Meaning of the access permissions "rws" and "root root" of /usr/bin/sudo
Solution 1:
The s
in rws
stands for setuid
meaning set user ID. This is a special permission bit that allows the program, when run by any user, to be run with the effective UID of the owner, in this case, root. So when you as a normal user run the sudo
executable, you effectively do so as root. This permission bit is a security risk, and should only be applied where absolutely necessary.
Explanation of the setuid
bit from The Linux Command Line by William E. Shotts Jr:
When applied to an executable file, it sets the effective user ID from that of the real user (the user actually running the program) to that of the program's owner. Most often this is given to a few programs owned by the superuser. When an ordinary user runs a program that is "setuid root" , the program runs with the effective privileges of the superuser. This allows the program to access files and directories that an ordinary user would normally be prohibited from accessing. Clearly, because this raises security concerns, the number of setuid programs must be held to an absolute minimum.
The second root
in the listing is the group that owns the file, and yes, only the user root is in the group root:
$ getent group root
root:x:0:
Here's an example of a file that has different user and group ownership:
-rw-r----- 1 root shadow 1456 Nov 22 20:08 /etc/shadow
This means that the file can be read and written to only by root, but members of the group shadow may also read the file.