Quick Guide to SUID, SGID and Sticky Bit

· by Victor Mendonça · Read in about 2 min · (382 words) ·

This is a quick guide on how to configure and use SGID, SUID and the sticky bit on Linux. I will not get into a lot of details, but I will add comments and notes that might help you understand or overcome a few common issues.

SUID - Set-user Identification

When a command or script with SUID bit set is run, its effective UID becomes that of the owner of the file, rather than of the user who is running it.

-rws-----


Note: SUID does not work on scripts that start with a shebang (#!)

# chmod u+s [file]
-rwsr--r--. 1 root root 0 Mar 16 21:48 test

# chmod 4744 [file]
-rwsr--r--. 1 root root 0 Mar 16 21:48 test


Note: A capital ’S’ (-rwSr–r–) indicates that the execute bit is not set

SGID - Set-group identification

SGID permission is similar to the SUID permission. The main difference is that when a script or command with SGID set is run, it runs as if it were a member of the same group in which the file is a member.

-rwxr-sr--


Setting SGID

# chmod g+s [file]
-rwxr-sr--. 1 root root 0 Mar 16 21:48 test

# chmod 2754 [file]
-rwxr-sr--. 1 root root 0 Mar 16 21:48 test


Note: A capital ’S’ (-rwxr-Sr–) indicates that the execute bit is not set

Sticky bit

Anyone can write, but only the owner can delete the files (just like /tmp).

drwxrwxrwt


Sticky bit is usually set on directories. Setting the sticky bit on a folder does nothing (on Linux).

Setting sticky bit

# chmod o+t [dir]
-rwxr-r-t. 1 root root 0 Mar 16 21:48 test

# chmod 1755 [dir]
-rwxr-xr-t. 1 root root 0 Mar 16 21:48 test


Notes:

• A capital ’T’ indicates that the execute bit is not set
• You should give write permission to make sure that the target users can write to the folder

A . can represent special permissions (SELinux related).

-rw-rw-rw-.


A + indicates ACLs are applied.

-rw-rw-rw-+


Cheat Table

Mode Octal Symbolic
SUID 4755 u+s
SGID 2775 g+s
Sticky Bit 1777 o+t

Note: Octal mode is not an absolute translation to symbolic mode as symbolic changes only the specified permission set (user, group OR others), while octal overwrites all permission sets (user, group AND others)

Latest Posts