
I am doing a small experiment with special privilege bits as follows:

[root@localhost ~]# useradd user1
[root@localhost ~]# cp /bin/touch /home/
[root@localhost ~]# chown user1:user1 /home/touch
[root@localhost ~]# chmod u+s,g+s /home/touch
[root@localhost ~]# ls -l /home/touch
-rwsr-sr-x 1 user1 user1 52656 Jun 26 14:17 /home/touch
[root@localhost ~]# chmod o+w /usr/local/etc/
[root@localhost ~]# ls -ld /usr/local/etc
drwxr-xrwx. 2 root root 4096 Jun 26 14:14 /usr/local/etc/
[root@localhost ~]# /home/touch /usr/local/etc/root.1
/home/touch: cannot touch '/usr/local/etc/root.1': Permission denied

Because both suid bit and sgid bit are set for the executable /home/touch, I expected that when root executes the command /home/touch /usr/local/etc/root.1, the effective user:group should be user1:user1, which should have the write access to /usr/local/etc directory (see o=rwx).

But the result made me puzzled. Actually, anyone belonging to the root group will fail like root, but other users can run the above command successfully.

Only after I changed the directory mode by chmod g+w /usr/local/etc, can users belonging to the root group run the command without permission error.

Should not the effective user:group for anyone running /home/touch be user1:user1? What's wrong with the root group? Did I miss anything?

I took the experiment on RHEL 6.4 64-bit.
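A small model of the Linux permission check behind the result above, added here as an example and not part of the original post. The kernel selects exactly one rwx triple: the owner triple if the effective uid matches, otherwise the group triple if the directory's group equals the effective gid or any supplementary group, otherwise the other triple; a setuid/setgid exec changes euid/egid but leaves the supplementary groups of the calling user in place. All numeric ids and the `Cred` type are constructed for the example.

```python
import stat
from dataclasses import dataclass, field


@dataclass
class Cred:
    """Process credentials that matter for a path permission check."""
    euid: int
    egid: int
    groups: frozenset = field(default_factory=frozenset)  # supplementary gids


def permission_class(cred: Cred, owner_uid: int, owner_gid: int) -> str:
    """Pick which rwx triple applies, in the order the kernel uses.

    The group triple is chosen when the file's gid is the effective gid OR any
    supplementary group; supplementary groups survive a setuid/setgid exec.
    """
    if cred.euid == owner_uid:
        return "owner"
    if owner_gid == cred.egid or owner_gid in cred.groups:
        return "group"
    return "other"


def may_write(cred: Cred, mode: int, owner_uid: int, owner_gid: int) -> bool:
    """True if the selected triple carries the write bit. No capability bypass
    is modelled: a setuid exec to a non-root uid drops CAP_DAC_OVERRIDE."""
    cls = permission_class(cred, owner_uid, owner_gid)
    bit = {"owner": stat.S_IWUSR, "group": stat.S_IWGRP, "other": stat.S_IWOTH}[cls]
    return bool(mode & bit)


# Constructed ids: user1 = 1001, an unrelated user = 1002. A root login carries
# gid 0 as a supplementary group; /usr/local/etc is root:root.
USER1 = 1001
AFTER_SETUID_FROM_ROOT = Cred(euid=USER1, egid=USER1, groups=frozenset({0}))
AFTER_SETUID_FROM_OTHER = Cred(euid=USER1, egid=USER1, groups=frozenset({1002}))
DIR_O_PLUS_W = 0o757   # drwxr-xrwx, after "chmod o+w"
DIR_G_PLUS_W = 0o777   # after the additional "chmod g+w"


def reproduce() -> dict:
    """Replay the three situations described in the question."""
    return {
        "root, o+w": may_write(AFTER_SETUID_FROM_ROOT, DIR_O_PLUS_W, 0, 0),
        "other user, o+w": may_write(AFTER_SETUID_FROM_OTHER, DIR_O_PLUS_W, 0, 0),
        "root, g+w": may_write(AFTER_SETUID_FROM_ROOT, DIR_G_PLUS_W, 0, 0),
    }
```

Because the group triple (r-x) is chosen for any caller whose supplementary groups contain root, the other triple (rwx) set by `chmod o+w` is never consulted for them; `id` on the real system shows the supplementary groups that decide this.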
