Special permission (suid, sgid and sticky bit)
Sometimes a command needs privileges that the user running it does not have in order to do its job. Three special permission bits (suid, sgid and the sticky bit) exist for executable files and directories to handle this.
For example, when you change your password with the passwd command, the new password hash is stored in the file /etc/shadow. As a regular user you have neither read nor write access to that file, for good reason, yet passwd must write to it on your behalf. The passwd program therefore runs with the privileges of its owner (root) rather than yours while it updates /etc/shadow, and that is exactly what these special permissions arrange.
setuid Permission (suid)
SUID stands for Set User ID. When the set-user-id (suid) bit is set on an executable file, the process that runs it gets the effective user ID of the file's owner rather than of the user who started it. Access checks are then made as the owner, so the program can reach files and directories that only the owner could otherwise touch. This also makes every suid binary a privilege boundary: a bug in it runs with the owner's privileges, which is why suid root programs should be few and well audited.
For example, the file /usr/bin/passwd has suid permission; checking it gives the following output.
$ ls -l /usr/bin/passwd
-r-sr-xr-x 1 root bin 19031 Feb 7 13:47 /usr/bin/passwd
The owner of this file is root, and the owner permissions read r-s. The s in place of x shows that the suid bit is set, and because of it other users are able to change their own password. An uppercase S in that position means the suid bit is set but the owner execute bit is not, so the file cannot be run as a program and the suid bit has no effect.
setgid Permission (sgid)
SGID stands for Set Group ID. The set-group-id (sgid) bit is the group counterpart of setuid: the process runs with the effective group ID of the file's group owner, and access is granted according to the permissions of that group.
For example, the file /usr/bin/mail has sgid permission; checking it gives the following output.
$ ls -l /usr/bin/mail
-r-x--s--x 1 root mail 63628 Feb 16 12:01 /usr/bin/mail
Here the group permissions read --s: the group execute bit is set and, with it, sgid, so mail runs with the group mail.
When the setgid bit is set on a directory, files created in that directory belong to the group that owns the directory, not to the primary group of the process that created them. Any user with write and execute permission on the directory can still create files there, but each new file takes the directory's group rather than the creating user's group, which is how shared project directories keep group access consistent. Subdirectories created inside such a directory inherit the setgid bit as well.
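Added example, not part of the original post: setting up the shared project directory just described in POSIX shell, then checking that a newly created file inherits the directory's group. The helper names make_shared_dir, group_of and mode_of, the 2770 mode and the group picked in demo() are this example's own assumptions, not system defaults.

```shell
#!/bin/sh
# Added example: a group-writable project directory with setgid, so every
# file created inside inherits the directory's group. Function names are the
# example's own choice; the directory and group are parameters.

# group_of PATH: numeric group id of a file or directory (ls -n for portability)
group_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# mode_of PATH: the 10-character mode field from ls -l, e.g. drwxrws---
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# make_shared_dir DIR GROUP: create DIR, hand it to GROUP and set rwxrws---
# (octal 2770). The leading 2 is the setgid bit; 2775 would also let others read.
make_shared_dir() {
    dir=$1; grp=$2
    mkdir -p "$dir"
    chgrp "$grp" "$dir"   # as a non-root user this only works for a group you belong to
    chmod 2770 "$dir"
    # The kernel silently drops setgid if the caller is not a member of GROUP,
    # so confirm the 's' actually landed in the group-execute column.
    [ "$(mode_of "$dir" | cut -c7)" = "s" ] || {
        echo "setgid not set on $dir (not a member of group $grp?)" >&2
        return 1
    }
}

# Demo: use a supplementary group if the caller has one, otherwise the primary
# group, so the demo runs without root. Files are created in a scratch dir.
demo() {
    grp=$(id -G | tr ' ' '\n' | sed -n '2p')
    [ -n "$grp" ] || grp=$(id -g)
    d=$(mktemp -d)
    make_shared_dir "$d/project" "$grp"
    : > "$d/project/notes.txt"     # created by a process whose primary gid may differ...
    echo "directory group: $(group_of "$d/project")"
    echo "new file group : $(group_of "$d/project/notes.txt")"   # ...yet it takes the directory's group
    rm -rf "$d"
}
```

Run demo() as an ordinary user who belongs to at least two groups to see the inheritance: the second group is chosen deliberately so that the new file's group differs from the process's primary group only because of the setgid bit.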
Sticky Bit (t)
The sticky bit protects the files within a directory. If a directory has the sticky bit set, a file in it can be deleted or renamed only by the owner of the file, the owner of the directory, or root, even when the directory itself is world-writable. This prevents users from deleting each other's files in shared directories.
For example, the directory /tmp has the sticky bit set; checking it gives the following output.
$ ls -ld /tmp
drwxrwxrwt 7 root root 212992 Dec 4 04:02 /tmp
The t in the last position shows that the sticky bit is set: the permissions for others read rwt, so the directory is world-writable, executable and sticky.
Different Permissions Meaning
Symbol  Position  Meaning
S       owner     SUID is set, but owner execute is not set.
s       owner     SUID and owner execute are both set.
S       group     SGID is set, but group execute is not set.
s       group     SGID and group execute are both set.
T       other     Sticky bit is set, but other execute is not set.
t       other     Sticky bit and other execute are both set.
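Added example (not from the original post): a small POSIX shell script that decodes the letters in the table above from the ls -l mode string, lists suid/sgid files under a directory the way an audit would, and demonstrates the bits live on scratch files. The names mode_of, special_bits, find_special_bits and demo, the octal chmod values and the scratch files are this example's own assumptions.

```shell
#!/bin/sh
# Added example: decode the special-permission bits from the 10-character mode
# string that `ls -l` prints (the same strings shown in this post).
# Function names here are the example's own choice, not system commands.

# mode_of FILE: first 10 characters of the ls -l mode field, e.g. -rwsr-xr-x
# (cut drops any trailing '.' or '+' that ACLs or SELinux add).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# special_bits MODESTRING: print which special bits are set.
#   column 4  s/S -> setuid  (S = bit set, but owner execute missing)
#   column 7  s/S -> setgid  (S = bit set, but group execute missing)
#   column 10 t/T -> sticky  (T = bit set, but other execute missing)
# Output is one word per bit, e.g. "suid sgid sticky"; "none" if unset.
special_bits() {
    m=$1
    out=""
    case $(printf '%s' "$m" | cut -c4) in
        s) out="$out suid" ;;
        S) out="$out suid(no-exec)" ;;
    esac
    case $(printf '%s' "$m" | cut -c7) in
        s) out="$out sgid" ;;
        S) out="$out sgid(no-exec)" ;;
    esac
    case $(printf '%s' "$m" | cut -c10) in
        t) out="$out sticky" ;;
        T) out="$out sticky(no-exec)" ;;
    esac
    if [ -n "$out" ]; then
        printf '%s\n' "${out# }"
    else
        printf 'none\n'
    fi
}

# find_special_bits DIR: list regular files under DIR with setuid or setgid set,
# using POSIX find syntax (no GNU-only -perm /6000). Useful as a quick audit
# of which programs on a host run with someone else's privileges.
find_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;
}

# Live demo on a scratch directory: chmod on files you own works without root,
# even though the suid bit only matters for binaries owned by someone else.
demo() {
    d=$(mktemp -d)
    : > "$d/exe";    chmod 4755 "$d/exe"      # -rwsr-xr-x  suid and owner execute
    : > "$d/noexec"; chmod 4644 "$d/noexec"   # -rwSr--r--  suid but no owner execute
    mkdir "$d/shared"; chmod 1777 "$d/shared" # drwxrwxrwt  world-writable, sticky
    for f in exe noexec shared; do
        m=$(mode_of "$d/$f")
        printf '%s %-7s %s\n' "$m" "$f" "$(special_bits "$m")"
    done
    find_special_bits "$d"
    rm -rf "$d"
}
```

Decoding from the mode string rather than from octal keeps the check usable on any system where ls -l works; for a real audit, run find_special_bits against / and compare the list with what the distribution ships, since an unexpected suid root file is a common sign of a persisted backdoor or a misconfigured install.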