Sunday, 18 Feb, 2018

What happens if you setgid directories?

This is a spiritual follow-up to my previous post, Sticky Bits, Set[UID][GID] & checksecurity tools, which introduced the setuid and setgid attributes on files. Applied to directories, setuid and setgid mean something quite different. If you recall the previous post, the bits on a file change the identity a program runs with, so they are closer to "execution" permissions. On a directory, setgid is closer to a "file creation" rule than to anything about execution. More specifically:

Setgid on a directory makes every new file created inside it inherit the directory's group ownership (the group shown on the "parent" directory) rather than the primary group of the user who created it. It changes only the group owner of the new file, not its mode bits: whether the other members of that group can read or write the file is still decided by the creator's umask.

Setuid on a directory is simply ignored on Linux (it does nothing).

The same behaviour applies to newly created sub-directories of a setgid directory: they get the parent's group, and they also inherit the setgid bit itself, so the rule keeps propagating down the tree.

Why use setgid?

setgid is the simplest way to build a basic shared folder structure. It is also commonly used on version control servers (for example, shared git repositories). All the users in the group can create files inside the directory, and every newly created file obtains the group of the (main) directory instead of the primary group of the user creating it, so the other members can reach it through their group membership.

Easier said than done? Time for examples then. Run a bash terminal on Ubuntu/CentOS (as root) and type the following:

groupadd shared-grp
useradd pwrusr1
passwd pwrusr1
useradd pwrusr2
passwd pwrusr2
useradd pwrusr3
passwd pwrusr3
usermod -G shared-grp,pwrusr1 pwrusr1
usermod -G shared-grp,pwrusr2 pwrusr2
usermod -G shared-grp,pwrusr3 pwrusr3

The above commands will: create a new group named "shared-grp"; create 3 new users named pwrusr1, pwrusr2 and pwrusr3. Please note that, with the default configuration of useradd on these distributions, creating a user also creates a new group per user.
In other words, these new groups are named exactly the same as the new users (ie. "useradd pwrusr1" creates one new user named "pwrusr1" AND one new group called "pwrusr1", and so on). That per-user group is the user's primary group. The usermod command assigns each user to the supplementary group "shared-grp"; -G replaces the whole supplementary group list, so listing the user's own group again is harmless but not needed (the primary group is kept regardless). On a system where the users already belong to other groups, use "usermod -aG shared-grp pwrusr1" instead, which appends rather than replaces.

Now that all the new users (pwrusr1, 2, etc.) also belong to the same shared group (shared-grp), create a new shared folder (say "/shared-folder"):

mkdir /shared-folder
chown root:shared-grp /shared-folder
chmod 2775 /shared-folder

The first command simply creates a new directory named "/shared-folder". The second command sets its ownership (owner = root, group = shared-grp). Finally, the third command sets the folder's UNIX mode to "2775": the usual "775" (rwxrwxr-x) plus the setgid bit, which is the leading "2". Running "ls -ld /shared-folder" afterwards shows root as the owner and "shared-grp" as the group, and the permission string reads "rwxrwsr-x": the "s" in the group triplet is the setgid bit set by the chmod.

Playin' with users and files on setgidded-dirs.

My example is very basic, hope you get the idea. Now that you have a shared folder with the proper permissions, it's time to create some files. Type the following commands:

login pwrusr1
touch /shared-folder/pwrusr1-newfile.txt
login pwrusr2
touch /shared-folder/pwrusr2-newfile.txt
login pwrusr3
touch /shared-folder/pwrusr3-newfile.txt
ll /shared-folder

("su - pwrusr1" works just as well as "login pwrusr1", and "ll" is the "ls -l" alias shipped on Ubuntu/CentOS.) With the above commands you will: 1. log in as each user (ie. pwrusr1, 2 & 3); 2. create an empty text file inside /shared-folder. You will notice each file is owned by the user that logged in and created it. You will also notice that each file belongs to the SAME group as the parent directory (where "/shared-folder"-Group == shared-grp), not to the creator's primary group.
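The whole procedure above, and the "can another group member write to it?" question the next section relies on, as an added example that is not code from the original post. It repeats the /shared-folder sequence in a scratch directory without needing root: instead of a new shared-grp, the directory is handed to one of the current user's own supplementary groups (falling back to the primary group), which is enough for the kernel to show the inheritance. Names such as pick_shared_group and find_setgid_dirs are my own; stat -c is the GNU/BusyBox form used on Ubuntu/CentOS.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Reproduces the
# /shared-folder procedure in a temporary directory as an unprivileged
# user: no groupadd/useradd/chown-to-root needed, the directory simply
# gets one of the current user's own groups (assumption: the user owns
# at least one group besides the primary one; otherwise it falls back).
set -eu

# Numeric gid for the shared directory: the first supplementary group that
# differs from the primary group, so the inherited group is visibly "other".
pick_shared_group() {
    local primary g
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo "$primary"   # only one group: setgid propagation still shows
}

# Equivalent of the post's mkdir / chown root:shared-grp / chmod 2775.
make_shared_dir() {
    local dir=$1 gid=$2
    mkdir -p "$dir"
    chgrp "$gid" "$dir"   # numeric gid, no /etc/group entry required
    chmod 2775 "$dir"     # 775 plus the setgid bit (the leading 2)
}

# Numeric group owner of a path.
gid_of() { stat -c %g "$1"; }

# Octal mode including the special bits (2775 for the setgid dir).
mode_of() { stat -c %a "$1"; }

# Create an empty file under a given umask and print the resulting mode.
# setgid fixes the file's group; the umask decides if that group may write.
create_file_with_umask() {
    local path=$1 mask=$2
    ( umask "$mask" && touch "$path" )
    mode_of "$path"
}

# True when the group-write bit is set (6th char of "-rw-rw-r--").
group_can_write() { [ "$(stat -c %A "$1" | cut -c6)" = "w" ]; }

# Audit helper: every setgid directory below a path, one filesystem only.
find_setgid_dirs() { find "$1" -xdev -type d -perm -2000 2>/dev/null; }

# Walk the scenario end to end in a scratch directory and print the results.
demo() {
    local base gid shared f
    base=$(mktemp -d)
    gid=$(pick_shared_group)
    shared="$base/shared-folder"
    make_shared_dir "$shared" "$gid"

    mkdir "$shared/sub"   # sub-directories inherit the group AND the setgid bit
    create_file_with_umask "$shared/pwrusr1-newfile.txt" 022 >/dev/null  # default umask
    create_file_with_umask "$shared/pwrusr2-newfile.txt" 002 >/dev/null  # group-friendly umask

    printf 'primary gid %s, shared dir gid %s, mode %s\n' \
        "$(id -g)" "$(gid_of "$shared")" "$(mode_of "$shared")"
    printf 'sub dir gid %s, mode %s, setgid inherited: %s\n' \
        "$(gid_of "$shared/sub")" "$(mode_of "$shared/sub")" \
        "$([ -g "$shared/sub" ] && echo yes || echo no)"
    for f in "$shared"/*.txt; do
        printf '%s: gid %s mode %s group-writable: %s\n' "${f##*/}" \
            "$(gid_of "$f")" "$(mode_of "$f")" \
            "$(group_can_write "$f" && echo yes || echo no)"
    done
    echo "setgid dirs under $base:"
    find_setgid_dirs "$base"
    rm -rf "$base"
}

demo
```

Run it as one of the pwrusrX users after the setup above and the "shared dir gid" line shows shared-grp's gid while "primary gid" shows the user's own group. The two .txt lines are the part to look at: both files carry the directory's group, but only the one created under umask 002 is group-writable, so that is the umask the shared-grp members need if they are supposed to edit each other's files.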
Look at the owners and groups of the .txt files in the listing to fully understand setgid. I logged in with every pwrusrX user and created a new file, called "pwrusrX-newfile.txt" (inside "/shared-folder"). For example, you'll notice "pwrusr2-newfile.txt" is owned by pwrusr2, though the group is the same "shared-grp"!

101 Proof™.

To prove the concept: 1. while logged in as pwrusr3; 2. I edited with vi "pwrusr1-newfile.txt" (ie. originally created and owned by pwrusr1). FWIW, I could have done that with any other user (ie. pwrusr2 or pwrusr1), as long as the user is a member of the same "shared-grp" group. I edited "pwrusr1-newfile.txt" while logged in as pwrusr3 (inside the edited file I simply pasted the first list of commands at the beginning of this post).

One detail that step depends on: setgid only decides the group of the new file, it does not make the file group-writable. "touch" creates files with mode 0666 masked by the creator's umask, so with the default umask of 022 "pwrusr1-newfile.txt" comes out as rw-r--r-- and pwrusr3 cannot save a plain ":w" on it (a forced ":w!" may still get through only because the directory itself is group-writable, and it does so by recreating the file rather than editing it in place). For a shared folder that is meant to be edited by the whole group, give its members a umask of 002 (new files then come out as rw-rw-r--, matching the directory's "rwxrwsr-x"), or fix existing files with "chmod g+w". The flip side is the security point: once the files are group-writable, every member of shared-grp can modify or delete every file in the folder regardless of who created it; if deleting other people's files should not be possible, add the sticky bit from the previous post as well ("chmod 3775 /shared-folder").

That (more or less) is all there is to know about setgid applied to directories.

Andrea Matesi, Senior Professional Network and Computer Systems Engineer during work hours and father when home.