Sticky Bit, SUID, SGID Bit in Linux.

In this post, we will look at the concepts of SUID, SGID, and Sticky Bit, and how they work differently when applied to files and directories.

Let's look at these points one by one to understand them clearly.

1. SUID (Set User IDentification)
The SUID bit modifies file/directory permissions or behavior in the following ways.

a. SUID Bit on a File
When we turn on the SUID bit on a file, it is executed with the owner's set of permissions or power.

Note: SUID, SGID, or Sticky Bit are only useful when they are applied to executable files.

A very interesting example of the SUID bit is the “passwd” command, which changes a user's password and runs each time with the power of the root user, i.e. the owner.

[root@nglinux ~]# ls -l /usr/bin/passwd 
-rwsr-xr-x. 1 root root 25980 Nov 23  2015 /usr/bin/passwd

If the execute permission is not set on a file, the SUID bit is displayed as a capital letter S instead of a small letter s.

### Let's see the permissions of an executable file
[root@nglinux c_programs]# ls -l a.out 
-rwxr-xr-x. 1 root root 6098 Aug  5 04:22 a.out

### Set SUID bit on the file.
[root@nglinux c_programs]# chmod u+s a.out 
[root@nglinux c_programs]# ls -l a.out 
-rwsr-xr-x. 1 root root 6098 Aug  5 04:22 a.out

### Now remove executable permission from the file.
### Observe the file now has capital S showing in permissions.
[root@nglinux c_programs]# chmod u-x a.out 
[root@nglinux c_programs]# ls -l a.out 
-rwSr-xr-x. 1 root root 6098 Aug  5 04:22 a.out

b. SUID Bit on a directory
If the set-user-ID bit is set on a directory, it would change the ownership of new sub-files or sub-directories according to the set-user-ID bit of the parent directory. This way we can make sure a directory structure has the same ownership and set of permissions, which makes sharing files convenient.

2. SGID (Set Group identification)
The SGID bit can be set on a file or a directory and has a different effect on each.

a. SGID effect on a file
When the SGID bit is set on a file, it is executed with the permissions of the file's group, regardless of the user who is executing the file.

b. SGID effect on Directory
–> When the SGID bit is set on a directory, for example with chmod -R 2770 /testdirectory, all new files and directories created in /testdirectory/ inherit the group of this directory, even if the user's primary group is something different.
–> One more effect is that sub-directories inherit the SGID bit by default.

### Let's see the current permissions of a directory
[root@nglinux c_programs]# ls -ld .
drwsr-xr-x. 2 root root 4096 Aug  5 04:22 .

### Set the SGID Bit 
[root@nglinux c_programs]# chmod g+s .
[root@nglinux c_programs]# ls -ld .
drwsr-sr-x. 2 root root 4096 Aug  5 04:22 .

### Now let's create a new file and dir
[nglinux@nglinux c_programs]$ touch testfile1
[nglinux@nglinux c_programs]$ mkdir testdir2

### Now view the permissions
### File & dir have group root instead of nglinux
### the dir has the setGID bit set by default.
[nglinux@nglinux c_programs]$ ls -ltr
total 20
-rw-r--r--. 1 root    root   58 Aug  4 19:34 1hello.c
-rw-r--r--. 1 root    root  417 Aug  5 04:22 2forloop.c
-rwSr-xr-x. 1 root    root 6098 Aug  5 04:22 a.out
-rw-rw-r--. 1 nglinux root    0 Nov 18 04:52 testfile1
drwxrwsr-x. 2 nglinux root 4096 Nov 18 04:52 testdir2

3. Sticky Bit
Sticky Bit is also known as the “restricted deletion bit”.

a. Sticky Bit effect on Files
The sticky bit got its name because it makes the executable file stick in system swap memory, and hence makes the file execute faster every subsequent time it is called.
Today most Unix operating systems ignore this sticky bit feature.

b. Sticky Bit effect on Directories
When the sticky bit is set on a directory, it prevents unprivileged users from deleting or renaming a file in the directory unless they are the owner of the file or the directory.

A t at the end of the permission string symbolizes that the sticky flag, or restricted deletion flag, is ON for the directory.

It is commonly found on world-writable directories like /tmp or /var/tmp.

When this bit is enabled, only owners can delete files and directories, and other users can't make modifications to any other file/dir.

### We can see sticky bit is "ON" on /tmp directory
[nglinux@nglinux c_programs]$ ls -ld /tmp/
drwxrwxrwt. 30 root root 4096 Nov 18 03:09 /tmp/

### see the effect 
[nglinux@nglinux c_programs]$ cd /tmp/
[nglinux@nglinux tmp]$ ls -ltr
drwx------. 2 gdm     gdm     4096 Nov 17 17:51 orbit-gdm
drwx------. 2 gdm     gdm     4096 Nov 17 17:51 pulse-YKyKKebDVvBa
drwx------. 2 gdm     gdm     4096 Nov 17 17:51 gconfd-gdm
[nglinux@nglinux tmp]$ rm -rf gconfd-gdm/
rm: cannot remove `gconfd-gdm': Permission denied
[nglinux@nglinux tmp]$ touch hello
[nglinux@nglinux tmp]$ 
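
The checks a defender would run for the bits described so far, as an added example that is not part of the original post: it lists SUID/SGID files (marking the capital-S case where the execute bit is missing) and world-writable directories that lack the sticky bit. It assumes GNU find (for -printf); the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Requires GNU find (-printf).
# Each finding is printed as: "<finding> <octal-mode> <owner>:<group> <path>"

audit_special_bits() {
    root=$1
    # Regular files carrying SUID (4000) and/or SGID (2000).
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u:%g %p\n' 2>/dev/null |
    while read -r mode owner path; do
        m=$((0$mode))                       # %m is octal, e.g. 4755
        if [ $((m & 04000)) -ne 0 ]; then
            # Without the owner execute bit, ls shows a capital "S".
            if [ $((m & 0100)) -ne 0 ]; then tag=SUID; else tag=SUID-NOEXEC; fi
            echo "$tag $mode $owner $path"
        fi
        if [ $((m & 02000)) -ne 0 ]; then
            if [ $((m & 0010)) -ne 0 ]; then tag=SGID; else tag=SGID-NOEXEC; fi
            echo "$tag $mode $owner $path"
        fi
    done
    # World-writable directories that do NOT have the sticky bit (1000):
    # any user can delete or rename another user's files in them.
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 \
        -printf 'WORLD-WRITABLE-NO-STICKY %m %u:%g %p\n' 2>/dev/null || true
}

# Constructed sample tree (hypothetical file names) so the audit runs offline.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    touch "$d/tool" "$d/broken" "$d/plain"
    chmod 4755 "$d/tool"      # -rwsr-xr-x
    chmod 4644 "$d/broken"    # -rwSr--r--
    chmod 0755 "$d/plain"     # no special bits, must not be reported
    mkdir "$d/dropbox" "$d/tmplike"
    chmod 0777 "$d/dropbox"   # world-writable, no sticky bit
    chmod 1777 "$d/tmplike"   # like /tmp, must not be reported
    echo "$d"
}

# With an argument, audit that directory; otherwise audit the demo tree.
if [ "$#" -gt 0 ]; then
    audit_special_bits "$1"
else
    demo=$(make_demo_tree) && audit_special_bits "$demo"
    rm -rf "$demo"
fi
```

Comparing the output against a saved baseline from a known-good state makes newly added SUID/SGID files stand out.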

4. How to set SUID SGID and Sticky Bit using chmod command.
Let's have a look at the chmod command to set the SUID, SGID and sticky bits.

a. Sticky Bit
### Check current permissions
[root@nglinux testdir]# ls -ltr
total 0
-rw-r--r--. 1 root root 0 Nov 18 05:10 file1
-rw-r--r--. 1 root root 0 Nov 18 05:10 dir1

### Set Sticky Bit on file and dir using bit 1
[root@nglinux testdir]# chmod 1770 file1
[root@nglinux testdir]# chmod 1770 dir1
[root@nglinux testdir]# ls -ltr
total 0
-rwxrwx--T. 1 root root 0 Nov 18 05:10 file1
-rwxrwx--T. 1 root root 0 Nov 18 05:10 dir1

### make the file executable to see T becomes t
[root@nglinux testdir]# chmod +x file1
[root@nglinux testdir]# ls -ltr
total 0
-rwxrwx--t. 1 root root 0 Nov 18 05:10 file1
-rwxrwx--T. 1 root root 0 Nov 18 05:10 dir1
[root@nglinux testdir]# 



b. SGID
#### Set SGID using permission bit 2
[root@nglinux testdir]# chmod 2770 file1
[root@nglinux testdir]# chmod 2770 dir1
[root@nglinux testdir]# ls -ltr
total 0
-rwxrws---. 1 root root 0 Nov 18 05:10 file1
-rwxrws---. 1 root root 0 Nov 18 05:10 dir1
[root@nglinux testdir]# 



c. SUID
### Setting SUID bit using bit 4
[root@nglinux testdir]# chmod 4770 file1 
[root@nglinux testdir]# chmod 4770 dir1
[root@nglinux testdir]# chmod 4770 file1 
[root@nglinux testdir]# ls -ltr
total 0
-rwsrwx---. 1 root root 0 Nov 18 05:10 file1
-rwsrwx---. 1 root root 0 Nov 18 05:10 dir1


d. Removing and setting SUID+SGID+Sticky Bits together
### Set default permissions of a file and dir and removing special bits
[root@nglinux testdir]# chmod 755 *
[root@nglinux testdir]# ls -ltr
total 0
-rwxr-xr-x. 1 root root 0 Nov 18 05:10 file1
-rwxr-xr-x. 1 root root 0 Nov 18 05:10 dir1

### Now add suid, sgid, and sticky bit on the file and dir.
[root@nglinux testdir]# chmod 7777 file1 dir1
[root@nglinux testdir]# ls -ltr
total 0
-rwsrwsrwt. 1 root root 0 Nov 18 05:10 file1
-rwsrwsrwt. 1 root root 0 Nov 18 05:10 dir1
[root@nglinux testdir]# 
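
How the four-digit octal modes used above turn into the s/S and t/T letters that ls prints, as an added example that is not part of the original post. The function name mode_to_string is hypothetical; it only does arithmetic on the mode and touches no files.

```shell
#!/bin/sh
# Added example, not from the original post.
# mode_to_string OCTAL -> nine-character permission string as shown by ls -l.
# The leading octal digit is the sum of SUID (4), SGID (2) and sticky (1).

mode_to_string() {
    case $1 in
        ''|*[!0-7]*) echo "invalid octal mode: $1" >&2; return 1 ;;
    esac
    m=$((0$1))
    out=
    for shift_by in 6 3 0; do              # owner, group, other triplets
        bits=$(( (m >> shift_by) & 7 ))
        if [ $((bits & 4)) -ne 0 ]; then r=r; else r=-; fi
        if [ $((bits & 2)) -ne 0 ]; then w=w; else w=-; fi
        if [ $((bits & 1)) -ne 0 ]; then x=x; else x=-; fi
        # The special bit shares the execute position of its triplet.
        case $shift_by in
            6) special=$((04000)); lower=s; upper=S ;;   # SUID
            3) special=$((02000)); lower=s; upper=S ;;   # SGID
            0) special=$((01000)); lower=t; upper=T ;;   # sticky
        esac
        if [ $((m & special)) -ne 0 ]; then
            # Lower case: execute bit also set. Upper case: execute bit missing.
            if [ "$x" = x ]; then x=$lower; else x=$upper; fi
        fi
        out="$out$r$w$x"
    done
    echo "$out"
}

# The modes used in this post.
for mode in 4755 4655 2770 1770 1771 4770 7777; do
    printf '%s -> %s\n' "$mode" "$(mode_to_string "$mode")"
done
```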
