EXPLAINING SPECIAL LINUX PERMISSIONS ( SUID | SGID | STICKY BIT )

Introduction

In this article we are going to discuss on Special Linux Permissions i.e. SUID , SGID  and Sticky Bit. Before we discuss about Special Linux Permissions let’s have look at basic Linux Permissions. In Linux There are three types of permission we can apply i.e. Read, Write & Execute. And each files and directories comes with three set of Users i.e. User (Owner), Group and Others. We can change permission by using chmod command.

SUID (Super User ID)

SUID Stands for Super User ID. We know that root is the Super User in Linux and have all the rights to do administrative tasks but have you noticed that normal user also can do some administrative tasks such as reset the Password and as we know that by reseting the password two files getting updated i.e. /etc/passwd and /etc/shadow which is only can be done by root user. Let’s take another example i.e. Normal user can use ping command to check network connectivity. Now let’s Understand what is the use of SUID. First of all SUID should be applied to a binary file or to a script and we can apply SUID from root user only using chmod command. We are applying SUID to any binary file or script means we are allowing that binary file to execute in any logged in user as a owner of that file. Means if i run the ping command by logging in with a normal user i.e. user1 still it will run as root user only. Let’s take an example to understand the concept properly. SUID alphabetically identified by letter “s” and Numerically Identified by “4“.

Logging as a normal user i.e. user1 and try to use ping command to check the connectivity.

[user1@localhost ~]$ whoami   # To check currently Logged in User
user1
[user1@localhost ~]$ ping -c 3 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.027 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.042 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.042 ms

--- localhost ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.027/0.037/0.042/0.007 ms

As we can see on above sample output we able to use ping command in normal user. The reason behind that is SUID special permission is applied to ping binary file. we can use ls -l command to check the permission.

First check the path of ping binary file by which command and then check the permission of that file by using ls -l command.

[root@localhost ~]# which ping   # Checking the Path of the File
/bin/ping
[root@localhost ~]# ls -l /bin/ping   # Checking the Permission of the File
-rwsr-xr-x. 1 root root 40760 Sep 26  2013 /bin/ping

As per Sample output above Owner of ping binary is root (Highlighted in Red Color) and belongs to group root (Highlighted in Skyblue Color) and has -rwsr-xr-x permission. Here “s” is nothing but SUID which is applied to Owner. So whenever we run ping command in normal user it still runs as a owner of the file and has nothing concerned with that normal user.

To apply SUID Special Permission you can use chmod command. There are two ways by which we can apply SUID permission i.e. Alphabetically and Numerically. Follow the sample output below.

Apply SUID Alphabetically :

[root@localhost ~]# chmod u+s /bin/ping   # Applying SUID Permission to ping binary file Alphabetically
[root@localhost ~]# ls -l /bin/ping
-rwsr-xr-x. 1 root root 40760 Sep 26  2013 /bin/ping

Apply SUID Numerically :

[root@localhost ~]# chmod 4755 /bin/ping   # Applying SUID Permission Numerically
[root@localhost ~]# ls -l /bin/ping
-rwsr-xr-x. 1 root root 40760 Sep 26  2013 /bin/ping

Let’s check what will happen if we remove the SUID permission from ping binary file.

[root@localhost ~]# chmod u-s /bin/ping   # Removing SUID Permission
[root@localhost ~]# ls -l /bin/ping
-rwxr-xr-x. 1 root root 40760 Sep 26  2013 /bin/ping

To remove SUID numerically add “0” at beginning with whatever your files permission. For example Here my file has full access for Owner and Read and Execute permission for Group and Others So the command would be as shown below.

[root@localhost ~]# chmod 0755 /bin/ping   # Removing SUID by Numerically

Where :

0 – to remove SUID permission
755  – is the files permission

As you can see above SUID permission has been removed, Now let’s logging as a normal user and check by running ping command.

[user1@localhost ~]$ ping -c 3 localhost
ping: icmp open socket: Operation not permitted

It’s not working as it don’t have SUID Permission.

