not even root has permissions. But that doesn't matter,

73
00:06:54,180 --> 00:07:00,939
because root is living in a world where permissions
don't matter. Root can always write, and when an ordinary

74
00:07:00,939 --> 00:07:07,699
user is using passwd to change their password, well,
this makes that the ordinary user is temporarily becoming root.

75
00:07:08,439 --> 00:07:14,480
Set user ID is needed for some commands. You can
see a list of these commands on my system right here.

76
00:07:15,360 --> 00:07:20,589
For all other cases, set user ID is
very dangerous and should be avoided at all times.
