| Lesson 8 | Additional access permission bits |
| Objective | Describe the Use of the save text and SUID/SGID access permission Bits. |
Describe Use of save text and SUID
- Save Text (Sticky) Bit:
The save text or sticky bit is an access permission bit used in Unix-like operating systems to control the behavior of executables and directories. When set on an executable file, it indicates that the kernel should retain the text segment of the program in swap space after execution. This helps improve the startup time of frequently used programs, as the text segment does not need to be reloaded from disk each time the program is executed.
For directories, the sticky bit restricts the deletion of files within the directory. When set, only the file owner, directory owner, or a privileged user can delete or rename a file, even if the directory's write permissions would otherwise allow such operations. This is particularly useful for shared directories, like /tmp, where it prevents users from inadvertently deleting or renaming files belonging to other users. - Set User ID (SUID) Bit: The Set User ID (SUID) bit is an access permission bit used in Unix-like operating systems to allow a user to execute a program with the privileges of the file owner rather than their own. When the SUID bit is set on an executable file, the process that runs the program temporarily assumes the file owner's user ID. This allows certain privileged operations, such as changing the system time or managing system processes, to be performed by non-privileged users through controlled interfaces.
It is important to note that the use of SUID should be limited to cases where it is absolutely necessary, as it can introduce potential security risks if not managed properly. - Set Group ID (SGID) Bit: The Set Group ID (SGID) bit is an access permission bit used in Unix-like operating systems to allow a user to execute a program with the privileges of the file's group owner, rather than their own primary group. When the SGID bit is set on an executable file, the process that runs the program temporarily assumes the file's group owner's group ID. For directories, the SGID bit ensures that newly created files and subdirectories inherit the parent directory's group ownership, rather than the primary group of the user who created them. This is useful for managing group-based access control and collaborative work environments.
- File Locking: File locking is a mechanism used in Unix-like operating systems to ensure that multiple processes do not access or modify a shared file simultaneously. File locking can be implemented using advisory or mandatory locking methods. The access permission bits for file locking are not directly set or manipulated by users, but they are used internally by the operating system.
Advisory locking allows cooperating processes to place locks on a file to signal their intention to access the file. Other processes can check for existing locks before accessing the file and choose to respect them or ignore them. Advisory locking is generally used for situations where processes can trust each other to coordinate access properly.
Mandatory locking enforces access restrictions on a file based on the file's permission bits. When a file is locked with mandatory locking, any process that attempts to access the file without the appropriate lock will be blocked until the lock is released. This is useful for situations where processes cannot trust each other to coordinate access properly or when strict data consistency is required.
In addition to the rwx bits we discussed in detail above, UNIX supports four other types of access:
- Save text (t)
- SUID,
- SGID and
- File locking (l)
Save text permission
Setting the save text bit (indicated by t) on an executable file is supposed to tell the kernel to leave a program in memory after it terminates.
This use is now largely obsolete. The save text permission on a directory means something slightly different. When this permission bit is set on a directory, a user may delete a file only if he or she has write permission (w) for that file,
even if he or she has write permission on the directory. This is a strengthening of the normal UNIX rules discussed in a previous lesson. To set this bit, use the command
To unset this bit, use the command
chmod u+t directory
To unset this bit, use the command
chmod u–t directory
Unix Operating System
SUID/SGID Permissions
When used on a file, these bits are extremely important, but are also relevant to running processes. Therefore, we will discuss them in further detail a bit later in this course when we discuss processes. The SGID bit has a special meaning when set on a directory. It forces new files created in that directory to be owned by the same group that owns the directory (instead of the group of the file's creator). This feature can be convenient if you want to force all files created in a certain directory (regardless of who creates them) to have the same group ownership. To set this bit on a directory, you would use
chmod g+s directory
File locking
File locking permissions in Unix-like systems (including Linux) provide a mechanism to control and synchronize access to files, especially when multiple processes or users are involved. Here's a breakdown of key concepts:
Purpose of File Locking:
Types of File Locks:
Lock Granularity:
Tools For File Locking:
Example Scenario: Imagine a log file being written to by multiple processes. With file locking, a process can acquire an exclusive lock on the log file before appending data. This prevents other processes from writing at the same time, ensuring the log's integrity.
Important Notes:
Purpose of File Locking:
- Prevent Data Corruption: Locking prevents multiple processes or users from modifying the same file simultaneously, leading to potential data loss or inconsistencies.
- Coordination: File locking allows processes to coordinate access to shared resources. For example, one process can lock a file, make changes, and then release the lock, signaling to other processes that the file is now safe to modify.
Types of File Locks:
- Advisory Locks:
- Cooperative in nature – processes are expected to check for locks before accessing a file.
- A process can technically violate an advisory lock, but well-behaved programs generally respect them.
- Mandatory Locks:
- Enforced by the operating system kernel.
- Even if a process tries to access a file with a mandatory lock, the kernel will deny access, ensuring strict protection.
Lock Granularity:
- Whole-file Locks: The entire file is locked. Simple, but less flexible if multiple processes need non-overlapping access to different parts of the file.
- Byte-range Locks: Allows locking of specific sections within a file, enabling finer-grained control for concurrent access.
Tools For File Locking:
- fcntl() : A system call used within programs to acquire and release locks.
- lockf() : A command-line utility simplified interface for file locking actions.
- Specific Commands: Some commands (like editors) might have built-in locking features to prevent conflicts while editing a file.
Example Scenario: Imagine a log file being written to by multiple processes. With file locking, a process can acquire an exclusive lock on the log file before appending data. This prevents other processes from writing at the same time, ensuring the log's integrity.
Important Notes:
- File locking is most effective when all processes accessing a shared file cooperate.
- Network file systems (NFS) add complexity, as locking mechanisms might need to function across systems.