Sticky Bit, SUID and SGID : Generalities & practical examples


Introduction

The permission scheme for files and directories is not only a 3x3-bit set ([user, group, others] x [read, write, execute]) plus one for directories.
There is a fifth bit used to set "special" permissions on directories and files:

  1. t : described as the "sticky bit"

as well as a "hidden" value that replaces the execute bit in the owner or group field:

  1. s or S : depending on its position, known as either the "SUID" or the "SGID" bit

1 Sticky bit

1.1 Definition

A long time ago, in the early days of Unix, the sticky bit was implemented to tell Unix that once the application concerned had been executed, it should remain in memory: this was useful back in those days of relatively slow drives and memory access (keep in mind that Unix was designed as a multi-user system).

Nowadays the usage of the sticky bit is quite different: it is used to prevent users from removing files they don't own, regardless of the permissions set on the directory.

1.2 Octal / symbolic notation

  • Octal: 1
  • Symbolic: t


1.3 How to set a sticky bit

  • using absolute method:
    chmod 1775 <dir>
  • using symbolic method:
    chmod +t <dir>


1.4 Results

-rw-rw-r-T   1 pier pier        0 10 févr. 22:24 file.test # notice the "T" as last bit: upper case because "others" do not have the execute bit


1.5 Example

Take the example of a project within a company where people need to share data through a shared folder (e.g. over NFS): they all need read permission on it, but they must not be able to delete someone else's files. This can be achieved by setting the sticky bit on the parent directory.

  1. The shared directory is "test_dir": no sticky bit yet (see the ls -dl output), plus some useful info about the current user:
    [pier@testmachine tmp]$ whoami
    pier
    [pier@testmachine tmp]$ groups
    pier
    [pier@testmachine tmp]$ pwd
    /tmp
    [pier@testmachine tmp]$ ls -dl test_dir/
    drwxrwxrwx 2 pier pier 4096 22 mars  00:05 test_dir/
  2. The user pier creates a file "pier_file.txt" in "test_dir", with umask=0002 (for more information about umask, see this page):
    [pier@testmachine tmp]$ touch test_dir/pier_file.txt
    [pier@testmachine tmp]$ ls -l test_dir/
    total 0
    -rw-rw-r-- 1 pier pier 0 22 mars  14:52 pier_file.txt
  3. The user sticky_user (who is not in the same group as pier) is able to delete the newly created file pier_file.txt:
    -bash-4.1$ rm -f test_dir/pier_file.txt
    -bash-4.1$                # No problem deleting the file created by another user
  4. Now let's put the sticky bit in action and check it with ls -ld:
    [pier@testmachine tmp]$ chmod +t test_dir/
    [pier@testmachine tmp]$ ls -ld test_dir/
    drwxrwxrwt 2 pier pier 4096 22 mars  14:59 test_dir/   # notice the "t" as last permissions bit
  5. Then create a new file as pier (same umask, therefore the same permissions as before for pier_file2.txt) and try to delete it as sticky_user:
    [pier@testmachine tmp]$ touch test_dir/pier_file2.txt
    [pier@testmachine tmp]$ ls -l test_dir/
    total 0
    -rw-rw-r-- 1 pier pier 0 22 mars  15:02 pier_file2.txt
    su - sticky_user
    -bash-4.1$ rm -f test_dir/pier_file2.txt
    rm: impossible de supprimer « test_dir/pier_file2.txt » : Opération non permise # in English: "cannot remove 'test_dir/pier_file2.txt': Operation not permitted"
    -bash-4.1$

Here we are!
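To make the deletion rule behind this example explicit, here is an added Python example (not code from the original article) that renders a chmod octal value the way ls displays it and models the check the kernel applies when a user tries to unlink a file in a directory: without the sticky bit, write and search permission on the directory is enough; with it, the caller must additionally own the file or the directory, unless it is root. The uids and gids and the replay of the pier / sticky_user scenario are constructed for the demonstration.

```python
import stat

def filemode_from_octal(octal_mode, is_dir=False):
    """Render a chmod-style octal string such as "1775" the way ls -l shows it.
    stat.filemode() prints the sticky bit as 't' when "others" also have the
    execute (search) bit and as 'T' when they do not."""
    mode = int(octal_mode, 8) | (stat.S_IFDIR if is_dir else stat.S_IFREG)
    return stat.filemode(mode)

def has_write_and_search(uid, gids, owner_uid, group_gid, mode):
    """Classic Unix class selection: the owner class applies if uid owns the
    directory, otherwise the group class if the directory's group is one of the
    caller's groups, otherwise the "others" class. Deleting an entry needs both
    write (2) and execute/search (1) on the containing directory."""
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif group_gid in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & 0o3 == 0o3

def can_unlink(uid, gids, dir_owner_uid, dir_gid, dir_mode, file_owner_uid):
    """Model of the check applied to unlink()/rename() inside a directory.
    Root bypasses the sticky restriction; everyone else needs write and search
    on the directory and, if the sticky bit is set, must own either the file or
    the directory. Extra Linux protections such as the fs.protected_regular
    sysctl are deliberately not modelled here."""
    if uid == 0:
        return True
    if not has_write_and_search(uid, gids, dir_owner_uid, dir_gid, dir_mode):
        return False
    if dir_mode & stat.S_ISVTX:
        return uid in (file_owner_uid, dir_owner_uid)
    return True

# Constructed replay of the article's scenario (hypothetical ids): pier
# (uid 1000, group 1000) owns test_dir and the file; sticky_user (uid 1001)
# is in a different group.
PIER, STICKY_USER = 1000, 1001

def replay_scenario():
    """Return (before, after): may sticky_user delete pier's file while test_dir
    is at 0777, and then once it is at 1777?"""
    before = can_unlink(STICKY_USER, {1001}, PIER, 1000, 0o777, PIER)
    after = can_unlink(STICKY_USER, {1001}, PIER, 1000, 0o1777, PIER)
    return before, after

if __name__ == "__main__":
    print(filemode_from_octal("1777", is_dir=True), replay_scenario())
```

The model also shows why the owner of the shared directory can still clean up everybody's files, and why a mode such as 1775 keeps users outside the group from deleting anything at all (they lack write on the directory long before the sticky check is reached).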

2 SUID

2.1 Definition

The Set-User-ID bit makes a file execute with its owner's permissions rather than with the permissions of the user who launches the executable, as is the case with the classic permission set. It is often used to run shell scripts or other executable files with root permissions. A well-known example on Linux systems is the /usr/bin/passwd binary, which allows any user to update their own password (stored in the /etc/shadow file, owned by root with 000 permissions).


2.2 Octal / symbolic notation

  • Octal: 4
  • Symbolic: s or S

Note: the case (upper or lower) of the "s" depends on whether the file is also executable by the owner. If it is executable, the "s" is lower case; if not, it is shown as an upper-case "S".

2.3 How to set a SUID bit

  • using absolute method:
    chmod 4775 <file>
  • using symbolic method:
    chmod u+s <file>


2.4 Result

-rwSrw-r--   1 pier pier        0 12 févr. 22:24 file.test # upper-case "S": SUID is set but the owner execute bit is not

3 SGID

3.1 Definition

The Set-Group-ID bit makes a file execute with its group's permissions rather than with the group permissions of the user who launches the executable, as is the case with the classic permission set. It is often used to run shell scripts or other executable files with the permissions of the root group.


3.2 Octal / symbolic notation

  • Octal: 2
  • Symbolic: s or S (in the group field: the second set of three bits)

Note: the case (upper or lower) of the "s" depends on whether the file is also executable by the group. If it is executable, the "s" is lower case; if not, it is shown as an upper-case "S".

3.3 How to set a SGID bit

  • using absolute method:
    chmod 2775 <file>
  • using symbolic method:
    chmod g+s <file>


3.4 Result

-rw-rwSr--   1 pier pier        0 12 févr. 22:24 file.test # upper-case "S" in the group field: SGID is set but the group execute bit is not
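Since the same s/S and t/T notation applies to all three special bits, here is an added Python example (not the article's code) that serves both the SUID and the SGID sections: it walks a directory tree, reports every entry carrying SUID, SGID or the sticky bit in ls notation, and compares the result with a previously recorded baseline, which is how a defender spots a set-user-ID binary that was not there at the last audit. The sample tree, its file names and the baseline are constructed for the demonstration. One caveat worth knowing: on Linux the kernel ignores SUID and SGID on interpreted scripts (anything executed through a #! line), so in practice these bits only take effect on compiled binaries.

```python
import os
import stat
import tempfile

# Special mode bits and the names used in the audit report.
SPECIAL_BITS = (
    (stat.S_ISUID, "SUID"),
    (stat.S_ISGID, "SGID"),
    (stat.S_ISVTX, "sticky"),
)

def special_flags(mode):
    """Names of the special bits set in a raw st_mode value."""
    return [name for bit, name in SPECIAL_BITS if mode & bit]

def find_special(root):
    """Walk root and return sorted (relative path, ls-style mode, flags) for every
    directory or regular file carrying SUID, SGID or the sticky bit.
    Symlinks are skipped: their own mode bits are meaningless."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            flags = special_flags(st.st_mode)
            if flags:
                results.append((os.path.relpath(path, root),
                                stat.filemode(st.st_mode), flags))
    return sorted(results)

def new_since_baseline(found, baseline):
    """Entries whose (path, flags) pair is absent from a previously recorded
    baseline. A SUID file that was not there at the last audit is the thing
    to investigate first."""
    known = {(path, tuple(flags)) for path, flags in baseline}
    return [entry for entry in found if (entry[0], tuple(entry[2])) not in known]

def build_demo_tree():
    """Constructed sample tree (hypothetical names) exercising each notation case
    from the article: s vs S, t vs T, and a plain file that must not be reported."""
    root = tempfile.mkdtemp(prefix="specialbits_")
    layout = {
        "bin/setuid_tool": 0o4755,   # -rwsr-xr-x : SUID, owner-executable -> lower-case s
        "bin/setgid_tool": 0o2755,   # -rwxr-sr-x : SGID, group-executable -> lower-case s
        "data/noexec_suid": 0o4644,  # -rwSr--r-- : SUID without owner execute -> upper-case S
        "plain": 0o644,              # ordinary file, must not appear in the report
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)         # chmod applies the mode exactly; umask is not involved
    shared = os.path.join(root, "shared")
    os.makedirs(shared)
    os.chmod(shared, 0o1777)         # drwxrwxrwt : sticky, world-writable drop directory
    return root

if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, mode_str, flags in find_special(demo_root):
        print(f"{mode_str} {rel:20} {','.join(flags)}")
```

On a real system you would point find_special at / (or at the package-managed directories) and keep the baseline under version control; the one-line shell equivalent of the scan is GNU find's `find / -xdev -type f -perm /6000`, where `/6000` matches files with either SUID or SGID set.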
