Thursday, July 23, 2009

Redirection and 2>&1

In Unix, one often finds a input and output redirection "<", ">", ">>". These are simple to understand.

Users can also do redirect one stream into another stream. This is done by using standard file descriptors. So, if someone wants to redirect all standard errors to whereever standard output is going, add 2>&1 in the end of the command. 2>&1 means send the standard errors to where standard output is going. 2 is the default file descriptor for stderr and 1 for stdout. If certain command is redirecting stdout to, say some file, stderr still goes to default screen. If you want stderr also to be sent to the file where stdout is going, use 2>&1.
Similarly, you can also redirect stdout to whereever stderr is going by 1>&2.

Also, remember that "some unix command > some_file 2>&1" is different from "some unix command 2>&1 > some_file". The first one redirects stderr to some_file, whereas the second won't.

Saturday, July 11, 2009

A tutorial on setuid and sticky bits in Unix

Unix users are sometimes confused with setuid and sticky bit permissions on files and directories. Below is a small tutorial on the most common use of setuid and sticky bits.

There are certain files or devices that are writable only by root. Nevertheless, ordinary users often have to use root-owned programs that try to write to those files. Since these files are writable only by root, how would a non-root user run the program that writes into that file. The solution in Unix is setuid bit. When this bit is set on a root-owned program, the program gets the effective privileges of root even when run by non-root user. This happens only for setuid programs i.e. for programs that have setuid bit set by owner/root. Example is passwd program that modifies the password files that are writable only by root. Since passwd program is setuid id, any non-root user can run this program and modify his/her password. Another example is ping program that is also setuid since ordinary users also run the ping program that accesses network devices.

In the file permission listing found by command “ls –l” setuid programs have the s in place of x. This means the program is both executable by owner and setuid. Another possibility is S in place of x which means the program is setuid but NOT executable. The program permissions could look like

rwsr-xr-x ( executable by root and setuid; what matters for setuid bit is the third letter)

OR

rwSr-xr-x ( hmmm…does it make sense !?)

One can make a program setuid by

chmod u+s prog_name

OR

chmod 4755 prog_name

Although the explanation above was specific to root-owned files, it could apply to any owner. So any user can make a program owned by himself/herself setuid and let others modify some of the owner’s files by this program.

Another related special permission setting for a program is setgid bit which is similar to above, but is useful only to the owner’s group. The setuid and setgid bits have different meanings when applied to directories. setgid bit on directory "d" means that any file or directory created under it would get the group id of "d". Remember that normally the group id of any newly created directory is the group id of the user who created it.

Yet another special permission is the sticky bit. Now-a-days, it is mainly used for directories. Let us first understand what directory permissions mean. Some directories are writable by all users. That means all users can create files as well as delete files inside such directories. Execute permission for a directory means search permission into that directory. So, execute permission is necessary to descend into that directory.

An example of directory with sticky bit set is /tmp. This directory stores temporary data that is created by user programs. Since these directories are writable by all, any user can delete any file! Even those files that are owned by others! To fix this state, such directories have sticky bit set. Now only the owners can delete any file in such directories.

Directories with sticky bit set have t letter in the execute permission set for others, as seen by the output of “ls –l”.

rwxrwxrwt ( sticky bit is set and execute permission for others)

OR

rwxrwxrwT ( sticky bit set but no execute permission for others)

Capital T means that others don’t have execute permission for that directory, so they can’t search into it.

update: Added setgid directory explanation.