How to use SUID and SGID in Linux with examples

Regular permission can be overridden by special permissions like SUID, SGID, and sticky bit. When you use the special permissions on a file, then only the owner of the file or group owner can manipulate the file.

In some cases where you just want only the owner or group can execute the file then SUID and SGID are the best way.

And if you want to protect your file from being deleted by any other user then go for a sticky bit permission which can be a savior in a shareable space.

What is SUID?

In simple terms, SUID is a special permission that allows you to execute files only if you own them. Otherwise, you cannot execute it.

This can be handy when you just want to restrict permission to yourself. And the prime example is passwd command, which has SUID permission, so, the question arises of how to identify it.

If you want to check permission stats in detail run the stat command or you can use the ls command.

$ stat /usr/bin/passwd 
$ ls -l /usr/bin/passwd

Output:
File: /usr/bin/passwd
  Size: 63960           Blocks: 128        IO Block: 4096   regular file
Device: 80ah/2058d      Inode: 1441892     Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-03-01 14:07:48.377112656 +0530
Modify: 2020-02-07 20:24:14.000000000 +0530
Change: 2021-10-30 19:29:05.076144777 +0530
 Birth: 2021-07-28 00:59:20.060264859 +0530

A SUID can be identified by number four or “s” in case of executable permission or “S” in non-executable permission.

Because of that passwd command is only executable by currently logged in user along with you are restricted to change the password of any other user unless you are the root. So how do I implement it on a system?

$ passwd trendoceans 

Output:
passwd: You may not view or modify password information for trendoceans.

How to implement SUID on a file

To implement SUID on a file is pretty straightforward, you just need to use bit number 4 which stands for SUID, or use symbolic modes “s”.

$ chmod 4XXX [FILE-NAME]
$ chmod u+s [FILE-NAME]

You should read Permission Command in Linux: chmod

For e.g. I do have created a bash script that should be executed by me and no other user can execute then pass the below command:

$ chmod 4744 trendoceans.sh
$ ls -l trendoceans.sh

Output:
-rwsr--r-- 1 ankit nogroup 2232 Feb 22 12:27 trendoceans.sh

How to revoke SUID from a file

You can simply revoke the SUID permission by just passing the below command which will untouched the rest of the permission value and purges the SUID permission from a file:

Command syntax:

$ chmod u-s [FILE-NAME]
$ chmod u-s trendoceans.sh
$ ls -l trendoceans.sh

What is SGID?

A SUID is applicable for a single user, if you want multiple or groups of users can execute a file then use SGID permission which is similar to SUID.

You can identify SGID permission when group permission is enclosed with “s” instead of x or “S” if it is a non-executable file or number two in bit permissions.

To check we will run the following command on a wall, which is used to broadcast messages to all users.

$ stat /usr/bin/wall
$ ls -l /usr/bin/wall

Output:
File: /usr/bin/wall
  Size: 35048           Blocks: 72         IO Block: 4096   regular file
Device: 80ah/2058d      Inode: 1498570     Links: 1
Access: (2755/-rwxr-sr-x)  Uid: (    0/    root)   Gid: (    5/     tty)
Access: 2022-03-01 15:18:16.220769208 +0530
Modify: 2022-01-21 01:40:35.000000000 +0530
Change: 2022-01-25 15:15:52.750996972 +0530
 Birth: 2022-01-25 15:15:52.498994272 +0530

How to implement SGUID on a file

To implement GUID on a file is pretty straightforward, you just need to use bit number 2 which stands for SUID, or use symbolic modes “s”.

$ chmod 2XXX [FILE-NAME]
$ chmod g+s [FILE-NAME]

I’ll modify the permission of “trendoceans.sh” to SGID using a below command:

$ chmod 2755 trendoceans.sh
$ ls -l trendoceans.sh

Output:
-rw-r-sr-- 1 ankit nogroup 2232 Feb 22 12:27 trendoceans.sh

How to revoke SGID from a file

You can refer to the below command syntax to remove SGID from a corresponding file, and run ls -l to verify permission stats.

$ chmod g-s [FILE-NAME]
$ ls -l [FILE-NAME]

I’ll revert to regular permission by entering the following command:

$ chmod g-s trendoceans.sh
$ ls -l trendoceans.sh

-rw-r-xr-- 1 ankit nogroup 2232 Feb 22 12:27 trendoceans.sh

Wrap up

That’s all to know about SUID and SGID in Linux. I recommend you read chattr command to modify file permission.

Leave a Reply