SUID, SGID and Sticky bit

The basic security of a Linux system rests on file permissions. In this article I will explain some special Linux permissions that you can set on files and directories.

  1. SUID permission
  2. SGID permission
  3. Sticky bit

Set-user Identification (SUID)

If the SUID bit is set on a file and a user executes it, the resulting process runs with the rights of the file's owner rather than those of the user who ran it.
For example, the passwd command has the SUID bit enabled. When a normal user changes his password, this program updates system files such as /etc/passwd and /etc/shadow, which cannot be written by a non-root account. Because of the SUID bit, the passwd command always runs with root privileges.
ls -lrt /usr/bin/passwd
-r-sr-sr-x 1 root sys 31396 Jan 20 2014 /usr/bin/passwd
If you check carefully, you will find two s's in the permission field. The first s stands for SUID and the second one for SGID.
When a command or script with the SUID bit set is run, its effective UID becomes that of the owner of the file rather than that of the user who is running it. Another good example of SUID is the su command:
ls -l /bin/su
-rwsr-xr-x 1 root user 16384 Jan 12 2014 /bin/su
The setuid permission is displayed as an "s" in the owner's execute field.
How to set SUID on a file?
chmod 4555 [path_to_file]
(the leading 4 is the SUID bit; the remaining 555 are the ordinary permissions)

Set-group identification (SGID)

SGID permission on executable file
SGID permission is similar to SUID; the only difference is that when a script or command with SGID set is run, it runs as if the invoking user were a member of the group that owns the file.
ls -l /usr/bin/write
-r-xr-sr-x 1 root tty 11484 Jan 15 17:55 /usr/bin/write
The setgid permission is displayed as an "s" in the group's execute field.
Note :
If a lowercase letter "l" appears in the group's execute field, it indicates that the setgid bit is on and the execute bit for the group is off or denied.
How to set SGID on a file?
chmod 2555 [path_to_file]
(the leading 2 is the SGID bit; the remaining 555 are the ordinary permissions)
SGID on a directory
When SGID permission is set on a directory, files created in that directory belong to the directory's group. For example, if a user with write permission in the directory creates a file there, that file is a member of the same group as the directory, not of the user's own group.
This is very useful for creating shared directories.
How to set SGID on a directory?
chmod g+s [path_to_directory]
For example:
chmod g+s /test/
ls -ld /test
drwxrwsrwx 2 root root 4096 Mar 8 03:12 /test

Sticky Bit

The sticky bit is primarily used on shared directories.
It is useful for shared directories such as /var/tmp and /tmp because users can create files and read and execute files owned by other users, but they are not allowed to remove files owned by other users.
For example, if user bob creates a file named /tmp/bob, another user tom cannot delete it even though the /tmp directory has permission 777. If the sticky bit were not set, tom could delete /tmp/bob, because the right to delete a file is governed by the write permission on its parent directory rather than by the file's own permissions.
The root user (of course!) and the owner of a file can still remove it.
Example of sticky bit :
ls -ld /var/tmp
drwxrwxrwt 2 sys sys 512 Jan 26 11:02 /var/tmp
An uppercase T means the sticky bit is set but the execute permission for others is off.
A lowercase t means the sticky bit is set and the execute permission for others is on.
How to set sticky bit permission?
chmod +t [path_to_directory]
or
chmod 1777 [path_to_directory]
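The three sections above each read the special bits off an ls -l mode string and set them with chmod. The following added script (not part of the article) decodes such a mode string, including the uppercase S/T and "l" cases, applies the chmod forms shown above to throw-away files, and counts the entries carrying a special bit with the same find query an administrator would run over / to inventory setuid binaries. The function names and the temporary paths are assumptions made for this example.

```shell
#!/bin/sh
# Constructed example, not from the article: decode and audit special bits.

# decode_special_bits MODESTRING
# Prints a comma-separated list of the special bits in a 10-char mode string
# such as -rwsr-sr-x. Uppercase S/T (or a Solaris-style "l" in the group
# field) mean the bit is set but the matching execute bit is off.
decode_special_bits() {
    mode=$1 out=""
    case $(printf '%s' "$mode" | cut -c4) in      # owner execute field
        s) out="suid" ;;
        S) out="suid-noexec" ;;
    esac
    case $(printf '%s' "$mode" | cut -c7) in      # group execute field
        s) out="${out:+$out,}sgid" ;;
        S|l) out="${out:+$out,}sgid-noexec" ;;
    esac
    case $(printf '%s' "$mode" | cut -c10) in     # other execute field
        t) out="${out:+$out,}sticky" ;;
        T) out="${out:+$out,}sticky-noexec" ;;
    esac
    printf '%s\n' "${out:-none}"
}

# mode_of PATH: the 10-character mode field as shown by ls -l / ls -ld.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# count_special_files DIR: number of entries under DIR with SUID, SGID or
# sticky set (octal 4000 / 2000 / 1000).
count_special_files() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) | wc -l | tr -d ' '
}

# demo_special_bits: apply the article's chmod forms to temporary files and
# show how each one is reported.
demo_special_bits() {
    d=$(mktemp -d) || return 1
    : > "$d/prog";     chmod 4755 "$d/prog"      # SUID file (article: chmod 4555)
    mkdir "$d/shared"; chmod 1777 "$d/shared"    # sticky directory, like /tmp
    mkdir "$d/team";   chmod 2775 "$d/team"      # SGID directory (chmod g+s)
    for p in prog shared team; do
        m=$(mode_of "$d/$p")
        printf '%-7s %s -> %s\n' "$p" "$m" "$(decode_special_bits "$m")"
    done
    printf 'entries with special bits: %s\n' "$(count_special_files "$d")"
    rm -rf "$d"
}
```

Setting the SGID bit on a directory you own succeeds only if its group is one of your groups, which is why the article's "chmod g+s /test/" example is run as root.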
