relation between chmod and sudo on an executable file

Solution 1

First the terminology. chmod is a program (and a system call) which allows changing permission bits of a file in a filesystem. sudo is a special program that allows running other programs with different credentials (typically with elevated privileges, most usually those of the root user). su is similar but less (read "not") configurable than sudo - most importantly it authenticates users based on the knowledge of the root password (which is security-wise rather appalling).

The executable bit says whether the contents of a file may be loaded into the memory and run (it doesn't say anything about whether it makes sense - you can set the executable bit of a JPEG image and watch it fail spectacularly when you try to run it).

Now for the questions:

  1. The permissions are evaluated once the executable is being loaded. In the case of su and sudo this happens with the effective IDs (user and group - the credentials used in privilege evaluation - see the credentials(7) man page) of the target user. Hence if the target user is allowed to execute the file it is executed.

  2. As mentioned above: when the executable bit is set for the effective UID or GID, then it can be executed. Otherwise not.

  3. Generally, you don't. If you want, you can mark it as executable only for certain IDs and then prepare the sudo configuration so that it allows certain users to run that binary with the credentials of one of those that have executable rights on the file.

  4. No. It usually does not make much sense to prevent users from running programs that require special privileges - programs should handle lack of those (gracefully if possible). Some programs even have only some functionality that doesn't require special rights but offer more when run with special privileges - one example is route: unprivileged users may use it to display kernel routing tables, while administrators can also change those.

Solution 2

This may be splitting hairs, but: to execute a file, you must have execute permission to the file and all the directories you navigate to get to the file. So, if Tom has a program (do_interesting_stuff) in his home directory (/home/tom), and the directory is protected 700 (no access for anyone but owner) but the file is protected 755 (read and execute permission for everybody), you still will not be able to run /home/tom/do_interesting_stuff “as yourself” – you will need to become root (or “become tom”) with sudo or su to be able to execute that file.

And of course the same thing would be true if you wanted to read a file (interesting_stuff.txt) in Tom’s home directory, in the sense that you would need read access to the file and execute permission on the directory.
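The two answers above describe one combined check: the kernel picks the owner, group or "other" bits according to the caller's effective IDs, requires the x bit on every directory in the path, and requires an x bit on the file itself (even for root). Below is a small Python model of that evaluation with a constructed Tom/Alice/root scenario; it is an added illustration, not code from either answer, and the Inode and Cred classes and the uids 1000/1001 are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Inode:
    """Constructed metadata for one directory entry; no real filesystem is touched."""
    owner: int
    group: int
    mode: int              # permission bits only, e.g. 0o755
    is_dir: bool = False

@dataclass(frozen=True)
class Cred:
    """The effective IDs the kernel consults (see credentials(7))."""
    euid: int
    egid: int
    groups: frozenset = frozenset()   # supplementary groups

def class_bits(inode, cred):
    """Pick the owner, group or 'other' rwx triad that applies to this caller."""
    if cred.euid == inode.owner:
        return (inode.mode >> 6) & 0o7
    if cred.egid == inode.group or inode.group in cred.groups:
        return (inode.mode >> 3) & 0o7
    return inode.mode & 0o7

def may_search(directory, cred):
    """Traversing a directory needs its x bit; root (CAP_DAC_OVERRIDE) always passes."""
    return cred.euid == 0 or bool(class_bits(directory, cred) & 0o1)

def may_execute(file, cred):
    """Running a file needs the x bit of the caller's class; even root needs at least one x bit."""
    if cred.euid == 0:
        return bool(file.mode & 0o111)
    return bool(class_bits(file, cred) & 0o1)

def can_run(path, cred):
    """path is [dir, ..., dir, file]: every directory searchable and the file executable."""
    *dirs, target = path
    return all(may_search(d, cred) for d in dirs) and may_execute(target, cred)

# Constructed scenario from the answers: Tom (uid 1000) owns /home/tom (0700)
# and /home/tom/do_interesting_stuff (0755); Alice is uid 1001.
TOM, ALICE, ROOT = Cred(1000, 1000), Cred(1001, 1001), Cred(0, 0)
SLASH = Inode(0, 0, 0o755, is_dir=True)
HOME = Inode(0, 0, 0o755, is_dir=True)
TOM_HOME = Inode(1000, 1000, 0o700, is_dir=True)
PROG = Inode(1000, 1000, 0o755)
PATH_TO_PROG = [SLASH, HOME, TOM_HOME, PROG]
```

Running `can_run(PATH_TO_PROG, ALICE)` returns False although the file itself is 755, because Alice cannot search /home/tom; `sudo -u tom` would give her process Tom's effective IDs, which is exactly `can_run(PATH_TO_PROG, TOM)`.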

Author: Tim

Updated on September 18, 2022

Comments

  • Tim
    Tim almost 2 years

    What is the relationship between chmod and sudo on an executable file for a user?

    Are the cases that "a user needs sudo to run an executable" the same as the cases that "chmod hasn't set the execution mode bit for the user"?

    Are the cases that "a user doesn't need sudo to run an executable" the same as the cases that "chmod has set the execution mode bit for the user"?

    More specifically,

    1. For an executable file, if chmod doesn't set its execution permission for a user, must that user run the executable with sudo or su?
    2. if chmod sets its execution permission for a user, does that mean that the user can run the executable without sudo or su?
    3. How do you make an executable runnable only with sudo or su by a given user?
    4. Conversely, if a user can run an executable only with sudo or su, does that mean chmod hasn't set execution permission of the executable file for the user?
  • Tim
    Tim almost 10 years
    Thanks. Are the cases that "a user needs sudo to run an executable" the same as the cases that "chmod hasn't set the execution mode bit for the user"? Are the cases that "a user doesn't need sudo to run an executable" the same as the cases that "chmod has set the execution mode bit for the user"?
  • Scott - Слава Україні
    Scott - Слава Україні almost 10 years
    Strictly speaking, su allows you to assume the identity of another user (i.e., run programs with different credentials). Unlike sudo, it requires the password of the user whose identity you are assuming; by default, this is “root”.
  • peterph
    peterph almost 10 years
    @Tim no and no. If a program doesn't have any executable bits (there are three - for the user, group and everybody else) even root can't run it. For the second question it's even more complex, but if you read the answer and the credentials man page again and think it through you'll find out why. At least point 4. of the answer should give you one reason why the answer is no.