Sunday, 21 October 2018

What is SUID, SGID and Sticky bit ? By Devan


There are 3 special permissions available for executable files and directories. These are :
1. SUID permission
2. SGID permission
3. Sticky bit

Set-user Identification (SUID)

Have you ever wondered how a non-root user can change his own password when he does not have write permission to the /etc/shadow file? Hmmm… interesting, isn’t it? Well, to understand the trick, check the permissions of the /usr/bin/passwd command :
# ls -lrt /usr/bin/passwd
-r-sr-sr-x   1 root     sys        31396 Jan 20  2014 /usr/bin/passwd
– If you check carefully, you will find two s’s in the permission field. The first s stands for SUID and the second one stands for SGID.
– When a command or script with the SUID bit set is run, its effective UID becomes that of the owner of the file, rather than that of the user who is running it.
– Another good example of SUID is the su command :
# ls -l /bin/su 
-rwsr-xr-x 1 root user  16384 Jan 12 2014 /bin/su
– The setuid permission is displayed as an “s” in the owner’s execute field.

How to set SUID on a file?

# chmod 4555 [path_to_file]
Note :
If a capital “S” appears in the owner’s execute field, it indicates that the setuid bit is on, and the execute bit “x” for the owner of the file is off or denied.

Set-group identification (SGID)

SGID permission on executable file

– SGID permission is similar to SUID permission; the only difference is that when a script or command with SGID set is run, it runs as if the invoking user were a member of the group that owns the file.
# ls -l /usr/bin/write
-r-xr-sr-x  1   root tty 11484 Jan 15 17:55 /usr/bin/write
– The setgid permission displays as an “s” in the group’s execute field.
Note :
– If a lowercase letter “l” appears in the group’s execute field, it indicates that the setgid bit is on and the execute bit for the group is off or denied (this is how the Solaris ls shown above displays it; GNU ls on Linux shows a capital “S” in that position instead).

How to set SGID on a file?

# chmod 2555 [path_to_file]

SGID on a directory

– When SGID permission is set on a directory, files created in the directory belong to the group of which the directory is a member.
– For example if a user having write permission in the directory creates a file there, that file is a member of the same group as the directory and not the user’s group.
– This is very useful in creating shared directories.

How to set SGID on a directory

# chmod g+s [path_to_directory]

Sticky Bit

– The sticky bit is primarily used on shared directories.
– It is useful for shared directories such as /var/tmp and /tmp because users can create files, read and execute files owned by other users, but are not allowed to remove files owned by other users.
– For example, if user bob creates a file named /tmp/bob, another user tom cannot delete this file even though the /tmp directory has permission 777. If the sticky bit is not set, tom can delete /tmp/bob, because removing a file is governed by write permission on the parent directory (/tmp), not by the permissions of /tmp/bob itself.
– The root user (of course!) and the owner of the file can still remove it.

Example of sticky bit :

# ls -ld /var/tmp
drwxrwxrwt  2   sys   sys   512   Jan 26 11:02  /var/tmp
– A capital “T” is shown when the sticky bit is set but the execute permission for others is off.
– A lowercase “t” is shown when the sticky bit is set and the execute permission for others is on.

How to set sticky bit permission?

# chmod +t [path_to_directory]
or 
# chmod 1777 [path_to_directory]
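The three special bits from the sections above, set on a scratch tree and then audited the way an administrator would check a host for them. This is an added example, not part of the original post; every path under $DEMO is constructed here, and the symbolic modes asserted are those printed by GNU/Linux ls.

```shell
#!/bin/sh
# Added example: build a scratch tree, set SUID, SGID and the sticky bit on
# it, then audit for them. Run as a normal user; no root is required.
set -eu

DEMO="${DEMO:-$(mktemp -d)}"   # constructed scratch directory

setup_demo() {
    mkdir -p "$DEMO/shared" "$DEMO/drop"
    : > "$DEMO/suid_tool";   chmod 4755 "$DEMO/suid_tool"    # -rwsr-xr-x
    : > "$DEMO/sgid_tool";   chmod 2755 "$DEMO/sgid_tool"    # -rwxr-sr-x
    : > "$DEMO/suid_noexec"; chmod 4644 "$DEMO/suid_noexec"  # -rwSr--r-- (capital S: no owner x)
    chmod 2775 "$DEMO/shared"   # SGID directory: new files inherit its group
    chmod 1777 "$DEMO/drop"     # sticky dir: only owner/root may delete entries
    : > "$DEMO/shared/report"   # created inside the SGID directory
}

# Symbolic mode of one path, first 10 characters only (drops ACL/SELinux markers).
mode_of() {
    ls -ld "$1" | awk '{print $1}' | cut -c1-10
}

# Group name shown by ls for one path.
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# Audit: every regular file under a root that carries SUID or SGID.
# Same idea as the classic "find / -perm -4000" sweep for privileged binaries.
find_special_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Audit: every directory under a root with the sticky bit set.
find_sticky_dirs() {
    find "$1" -type d -perm -1000 | sort
}
```

Running `setup_demo` and then `find_special_files "$DEMO"` lists the three files, and `group_of "$DEMO/shared/report"` matches the group of the SGID directory rather than your primary group.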
