Thursday, April 25, 2013

Set Setuid, Setgid and Sticky bit in Linux

Special permissions on files and directories in linux are : SetUID, SetGID and Sticky bit.

With the help of “chmod” command  we can implement the special permissions on file and directories.

SUID / Set User ID : A program is executed with the file owner's permissions (rather than with the permissions of the user who executes it).

SGID / Set Group ID : Files created in the directory inherit its GID, i.e When a directory is shared between the users , and sgid is implemented on that shared directory , when these users creates  directory, then the created directory has the same gid or group owner of its parent directory.

Sticky Bit :  It is used mainly used on folders in order to avoid deletion of a folder and its content by other user though he/she is having write permissions. If Sticky bit is enabled on a folder, the folder is deleted by only owner of the folder and super user(root). This is a security measure to suppress deletion of critical folders where it is having full permissions by others.


When we implement these permissions ,we get the below symbols in permissions field :

Permissions
Meaning
--S------ SUID is set, but user (owner) execute is not set.
--s------ SUID and user execute are both set.
-----S--- SGID is set, but group execute is not set.
-----s--- SGID and group execute are both set.
--------T Sticky bit is set, but Other execute is not set.
--------t Sticky bit and other execute are both set.


SUID Example : passwd command
When normal user  try to change his/her  password  , passwd command is used ,  which is owned by root. This passwd command file will try to edit some system config files such as /etc/passwd, /etc/shadow etc. So passwd command is set with SUID to give root user permissions to normal user so that it can update /etc/shadow and other files.


Assign  suid to a File :

# chmod  u+s testfile.txt OR #  chmod 4750  testfile.txt


In this example , 4 indicates SUID bitset, 7 for full permissions for owner, 5 for read and execute permissions for group, and no permissions for others.

SGID Example :

# chmod g+s OR # chmod 2750

Here in 2750, 2 indicates SGID bitset, 7 for full permissions for owner, 5 for read and execute permissions for group, and no permissions for others.

StickyBit Example :

# chmod o+t /opt/ftp-data  or # chmod +t /opt/ftp-data OR # chmod 1757 /opt/ftp-dta

In this example , 1 indicates Sticky Bit set, 7 for full permissions for owner, 5 for read and execute permissions for group, and ful permissions for others.

Note : To check the special permissions , use these commands :

# ls   -l 

# ls -ld  


11 comments:

  1. Just a friendly note. you have 5 as having write and execute permissions twice in this article. vs. being Read and Execute.

    ReplyDelete
  2. TO THE POINT. gOOD JOB MAN

    ReplyDelete
  3. Please explain what are the roles of bits 4(SUID), 2(SGID) and 1(Sticky bit).

    ReplyDelete
  4. Great way to describe it. Thanks

    ReplyDelete
  5. ROLES OF SUID,SGID,STICKY BIT

    SUID

    For an example let's say there's a folder under /root folder call "share". /root/share. So normally only root has the access to that folder. If you want to allow non-root user john to get a backup everyday. so you can get a /bin/cp command to john's home folder and set suid for that cp script(you are the root user). Then john will be able to copy files from /root/share using cp command in his home folder without any permission issues.

    SGID

    Let's say there is a share folder called HR. Which is accessed by HR people. So HR group has the ownership. But when HR users creating files inside the HR share folder all the files will be created with there primary group.(when we add a user to system there will be a group with same name as user's name. that is that user's primary group.) so because of that other HR users can't edit that file. So what we can do it wen cat set sgid to that folder. Then anytime HR user create a new file inside that folder will get HR group ad the primary group of that file.So other HR people can edit that. (But already created files group ownership won't get changed.only the newly created files after setting sgid).

    STICKY BIT

    Let's say we are giving write permission for a file to a user called john. Then john can even delete the file. So if we set the Sticky bit then only john can edit the file but can't delete the file. Only the root user and the owner of the file can delete that file.

    ReplyDelete
  6. Nice Explanation..

    ReplyDelete
  7. Why would I ever need to use both setuid and setgid on the same file? E.g. chmod 6755 file

    ReplyDelete
  8. You have one typo in "Sticky bit is set, bot other execute is not set.", you should change "bot" to "but".

    ReplyDelete