relation between chmod and sudo on an executable file
Solution 1
First the terminology. `chmod` is a program (and a system call) which allows changing permission bits of a file in a filesystem. `sudo` is a special program that allows running other programs with different credentials (typically with elevated privileges, most usually those of the root user). `su` is similar but less (read "not") configurable than `sudo` - most importantly it authenticates users based on the knowledge of the root password (which is security-wise rather appalling).
The executable bit says whether the contents of a file may be loaded into the memory and run (it doesn't say anything about whether it makes sense - you can set the executable bit of a JPEG image and watch it fail spectacularly when you try to run it).
Now for the questions:
1. The permissions are evaluated once the executable is being loaded. In the case of `su` and `sudo` this happens with the effective IDs (user and group - the credentials used in privilege evaluation - see the `credentials(7)` man page) of the target user. Hence if the target user is allowed to execute the file it is executed.
2. As mentioned above: when the executable bit is set for the effective UID or GID, then it can be executed. Otherwise not.
3. Generally, you don't. If you want, you can mark it as executable only for certain IDs and then prepare the `sudo` configuration so that it allows certain users to run that binary with the credentials of one of those that have executable rights on the file.
4. No. It usually does not make much sense to prevent users from running programs that require special privileges - programs should handle lack of those (gracefully if possible). Some programs even have only some functionality that doesn't require special rights but offer more when run with special privileges - one example is `route`: unprivileged users may use it to display kernel routing tables, while administrators can also change those.
Solution 2
This may be splitting hairs, but: to execute a file, you must have execute permission to the file and all the directories you navigate to get to the file. So, if Tom has a program (`do_interesting_stuff`) in his home directory (`/home/tom`), and the directory is protected 700 (no access for anyone but owner) but the file is protected 755 (read and execute permission for everybody), you still will not be able to run `/home/tom/do_interesting_stuff` “as yourself” – you will need to become root (or “become tom”) with `sudo` or `su` to be able to execute that file.

And of course the same thing would be true if you wanted to read a file (`interesting_stuff.txt`) in Tom’s home directory, in the sense that you would need read access to the file and execute permission on the directory.
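An added example, not part of either answer: a Python model of the check Solution 2 describes, walking each path component and applying the owner, group or other execute bit for a given effective UID, plus the root case raised in the comments on this page. It covers classic mode bits only (no ACLs, capabilities or `noexec` mounts); the function names, the temporary tree and the "other" UID are assumptions constructed for illustration.

```python
import os
import tempfile

def class_bits(st, uid, gids):
    """rwx triplet that applies: owner class, else group class, else other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_denial(base, relpath, uid, gids=frozenset()):
    """Return the first component below base that blocks execution, or None."""
    parts = relpath.split("/")
    for i in range(len(parts)):
        seen = "/".join(parts[:i + 1])
        st = os.stat(os.path.join(base, seen))
        if uid == 0:
            # root bypasses directory search checks, but a file with no
            # execute bit in any class is not runnable even for root
            if i == len(parts) - 1 and not st.st_mode & 0o111:
                return seen
        elif not class_bits(st, uid, gids) & 1:
            return seen
    return None

def demo():
    """Constructed tree: <tmp>/tom (700) holding do_interesting_stuff (755)."""
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, "tom")
        prog = os.path.join(home, "do_interesting_stuff")
        os.mkdir(home)
        with open(prog, "w") as f:
            f.write("#!/bin/sh\necho interesting\n")
        os.chmod(prog, 0o755)
        os.chmod(home, 0o700)
        other = os.stat(prog).st_uid + 1  # hypothetical UID that is not the owner
        rel = "tom/do_interesting_stuff"
        out = {"other_dir700": first_denial(base, rel, other),
               "root_dir700": first_denial(base, rel, 0)}
        os.chmod(home, 0o755)  # open the directory: the file's own bits now decide
        out["other_dir755"] = first_denial(base, rel, other)
        os.chmod(prog, 0o644)  # strip every execute bit from the file
        out["root_file644"] = first_denial(base, rel, 0)
        return out

if __name__ == "__main__":
    for case, blocked_at in demo().items():
        print(case, "->", blocked_at)
```

On a real system, `namei -l /home/tom/do_interesting_stuff` lists the same per-component modes and owners for inspection.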
Updated on September 18, 2022

Comments
- Tim almost 2 years

  What is the relationship between `chmod` and `sudo` on an executable file for a user?

  Are the cases that "a user needs sudo to run an executable" the same as the cases that "chmod hasn't set the execution mode bit for the user"?

  Are the cases that "a user doesn't need sudo to run an executable" the same as the cases that "chmod has set the execution mode bit for the user"?

  More specifically,

  - For an executable file, if `chmod` doesn't set its execution permission for a user, must that user run the executable with `sudo` or `su`?
  - If `chmod` sets its execution permission for a user, does that mean that the user can run the executable without `sudo` or `su`?
  - How do you make an executable runnable only with `sudo` or `su` by a given user?
  - Conversely, if a user can run an executable only with `sudo` or `su`, does that mean `chmod` hasn't set execution permission of the executable file for the user?
- Tim almost 10 years

  Thanks. Are the cases that "a user needs sudo to run an executable" the same as the cases that "chmod hasn't set the execution mode bit for the user"? Are the cases that "a user doesn't need sudo to run an executable" the same as the cases that "chmod has set the execution mode bit for the user"?

- Scott - Слава Україні almost 10 years

  Strictly speaking, `su` allows you to assume the identity of another user (i.e., run programs with different credentials). Unlike `sudo`, it requires the password of the user whose identity you are assuming; by default, this is “root”.

- peterph almost 10 years

  @Tim no and no. If a program doesn't have any executable bits (there are three - for the user, group and everybody else) even root can't run it. For the second question it's even more complex, but if you read the answer and the `credentials` man page again and think it through you'll find out why. At least point 4. of the answer should give you one reason why the answer is no.