Also Read :

• COMPLETE UNIX COMMANDS AND BASIC LINUX COMMANDS WITH EXAMPLES FOR BEGINNERS
• HOW TO CREATE SYMLINK (SYMBOLIC LINK) AND HARDLINK IN LINUX

SGID (Super Group ID)

SGID  stands for Super Group ID. This special Linux Permissions is same as SUID with little difference. The difference is when we apply SUID means that is belongs to a particular user and a particular user will be effected by that permission but when we apply SGID permission then that will effect to a Group and Group means Multiple users. Here below I explained an example related to a SGID so that you will find more easy to understand the concept. SGID alphabetically identified by letter “s” and Numerically Identified by “2“.

Let’s say I have two users i.e. member1 and member2 and a group named admins. The users member1 and member2 are the member of group admins.

[root@localhost ~]# cat /etc/group | grep admins
admins:x:502:member1,member2

Now let’s create a directory named database in / and give appropriate permission. Here I am giving rwx to user, rwx to group and rx to others Follow the sample output.

[root@localhost ~]# mkdir /database   # Creating a Directory
[root@localhost ~]# chmod 775 /database/   # Giving Permissions
[root@localhost ~]# ls -l /
total 110
dr-xr-xr-x.   2 root root  4096 Apr  8 04:32 bin
dr-xr-xr-x.   5 root root  1024 Apr  8  2017 boot
drwxrwxr-x.   2 root root  4096 Apr  8 07:14 data
drwxrwxr-x.   2 root root  4096 Apr  8 07:19 database
drwxr-xr-x.  18 root root  3960 Apr  8 03:15 dev
drwxr-xr-x. 101 root root 12288 Apr  8 07:18 etc
drwxr-xr-x.   9 root root  4096 Apr  8 07:17 home

I am going to change the group ownership of the directory by using chgrp command, So that the owner of the directory would be root and admins.

[root@localhost ~]# chgrp admins /database/   # Changing Group Ownership
[root@localhost ~]# ls -l /
total 110
dr-xr-xr-x.   2 root root    4096 Apr  8 04:32 bin
dr-xr-xr-x.   5 root root    1024 Apr  8  2017 boot
drwxrwxr-x.   2 root root    4096 Apr  8 07:14 data
drwxrwxr-x.   2 root admins  4096 Apr  8 07:19 database
drwxr-xr-x.  18 root root    3960 Apr  8 03:15 dev
drwxr-xr-x. 101 root root   12288 Apr  8 07:18 etc
drwxr-xr-x.   9 root root    4096 Apr  8 07:17 home

Now let’s apply SGID Special Linux Permissions to the directory using chmod command.

After applying the SGID permission you will able to notice a letter “s” (Highlighted in orange color) on group permission section on directory.

[root@localhost ~]# chmod g+s /database/   # Applying SGID Permission
[root@localhost ~]# ls -l /
total 110
dr-xr-xr-x.   2 root root    4096 Apr  8 04:32 bin
dr-xr-xr-x.   5 root root    1024 Apr  8  2017 boot
drwxrwxr-x.   2 root root    4096 Apr  8 07:14 data
drwxrwsr-x.   2 root admins  4096 Apr  8 07:19 database
drwxr-xr-x.  18 root root    3960 Apr  8 03:15 dev
drwxr-xr-x. 101 root root   12288 Apr  8 07:18 etc
drwxr-xr-x.   9 root root    4096 Apr  8 07:17 home

Now login by any normal user i.e. member1 and create a file in /database.

[root@localhost ~]# su - member1
[member1@localhost ~]$ whoami
member1
[member1@localhost ~]$ cd /database/
[member1@localhost database]$ touch file1
# A you can see below the owner of the file is member1 and admins
[member1@localhost database]$ ls -l
total 0
-rw-rw-r--. 1 member1 admins 0 Apr  8 07:29 file1     

Now let’s login through a different user that is member2 and try to edit that file.

[root@localhost ~]# su - member2
[member2@localhost ~]$ whoami
member2
[member2@localhost ~]$ cd /database/
[member2@localhost database]$ vi file1

[member2@localhost database]$ cat file1 
Welcome to ElinuxBook

As you can see on output above we are able to successfully edit the file by logging in by user “member2“which was created by user “member1” because “member2” is also a member of group “admins“.

Like that you can create a file in /database directory by logging in member2 and it is possible to edit that file by logging in member1.

So the main purpose of SGID is if a team is working on some data which needs to edit or executed by all team members then in that case you can use SGID.

