Understanding the SUID, SGID and Sticky Bit permissions in Linux


There are three special permissions in Linux.

  • Special User ID (SUID)
  • Special Group ID (SGID)
  • Sticky Bit 

The special permissions can be represented by a number.

Number  Permission
7       SUID and SGID and Sticky Bit
6       SUID and SGID
5       SUID and Sticky Bit
4       SUID
3       SGID and Sticky Bit
2       SGID
1       Sticky Bit
0       No Special Permissions

SUID

When a file has the SUID permission, the user that executes the file takes on the identity of the file's owner while the file is executing. For example, let's say file1 is owned by root. When john.doe executes file1, it runs as root (the owner of file1) while the file is executing, which is what the passwd example in this section relies on. This is useful on script files, such as BASH scripts. SUID has no effect on a directory.

The chmod command with the u+s (user plus special) option can be used to add the SUID permission to a file. The u-s (user minus special) can be used to remove the SUID permission from a file.

[john.doe@server1 ]# chmod u+s /path/to/file1

Likewise, the number 4 can be used to add the SUID permission to a file, and the number 0 can be used to remove the SUID permission from a file.

[john.doe@server1 ]# chmod 4660 /path/to/file1

When a file has the SUID permission, the letter "s" or "S" will be displayed in place of the owner's x (execute) permission. Lower case "s" means the x (execute) permission is enabled, and upper case "S" means the x (execute) permission is not enabled.

-rwsr-xr-x 3 john.doe john.doe 4096 Jun 26 08:21 file1

Example

The /usr/bin/passwd command has the SUID bit set. This allows non-root users to run the passwd command as root.

-rwsr-xr-x 1 root root 4096 Jun 26 08:21 /usr/bin/passwd

SGID

When a file has the SGID permission, the user that executes the file temporarily becomes a member of the file's group. For example, let's say file1 belongs to the root group with the group permission r-x. If John Doe executes file1, John Doe will temporarily be a member of the root group and thus have the r-x permission on the file.

When a directory has the SGID permission, files added to the directory keep the user of the person that added the file but take the group of the directory. For example, if john.doe adds a file to a directory owned by the root group, the file will be owned by john.doe:root.

The chmod command with the g+s (group plus special) option can be used to add the SGID permission to a file. The g-s (group minus special) can be used to remove the SGID permission from a file.

[john.doe@server1 ]# chmod g+s /path/to/file1

Likewise, the number 2 can be used to add the SGID permission to a file, and the number 0 can be used to remove the SGID permission from a file.

[john.doe@server1 ]# chmod 2660 /path/to/file1

When a file has the SGID permission, the letter "s" or "S" will be displayed in place of the group's x (execute) permission. Lower case "s" means the x (execute) permission is enabled, and upper case "S" means the x (execute) permission is not enabled.

-rwxr-sr-x 3 john.doe john.doe 4096 Jun 26 08:21 file1

Example

Let's say root, John Doe, and Jane Doe are all members of myGroup, and they are sharing /var/SharedDirectory. Without SGID, when they create files in the directory, each file will have a unique owner and group.

-rwxr-sr-x 3 root root 4096 Jun 26 08:21 file1
-rwxr-sr-x 3 john.doe john.doe 4096 Jun 26 08:21 file2
-rwxr-sr-x 3 jane.doe jane.doe 4096 Jun 26 08:21 file3

Setting the SGID bit on the directory resolves this issue, so that the group is the same for every file. Now root, John, and Jane can all interact with each other's files.

-rwxr-sr-x 3 root myGroup 4096 Jun 26 08:21 file1
-rwxr-sr-x 3 john.doe myGroup 4096 Jun 26 08:21 file2
-rwxr-sr-x 3 jane.doe myGroup 4096 Jun 26 08:21 file3

Sticky Bit

  • File: Sticky bit has no effect on files
  • Directory: If a directory has the write permission, sticky bit ensures that anyone can add files to the directory, but you can only delete files you own

The chmod command with the o+t (other plus sticky) option can be used to add the Sticky Bit permission to a file. The o-t (other minus sticky) can be used to remove the Sticky Bit permission from a file.

[john.doe@server1 ]# chmod o+t /path/to/file1

Likewise, the number 1 can be used to add the Sticky Bit permission to a file, and the number 0 can be used to remove the Sticky Bit permission from a file.

[john.doe@server1 ]# chmod 1660 /path/to/file1

When a file has the Sticky Bit permission, the letter "t" or "T" will be displayed in place of the x (execute) permission for others. Lower case "t" means the x (execute) permission is enabled, and upper case "T" means the x (execute) permission is not enabled.

-rwxr-xr-t 3 john.doe john.doe 4096 Jun 26 08:21 file1
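
The table near the top of this article and the three paragraphs on "s"/"S" and "t"/"T" describe the same information in two forms. The script below, added here and not part of the original article, converts the mode column of an ls -l line into that digit and table label, and reports whether the execute bit under an "s" or "t" is actually enabled (upper case means it is not). It assumes only POSIX sh with printf and cut; the listing line it parses is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: decode the special
# permission digit (4 = SUID, 2 = SGID, 1 = Sticky Bit, summed as in the
# table above) from the first column of `ls -l`, and tell whether the
# execute bit hidden under an s/S or t/T is actually on.

# char_at STRING POS: the character at 1-based position POS.
char_at() { printf '%s' "$1" | cut -c"$2"; }

# special_digit MODE: e.g. special_digit -rwsr-xr-x prints 4.
special_digit() {
    digit=0
    case "$(char_at "$1" 4)"  in s|S) digit=$((digit + 4)) ;; esac  # user x slot
    case "$(char_at "$1" 7)"  in s|S) digit=$((digit + 2)) ;; esac  # group x slot
    case "$(char_at "$1" 10)" in t|T) digit=$((digit + 1)) ;; esac  # other x slot
    printf '%s\n' "$digit"
}

# special_label DIGIT: the wording of the table above for that digit.
special_label() {
    case "$1" in
        7) echo "SUID and SGID and Sticky Bit" ;;
        6) echo "SUID and SGID" ;;
        5) echo "SUID and Sticky Bit" ;;
        4) echo "SUID" ;;
        3) echo "SGID and Sticky Bit" ;;
        2) echo "SGID" ;;
        1) echo "Sticky Bit" ;;
        0) echo "No Special Permissions" ;;
        *) echo "invalid digit: $1" >&2; return 1 ;;
    esac
}

# exec_enabled MODE SLOT: "yes" when the x bit of SLOT (user, group or
# other) is on, i.e. the letter there is lower case x, s or t; "no" for
# -, S or T (special bit set but execute not enabled).
exec_enabled() {
    case "$2" in user) pos=4 ;; group) pos=7 ;; other) pos=10 ;; *) return 1 ;; esac
    case "$(char_at "$1" "$pos")" in x|s|t) echo yes ;; *) echo no ;; esac
}

# Constructed listing line in `ls -l` format, as chmod 4660 would leave file1.
line="-rwSrw---- 1 john.doe john.doe 4096 Jun 26 08:21 file1"
mode=${line%% *}
d=$(special_digit "$mode")
echo "$mode -> $d ($(special_label "$d")); user execute enabled: $(exec_enabled "$mode" user)"
```
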
Locating files

The find command with the -perm (permissions) option can be used to search for files with a certain set of permissions. For example, let's say file1 is 4660.

[root@server1 ~]# find / -perm 4660
/home/user1/file1

Let's say file2 is 2660.

[root@server1 ~]# find / -perm 2660
/home/user1/file2

Let's say file3 is 1660.

[root@server1 ~]# find / -perm 1660
/home/user1/file3
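
The three searches above use -perm MODE, which matches only files whose entire mode equals MODE. The script below, added here and not part of the original article, builds a scratch directory with files of modes 4660, 2660, 1660 and 4755 (all constructed) and contrasts that exact form with find's -MODE form, which matches any file that has all of the given bits set whatever its other permissions; it goes beyond the article's exact-match searches. It assumes a find that supports -perm -MODE (GNU and BSD find do) and write access to a mktemp directory.

```shell
#!/bin/sh
# Added example (not from the original article): exact vs. "all bits"
# matching with find -perm. Assumes find supports -perm -MODE.
set -e

# Build a constructed scratch tree: one file per special permission from
# the article, plus a SUID file whose rwx bits differ from 4660.
make_tree() {
    tree=$(mktemp -d)
    : > "$tree/file1"; chmod 4660 "$tree/file1"   # SUID
    : > "$tree/file2"; chmod 2660 "$tree/file2"   # SGID
    : > "$tree/file3"; chmod 1660 "$tree/file3"   # Sticky Bit
    : > "$tree/file4"; chmod 4755 "$tree/file4"   # SUID, other rwx bits
    printf '%s\n' "$tree"
}

# Print the matching file names, sorted, on one line.
names() { sort | tr '\n' ' ' | sed 's/ $//'; }

# find_exact DIR MODE: the article's form. Only files whose whole mode
# equals MODE match, so 4660 does not find the 4755 file.
find_exact() {
    find "$1" -type f -perm "$2" -exec basename {} \; | names
}

# find_with_bits DIR MODE: the -MODE form. Every bit in MODE must be set
# and the remaining bits are ignored, so 4000 finds every SUID file.
find_with_bits() {
    find "$1" -type f -perm "-$2" -exec basename {} \; | names
}

tree=$(make_tree)
echo "exact 4660 : $(find_exact "$tree" 4660)"        # file1
echo "any SUID   : $(find_with_bits "$tree" 4000)"    # file1 file4
echo "any SGID   : $(find_with_bits "$tree" 2000)"    # file2
echo "any sticky : $(find_with_bits "$tree" 1000)"    # file3
rm -rf "$tree"
```

For an inventory of every SUID or SGID executable on a host, the -MODE form (for example find / -type f -perm -4000) is the one to use, since exact modes vary from file to file.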