Understanding Special Permission SGID in Linux

In my earlier posts I had explained about other Special Permission used in Linux i.e. SUID and STICKY BIT

So let me help you understand SGID and its usage with some practical examples.

SGID:

This is an abbreviation used for Set Group ID. This is a permission assigned to any file or directory to give normal group members additional authority of running that file with a privilege of group owner.

 

This is something very similar to which I explained here for SUID with a little difference that this time you are assigning permission to a complete group and its group members instead of assigning the permission to one particular user.

 

For example you have some executable file and you want all the group members of sysadmin to be able to execute it but that file can only be run as root so you assign a SGID over that file and now all the members of sysadmin team will be able to run the file with the permission of root.

 

Assigning SGID permission :

There are two ways to assign SGID

1. Octal (2)
2. Symbolic (g+s)

Octal (2) :
# chmod 2755 /myscript.sh

# ls -l
-rwxr-sr-x. 1 root root      0 Oct 16 11:33 /myscript.sh
Symbolic (g+s) :
# chmod g+s /myscript.sh

# ls -l
-rwxr-sr-x. 1 root root      0 Oct 16 11:33 /myscript.sh

Removing SGID permission

Octal (2) :
# chmod 0755 /myscript.sh

# ls -l
-rwxr-xr-x. 1 root root      0 Oct 16 11:33 /myscript.sh
Symbolic (g-s) :
# chmod g-s /myscript.sh

# ls -l
-rwxr-xr-x. 1 root root      0 Oct 16 11:33 /myscript.sh

Understanding difference between Capital (S) and small (s) in SGID

Now when you assign SGID permission you might sometimes see a Capital (S) instead of a small (s) in the group permission section. This does not makes much difference instead if gives you an additional information if that file is having group executable permission or not. If you get Capital S it means there is not executable permission and the same if you have small s it means the file is having group executable permission.

 

For example:
Before applying SGID without executable permission on user owner
# chmod 655 /myscript.sh
# ls -l
 -rwxrw-rw-. 1 root root 0 Oct 16 11:35 /myscript.sh
After applying SGID without executable permission on user owner
# chmod 2655 /myscript.sh
# ls -l
-rwxrwSrw-. 1 root root 0 Oct 16 11:35 /myscript.sh
Before applying SGID with executable permission on user owner
# chmod 755 /myscript.sh
# ls -l
-rwxrwxrw-. 1 root root 0 Oct 16 11:36 /myscript.sh
After applying SGID with executable permission on user owner
# chmod 2755 /myscript.sh
# ls -l
-rwxrwsrw-. 1 root root 0 Oct 16 11:36 /myscript.sh
So I hope you have got my point of view and must have understood the difference between capital (S) and small (s)

Finding all the executable files with SGID
# find / -perm +2000
where +2000 is the ID we use for assigning permission in octal method.

Read More

Understanding Special Permission Sticky Bit in Linux

Now there are few permissions which are used in Linux and are referred as special permission due to SUIDand SGID in their respective link their different functionality in terms of their usage. You can find details about

Sticky Bit
This special permission becomes very useful in most the cases. This is used when you are the owner of a particular file and you have give full permission to that file for all others but still you don't want any one of them to delete that file apart from the user and group owner. In that case sticky bit plays a very important role as once you assign this permission to some file or directory no one else apart from the user and group owner will be able to delete that file or directory.

Before showing you any example let me give you some helpful and important tips.
Sticky Bit can be assigned using two ways
1. Octal (1)
2. Symbolic (t)

Octal (1):
If you want to use octal method then this is the syntax which you need to follow
# chmod 1XXX /dirname
Here 1 means assigning sticky bit and XXX means the permission to be applied

For example:
# chmod 1775 /statusupdate
Here I am assigning full permission to user and group owner and read and execute permission to others including a sticky bit given by 1 at the beginning of permission.

Symbolic (t) :
If you want to assign sticky bit using symbolic way then this will be the syntax

# chmod +t /dirname
For example
# chmod o+t /statusupdate
Here I am not meshing with any other existing permission instead additionally I am assigning a sticky bit permissions for all others for statusupdate directory

Let me show you some practical example.

Scenario:
I have 2 users namely user1 and user2. A common directory is assigned to both of them by the root to put up their status update at the end of the day in this directory. Now being a root I will assign sticky bit to the main directory along with any sub directories if there is any.
# mkdir /statusupdate
# chmod 1777 /statusupdate
user1 statusupdate
$ cd /statusupdate
$ mkdir mywork
$ chmod 1777 mywork

$ ls -l
total 4
drwxrwxrwt. 2 user1 user1 4096 Oct 17 07:04 mywork
Now as in my case for the demo purpose I have given full permission to mywork directory which I don't think most will do but this is just an example. Now as you see addition (t) option is visible marked in red color in the permission section for others.

Now log in as user2
It seems user2 is not so friendly with user1 and wants to delete his statusdata to create his impression on the boss. Lets see if he can do that
$ cd /statusupdate
$ ls -l
total 4
drwxrwxrwt. 2 deepak deepak 4096 Oct 17 07:04 mywork
$ rm -rf mywork
rm: cannot remove `mywork': Operation not permitted
Ooops the operation is not permitted. So it seems user2 will have to honestly work hard to create an impression over his boss.

So this is how sticky bit works the same could have been done using symbolic way as well.

Removing sticky bit

# chmod 0775 /statusupdate
# ls -l
drwxrwxr-x.   3 root root  4096 Oct 17 07:07 statusupdate
The same can be done in symbolic way using the below command
# chmod -t /statusupdate

IMPORTANT NOTEMany a times you will observe a capital (T) at the others permission section instead of small (t) now you do not have to get confused regarding this as both of them signify sticky bit but with a little difference that if others have executable permission on them then after applying sticky bit you will get small (t) but if others do not have executable permission then others will get capital (T).

Let me show you with the help of one example

Before applying Sticky Bit with executable permission
# chmod 775 /statusupdate
# ls -l
drwxrwxr-x.   3 root root  4096 Oct 17 07:07 statusupdate
After Sticky Bit with executable permission
# chmod 1775 /statusupdate
# ls -l
drwxrwxr-t.   3 root root  4096 Oct 17 07:07 statusupdate
Now as you see a small (t) since the directory had executable permission

Before applying sticky bit without executable permission
# chmod 774 /statusupdate
# ls -l
drwxrwxr--.   3 root root  4096 Oct 17 07:07 statusupdate
After Sticky Bit without executable permission
# chmod 1774 /statusupdate
# ls -l
drwxrwxr-T.   3 root root  4096 Oct 17 07:07 statusupdate
So I hope I cleared my point on all the possible cases with sticky bit.

Now in case you want to search all the files and directories with sticky bit permission
# find / -perm +1000
where 1000 signifies files or dir having sticky bit as per the octal value we use. Now again you can use additional switch with find command like -type d or f to search more accurately.

Read More