
Sunday, May 5, 2019

Understanding Special Permission SGID in Linux

In my earlier posts I explained the other special permissions used in Linux, i.e. SUID and Sticky Bit.

So let me help you understand SGID and its usage with some practical examples.

SGID:

SGID is an abbreviation for Set Group ID. This is a permission assigned to a file or directory to give normal group members the additional authority of running that file with the privileges of the group owner.
 
This is very similar to what I explained for SUID, with the small difference that this time you are assigning the permission to a complete group and its group members instead of to one particular user.
 
For example, you have some executable file and you want all the group members of sysadmin to be able to execute it, but that file can only be run as root. So you assign SGID on that file, and now all the members of the sysadmin team will be able to run the file with the permission of root.
 

Assigning SGID permission :

There are two ways to assign SGID
  1. Octal (2)
  2. Symbolic (g+s)

Octal (2):
# chmod 2755 /myscript.sh

# ls -l /myscript.sh
-rwxr-sr-x. 1 root root      0 Oct 16 11:33 /myscript.sh

Symbolic (g+s):
# chmod g+s /myscript.sh

# ls -l /myscript.sh
-rwxr-sr-x. 1 root root      0 Oct 16 11:33 /myscript.sh

Removing SGID permission

Octal (2):
# chmod 0755 /myscript.sh

# ls -l /myscript.sh
-rwxr-xr-x. 1 root root      0 Oct 16 11:33 /myscript.sh

Symbolic (g-s):
# chmod g-s /myscript.sh

# ls -l /myscript.sh
-rwxr-xr-x. 1 root root      0 Oct 16 11:33 /myscript.sh

Understanding difference between Capital (S) and small (s) in SGID

Now when you assign SGID permission you might sometimes see a capital (S) instead of a small (s) in the group permission section. This does not make much difference; instead it gives you additional information about whether that file has group executable permission or not. If you get a capital S, it means there is no group executable permission, and if you have a small s, it means the file has group executable permission.
 
For example:
Before applying SGID without executable permission on group owner
# chmod 766 /myscript.sh
# ls -l /myscript.sh
-rwxrw-rw-. 1 root root 0 Oct 16 11:35 /myscript.sh

After applying SGID without executable permission on group owner
# chmod 2766 /myscript.sh
# ls -l /myscript.sh
-rwxrwSrw-. 1 root root 0 Oct 16 11:35 /myscript.sh

Before applying SGID with executable permission on group owner
# chmod 776 /myscript.sh
# ls -l /myscript.sh
-rwxrwxrw-. 1 root root 0 Oct 16 11:36 /myscript.sh

After applying SGID with executable permission on group owner
# chmod 2776 /myscript.sh
# ls -l /myscript.sh
-rwxrwsrw-. 1 root root 0 Oct 16 11:36 /myscript.sh

So I hope you have got my point of view and must have understood the difference between capital (S) and small (s)

Finding all the executable files with SGID
# find / -perm /2000
where 2000 is the octal value we use for assigning SGID. (Older versions of find accepted +2000; current GNU find requires /2000 or -2000.)

Understanding Special Permission SUID in Linux

There are various blogs and websites explaining SUID and SGID. I won't say I will tell you something extra; I am just adding one more to the list to see if it can make any difference.
 
You can skip what I said above. Returning to the point, I will try to help you understand SUID, SGID and Sticky Bit, along with some useful tips from my side.

SUID:

SUID is an abbreviation for Set User ID, which means that you are assigning a special permission on the user owner of a particular file or directory.
 
Now what does it mean and why do we use SUID?
Assigning SUID means that you are giving a user an additional permission, i.e. the user owner's permission, on top of the normal permission he already has, to run any executable file, inside some directory, on which the SUID is applied.
 
Let me make the above statement clearer with an example:
By default there are a number of executable binary files in Linux which we use as commands and which have to be run only as the super user, i.e. root. But what if a normal user is to be allowed to run those commands? In that case, even if you have given him sudo access, he won't be able to run those commands, as these are predefined to be run only as root and no one else.
 

For example:
mount, umount, ping, passwd, chage etc.
 
The above mentioned commands can only be run as the super user. So when you check the permissions of these commands:
# ls -l /bin/ping
-rwsr-xr-x. 1 root root 36892 Jul 19 2011 /bin/ping

# ls -l /bin/mount
-rwsr-xr-x. 1 root root 73996 Dec 8 2011 /bin/mount

Now as you see, in the user permission section there is an additional small (s) in the place of the execute permission.
 
This means that all these commands have SUID set on them, and if a normal user is given sudo permission to run these commands, they will run them with the user owner's permission, which in all the above cases is root.
 
Why do we use SUID?
I hope I have explained this part above, but let me add a description with another example. Suppose there is some executable file whose owner is Deepak and it can only be run by Deepak, but you still want Amit to run the file. In that case, instead of changing the owner of that file, I will assign SUID on it so that Amit can also run that file using Deepak's permission. This removes the complexity: not only Amit, but any other user who is allowed to run that file will run it using the ownership of Deepak, and I do not need to change the owner every time someone needs to run the same executable file.
 

Assigning SUID permission

There are two ways to assign SUID
  1. Octal (4)
  2. Symbolic (u+s)

Octal method:
# chmod 4744 /myscript.sh
# ls -l /myscript.sh
-rwsr--r--. 1 root root 0 Oct 16 11:33 /myscript.sh


Symbolic method:
# chmod u+s /myscript.sh

# ls -l /myscript.sh
-rwsr--r--. 1 root root 0 Oct 16 11:34 /myscript.sh

Removing SUID permission

Octal method:
# chmod 0744 /myscript.sh

# ls -l /myscript.sh
-rwxr--r--. 1 root root 0 Oct 16 11:35 /myscript.sh


Symbolic method:
# chmod u-s /myscript.sh

# ls -l /myscript.sh
-rwxr--r--. 1 root root 0 Oct 16 11:36 /myscript.sh

Understanding the difference between Capital (S) and small (s) in SUID

There might be times when you see a capital S instead of a small s after applying SUID on a file or directory.
It does not make much difference to how it works; instead it tells you something about the permission currently applied on the file.
 
If the file where you are assigning SUID has user executable permission, then after applying SUID you will get a small (s), but if the user does not have execute permission before you apply SUID, then you will end up with a capital (S) after applying SUID.
 
Let me show you the same with an example.
Before applying SUID without executable permission on user owner
# chmod 644 /myscript.sh

# ls -l /myscript.sh
-rw-r--r--. 1 root root 0 Oct 16 11:35 /myscript.sh

After applying SUID without executable permission on user owner
# chmod 4644 /myscript.sh

# ls -l /myscript.sh
-rwSr--r--. 1 root root 0 Oct 16 11:35 /myscript.sh

Before applying SUID with executable permission on user owner
# chmod 744 /myscript.sh

# ls -l /myscript.sh
-rwxr--r--. 1 root root 0 Oct 16 11:36 /myscript.sh

After applying SUID with executable permission on user owner
# chmod 4744 /myscript.sh

# ls -l /myscript.sh
-rwsr--r--. 1 root root 0 Oct 16 11:36 /myscript.sh

So I hope you have got my point of view and must have understood the difference between capital (S) and small (s)

Finding all the executable files with SUID

# find / -perm /4000
where 4000 is the octal value we use for assigning SUID. (Older versions of find accepted +4000; current GNU find requires /4000 or -4000.)

Understanding Special Permission Sticky Bit in Linux


Sticky Bit
This special permission becomes very useful in most cases. It is used when you are the owner of a particular file and you have given full permission on that file to all others, but you still don't want any of them to delete that file apart from the user and group owner. In that case the sticky bit plays a very important role: once you assign this permission to a file or directory, no one apart from the user and group owner will be able to delete that file or directory.

Before showing you any example, let me give you some helpful and important tips.
Sticky Bit can be assigned in two ways
1. Octal (1)
2. Symbolic (t)

Octal (1):
If you want to use the octal method, this is the syntax you need to follow
# chmod 1XXX /dirname
Here 1 means assigning the sticky bit and XXX means the permission to be applied.

For example:
# chmod 1775 /statusupdate
Here I am assigning full permission to the user and group owner, and read and execute permission to others, including a sticky bit given by the 1 at the beginning of the permission.

Symbolic (t):
If you want to assign the sticky bit the symbolic way, this is the syntax
# chmod +t /dirname
For example:
# chmod o+t /statusupdate
Here I am not messing with any other existing permission; instead I am additionally assigning the sticky bit permission for all others on the statusupdate directory.

Let me show you some practical example.

Scenario:
I have 2 users, namely user1 and user2. A common directory is assigned to both of them by root, in which they put their status update at the end of the day. Being root, I will assign the sticky bit to the main directory along with any sub directories, if there are any.
# mkdir /statusupdate
# chmod 1777 /statusupdate

Log in as user1
$ cd /statusupdate
$ mkdir mywork
$ chmod 1777 mywork

$ ls -l
total 4
drwxrwxrwt. 2 user1 user1 4096 Oct 17 07:04 mywork

For demo purposes I have given full permission to the mywork directory, which I don't think most will do, but this is just an example. As you see, an additional (t) is visible in the permission section for others.

Now log in as user2
It seems user2 is not so friendly with user1 and wants to delete his status data to make an impression on the boss. Let's see if he can do that.
$ cd /statusupdate
$ ls -l
total 4
drwxrwxrwt. 2 user1 user1 4096 Oct 17 07:04 mywork
$ rm -rf mywork
rm: cannot remove `mywork': Operation not permitted

Oops, the operation is not permitted. So it seems user2 will have to honestly work hard to make an impression on his boss.

So this is how the sticky bit works. The same could have been done the symbolic way as well.

Removing sticky bit

# chmod 0775 /statusupdate
# ls -l
drwxrwxr-x.   3 root root  4096 Oct 17 07:07 statusupdate

The same can be done the symbolic way using the command below
# chmod -t /statusupdate

IMPORTANT NOTE
Many times you will observe a capital (T) in the others permission section instead of a small (t). You do not have to get confused by this, as both of them signify the sticky bit, with the small difference that if others have executable permission, then after applying the sticky bit you will get a small (t), but if others do not have executable permission, then you will get a capital (T).

Let me show you with the help of one example

Before applying Sticky Bit with executable permission
# chmod 775 /statusupdate
# ls -l
drwxrwxr-x.   3 root root  4096 Oct 17 07:07 statusupdate

After applying Sticky Bit with executable permission
# chmod 1775 /statusupdate
# ls -l
drwxrwxr-t.   3 root root  4096 Oct 17 07:07 statusupdate

Now you see a small (t), since the directory had executable permission for others.

Before applying sticky bit without executable permission
# chmod 774 /statusupdate
# ls -l
drwxrwxr--.   3 root root  4096 Oct 17 07:07 statusupdate

After applying Sticky Bit without executable permission
# chmod 1774 /statusupdate
# ls -l
drwxrwxr-T.   3 root root  4096 Oct 17 07:07 statusupdate

So I hope I cleared my point on all the possible cases with sticky bit.
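
The s/S and t/T rule works the same way for SUID, SGID and the sticky bit, so it can be written once. The following is an added example, not part of the original posts; the function name mode_to_symbolic is made up for this illustration, and it renders an octal mode the way the permission columns of ls -l show it.

```sh
#!/bin/sh
# Added example: derive the ls -l permission string from an octal mode.

mode_to_symbolic() {
    m=$(( 0$1 ))        # leading 0 makes the shell read the argument as octal
    out=
    # Each spec: bit shift of the rwx triplet, special-bit mask,
    # letter shown when execute is set, letter shown when it is not.
    for spec in "6 04000 s S" "3 02000 s S" "0 01000 t T"; do
        set -- $spec
        trio=$(( ($m >> $1) & 7 ))
        r=-; w=-; x=-
        if [ $(( trio & 4 )) -ne 0 ]; then r=r; fi
        if [ $(( trio & 2 )) -ne 0 ]; then w=w; fi
        if [ $(( trio & 1 )) -ne 0 ]; then x=x; fi
        if [ $(( $m & $2 )) -ne 0 ]; then
            # Special bit set: small letter if execute is also set,
            # capital letter if the execute bit is missing.
            if [ "$x" = x ]; then x=$3; else x=$4; fi
        fi
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# Constructed sample modes covering all three special bits.
for mode in 4744 4644 2776 2766 1775 1774; do
    printf '%s  %s\n' "$mode" "$(mode_to_symbolic "$mode")"
done
```
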
Now in case you want to search for all the files and directories with sticky bit permission
# find / -perm /1000
where 1000 signifies files or directories having the sticky bit, as per the octal value we use. (Older versions of find accepted +1000; current GNU find requires /1000 or -1000.) You can also use additional switches with the find command, like -type d or -type f, to search more accurately.
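
The find searches from the three posts can be combined into a small inventory that is compared against a reviewed list, so that a newly appearing SUID or SGID file stands out. This is an added example, not part of the original posts; the function names, the "BIT PATH" allowlist format and the sample tree are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: inventory special-permission entries and diff against an allowlist.

# Print "BIT PATH" for every SUID/SGID regular file and sticky directory under $1.
# -perm -MODE (all listed bits set) is the POSIX form; for a single bit it
# matches the same entries as GNU find's -perm /MODE.
list_special() {
    find "$1" -xdev -type f -perm -4000 -print | sed 's/^/SUID /'
    find "$1" -xdev -type f -perm -2000 -print | sed 's/^/SGID /'
    find "$1" -xdev -type d -perm -1000 -print | sed 's/^/STICKY /'
}

# Print the entries under $1 that are missing from allowlist file $2
# (one "BIT PATH" per line). Anything printed has not been reviewed yet.
unexpected_special() {
    list_special "$1" | sort | grep -vxF -f "$2" || true
}

# Constructed sample tree so the example runs offline and without root.
make_sample_tree() {
    t=$(mktemp -d)
    : > "$t/plain.sh"; chmod 0755 "$t/plain.sh"   # no special bit
    : > "$t/tool";     chmod 4755 "$t/tool"       # SUID, reviewed
    : > "$t/newtool";  chmod 4755 "$t/newtool"    # SUID, not reviewed
    mkdir "$t/drop";   chmod 1777 "$t/drop"       # sticky directory, reviewed
    echo "$t"
}

tree=$(make_sample_tree)
printf 'SUID %s\nSTICKY %s\n' "$tree/tool" "$tree/drop" > "$tree/allow.txt"
unexpected_special "$tree" "$tree/allow.txt"      # reports only newtool
rm -rf "$tree"
```
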