chmod Special Permissions Quiz

Questions and Answers

What happens when the Setuid bit is set on an executable file?

  • Users cannot execute the file.
  • Users can only read the file.
  • Users can run the file with their own permissions.
  • Users can run the file with the permissions of the file's owner. (correct)

    The Setgid bit influences the permissions of an executable file only.

    False (B)

    What is an example of a command that uses the Setuid permission?

    passwd

    The Setgid bit ensures that files created in a directory inherit the directory's ______.

    group

    Match the following special permissions with their functions:

    • Setuid = Allows running a file with the owner's permissions
    • Setgid = Allows running a file with the group's permissions
    • Sticky Bit = Only file owner can delete their files in a directory
    • SUID on directory = Files inherit the directory’s group

    What will the file permissions look like when the Setuid bit is set for the owner?

    rwsr-xr-x (D)

    The Sticky Bit is specifically used to grant elevated permissions to executable files.

    False (B)

    Which command would you use to set the Setgid bit on a directory?

    chmod g+s directory

    What does the Setuid permission do?

    Allows a file to run with the owner's permissions (C)

    The Setgid permission ensures that newly created files within a directory inherit the owner's permissions.

    False (B)

    What command is used to add the Sticky Bit to a directory?

    chmod o+t directory_name

    PAM stands for __________.

    Pluggable Authentication Modules

    Match the PAM module with its purpose:

    • pam_unix.so = Handles traditional password-based authentication
    • pam_ldap.so = Authenticates users against an LDAP directory
    • pam_tally2.so = Tracks failed login attempts and locks accounts
    • pam_cracklib.so = Enforces password strength rules

    Which type of PAM module is responsible for checking if a user's account is valid?

    account (D)

    PAM allows only one authentication method to be used per service.

    False (B)

    What is the purpose of the Sticky Bit in a directory?

    Restricts file deletion to the file owner and root

    A configuration file for PAM is typically located in __________.

    /etc/pam.d/

    Match the following PAM types with their descriptions:

    • auth = Handles user authentication
    • account = Verifies account validity
    • password = Manages password updates
    • session = Sets up user sessions

    Which of the following is a common module for enforcing password strength?

    pam_cracklib.so (A)

    PAM allows system administrators to define authentication policies for applications in multiple locations.

    False (B)

    What happens when an application requests authentication through PAM?

    PAM processes the request and determines the authentication result based on its configured modules.

    The command to set Setgid on a directory is __________.

    chmod g+s directory_name

    Flashcards

    What is Setuid?

    A special permission in Linux/Unix for executables that temporarily allows users to run the file with the owner's permissions, not their own.

    How does Setuid work?

    When the Setuid bit is set, it allows users who execute the file to temporarily run it with the file's owner's permissions, regardless of their own permissions.

    What is an example of a Setuid program?

    The passwd command updates passwords using elevated privileges, so it needs Setuid to allow regular users to temporarily run as root.

    What is Setgid?

    A special permission in Linux/Unix that allows users to temporarily run with the group permissions of a file instead of their own.

    How does Setgid work?

    Similar to Setuid, but it allows users to run with the group permissions of the file, instead of the user's own.

    What is a practical use case for Setgid?

    It's useful when you have a shared directory where files created by users need to have the same group ownership. For example, a team shared directory.

    What is the Sticky Bit?

    The sticky bit, denoted by 't' in chmod, is a permission applied to directories that restricts file deletion or renaming to only the file owner or root.

    How does the Sticky Bit work?

    It prevents other users from deleting or renaming files in the directory, even if they have write permissions. This ensures that the owner or root maintains control.

    Setuid (setuid bit)

    Special permissions that allow a file to run with the owner's privileges.

    Setgid (setgid bit)

    Special permissions that allow a file to run with the group's privileges.

    Setgid in directories

    A directory with the Setgid bit set, so new files created inside inherit the group ownership of the directory.

    Sticky bit in directories

    A bit that, when set in a directory, prevents users from deleting or renaming files that aren't owned by them.

    Pluggable Authentication Modules (PAM)

    A framework that manages user authentication for various applications and services in Unix-like operating systems.

    PAM Modules

    Small, reusable components that handle specific authentication tasks in PAM.

    PAM Configuration Files (/etc/pam.d)

    A directory where PAM configuration files are located.

    PAM Configuration Line

    A PAM configuration line that defines how a module is used and what to do if it succeeds or fails.

