Linux

How to Set Special File Permissions in Linux using SUID, GUID, and Sticky Bit

SUID-GUID-Sticky-Bit-1

Linux is a multi-user operating system that allows you to create multiple users and grant user-level access to all files and directories. Certain files and directories, such as the /tmp directory, can be accessed by all users on your system. The issue with such directories is that any user can modify or delete files created by other Linux users, either intentionally or unintentionally. To avoid such problems, Linux supports special permission such as SUID, GUID, and Sticky Bit. Sticky Bit allows only the owner or the root to modify/delete files. You can also set permissions on executable files to allow the file being executed to be executed with the privileges of the owner or the group user.

In this write-up, you will learn about SUID, GUID, and Sticky Bit and they work. It is important to know that, in Linux, everything has an owner and is a file. The root user, who has exceptional permissions to run anything and everything, is known as the root. Everyone else has very limited rights and access to certain files and directories. One needs to utilize the sudo command in order to work with elevated privileges. Giving out the root password to haphazard individuals whenever they need to perform tasks requiring greater privileges is not a good idea, though.

You can review the following posts to learn more about Linux commands: How to Rename or Move a File or Directory in Linux – Bash Terminal Command, Locate, Find, and Grep: How to search for files and patterns in Linux or Unix like OS, Linux Cheat Sheet: The Linux Command Line, How to Switch between Users in Linux, and how to Save Read-Only Files in VIM Editor in Linux/Unix-like OS

It is assumed that you have already familiarize yourself with the regular read-write and execute permissions in Linux as shown in the image below:

Permissions-in-Linux
Regular Permission in Linux

Apart from these regular permissions, there are a few special file permissions and not many Linux users are aware of it. This is where SUID, GUID, and Sticky Bit come into the picture. Now let’s look at each special permission one after the other.

What is SUID

SUID which stands for Set User Owner ID is an executable’s permission bit flag that enables an alternate user to run an executable with the same permissions as the file’s owner rather than the alternate user’s permissions. If the SUID bit on an executable file is set, the executable file will be executed with the same permissions as its owner.

For instance, if you look using the ls -l command at the binary executable file of the passwd command, it has the SUID bit set.

ls -l /usr/bin/passwd

See the screenshot below for more information.

SUID-set

From the screenshot above, it means any user running the passwd command will be running it with the same permission as the root. The SUID special file permission for executable files. This enables other users to run the file with the effective permissions of the file owner. You will notice that instead of normal x which represents executable permissions, the SUID is represented with the letter “s” which indicates  special permission for the user.

The benefit is that the passwd command needs to edit files like /etc/passwd, /etc/shadow to change the password. These files are owned by root and can only be modified by root. But with the help of setuid flag (SUID bit), a regular user will also be able to modify these files (that are owned by root) and change his/her password. This is the reason why you can use the passwd command to change your own password despite of the fact that the files are owned by root.

Setting SUID bit

The chmod command in symboli mode can be used to set SUID bit. For example to set SUID bit, run:

chmod u+s <file_name>
Setting-SUID-with-Sudo-Permission
Setting SUID in a File

The letter small letter “s” indicate that the SUID has been set on the file.

How to remove SUID?

To remove SUID from a file, run:

chmod u-s <file_name>
Removing-SUID-1
Removing SUID from a file

Alternatively, you can use the numeric method with 0 instead of 4 with the permissions you want to set:

chmod 0766 <file_name>
Alternative-way-to-remove-SUID
Alternate way

Difference between small “s” and capital “S” as SUID bit

The meaning of SUID of allowing the execution of a file with the same permissions as its owner. If you set the SUID bit, it will show a capital S, not small s:

Setting-SUID-on-a-file
Wrong Way of Setting SUID

The capital S as SUID flag indicates that there is a problem that has to be investigated. There is no executable permission on the file, despite the fact that you want it to be executed with the same permissions as the owner. The owner cannot even execute the file, and if the file cannot be executed, you will not be granted permission. The entire purpose of setting the SUID bit is defeated by this.

What is SGID?

The sole difference between the SGID permission and the SUID permission is that when a script or command with the SGID permission is run, it behaves as though it is a member of the same group as the file.

It’s useful for managing directories. When SGID permission is granted to a directory, any files and subdirectories created inside of it will have the same group ownership as the directory’s primary directory (not the group ownership of the user that created the files and directories).

ls -ld /var/local

Open your terminal and check the permission on the file /var/local:

Check-SGID
Checking SGID on a Directory

The letter “s” appears in this folder, /var/local, where you would expect to see “x” or “-” for group rights.

How to set SGID?

You can set the SGID bit in symbolic mode like this:

chmod g+s <directory_name>
Setting-SGID-in-Directory
Setting SGID on a Directory

The numerical approach is an alternative. Simply add a fourth digit to the standard permissions. The octal number that SGID always uses is 2.

chmod 2775 <directory_name>

Removing SGID

Just use the -s instead of +s as shown below:

chmod g-s <directory_name>
Removing-SGID
Removing SGID

Removing SGID numerically is the same as removing SUID. Use the additional 0 before the permissions you want to set:

chmod 0755 folder1
Removing-SGID-Numerically
Removing SGID using Numerical Method

Note: If a lowercase letter “l” appears in the group’s execute field, it indicates that the setgid bit is on, and the execute bit for the group is off or denied.

What is a Sticky Bit?

The sticky bit works on the directory. When a directory’s sticky bit is enabled, only the root user or the file owners can delete or rename any of the files in the directory.

image-60

This is frequently used in the /tmp directory, which serves as the temporary files’ trash bin.

Checking-Sticky-Bit
Checking Sticky Bit Permission

As you can see, the folder /tmp, has the letter t in the same place we expect to see x or – for others’ permissions. This means that a user (except root) cannot delete the temporary files created by other users in the /tmp directory.

How to set the sticky bit?

As usual, the sticky bit in Linux can be set using both symbolic and numeric modes.

Adding-Removing-sticky-bit
Adding-Removing Sticky Bit

The numeric way is to add a fourth digit to the normal permissions As shown in the screenshot above. The octal number used for the sticky bit is always 1. Removing Stick Bit is also described in the image above. It can be achieved symbolically by adding the -t flag instead of +t.

You can also remove Sticky Bit using the numerical mode as shown below:

chmod 0775 <directory_name>
Using-Numerical-Mode-to-remove-sticky-bit
Using Numerical Mode to Remove Sticky Bit

From what we have discussed so in the post, you could see those specific permissions are easy to understand while working on your favorite Linux Disto, but they should still be utilized with extreme caution.

Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x