To remove SGID follow below commands :

chmod g-s /database/   # Remove SGID Alphabetically

chmod 0775 /database   # Remove SGID Numerically

Also Read :

• BEST YUM COMMAND WITH EXAMPLES A PACKAGE MANAGER IN RHEL/CENTOS/FEDORA
• MOST USEFUL SSH COMMAND AND SCP COMMAND WITH EXAMPLES

Sticky Bit :

Sticky bit Special Linux Permissions is very simple to learn and understand as compared to SUID and SGID. Suppose you stored some data in some directory let’s say in /database directory which is accessible to everyone, Which means your data is on high risk and any one can delete your data. To avoid such situation you can use Sticky Bit permission.Sticky Bit alphabetically identified by letter “t” and Numerically Identified by “1“.

What is the use of Sticky Bit ?

Let’s take a scenario that we have a directory i.e. /database to which everyone has full access. suppose user1 creates a file named user1.txt. as all users has full access to the directory any one can come and delete the file created by user1 as we have no control over it. So to avoid such situation we can apply Sticky Bit special Linux Permissions to that directory by which user1 (Owner of user1.txt file) only able to delete or edit that file even after everyone has full access to the /database directory.

Such situation is possible in a large organisation where all users allowed one share drive to store data so In that case we can apply Sticky Bit.

Practical :

Create a Directory named /database and give full access to everyone.

[root@localhost ~]# mkdir /database
[root@localhost ~]# chmod 777 /database/
[root@localhost ~]# ls -l /
total 102
dr-xr-xr-x.   2 root root  4096 Apr  8 04:32 bin
dr-xr-xr-x.   5 root root  1024 Apr  8  2017 boot
drwxrwxrwx.   2 root root  4096 Apr  8 05:19 database
drwxr-xr-x.  18 root root  3960 Apr  8 03:15 dev
drwxr-xr-x. 101 root root 12288 Apr  8 05:17 etc
drwxr-xr-x.   6 root root  4096 Apr  8 05:17 home
dr-xr-xr-x.  10 root root  4096 Apr  8  2017 lib
dr-xr-xr-x.   9 root root 12288 Apr  8 04:31 lib64

Now apply sticky bit permission to it. you can apply Sticky permission by two ways :

Alphabetical Way :

[root@localhost ~]# chmod +t /database/

[root@localhost ~]# chmod o+t /database/

Numerical Way :

[root@localhost ~]# chmod 1777 /database/

After applied Sticky Bit you will notice the letter “t” on other permission section of /database

[root@localhost ~]# ls -l /
total 102
dr-xr-xr-x.   2 root root  4096 Apr  8 04:32 bin
dr-xr-xr-x.   5 root root  1024 Apr  8  2017 boot
drwxrwxrwt.   2 root root  4096 Apr  8 05:19 database
drwxr-xr-x.  18 root root  3960 Apr  8 03:15 dev
drwxr-xr-x. 101 root root 12288 Apr  8 05:17 etc
drwxr-xr-x.   6 root root  4096 Apr  8 05:17 home
dr-xr-xr-x.  10 root root  4096 Apr  8  2017 lib
dr-xr-xr-x.   9 root root 12288 Apr  8 04:31 lib64

Now log in as user1 and create a file in /database and check the the permission.

[root@localhost ~]# su - user1
[user1@localhost ~]$ whoami
user1


[user1@localhost ~]$ cd /database/
[user1@localhost database]$ touch user1.txt
[user1@localhost database]$ ls -l
total 0
-rw-rw-r--. 1 user1 user1 0 Apr  8 05:22 user1.txt

As you can see above owner of user1.txt user1.

Now login by user2 and try to delete the file created by user1.

[root@localhost ~]# su - user2
[user2@localhost ~]$ whoami
user2

[user2@localhost ~]$ cd /database/
[user2@localhost database]$ ls
user1.txt
[user2@localhost database]$ rm user1.txt 
rm: remove write-protected regular empty file `user1.txt'? y
rm: cannot remove `user1.txt': Operation not permitted

So as you can see on the output above user2 is unable to delete the file as we have applied Sticky bit to it.

chmod o-t /database/   # Remove Sticky Bit Alphabetically

chmod 0777 /database   # Remove Sticky Bit Numerically

If you found this article then Like Us, Follow Us or Subscribe us for more Latest Linux Tutorials, guides and News directly in to your Email ID.