This is a quick guide on how to configure and use SGID, SUID and the sticky bit on Linux. I will not get into a lot of details, but I will add comments and notes that might help you understand or overcome a few common issues.
SUID - Set-user Identification
When a command or script with SUID bit set is run, its effective UID becomes that of the owner of the file, rather than of the user who is running it.
-rws-----
Note: SUID does not work on scripts that start with a shebang (#!)
# chmod u+s [file]
-rwsr--r--. 1 root root 0 Mar 16 21:48 test
# chmod 4744 [file]
-rwsr--r--. 1 root root 0 Mar 16 21:48 test
Note: A capital ’S’ (-rwSr–r–) indicates that the execute bit is not set
SGID - Set-group identification
SGID permission is similar to the SUID permission. The main difference is that when a script or command with SGID set is run, it runs as if it were a member of the same group in which the file is a member.
-rwxr-sr--
Setting SGID
# chmod g+s [file]
-rwxr-sr--. 1 root root 0 Mar 16 21:48 test
# chmod 2754 [file]
-rwxr-sr--. 1 root root 0 Mar 16 21:48 test
Note: A capital ’S’ (-rwxr-Sr–) indicates that the execute bit is not set
Sticky bit
Anyone can write, but only the owner can delete the files (just like /tmp).
drwxrwxrwt
Sticky bit is usually set on directories. Setting the sticky bit on a folder does nothing (on Linux).
Setting sticky bit
# chmod o+t [dir]
-rwxr-r-t. 1 root root 0 Mar 16 21:48 test
# chmod 1755 [dir]
-rwxr-xr-t. 1 root root 0 Mar 16 21:48 test
Notes:
- A capital ’T’ indicates that the execute bit is not set
- You should give write permission to make sure that the target users can write to the folder
Additional Special Permissions
A . can represent special permissions (SELinux related).
-rw-rw-rw-.
A + indicates ACLs are applied.
-rw-rw-rw-+
Cheat Table
| Mode | Octal | Symbolic |
|---|---|---|
| SUID | 4755 | u+s |
| SGID | 2775 | g+s |
| Sticky Bit | 1777 | o+t |
Note: Octal mode is not an absolute translation to symbolic mode as symbolic changes only the specified permission set (user, group OR others), while octal overwrites all permission sets (user, group AND others)
