From: Luis P. Mendes on 18 Dec 2009 18:16

Fri, 18 Dec 2009 13:32:42 -0800, steven_nospam at Yahoo! Canada wrote:

> On Dec 17, 6:36 pm, "PengYu...(a)gmail.com" <pengyu...(a)gmail.com> wrote:
>> I have a directory of mode 'drwx--Sr-x'. I'm wondering what 'S' means
>> and how to remove this mode.
>
> It's not the typical permissions I would expect to see.
>
> If you know how the chmod and the modes are used, you know that there
> are three sets of permissions, one for each ownership category:
>
> User
> Group
> Other
>
> Each group can have three "standard" permission settings of (r)ead,
> (w)rite, and e(x)ecute. It decides who can do what with a file on the
> system. So in my example file:
>
> -rwxr-xr-- root staff example.file
>
> If you ignore the leading "-" for a minute, you can break this down as:
>
> User = rwx (The "root" user has read, write, and execute permissions to
> this file.)
> Group = r-x (The "staff" members have read and execute option, but
> cannot write to or update the file.)
> Other = r-- (Anyone who is not root and not a member of staff group has
> only read access to this file.)
>
> Getting back to that leading "-" symbol, that is used to signify the
> type of file that is represented. In the case of a "-" it is a standard
> file. Others could be "d" for directory, "l" for a link, "c" for
> character special file, or "b" for binary special file. There are
> probably others, but that is not the focus here.
>
> So where do the "s" or "S" come into the picture? Just as you can break
> the permissions down into three sets, there is an S-bit setting for each
> of those groups (the one on the "other" group is not used or ignored).
> The active S-bits are usually referred to as the setuid or setgid bit.
>
> One of the things that the S-bit does is control how other files get
> created, allowing you to have permissions to create files as someone
> OTHER than your default UID.
>
> Here is an example:
>
> If a directory called /reports has the permissions of drwxrws--- and
> root:docusers, any reports (files) that get created in that directory
> will have group ownership of "docusers", allowing everyone in the group
> the ability to see that report. If it was not set this way and root user
> creates a report through cron, it may show up as root:system, and only
> root (or a member of system) would be able to access that file.
>
> For executable files such as compiled C-programs, the S-bit on the user
> portion will cause the program to run as if it were being run by the
> owner of the file. This has been used for certain utilities in the past
> so that they can be run as if they had been started by root user. A good
> example of this would be a program that is used to disable or enable
> virtual printer queues. On some UNIX versions, you must be root or a
> member of printq group to do this, but if you have a utility that is
> owned by root that enables or disables the queues, anyone can run it if
> the S-bit is on like this: -rwsr-xr-x and root:staff
>
> A lowercase "s" means the S and the x are present. An uppercase "S"
> means the x is not present.
>
> The chmod numbers match up in this way (I hope this chart shows up ok):
>
> +__4__ +__2__ +__1__ +
> | 4_2_1 | 4_2_1 | 4_2_1 |
> | r_w_x | r_w_x | r_w_x |
>
> So if you want "rwxr-sr--" as the permissions, you add the numbers:
>
> Setgid = 2
> User = 4+2+1 = 7
> Group = 4+1 = 5
> Other = 4
>
> Result: chmod 2754
>
> Hope this helps. And like others have mentioned, you can find this info
> on Wikipedia under "UNIX permissions" and "setuid setgid" topics.

Great post, thank you!

Luis
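
Added example (not part of the original posts): a small Python helper that applies the 4/2/1 arithmetic from the quoted reply to any `ls -l` mode string, including the 'drwx--Sr-x' directory from the question, and computes the mode with setgid masked off. The function names are made up for this illustration, and the handling of 't'/'T' in the last position goes beyond what the thread covers.

```python
import stat

# File-type letter in column 1 of `ls -l` output -> S_IF* constant.
TYPES = {"-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK,
         "c": stat.S_IFCHR, "b": stat.S_IFBLK}
# Special bit shown in the x column of user, group, other (4, 2, 1 in the chart).
SPECIAL = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)


def parse_mode(text):
    """Convert a mode string such as 'drwx--Sr-x' to its numeric mode."""
    if len(text) != 10 or text[0] not in TYPES:
        raise ValueError(f"not a 10-character mode string: {text!r}")
    mode = 0
    for i in range(3):                       # 0 = user, 1 = group, 2 = other
        r, w, x = text[1 + 3 * i:4 + 3 * i]
        shift = 6 - 3 * i                    # user digit is the highest
        lower, upper = ("s", "S") if i < 2 else ("t", "T")
        if r not in "r-" or w not in "w-" or x not in ("x", "-", lower, upper):
            raise ValueError(f"bad permission triplet in {text!r}")
        if r == "r":
            mode |= 4 << shift
        if w == "w":
            mode |= 2 << shift
        if x in ("x", lower):                # lowercase: execute bit is present
            mode |= 1 << shift
        if x in (lower, upper):              # either case: special bit is set
            mode |= SPECIAL[i]
    return mode


def chmod_arg(text):
    """Four-digit octal string to pass to chmod for this mode string."""
    return format(parse_mode(text), "04o")


def clear_setgid(text):
    """Four-digit octal mode with the setgid bit masked off."""
    return format(parse_mode(text) & ~stat.S_ISGID, "04o")


def canonical(text):
    """Render the parsed bits back with the standard library as a cross-check."""
    return stat.filemode(TYPES[text[0]] | parse_mode(text))


if __name__ == "__main__":
    # Mode strings taken from the thread above.
    for m in ("drwx--Sr-x", "-rwxr-sr--", "drwxrws---", "-rwsr-xr-x"):
        print(m, chmod_arg(m), "without setgid:", clear_setgid(m), canonical(m) == m)
```

For a directory, GNU chmod keeps the setuid and setgid bits when given a plain numeric mode, so clear the bit with `chmod g-s dir` (or a five-digit mode such as 00705) rather than `chmod 0705 dir`.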