Special File Permissions in Linux (SUID, SGID and Sticky Bit)

Edumotivation Team

3 years ago

In this lesson we’re going to discuss special file permissions.

In my previous article, I had explained how the Linux Permission works and I would request you to read that guide first.

Table of Contents

Toggle

Introduction

Now honestly most of the time when you’re working with permissions on a Linux system, you’re going to be working with the standard read, write and execute permissions.

But be aware that there are other special permissions that are available that you can assign to a file or directory in the Linux file system if you need to.

Now be aware that you probably won’t actually use these permissions very often.

These are designed for very specific purposes and because of that if you use them incorrectly, they could actually represent a grave security risk to your system.

So, make sure you know what you’re doing before you go about setting them.

Special Permissions Explained

Now these special permissions are listed here.

Permission	Effect when applied to a File	Effect when applied to a Directory
SUID	User who runs the file temporarily becomes the files owner.	None
SGID	User who runs the file temporarily becomes a member of the file's owning group.	When a user creates a file in the directory the owning Group is set to the owning group of the parent directory.
Sticky Bit	None	Users can only delete files within the directory for which they are the owner of the file or the directory itself.

setuid Bit (SUID)

The first one we want to look at SUID which stands for Set user ID.

Now the Set User ID permission can only be applied to a binary executable file in the file system.

It can’t be applied to a directory, it can’t be applied to word processing file, and it cannot be applied to a shell script.

Now if you do assign the Set User ID permission to an executable file and then a user runs that file then the user who ran the file temporarily becomes that files owner.

Now as we said you can’t actually apply this permission to a directory.

setgid Bit (SGID)

There’s another special permission you need to be familiar with the SGID permission which stands for Set Group ID.

Now like the Set User ID permission, the Set Group ID permission is applied to binary executable files or directories in the file system.

If you assign the Set Group ID permission to an executable file and then a user runs that executable file the user who ran the file temporarily becomes a member of the files owning group.

Unlike Set User ID you can assign the set group ID permission to a directory and when you do something special happens.

if a user then creates a file in the directory that has the set group ID permission set then the files owner is set to the users account which is the normal behavior.

But the owning group assigned to the new file is not set to the user’s primary group but is instead set to the owning group of the parent directory.

Sticky Bit

The last special permission we want to look at here is Sticky Bit.

Now Sticky Bit is only assigned to directories that’s not assigned to files.

When the Sticky Bits permission is assigned to a directory then users can only delete files within the directory for which they are the owner of the file or the parent directory itself.

And this is very important because it basically negates the effect of having the right permission to a directory.

If a user has the write permission to a directory, then that user could potentially delete files in that directory that they don’t actually own.

if you want to prevent that from happening then assign the Sticky Bit permission to that directory.

Now be aware that these special permissions are referenced as an extra digit that gets added to the beginning of the file or directories mode.

Numeric Notations

Now just like with regular permissions each of these special permissions also has a numeric value assigned to it.

Permission	Value
SUID	4
SGID	2
Sticky Bit	1

Set User ID has a numeric value of 4, Set Group ID has a numeric value of 2, while Sticky Bit has a value of 1.

How to set SUID and SGID in Linux

For example let’s suppose we want to add the SUID(Set User ID) and the SGID(Set Group ID) permissions to a file in my home directory.

It’s an executable file named script.

In addition to setting these permissions I also want my files owner to have read and execute permissions to the file so it gets a value of 5.

I want group to have read and execute permissions to the file so we get to 5 and I want other authenticated users just to have read permission to the file so they get a 4. they won’t be allowed to run it.

So remember that SUID has a numeric value of 4 and SGID has a numeric value of 2 therefore to assign both Set User ID(SUID) and Set Group ID(SGID) to the same file I would combine these two to get a value of 6 and specify it as the first number in the mode.

So, in this case I would enter the following command at the shell prompt.

# chmod 6554 script

# ls -l script
-r-sr-sr--. 1 linuxadmin developer 0 Mar 18 06:08 script

Read Also: ls Command Examples in Linux

Now because I assigned these permissions to script file, the user who ends up running this file will temporarily become the script files owner and likewise because we’ve set the SGID permission on it that user will also become temporarily a member of that files owning group.

Notice in the output of the command we have an s now where we should have an x for both owner and for group.

If you see s for owner, you know that we have the Set UserID permission set if you see s for group you know that you have the Set Group ID permission set.

How to set Sticky Bit in Linux

Let’s look at another example.

Suppose we granted owner and group read, write and execute permissions to a directory named mydata.

So, we would use 7 for owner and 7 for group as read is 4, write is 2 and execute is 1 so we have a sum of 7 for both owner and for group.

But if we do this then having the right permission to the directory allows anyone in the owning group to go ahead and delete any file that they want to in that directory.

We don’t want this to happen so we want to reconfigure the directory so that the users in the owning group can still create files in that directory but we want to block them from deleting files that they don’t actually own to do this.

We assign the Sticky Bit permission to the mydata directory.

Remember Sticky Bit has a value of 1.

So the first number in the mode is a 1 followed by read, write and execute for user and read write and execute for group and we don’t want to let others have any access to the directory at all.

We don’t want prying eyes in it so we’re going to actually assign others 0.

And as a result, you’ll notice that the mode now has:

Read, Write, and Execute for User
Read, Write, and Execute for Group
No permissions for others
And we have a T at the end of the mode.

When you see a T as the last digit of the mode it indicates that the Sticky Bit has been set.

# chmod 1770 mydata/

# ls -l
drwxrwx--T. 2 linuxadmin developer 6 Mar 18 06:27 mydata

Symbolic Notations

Alternatively, You can use Symbolic Notations to assign or remove Special Linux Permissions.

Permission	Value
SUID	s
SGID	s
Sticky Bit	t

Let’s take some examples.

1. Set SUID permission to a file.

# chmod u+s file

# ls -l
-rwsrwxr--. 1 root root 0 Mar 18 08:01 file

2. Remove SUID permission from a file.

# chmod u-s file

3. Set SGID permission to a file.

# chmod g+s file

# ls -l
-rwxrwsr--. 1 root root 0 Mar 18 08:01 file

4. Remove SGID permission from a file.

# chmod g-s file

5. Set Sticky Bit permission to a file.

# chmod +t mydata/

# ls -l
drwxr-xr-t. 2 root root 6 Mar 18 08:29 mydata

6. Remove Sticky Bit permission from a file.

# chmod -t mydata/

Quick Checklist:

SUID only works on files.
You can apply SGID to directories and files.
You can only apply the Sticky bit to directories.
If the s, g, or t indicators appear in uppercase, the executable bit (x) hasn’t been set.

You can visit at the following website to get more information on Special File Permissions.

Special File Permissions

Conclusion

I hope that now you have a good understanding of how the Special File Permission works and you have some ideas for how you can use this within your workflow.

If anyone does have any questions about what we covered in this guide then feel free to ask in the comment section below and I will do my best to answer those.