Certified Linux Administrator SetUID, ps, df, ulimit and chroot

SetUID, ps, df, ulimit and chroot
 


SetUID

The concept of setuid files means that if you have the setuid bit turned on on a file, anybody executing that command (file) will inherit the permissions of the owner of the file. So if you have the following setuid file:

-rwsr-xr-x  1 tot        2437 Sep  8 18:12 foo

This means, that when any user executes this file `foo', he will inherit tot's uid (which means he inherits all their file access permissions whether you're tot or not). Note: this can be quite dangerous. If you have a setuid shell owned by yourself, and I execute it, I essentially inherit your file permissions, hence have the ability to remove all your files.

In the above output, the reason for the small s means there's an x (execute) under it that's hidden. If it were a large S as in:

-rwSrw-rw-  1 tot        2437 Sep  8 18:12 foo

This means there's no x under the S. In order to make a file setuid, you prepend the three digits given chown with a 4, or use the s option. For example to get the first output:

-rwsr-xr-x  1 tot        2437 Sep  8 18:12 foo

I did a chmod 4755. The same is true for group, except use a 2 instead. If you want both, add them, to get 6. Hence a file with chmod 6755 would look like:

-rwsr-sr-x  1 tot        2437 Sep  8 18:12 foo


 

The Linux Files can be setuid or setgid. When a user executes a setuid file, the program runs with the effective user ID of the file’s owner, rather than that of the user. Similarly, when a user executes a setgid file, the program runs with the effective group ID of the file’s group owner, rather than that of the user.

Directories can also be setgid. When a user creates a file in a non-setgid directory, the group ownership of the file is set to the user’s group ID. However, when a user creates a file in a setgid directory, the group ownership of the file is set to the group owner of the directory.

To enable setuid you can use Linux chmod command as shown below.

chmod u+s file_name

Example:

[root@RHEL2 setuidtest]# ls -l
total 0
-rwxr--r-- 1 root root 0 Jul 6 07:34 setuidtest
[root@RHEL2 setuidtest]# chmod u+s setuidtest
[root@RHEL2 setuidtest]# ls -l
total 0
-rwsr--r-- 1 root root 0 Jul 6 07:34 setuidtest
[root@RHEL2 setuidtest]#

To disable setuid you can use Linux chmod command as shown below.

Example:

chmod u-s file_name

[root@RHEL2 setuidtest]# ls -l
total 0
-rwsr--r-- 1 root root 0 Jul 6 07:34 setuidtest
[root@RHEL2 setuidtest]# chmod u-s setuidtest
[root@RHEL2 setuidtest]# ls -l
total 0
-rwxr--r-- 1 root root 0 Jul 6 07:34 setuidtest
[root@RHEL2 setuidtest]#

To enable setgid you can use Linux chmod command as shown below.

chmod g+s file_name

Example:

[root@RHEL2 setgidtest]# ls -l
total 0
-rwxrwxr-- 1 root root 0 Jul 6 08:13 setgidtest
[root@RHEL2 setgidtest]# chmod g+s setgidtest
[root@RHEL2 setgidtest]# ls -l
total 0
-rwxrwsr-- 1 root root 0 Jul 6 08:13 setgidtest
[root@RHEL2 setgidtest]#

To enable setgid you can use Linux chmod command as shown below.

chmod g-s file_name

Example:

[root@RHEL2 setgidtest]# ls -l
total 0
-rwxrwsr-- 1 root root 0 Jul 6 08:13 setgidtest
[root@RHEL2 setgidtest]# chmod g-s setgidtest
[root@RHEL2 setgidtest]# ls -l
total 0
-rwxrwxr-- 1 root root 0 Jul 6 08:13 setgidtest
[root@RHEL2 setgidtest]#

Note: Also Octal values 4 and 2 can be used for setuid and setgid respectively.

 


In most Unix-like operating systems, the ps program (short for "process status") displays the currently-running processes. A related Unix utility named top provides a real-time view of the running processes.

For example:

# ps
  PID TTY          TIME CMD
 7431 pts/0    00:00:00 su
 7434 pts/0    00:00:00 bash
18585 pts/0    00:00:00 ps

Users can also utilize the ps command in conjunction with the grep(see the pgrep and pkill commands) command to find information about one process, such as its process id:

$ # Trying to find the PID of `firefox-bin` which is 2701
$ ps -A | grep firefox-bin
2701 ?        22:16:04 firefox-bin

and the easier version with pgrep:

$ pgrep -l firefox-bin
2701 firefox-bin

To see every process running as root (real & effective ID) in user format:

# ps -U root -u root u
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  10348   640 ?        Ss    2009   0:06 init [5]

Options

ps has many options. On operating systems that support the SUS and POSIX standards, ps commonly runs with the options -ef, where "-e" selects every process and "-f" chooses the "full" output format. Another common option on these systems is -l, which specifies the "long" output format.

Most systems derived from BSD fail to accept the SUS and POSIX standard options because of historical conflicts (for example, the "e" or "-e" option will cause the display of environment variables). On such systems, ps commonly runs with the non-standard options aux, where "a" lists all processes on a terminal, including those of other users, "x" lists all processes without controlling terminals and "u" adds a column for the controlling user for each process. Note that, for maximum compatibility when using this syntax, there is no "-" in front of the "aux". Also you can add 'ww' after aux, like "ps auxww" for complete information about the process including all parameters.


df (abbreviation for disk free) is a standard Unix computer program used to display the amount of available disk space for filesystems on which the invoking user has appropriate read access. df is usually implemented by reading the mtab file or using statfs.

