such as before or during backup operations.
Note that the programs do not necessarily have to be removed from your
system. If your users really do not need to use the program, you can remove a
program’s execute permission for anyone. As the root operator, you have to
decide whether your users are allowed, for example, to mount and unmount
CD-ROMs or other media on your system. Although Linux-based operating
systems can be set up to accommodate ease of use and convenience, allowing
programs such as mount to be suid might not be the best security policy.
Other candidates for suid permission change could include the chsh, at, or
chage commands.
An additional setting called the sticky bit is available using this same
additional first digit. A sticky bit limits who may rename or delete files within
a directory. When it is set, files in that directory may be unlinked or renamed
only by a super user, the directory owner, or the file owner. Set the sticky bit
to on by using a 1, like this for a directory with 755 permissions:
matthew@seymour:~$ chmod 1755 directoryname
You can set the sticky bit concurrently with suid and sgid, like this (4 + 2 + 1):
matthew@seymour:~$ chmod 7755 directoryname
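As an added example that is not from the book, the following POSIX shell script applies the leading-digit modes shown above in a throwaway directory, audits which special bits each entry carries with find -perm, and applies the remedy the text describes (clearing suid/sgid and, where users do not need the program, removing execute permission). The function names, the scratch tree and the file named tool are assumptions; it runs without root.

```shell
# Added example, not from the book: set the special bits and audit them.

# special_bits PATH -> prints which of suid/sgid/sticky PATH carries, or
# "none". find -perm -MODE is true when every bit in MODE is set; -prune
# stops find from descending when PATH is a directory.
special_bits() {
    _out=""
    [ -n "$(find "$1" -prune -perm -4000 -print)" ] && _out="$_out suid"
    [ -n "$(find "$1" -prune -perm -2000 -print)" ] && _out="$_out sgid"
    [ -n "$(find "$1" -prune -perm -1000 -print)" ] && _out="$_out sticky"
    _out="${_out# }"
    printf '%s\n' "${_out:-none}"
}

# list_special_in DIR -> every entry below DIR with suid or sgid set, the
# candidates the text says to review (mount, chsh, at, chage on a real box).
list_special_in() {
    find "$1" ! -path "$1" \( -perm -4000 -o -perm -2000 \) -print | sort
}

# make_scratch -> builds a constructed scratch tree and prints its path:
#   shared/  chmod 1755  (sticky bit on a 755 directory)
#   all/     chmod 7755  (4 + 2 + 1: suid, sgid and sticky together)
#   tool     chmod 4755  (a suid program, like mount before hardening)
make_scratch() {
    _d=$(mktemp -d)
    mkdir "$_d/shared" "$_d/all"
    : > "$_d/tool"
    chmod 1755 "$_d/shared"
    chmod 7755 "$_d/all"
    chmod 4755 "$_d/tool"
    printf '%s\n' "$_d"
}

# harden_file PATH [noexec] -> clear suid/sgid; with "noexec" also remove
# execute permission for everyone. Prints the bits that remain (expect none).
harden_file() {
    chmod u-s,g-s "$1"
    [ "$2" = "noexec" ] && chmod a-x "$1"
    special_bits "$1"
}

d=$(make_scratch)
for f in "$d/shared" "$d/all" "$d/tool"; do
    printf '%-8s %s\n' "${f##*/}" "$(special_bits "$f")"
done
printf 'tool after hardening: %s\n' "$(harden_file "$d/tool" noexec)"
rm -rf "$d"
```

On a real system the same list_special_in test, pointed at /usr/bin or /, gives the inventory of suid and sgid programs that the text says each root operator should decide about.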
Setting Permissions with Access Control Lists
POSIX is a family of standards created to maintain stability and consistency
across operating systems for UNIX and UNIX-like systems, such as Linux.
One important feature of POSIX is the access control list (ACL; often
pronounced “AK-el”). ACLs permit even more fine-grained control over
access permissions.
By default, all files have an ACL. To view the ACL for a file, use this:
matthew@seymour:~$ getfacl filename
Typical getfacl output includes multiple lines, like this for
filename.txt: