setuid, setgid & sticky bit

Other than the standard permissions rwx applied to ugo, there are 3 extra special permissions that can be used: setuid, setgid & sticky bit.

The setuid only applies to files (if applied to directories it is ignored) and grants the executing user the same privileges as the owner of the file (provided that user can execute the file through standard permissions or ACLs!). The most typical example of setuid file is /usr/bin/passwd. This file requires setuid to let non-root users modify their own passwords by modifying /etc/shadow.

$ ls ­-l /usr/bin/passwd
-rwsr-­xr-­x 1 root root 47032 Jul 26 2013 /usr/bin/passwd

The “s” in the execute octet for the owner of the file denotes that setuid bit is set on this file. We can enable the setuid bit in a file in 2 ways:

$ chmod 4755 myscript.sh
$ chmod u+rws,g+rx,o+rx myscript.sh

The two commands above have exactly the same result: read-write-execute permissions to the owner plus read-execute permissions with setuid to group and other.

The setgid can be used for both files and directories. The way it works with files is analogous to setuid but instead of granting executing users the same privileges as the owner of the file, it grants the same permissions as the group owner.

When applied to directories it grants ownership to the setgid group of any files created in the directory from then on. Let's look at an example:

# mkdir /opt/accounting
# groupadd accounting
# chown root:accounting /opt/accounting
# chmod 2770 /opt/accounting

With the series of commands above we have created the accounting group as well as the directory accounting. By giving user ownership to root (or nobody) we are making sure that nobody in the accounting group actually owns the directory. Then by setting the setgid on /opt/accounting we are forcing any subsequent creation of files in the directory to be owned by the group accounting regardless of the main group membership of the user creating the file.

# id marc
uid=1000(marc) gid=1000(marc) groups=1000(marc),10(wheel),1002(accounting)
# touch /opt/accounting/test1
# ls -­l /opt/accounting/test1
-rw-­rw-­r--­­. 1 marc accounting 0 Mar 30 15:22 test1

In a normal directory, if user marc created a file the group ownership should be set to marc (marc's main group). But by using the setgid, that changes and ownership of the file is set to accounting. That makes it easier to setup shared areas where different users have the same group rights on the underlying files.

The sticky bit only applies to directories (if applied to files it is ignored) and it prevents users from deleting the sticky bit directory or those files not owned by them (ignoring the fact that they might have the right to do so). This feature is especially useful in temporary directories such as /tmp or ftp directories to which users can write their own files but should be prevented from deleting others'.

# ls ­-l / | grep tmp
drwxrwxrwt. 26 root root 4096 Mar 30 15:32 tmp
# touch /tmp/test2
# chmod 777 /tmp/test2
# ls -­l /tmp/test2
-rwxrwxrwx. 1 root root 0 Mar 30 15:32 test2

We see above that the /tmp folder has the sticky bit set on the execute octet for other users. As root, we create the file test2 in the sticky bit directory and give it 777 permissions so anybody should be able to delete it.

$ id
uid=1000(marc) gid=1000(marc) groups=1000(marc),10(wheel),1002(accounting)
$ rm /tmp/test2
rm: cannot remove ‘test2’: Operation not permitted

We see that the sticky bit prevents us from deleting another user file eventhough we have full permissions on that file.

 

<< user administration commands          su command >>