The Single UNIX Specification specifications for df are:

 df [-k] [-P|-t] [-del] [file...]
-k
Use 1024-byte units, instead of the default 512-byte units, when writing space figures.
-P
Use a standard, portable, output format
-t
If XSI compliant, show allocated space as well[dubious discuss]
-h
Display in KB, MB, or GB
file
Write the amount of free space of the file system containing the specified file

Most Unix and Unix-like operating systems add extra options. The BSD and GNU coreutils versions include -h, where free space is listed in human readable format, adding units with the appropriate SI prefix (e.g. 10MB), -i, listing inode usage, and -l, restricting display to only local filesystems. GNU df includes -T as well, listing filesystem type information, but the GNU df shows the sizes in 1K blocks by default.

Specification

The Single Unix Specification (SUS) specifies by default space is reported in blocks of 512 bytes, and that at a minimum, the file system names and the amount of free space.

The use of 512-byte units is historical practice and maintains compatibility with ls and other utilities. This does not mandate that the file system itself be based on 512-byte blocks. The -k option was added as a compromise measure. It was agreed by the standard developers that 512 bytes was the best default unit because of its complete historical consistency on System V (versus the mixed 512/1024-byte usage on BSD systems), and that a -k option to switch to 1024-byte units was a good compromise. Users who prefer the more logical 1024-byte quantity can easily alias df to df -k without breaking many historical scripts relying on the 512-byte units.

The output with -P shall consist of one line of information for each specified file system. These lines shall be formatted as follows:

, , , , , 

In the following list, all quantities expressed in 512-byte units (1024-byte when -k is specified) shall be rounded up to the next higher unit. The fields are:

The name of the file system, in an implementation-defined format.

The total size of the file system in 512-byte units. The exact meaning of this figure is implementation-defined, but should include , , plus any space reserved by the system not normally available to a user.

The total amount of space allocated to existing files in the file system, in 512-byte units.

The total amount of space available within the file system for the creation of new files by unprivileged users, in 512-byte units. When this figure is less than or equal to zero, it shall not be possible to create any new files on the file system without first deleting others, unless the process has appropriate privileges. The figure written may be less than zero.

The percentage of the normally available space that is currently allocated to all files on the file system. This shall be calculated using the fraction:

/ (+ )

expressed as a percentage. This percentage may be greater than 100 if is less than zero. The percentage value shall be expressed as a positive integer, with any fractional result causing it to be rounded to the next highest integer.

The directory below which the file system hierarchy appear

Example

 $ df -k
 Filesystem    1024-blocks      Free %Used    Iused %Iused Mounted on
 /dev/hd4            32768     16016   52%     2271    14% /
 /dev/hd2          4587520   1889420   59%    37791     4% /usr
 /dev/hd9var         65536     12032   82%      518     4% /var
 /dev/hd3           819200    637832   23%     1829     1% /tmp
 /dev/hd1           524288    395848   25%      421     1% /home
 /proc                   -         -    -         -     -  /proc
 /dev/hd10opt        65536     26004   61%      654     4% /opt


ulimit command- Limit user resources
Syntax: ulimit [-acdfHlmnpsStuv] [limit]

Description: The shell contains a built-in command to limit file sizes, ulimit, which can also be used to display limitations on system resources
A second method for limiting the potential impact of runaway processes is to set limits on a per process basis. This can be achieved by setting the ulimit command in /etc/profile.
To set a soft limit on the maximum amount of memory available to a given process to a value that is less than the total amount of memory on the system on a system with 1 gig of real memory and 500 megs of virtual memory you would set the following values in /etc/profile:

ulimit -S -m 1000000
ulimit -S -v 500000

With this value set, the system will kill any process that tries to take up more resources than you have set as a limit.

Example: 

cindy:~> ulimit -a
core file size (blocks)0
data seg size (kbytes) unlimited
file size (blocks) unlimited
max locked memory (kbytes) unlimited
max memory size (kbytes) unlimited
open files 1024
pipe size (512 bytes) 8
stack size (kbytes) 8192
cpu time (seconds) unlimited
max user processes 512
virtual memory (kbytes) unlimited




A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally not access) files outside the designated directory tree. The term "chroot" may refer to the chroot(2) system call or the chroot(8) wrapper program. The modified environment is called a "chroot jail".

chroot changes the root directory to that specified in path. This directory will be used for path names beginning with /. The root directory is inherited by all children of the current process.

Only the super-user may change the root directory.

Note that this call does not change the current working directory, so that `.' can be outside the tree rooted at `/'. In particular, the super-user can escape from a `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.  

RETURN VALUE

On success, zero is returned. On error, -1 is returned, and errno is set appropriately.  

ERRORS

Depending on the file system, other errors can be returned. The more general errors are listed below:

 

EPERM
The effective UID is not zero.
EFAULT
path points outside your accessible address space.
ENAMETOOLONG
path is too long.
ENOENT
The file does not exist.
ENOMEM
Insufficient kernel memory was available.
ENOTDIR
A component of path is not a directory.
EACCES
Search permission is denied on a component of the path prefix.
ELOOP
Too many symbolic links were encountered in resolving path.
EIO
An I/O error occurred.
 

 

 For Support