FreeKB - Linux Fundamentals - Understanding the SUID, SGID and Sticky Bit permissions

There are three special permissions in Linux.

  • Set User ID (SUID)
  • Set Group ID (SGID)
  • Sticky Bit 

The special permissions can be represented by a single digit, which is the leading (fourth-from-right) digit of a four-digit octal mode such as the 4 in chmod 4755. The digit is the sum of SUID = 4, SGID = 2 and Sticky Bit = 1.

Number  Permission
------  ----------------------------
7       SUID and SGID and Sticky Bit
6       SUID and SGID
5       SUID and Sticky Bit
4       SUID
3       SGID and Sticky Bit
2       SGID
1       Sticky Bit
0       No Special Permissions

 

SUID

When a file has the SUID permission, a process that executes the file runs with the effective user ID of the file's owner rather than that of the user who started it. For example, let's say file1 is owned by root. When john.doe executes file1, the resulting process runs as root for as long as file1 is executing. This is also why SUID root binaries are the classic privilege escalation target: any bug in such a program runs with root's authority, so the set of SUID files on a system should be kept small and audited. Although SUID is sometimes set on script files, such as BASH scripts, the Linux kernel ignores the bit on interpreted scripts (files started through a #! line), so it only takes effect on compiled executables. SUID has no effect on a directory.

The chmod command with the u+s (user plus setuid) option can be used to add the SUID permission to a file. The u-s (user minus setuid) option can be used to remove the SUID permission from a file.

[john.doe@server1 ]# chmod u+s /path/to/file1

 

Likewise, the number 4 in the leading digit of a numeric mode can be used to add the SUID permission to a file, and a leading 0 (or simply omitting the digit) can be used to remove it. Note that the example below grants no execute permission, so ls will display the bit as an upper-case S, as explained next.

[john.doe@server1 ]# chmod 4660 /path/to/file1

 

When a file has the SUID permission, the letter "s" or "S" is displayed in place of the owner's x (execute) permission. A lower case "s" means the x (execute) permission is also enabled, and an upper case "S" means the x (execute) permission is not enabled.

-rwsr-xr-x 3 john.doe john.doe 4096 Jun 26 08:21 file1

 

Example

The /usr/bin/passwd command is owned by root and has the SUID bit set. When a non-root user runs passwd, it therefore executes with root's effective user ID, which is what allows it to update /etc/shadow, a file that only root can write.

-rwsr-xr-x 1 root root 4096 Jun 26 08:21 /usr/bin/passwd


SGID

When an executable file has the SGID permission, a process that executes the file runs with the effective group ID of the file's group, as though the user were temporarily a member of that group. For example, let's say file1 belongs to the root group with group permission r-x. If John Doe executes file1, the process runs with root as its effective group, and thus has the r-x permission that the root group holds on the file.

When a directory has the SGID permission, files and subdirectories created in the directory inherit the group of the directory instead of the creating user's primary group (a new subdirectory also inherits the SGID bit itself, so the rule propagates down the tree). For example, if the group of /var/www is webgroup, and then /var/www/foo is created, the group of /var/www/foo will be webgroup.

Let's say the /var/www directory does not have the SGID bit set.

-rwxrwxr-x 3 root root 4096 Jun 26 08:21 /var/www

 

And John Doe created foo.txt.

[john.doe@server1 ~] touch /var/www/foo.txt

 

In this scenario, foo.txt gets John Doe's primary group, which is the john.doe group in this example.

-rw-r--r-- 3 john.doe john.doe 0 Jun 26 08:21 /var/www/foo.txt

 

Let's set the SGID bit on the /var/www directory.

[root@server1 ~]# chmod g+s /var/www

 

Now the /var/www directory has the SGID bit set, as indicated by the "s" character. Note that a lower case "s" means the execute permission is set and an upper case "S" means the execute permission is not set.

-rwxrwsr-x 3 root root 4096 Jun 26 08:21 /var/www

 

And John Doe created bar.txt.

[john.doe@server1 ~] touch /var/www/bar.txt

 

Now bar.txt has the group of the /var/www directory, which is root in this example.

-rw-r--r-- 3 john.doe root 0 Jun 26 08:21 /var/www/bar.txt

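The walk-through above can be reproduced without root and without a second group in a scratch directory. The following POSIX sh script is an added example, not code from the original page: it creates a directory, sets mode 2775 on it (775 plus g+s), and then checks that a file and a subdirectory created inside it receive the directory's group and that the subdirectory also inherits the SGID bit. The scratch path under $SCRATCH and the function names group_of, mode_of and sgid_demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the original page): reproduce the /var/www
# walk-through in a scratch directory so the SGID inheritance rule can be
# observed without root. Everything under "$SCRATCH" is constructed here.

SCRATCH=${SCRATCH:-$(mktemp -d)}
SHARED="$SCRATCH/shared"

# group_of PATH: print the group name shown in column 4 of "ls -ld"
group_of() { ls -ld "$1" | awk '{print $4}'; }

# mode_of PATH: print the 10-character mode string from "ls -ld"
mode_of() { ls -ld "$1" | cut -c1-10; }

# sgid_demo: create the directory, set g+s, then create a file and a
# subdirectory inside it; prints "ok" when both took the directory's group
# and the subdirectory inherited the SGID bit as well.
sgid_demo() {
    rm -rf "$SHARED"
    mkdir -p "$SHARED"
    chmod 2775 "$SHARED"              # same as: chmod 775 then chmod g+s
    touch "$SHARED/bar.txt"
    mkdir -m 775 "$SHARED/sub"        # explicit mode so umask cannot hide the result
    dir_group=$(group_of "$SHARED")
    [ "$(group_of "$SHARED/bar.txt")" = "$dir_group" ] || { echo "file did not inherit group"; return 1; }
    [ "$(group_of "$SHARED/sub")" = "$dir_group" ] || { echo "subdir did not inherit group"; return 1; }
    # 7th character is the group execute slot: "s" means SGID was inherited
    [ "$(mode_of "$SHARED/sub" | cut -c7)" = s ] || { echo "subdir did not inherit SGID bit"; return 1; }
    # a plain file created inside only picks up the group, never the SGID bit
    [ "$(mode_of "$SHARED/bar.txt" | cut -c7)" != s ] || { echo "unexpected SGID on file"; return 1; }
    echo ok
}

sgid_demo
ls -ld "$SHARED" "$SHARED/bar.txt" "$SHARED/sub"
```

With a single user the file's group equals the user's primary group either way, so to see the group actually change as in the /var/www example, chgrp the directory to one of your secondary groups before running the demo; the inherited "s" on the subdirectory is visible regardless.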
 

Sticky Bit

  • File: the Sticky Bit has no effect on files on Linux
  • Directory: on a directory that is writable by a group or by everyone, the Sticky Bit ensures that anyone with write permission can add files to the directory, but a file can only be deleted or renamed by its owner (or by the directory's owner or root). This is why shared world-writable directories such as /tmp are normally mode 1777.

The chmod command with the o+t (other plus sticky) option can be used to add the Sticky Bit permission to a file or directory. The o-t (other minus sticky) option can be used to remove the Sticky Bit permission.

[john.doe@server1 ]# chmod o+t /path/to/file1

 

Likewise, the number 1 in the leading digit of a numeric mode can be used to add the Sticky Bit permission, and a leading 0 can be used to remove it.

[john.doe@server1 ]# chmod 1660 /path/to/file1

 

When a file has the Sticky Bit permission, the letter "t" or "T" is displayed in place of the x (execute) permission for others. A lower case "t" means the x (execute) permission for others is also enabled, and an upper case "T" means the x (execute) permission is not enabled.

-rwxr-xr-t 3 john.doe john.doe 4096 Jun 26 08:21 file1
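To make the s/S and t/T display rules concrete for both the SUID/SGID and the Sticky Bit listings above, here is a small POSIX sh converter, added as an example and not part of the original page, that turns the 10-character mode string printed by ls -l back into the four-digit octal mode from the table at the top of the page and flags any special bit that sits on a slot whose execute bit is off (the upper-case S/T case, for instance the result of chmod 4660). The function names triplet_value, mode_to_octal and special_bit_warnings are my own.

```shell
#!/bin/sh
# Added example (not from the original page): convert the 10-character mode
# string printed by "ls -l" into its 4-digit octal form, including the
# special-permission digit (4 = SUID, 2 = SGID, 1 = Sticky Bit).
# "-rwsr-xr-x" -> 4755, "-rwSrw----" -> 4660, "drwxrwxrwt" -> 1777

# triplet_value RWX: value of one 3-character triplet such as "rws";
# s/S and t/T occupy the execute slot, and only the lower-case form
# (or a plain x) means the execute bit itself is on.
triplet_value() {
    t=$1
    v=0
    case "$t" in r??) v=$((v + 4)) ;; esac
    case "$t" in ?w?) v=$((v + 2)) ;; esac
    case "$t" in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# mode_to_octal MODESTRING: e.g. mode_to_octal -rwsr-xr-x prints 4755
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] || { echo "expected a 10-character mode string" >&2; return 1; }
    u=$(printf '%s' "$m" | cut -c2-4)     # owner triplet
    g=$(printf '%s' "$m" | cut -c5-7)     # group triplet
    o=$(printf '%s' "$m" | cut -c8-10)    # others triplet
    special=0
    case "$u" in ??[sS]) special=$((special + 4)) ;; esac   # SUID
    case "$g" in ??[sS]) special=$((special + 2)) ;; esac   # SGID
    case "$o" in ??[tT]) special=$((special + 1)) ;; esac   # Sticky Bit
    echo "${special}$(triplet_value "$u")$(triplet_value "$g")$(triplet_value "$o")"
}

# special_bit_warnings MODESTRING: name each special bit whose matching execute
# bit is off (upper-case S or T in ls output); usually a mistake such as chmod 4660.
special_bit_warnings() {
    m=$1
    w=""
    case "$m" in ???S??????) w="$w SUID-without-execute" ;; esac
    case "$m" in ??????S???) w="$w SGID-without-execute" ;; esac
    case "$m" in ?????????T) w="$w sticky-without-execute" ;; esac
    echo "${w# }"
}

# Walk the mode strings shown on this page (constructed input, no files touched).
for m in -rwsr-xr-x -rwSrw---- -rwxrwsr-x -rwxr-xr-t drwxrwxrwt; do
    printf '%s  %s  %s\n' "$m" "$(mode_to_octal "$m")" "$(special_bit_warnings "$m")"
done
```

Feeding it the output of `ls -l` on a real system (for example `ls -l /usr/bin/passwd | cut -c1-10`) gives the numeric mode you would pass to chmod to reproduce the listing.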

 

Locating files

The find command with the -perm (permissions) option can be used to search for files with a certain set of permissions. Note that a bare mode such as -perm 4660 matches only files whose mode is exactly 4660; -perm -4000 matches any file that has the SUID bit set regardless of its other bits, and -perm /6000 matches files that have either SUID or SGID set, which is the form normally used when auditing a system. For example, let's say file1 is 4660.

[root@server1 ~]# find / -perm 4660
/home/user1/file1

 

Let's say file2 is 2660.

[root@server1 ~]# find / -perm 2660
/home/user1/file2

 

Let's say file3 is 1660.

[root@server1 ~]# find / -perm 1660
/home/user1/file3
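The -perm forms behave differently in ways that matter for an audit: a bare mode matches exactly, a leading "-" matches files that have at least those bits, and the GNU "/" prefix matches files that have any of them. The script below is an added example, not from the original page, that builds a small constructed tree of files with known modes under a scratch directory and counts what each query form returns; it also includes the companion check for world-writable directories that lack the Sticky Bit. The paths and the function names build_tree, count_exact_4660, count_any_suid, count_suid_or_sgid and count_ww_no_sticky are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the original page): compare the -perm matching
# forms on a constructed tree of files whose modes are known in advance.

SCRATCH=${SCRATCH:-$(mktemp -d)}
ROOT="$SCRATCH/tree"

# build_tree: lay out the sample files (constructed input for this example)
build_tree() {
    rm -rf "$ROOT"
    mkdir -p "$ROOT/bin" "$ROOT/tmp" "$ROOT/dropbox"
    chmod 755 "$ROOT" "$ROOT/bin"            # pin modes so umask cannot alter the counts
    : > "$ROOT/bin/suid_exec"; chmod 4755 "$ROOT/bin/suid_exec"   # SUID, like /usr/bin/passwd
    : > "$ROOT/bin/sgid_exec"; chmod 2755 "$ROOT/bin/sgid_exec"   # SGID on an executable
    : > "$ROOT/bin/both";      chmod 6755 "$ROOT/bin/both"        # SUID and SGID
    : > "$ROOT/file1";         chmod 4660 "$ROOT/file1"           # the page's chmod 4660 example
    chmod 1777 "$ROOT/tmp"       # world-writable WITH the Sticky Bit, like /tmp
    chmod 0777 "$ROOT/dropbox"   # world-writable WITHOUT it: anyone can delete anyone's files
}

# Exact match: only a file whose whole mode is 4660
count_exact_4660()   { find "$ROOT" -perm 4660 | wc -l | tr -d ' '; }

# "At least these bits": every regular file with SUID set, whatever else is set
count_any_suid()     { find "$ROOT" -type f -perm -4000 | wc -l | tr -d ' '; }

# SUID or SGID (portable spelling of GNU find's -perm /6000)
count_suid_or_sgid() { find "$ROOT" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '; }

# Directories writable by everyone that do not have the Sticky Bit
count_ww_no_sticky() { find "$ROOT" -type d -perm -0002 ! -perm -1000 | wc -l | tr -d ' '; }

build_tree
echo "exactly 4660:                      $(count_exact_4660)"
echo "any SUID file:                     $(count_any_suid)"
echo "SUID or SGID file:                 $(count_suid_or_sgid)"
echo "world-writable dir without sticky: $(count_ww_no_sticky)"
# On a real host the same queries are run from / with -xdev to stay on one
# filesystem and -exec ls -ld {} + to list the matches, e.g.:
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} +
#   find / -xdev -type d -perm -0002 ! -perm -1000 -exec ls -ld {} +
```

A baseline of the SUID/SGID list taken right after installation, diffed against the current output of the same query, is a simple way to notice a newly appeared SUID binary, which is a common post-compromise persistence artifact.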


Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net   |