Special Permissions: Sticky Bit, SUID and SGID


Sticky Bit, SUID and SGID are special permission bits used in Unix-like systems, and therefore in Linux. Knowing how and why to use them isn't strictly necessary to understand basic permissions in Linux, but they are useful in some situations, and they matter for security: SUID and SGID in particular change the privileges a process runs with.

Sticky Bit

The first one is the sticky bit. Suppose you have a directory where everyone has full permissions, but a file that means nothing to one user may be important to another. Any user could delete a file that another user needs, and that is a problem. That is what the sticky bit is for: when it is set on a directory, a file inside it can be deleted or renamed only by the file's owner, the directory's owner, or root, even though everyone has write permission on the directory. On Linux the sticky bit only has an effect on directories; on regular files it is ignored. The typical example is the /tmp directory:

# ls -la
drwxrwxrwt. 20 root root  4096 Nov 20 14:41 .         
drwxr-xr-x  18 root root  4096 Nov  6 20:19 ..              
drwxrwxrwt   2 root root  4096 Jan  1  2010 .font-unix
drwxrwxrwt   2 root root  4096 Jan  1  2010 .ICE-unix 
drwx------   3 root root  4096 Jan  1  2010 systemd...
drwx------   3 root root  4096 Jan  1  2010 systemd...
drwx------   3 root root  4096 Jan  1  2010 systemd...
drwxrwxrwt   2 root root  4096 Jan  1  2010 .Test-unix
-r--r--r--   1 root root    11 Jan  1  2010 .X0-lock  
drwxrwxrwt   2 root root  4096 Jan  1  2010 .X11-unix 
drwxrwxrwt   2 root root  4096 Jan  1  2010 .XIM-unix

Notice the t in place of the x in the "others" permissions on some lines? That is the sticky bit. (A capital T would mean the sticky bit is set but others have no execute permission on the directory.) The sticky bit is set with the chmod command:

$ chmod +t /path/to/file

or

$ chmod 1777 /path/to/file

Notice the leading 1 in 1777: the special bits occupy a fourth octal digit placed in front of the usual three.
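The check a practitioner actually wants is the reverse of the example above: find the world-writable directories on a system that do not have the sticky bit, since those are the ones where any user can delete or rename other users' files. The script below is an added example, not code from the original post; it builds a constructed test tree in a temporary directory (the directory names shared_ok, shared_bad and private are made up) and assumes GNU findutils and coreutils, i.e. a normal Linux machine.

```shell
#!/bin/sh
# Added example (not from the original post): audit a directory tree for
# world-writable directories that lack the sticky bit, then fix them.
# Assumes GNU find (4-digit octal -perm) and GNU stat (-c).
set -eu

# Octal mode of a path, e.g. "1777" for /tmp.
mode_of() {
    stat -c %a "$1"
}

# Symbolic permission string, e.g. "drwxrwxrwt". A capital T in the last
# column would mean sticky bit set but no execute permission for others.
perm_string() {
    stat -c %A "$1"
}

# World-writable directories under $1 that do NOT have the sticky bit.
#   -perm -0002 : others have write permission
#   -perm -1000 : sticky bit set (negated with !)
audit_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

# Constructed test tree (names made up): one /tmp-like directory done right,
# one done wrong, and one that is not world-writable at all. Prints the root.
# mkdir -m sets the mode exactly, regardless of umask.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -m 1777 "$root/shared_ok"    # drwxrwxrwt: sticky, like /tmp
    mkdir -m 0777 "$root/shared_bad"   # drwxrwxrwx: anyone can delete anyone's files
    mkdir -m 0755 "$root/private"      # drwxr-xr-x: not world-writable
    printf '%s\n' "$root"
}

# Run the audit, fix every offender with chmod +t, and audit again.
main() {
    root=$(build_demo_tree)
    echo "Before fix:"
    audit_sticky "$root"
    audit_sticky "$root" | while read -r d; do chmod +t "$d"; done
    echo "After fix (expected empty):"
    audit_sticky "$root"
    echo "$(perm_string "$root/shared_bad") $(mode_of "$root/shared_bad") $root/shared_bad"
    rm -rf "$root"
}

main
```

On a real system you would point audit_sticky at / (adding -xdev to stay on one filesystem); anything it reports is either a misconfigured shared directory or something that should not be world-writable in the first place.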

SUID

Now you have probably been wondering whether it stands for "super user id" or "switch user id" or whatever: it actually stands for Set User ID. SUID is a special permission bit on an executable: whoever runs the program runs it with the effective user ID of the file's owner rather than their own, so the process has the owner's privileges. This is how a program like passwd, owned by root, can update a file that ordinary users cannot write. It also means every SUID root binary is attack surface: a bug in one of them is a potential privilege escalation, which is why they should be kept to a minimum and audited. Note that on Linux the kernel honours SUID only on binaries, not on scripts, and not at all on filesystems mounted with the nosuid option.

Let’s take a look at my brand new test file:

# ls -l
-rwxrwxrwx 1 root root      0 Nov 20 17:12 test

Test file has now 777 permissions; let’s apply the SUID:

# chmod u+s test
# ls -l
-rwsrwxrwx 1 root root      0 Nov 20 17:12 test

The x bit of the owner has changed to s: that means SUID is active. But what if the file isn't executable by its owner?

# chmod u-x test
# ls -l
-rwSrwxrwx 1 root root      0 Nov 20 17:12 test

The s has changed to a capital S: the SUID bit is still set, but since the owner's execute bit is missing it has no effect. ls uses the capital letter to warn you of exactly this.

Tip: you can set SUID together with the other bits using an octal mode; chmod 4777 test reproduces the file above (the leading 4 is SUID). On a real system you would use something like 4755, since a SUID executable should never be world-writable.

SGID

As with SUID, it stands for Set Group ID. When SGID is set on an executable, whoever runs the program runs it with the effective group ID of the file's group. SGID also has a meaning on directories: new files and subdirectories created inside an SGID directory inherit the directory's group instead of the creator's primary group, which is handy for shared project directories.

I restored the test file to 777 without SUID.

# ls -l
-rwxrwxrwx 1 root root      0 Nov 20 17:12 test

Now let’s apply SGID:

# chmod g+s test
# ls -l
-rwxrwsrwx 1 root root      0 Nov 20 17:12 test

The x bit has switched to s, but this time in the group permissions: that means SGID is active. And as with SUID we can remove the group execute bit:

# chmod g-x test
# ls -l
-rwxrwSrwx 1 root root      0 Nov 20 17:12 test

The s has changed to a capital S: SGID is set but ineffective without the group execute bit.

Tip: you can set SGID with an octal mode as well: chmod 2777 test (the leading 2 is SGID). 6777 would set both SUID and SGID at once.
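The SUID and SGID sections above both come down to the same two practical questions: which files on the system carry these bits, and which of them show the capital S, i.e. a bit that is set but cannot take effect. The script below is an added example, not code from the original post, covering both sections; it creates a constructed set of files in a temporary directory (the names suid_ok, sgid_ok, suid_noexec and plain are made up) and assumes GNU findutils and coreutils.

```shell
#!/bin/sh
# Added example (not from the original post): create files carrying the SUID
# and SGID bits and audit them the way you would audit a real system.
# Assumes GNU find (-perm /mode) and GNU stat (-c).
set -eu

# Octal mode, e.g. "4755".
mode_of() {
    stat -c %a "$1"
}

# Symbolic permissions, e.g. "-rwsr-xr-x", or "-rwSr--r--" when the SUID bit
# is set without the owner's execute bit.
perm_string() {
    stat -c %A "$1"
}

# Every regular file under $1 with SUID or SGID set.
# GNU find: -perm /6000 matches if ANY of the 4000 (SUID) or 2000 (SGID) bits is set.
find_setid() {
    find "$1" -type f -perm /6000 | sort
}

# SUID/SGID files whose matching execute bit is missing: the capital S in
# ls output. The kernel never applies such a bit, so these are either noise
# from a sloppy chmod or worth a second look.
find_dangling_setid() {
    find "$1" -type f \( -perm -4000 ! -perm -0100 -o -perm -2000 ! -perm -0010 \) | sort
}

# Constructed sample files (names made up). Setting SUID/SGID on your own
# file is allowed for an unprivileged user; the bit only changes anything
# when the file is owned by someone else and is actually executed.
build_demo_tree() {
    root=$(mktemp -d)
    for f in suid_ok sgid_ok suid_noexec plain; do
        : > "$root/$f"
    done
    chmod 4755 "$root/suid_ok"       # -rwsr-xr-x
    chmod 2755 "$root/sgid_ok"       # -rwxr-sr-x
    chmod 4644 "$root/suid_noexec"   # -rwSr--r--  (set, but ineffective)
    chmod 0755 "$root/plain"         # -rwxr-xr-x  (no special bits)
    printf '%s\n' "$root"
}

main() {
    root=$(build_demo_tree)
    echo "SUID/SGID files:"
    find_setid "$root" | while read -r f; do
        printf '%s %s %s\n' "$(perm_string "$f")" "$(mode_of "$f")" "$f"
    done
    echo "Set but ineffective (capital S):"
    find_dangling_setid "$root"
    rm -rf "$root"
}

main
```

For a real audit run find_setid against / with -xdev added, save the list, and diff it against the previous run: a SUID root binary that was not there yesterday is something you want to know about.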

 

Image courtesy of mark | marksei
mark
