1 (edited by mithat 2010-08-04 21:55:52)

Topic: setgid directories

I am trying to set up a CMS that is somewhat insistent about the file permissions it wants. One thing it doesn't seem to like is a '2' in front of the UGO permissions: it flags as insecure all 2755 directories--which happens to be all of them!

From what I've been able to Google, the '2' that I'm seeing means that the directories that are so assigned are in setgid mode.

I was just wondering why TuxFamily uses setgid and whether there is actually a security issue with which I should be concerned.

-M

2 (edited by xavier 2010-08-06 19:55:30)

Re: setgid directories

Hello,

As specified in the link you provided, the setgid mode has the following effect:

http://forums.oscommerce.com/topic/352153-is-chmod-2775-secure/ wrote:

any files or subdirectories created in that directory will inherit the parent directory's group id.

So, we do it to ensure that newly created files get the same group as their parent directory, which is good for collaboration between the members of the same project.
Look at the `id' command using your SSH access: you'll see your user, your user group, and the additional groups you belong to, i.e. the projects you belong to.
Without the setgid flag on directories, newly created files would get your user group, so they would not be available for your co-workers. However, you still have to set g+w permissions on files (manually or through your umask) for your co-workers to edit them.

Note that we also use groups to handle quotas: your project group has a 100 MB quota, your user group has a 1 MB quota.

So, the setgid flag on directories is not insecure. However, the cursed o+w permission is insecure. Try to set it on your files ;)
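
The distinction drawn in the reply above, as an added example that is not part of the original thread: a small shell audit that reports setgid directories as informational and world-writable (o+w) entries as the actual risk. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: separate the setgid bit on directories from the o+w bit.

# Build a small constructed sample tree and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/project" "$d/project/docs"
    chmod 2755 "$d/project"             # setgid directory, as in the question
    chmod 0755 "$d/project/docs"        # plain directory for comparison
    : > "$d/project/index.php"
    chmod 0644 "$d/project/index.php"   # ordinary file, nothing to report
    : > "$d/project/upload.txt"
    chmod 0666 "$d/project/upload.txt"  # o+w: writable by every account
    printf '%s\n' "$d"
}

# Print one finding per line for the tree rooted at $1.
audit_tree() {
    # INFO: setgid directories (the leading 2, e.g. 2755). New files created
    # inside inherit the directory's group; this grants no extra write access.
    find "$1" -type d -perm -2000 -exec printf 'INFO setgid-dir %s\n' {} \;
    # RISK: anything with o+w set. Symlinks are skipped because their own
    # mode bits are not used for access checks.
    find "$1" ! -type l -perm -0002 -exec printf 'RISK world-writable %s\n' {} \;
}

# Demonstration on the constructed tree.
tree=$(make_sample_tree)
audit_tree "$tree"
rm -rf "$tree"
```

To check a real site, call `audit_tree` with the site's root directory instead of the sample tree.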