Setuid, Setguid and the Sticky Bit

Before getting into setups, let’s quickly review the permission bits as they are displayed by the classic “ls -l” command:

  • The first bit is the file/folder flag: ‘-‘ for file and ‘d’ for folders
  • The rest 9 bits are grouped in 3-bits groups:
    • The 3 groups are:
      • Owner: the rights for the owner of the file / folder
      • Group: the right for the group that was assigned for the file / folder
      • Others: all the users in the system (you will default here if you do not fit into the previous 2 lists)
    • The 3-bit permission groups are:
      • Read: you have the permission to read the file or to list the content of a folder
      • Write: you have the permission to write the file or to create, rename, or delete files within the folder, and modify the folder’s attributes
      • Execute: you can execute the file or enter the folder, and see the files and directories inside

By default, if a user is allowed to execute a file (according to the permission rules described above) the file will be executed with the rights of that user. Sometimes this is not enough. Sometimes, you need some special / specific rights during that process execution just because that process is accessing a special resource you normally do not have the rights to access it (usually this is about executing processes with root access but you can actually execute processes with non-root rights too). The classic example is the “passwd” executable which needs to edit some system configuration files (owned by too) like /etc/passwd, /etc/shadow etc. Displaying the permission bits for “passwd” shows the following:

> -rwsr-xr-x. 1 root root 27832 Jun 10 2014 /usr/bin/passwd

The bit that is interesting for us is the ’s’ one that is shown instead of the expected ‘x’ one in the “Owner” group. This bit combined with the ‘x’ bit on the “others” group means the following: any user in the system is allowed to execute the “passwd” executable (this right is provided by the ‘x’ bit in the “others” group) but the process execution will be performed with the rights of the file owner (this right is provided by the ’s’ bit in the “Owner” group), which, in this case, means that the “passwd” executable will be executed with “root” access right even if the execution can be initiated by any user in the system.

The example above referred to executing an executable with the right of the executable (file) owner. A similar workflow can be defined around the group ownership: you can execute an executable using the rights of the group assigned to that executable / file. The process is similar: the “Execute” permission bit in the “Group” category needs to be set to ’s’.

How to set the ’s’ bit for “Owner” and “Group”? Using chmod:

  • “chmod u+s filename” – sets the “Owner” execution bit to ’s’
    • Octal form: add a ‘4’ in front of the classic permission values: “chmod 4777 filename”
  • “chmod g+s filename” – sets the “Group” execution bit to ’s’
    • Octal form: add a ‘2’ in front of the classic permission values: “chmod 2777 filename”

NOTE: If, after setting the ’s’ bit you see a capital ’S’ when listing the permission bits, this means that you do not have the “execution right” set too. Just add the execution rights too to transform the ‘S’ into an ’s’.

Sticky bit

The most common use of the sticky bit is on folders. When a folder’s sticky bit is set, the filesystem treats the files/folders from it in a special way so only the file/folder owner or root can rename or delete the file. Without the sticky bit set, any user with write and execute permissions for the folder can rename or delete contained files, regardless of the file’s owner. Typically, this is set on the /tmp directory to prevent ordinary users from deleting or moving other users’ files.

How to set the sticky bit:

  • “chmod +t foldername”: when the sticky bit is set, you will see a ’t’ instead of the ‘x’ permission bit for the “Others” group
    • Octal form: add a ‘1’ in front of the classic permission values: “chmod 1777 foldername”

NOTE: If, after setting the ’t’ bit you see a capital ’T’ when listing the permission bits, this means that you do not have the “execution right” for the “Others”category set too. Just add the execution rights too to transform the ’T’ into an ’t’.

This entry was posted in Unix. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s