Usage of suid and sgid in Linux

As a Linux admin you will sometimes want to let certain users run particular files or executables with elevated privileges.

setuid and setgid let you grant limited elevated privileges (the file runs as its owner or group, for example root when the file is owned by root) without having to add the users to the sudoers file.

As with the ordinary chmod permission digits, the special bits are set with a leading octal digit that is the sum of the bits you want: suid = 4, sgid = 2, sticky bit = 1.

To set the suid bit:

$ chmod 4777 script

would give you permissions of

-rwsrwxrwx 1 jason jason

To set the sgid bit:

$ chmod 2777 script

would give you

-rwxrwsrwx 1 jason jason

Setting both at once with

$ chmod 6777 script

would give you

-rwsrwsrwx 1 jason jason

To clear the special bits again you would use

$ chmod 0777 script

SGID is often used on folders, for example:

$ mkdir groupFolder

# chmod 2775 groupFolder

would give you:

drwxrwsr-x 2 jason jason

When the setgid bit is set on a folder, any file created inside it receives the group ownership of that folder instead of the creating user's primary group.

Because a malicious or misconfigured suid binary is a privilege-escalation risk, you should be able to list every file on your system that has the suid and/or sgid bit set (the examples search the current directory; use / to search the whole system):

find . -perm /6000    # suid or sgid (either bit)

find . -perm /2000    # sgid only

find . -perm /4000    # suid only

The /mode form is current GNU find syntax; older GNU find and BSD/macOS find spell the same test as -perm +mode.

You should occasionally look for these files so that you know which files run with elevated privileges and which folders propagate group ownership.
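As an added example that is not part of the original post, the following POSIX shell script packages the search above into a small audit that also flags suid/sgid files writable by group or others (anyone could replace the privileged program); it assumes GNU findutils (-perm /mode and -printf) and builds its own constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit a directory tree for files
# carrying the setuid and/or setgid bit and flag those that are also writable
# by group or others. Assumes GNU findutils for -perm /mode and -printf.

# Print "mode owner group path" for every regular file under $1 that has the
# suid (4000) and/or sgid (2000) bit set.
list_special_bits() {
    find "$1" -type f -perm /6000 -printf '%m %u %g %p\n' 2>/dev/null | sort
}

# Count suid/sgid files under $1 that are also group- or world-writable
# (any of the 0022 bits). These are the ones to fix first.
count_writable_special() {
    find "$1" -type f -perm /6000 -perm /0022 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample tree: three files with special bits, one without.
make_sample_tree() {
    dir=$(mktemp -d)
    : > "$dir/suid_ok";       chmod 4755 "$dir/suid_ok"       # -rwsr-xr-x
    : > "$dir/sgid_ok";       chmod 2755 "$dir/sgid_ok"       # -rwxr-sr-x
    : > "$dir/both_writable"; chmod 6777 "$dir/both_writable" # -rwsrwsrwx
    : > "$dir/plain";         chmod 0755 "$dir/plain"         # no special bits
    printf '%s\n' "$dir"
}

sample=$(make_sample_tree)
echo "suid/sgid files under $sample:"
list_special_bits "$sample"
echo "group- or world-writable among them: $(count_writable_special "$sample")"
```

The Linux kernel ignores the setuid and setgid bits on interpreter scripts (files starting with #!), so only compiled binaries actually run with the elevated identity.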

Exchange/SBS 2003 – “You do not have permission to send to this recipient” – Solved!

A problem like this has many possible causes and can take a while to track down and resolve, so hopefully if you encounter it the resolution below will make it quick.

A user called complaining that they received a bounceback message from Exchange whenever they tried to send an email as a different user, for example “[email protected]”. They had not previously had this problem sending on behalf of that user and “something suddenly changed.”

To make a long story short, in this case the cause was a corrupt .NK2/nickname entry for the “Promoter” address in the From: field. When auto-resolving the email address for the From field, I had to type in the first letter of the bad entry, arrow down to the corrupt entry in the nickname list so that it was highlighted, and hit the Delete button. Next, to put in the correct “From: Promoter” address, I had to manually click the “From” button, go to the Global Address List and select “Promoter”. This resolved to the correct entry, and the From: field was now populated with “Promoter” instead of “[email protected]”. The message could now be sent without a failure/bounceback/error message.

Read below for the workflow that caused the problem and what I had to do to resolve it:

The user opened a new mail message. The From field was shown, and the user typed in the first letter of the address the email was to be sent from, in this case “p”. This auto-resolved the nickname as the email address “[email protected]”. The user then typed the recipient's name into the To: field (in this case [email protected]), supplied a subject and a message body, and hit Send. A moment later the following email arrived from the Exchange System:

Your message did not reach some or all of the intended recipients.

Subject: test
Sent: 4/27/2011 11:43 AM

The following recipient(s) cannot be reached:

example@hotmail.com on 4/27/2011 11:42 AM
You do not have permission to send to this recipient. For assistance, contact your system administrator.
MSEXCH:MSExchangeIS:/DC=local/DC=domain:servername

Solution:

The first thing to check was that the user has the right to send on behalf of the “Promoter” account:

On the SBS 2003 server, go to Server Management. Click on the View menu and check “Advanced Features”. Then browse to Active Directory Users and Computers -> Domain.local -> MyBusiness -> Users -> SBSUsers.

Right-click on the account that the user is trying to send on behalf of (in this case “Promoter”). Click on the Exchange General tab. Click on the Delivery Options… button. Under Send on behalf, make sure the user that is trying to send as is listed under “Grant this permission to:”. If not, click the Add… button and add the user.

Next, in Server Management, browse to Advanced Management -> EXCHANGESERVERNAME (Exchange) -> Servers -> SERVERNAME -> Protocols -> SMTP.

Right-click on “Default SMTP Virtual Server” and click Properties.

[Screenshot: SMTP Properties dialog]

Under the Access tab, click on the Relay… button.

Under Relay Restrictions, “Only the list below” should be selected, and the list should contain the server's IP address with its subnet mask and the loopback address 127.0.0.1, both set to Granted.

Uncheck “Allow all computers which successfully authenticate to relay, regardless of the list above”. Click on the Users… button. Under Permissions – Group or user names, make sure Authenticated Users has both Submit and Relay permission set to Allow. Click OK, OK, OK.

If any changes have been made to SMTP, right-click on Default SMTP Virtual Server under Protocols/SMTP and Stop, then Start, the Default SMTP Virtual Server.

Now, on the client, open a new mail message, remove the bad auto-resolving address, click on the From: button, select the account you wish to send from, and hit “Send”. See the second paragraph of this post for further details on how to accomplish this part. The message should now be sent to the recipient with the correct “From” address.