    PAM auth Module

    Type of PAM module responsible for handling user authentication using passwords, etc.

    PAM account Module

    Type of PAM module responsible for checking if a user's account is valid.

    PAM password Module

    Type of PAM module responsible for managing password updates.

    PAM session Module

    Type of PAM module responsible for managing user sessions.

    pam_unix.so module

    A PAM module that handles traditional password-based authentication.

    pam_ldap.so module

    A PAM module that authenticates users against an LDAP directory.

    pam_cracklib.so Module

    This module enforces password strength rules, like minimum length or character types.

    PAM Flexibility

    PAM's flexibility lets you customize authentication processes to suit specific needs.

    Study Notes

    chmod Special Permissions

    • s in chmod refers to Setuid or Setgid permissions, affecting file/directory access.

    Setuid (Set User ID)

    • Purpose: Allows running an executable with the owner's permissions, temporarily.
    • How it Works: Executes a file as if run by the owner of the file.
    • Example: passwd command—updates passwords with root privileges.
    • Setting Setuid: chmod u+s file (adds to owner)

    Setgid (Set Group ID)

    • Purpose: Allows running an executable with the group's permissions, temporarily. On a directory, applies the directory's group ownership to files/directories newly created inside.
    • How it Works: Temporarily runs with group permissions. Used for shared directories; ensures created files inherit the same group ownership.
    • Example: Shared team directory where all files belong to the team.
    • Setting Setgid: chmod g+s directory (adds to group)

    Sticky Bit (t)

    • Sticky bit, although not an s, is a special permission frequently used with chmod. On directories, only owner or root can delete/rename files, even if others have write access.

    Examples and Use Cases

    1. Setuid (Binary): Example program requiring temporary root privileges.

      • Owner: root
      • Permissions appear as: -rwsr-xr-x 1 root root 12345 Jan 7 14:00 program
    2. Setgid (Directory): Shared team directory with group ownership inheritance.

      • Permissions appear as: drwxrwsr-x 2 user team 4096 Jan 7 14:00 directory
    3. Sticky Bit with Setgid: Group collaboration with file security in a directory.

      • Permissions appear as: drwxrwsr-t 2 user team 4096 Jan 7 14:00 dir

    Pluggable Authentication Modules (PAM)

    • Purpose: A framework for flexible & centralized user authentication in Unix-like systems.

    Key Features of PAM

    • Pluggable: Uses modular "plugins" (modules) for authentication tasks.
    • Centralized: Defines policies for all applications in one place (config files).
    • Customizable: Services (e.g., SSH, sudo, login) can have unique authentication rules.

    How PAM Works

    1. Application Request: Application requests authentication from PAM.
    2. PAM Processes: PAM consults its config files to determine modules needed.
    3. Results: Modules handle specific tasks, and PAM returns a success/fail result to the application.

    PAM Configuration

    • Location: /etc/pam.d/ (or /etc/pam.conf)
    • Syntax: [type] [control] [module-path] [arguments] describes each module and its behavior—controls, module path, etc.

    PAM Module Types and Examples

    • auth: User authentication.
    • account: Checks account validity.
    • password: Manages password updates.
    • session: Sets up/tears down user sessions.
    • pam_unix.so: Traditional password authentication.
    • pam_ldap.so: LDAP (directory service) authentication.
    • pam_tally2.so: Tracks failed login attempts, locks accounts after failures.
    • pam_cracklib.so: Enforces password strength rules.
    • pam_mkhomedir.so: Automatically creates home directories on initial login.

    PAM Examples in Action

    • SSH Authentication (/etc/pam.d/sshd): Combining modules for flexible authentication.
    • Password Strength: Enforces strong passwords using pam_cracklib.
    • Account Lockout: Locks accounts after repeated login failures using pam_tally2.

    Advantages of PAM

    • Flexible: Customize authentication policies easily.
    • Centralized: Manage authentication across multiple services uniformly.
    • Extensible: Add new authentication methods (e.g., biometric).
    • Interoperable: Integrates with outside systems (e.g., LDAP, Kerberos).

    Conclusion

    • PAM provides centralized & flexible user authentication in Unix-like systems, enhancing security and simplifying system administration.

    Description

    Test your knowledge on special permissions in Unix using chmod, including Setuid, Setgid, and the Sticky Bit. This quiz will help you understand how these permissions affect file access and group ownership. Perfect for anyone looking to deepen their understanding of Unix permissions.
