|Lesson 8|| Additional access permission bits|
|Objective|| Describe the Use of the save text and SUID/SGID access permission Bits.|
Describe Use of save text and SUID
- Save Text (Sticky) Bit:
The save text or sticky bit is an access permission bit used in Unix-like operating systems to control the behavior of executables and directories. When set on an executable file, it indicates that the kernel should retain the text segment of the program in swap space after execution. This helps improve the startup time of frequently used programs, as the text segment does not need to be reloaded from disk each time the program is executed.
For directories, the sticky bit restricts the deletion of files within the directory. When set, only the file owner, directory owner, or a privileged user can delete or rename a file, even if the directory's write permissions would otherwise allow such operations. This is particularly useful for shared directories, like /tmp, where it prevents users from inadvertently deleting or renaming files belonging to other users.
- Set User ID (SUID) Bit: The Set User ID (SUID) bit is an access permission bit used in Unix-like operating systems to allow a user to execute a program with the privileges of the file owner rather than their own. When the SUID bit is set on an executable file, the process that runs the program temporarily assumes the file owner's user ID. This allows certain privileged operations, such as changing the system time or managing system processes, to be performed by non-privileged users through controlled interfaces.
It is important to note that the use of SUID should be limited to cases where it is absolutely necessary, as it can introduce potential security risks if not managed properly.
- Set Group ID (SGID) Bit: The Set Group ID (SGID) bit is an access permission bit used in Unix-like operating systems to allow a user to execute a program with the privileges of the file's group owner, rather than their own primary group. When the SGID bit is set on an executable file, the process that runs the program temporarily assumes the file's group owner's group ID.
For directories, the SGID bit ensures that newly created files and subdirectories inherit the parent directory's group ownership, rather than the primary group of the user who created them. This is useful for managing group-based access control and collaborative work environments.
- File Locking:
File locking is a mechanism used in Unix-like operating systems to ensure that multiple processes do not access or modify a shared file simultaneously. File locking can be implemented using advisory or mandatory locking methods. The access permission bits for file locking are not directly set or manipulated by users, but they are used internally by the operating system.
Advisory locking allows cooperating processes to place locks on a file to signal their intention to access the file. Other processes can check for existing locks before accessing the file and choose to respect them or ignore them. Advisory locking is generally used for situations where processes can trust each other to coordinate access properly.
Mandatory locking enforces access restrictions on a file based on the file's permission bits. When a file is locked with mandatory locking, any process that attempts to access the file without the appropriate lock will be blocked until the lock is released. This is useful for situations where processes cannot trust each other to coordinate access properly or when strict data consistency is required.
In addition to the rwx bits we discussed in detail above, UNIX supports four other types of access:
- Save text (t)
- SGID and
- File locking (l)
Save text permission
Setting the save text bit (indicated by t) on an executable file is supposed to tell the kernel to leave a program in memory after it terminates.
This use is now largely obsolete. The save text permission on a directory means something slightly different. When this permission bit is set on a directory, a user may delete a file only if he or she has write permission (w) for that file,
even if he or she has write permission on the directory. This is a strengthening of the normal UNIX rules discussed in a previous lesson. To set this bit, use the command
chmod u+t directory
To unset this bit, use the command
chmod u–t directory
When used on a file, these bits are extremely important, but are also relevant to running processes. Therefore, we will discuss them in further detail a bit later in this course when we discuss processes. The SGID bit has a special meaning when set on a directory. It forces new files created in that directory to be owned by the same group that owns the directory (instead of the group of the file's creator). This feature can be convenient if you want to force all files created in a certain directory (regardless of who creates them) to have the same group ownership. To set this bit on a directory, you would use
chmod g+s directory
The file locking permission is used in special circumstances outside the scope of this course.
Unix Operating System