Regular permission can be overridden by special permissions like SUID, SGID, and sticky bit. When you use the special permissions on a file, then only the owner of the file or group owner can manipulate the file.
In some cases where you just want only the owner or group can execute the file then SUID and SGID are the best way.
And if you want to protect your file from being deleted by any other user then go for a sticky bit permission which can be a savior in a shareable space.
Table of Contents
What is SUID?
In simple terms, SUID is a special permission that allows you to execute files only if you own them. Otherwise, you cannot execute it.
This can be handy when you just want to restrict permission to yourself. And the prime example is passwd command, which has SUID permission, so, the question arises of how to identify it.
If you want to check permission stats in detail run the stat command or you can use the ls command.
$ stat /usr/bin/passwd
$ ls -l /usr/bin/passwd
Output:
File: /usr/bin/passwd
Size: 63960 Blocks: 128 IO Block: 4096 regular file
Device: 80ah/2058d Inode: 1441892 Links: 1
Access: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2022-03-01 14:07:48.377112656 +0530
Modify: 2020-02-07 20:24:14.000000000 +0530
Change: 2021-10-30 19:29:05.076144777 +0530
Birth: 2021-07-28 00:59:20.060264859 +0530
A SUID can be identified by number four or “s” in case of executable permission or “S” in non-executable permission.
Because of that passwd
command is only executable by currently logged in user along with you are restricted to change the password of any other user unless you are the root. So how do I implement it on a system?
$ passwd trendoceans
Output:
passwd: You may not view or modify password information for trendoceans.
How to implement SUID on a file
To implement SUID on a file is pretty straightforward, you just need to use bit number 4 which stands for SUID, or use symbolic modes “s”.
$ chmod 4XXX [FILE-NAME]
$ chmod u+s [FILE-NAME]
You should read Permission Command in Linux: chmod
For e.g. I do have created a bash script that should be executed by me and no other user can execute then pass the below command:
$ chmod 4744 trendoceans.sh
$ ls -l trendoceans.sh
Output:
-rwsr--r-- 1 ankit nogroup 2232 Feb 22 12:27 trendoceans.sh
How to revoke SUID from a file
You can simply revoke the SUID permission by just passing the below command which will untouched the rest of the permission value and purges the SUID permission from a file:
Command syntax:
$ chmod u-s [FILE-NAME]
$ chmod u-s trendoceans.sh
$ ls -l trendoceans.sh
What is SGID?
A SUID is applicable for a single user, if you want multiple or groups of users can execute a file then use SGID permission which is similar to SUID.
You can identify SGID permission when group permission is enclosed with “s” instead of x or “S” if it is a non-executable file or number two in bit permissions.
To check we will run the following command on a wall, which is used to broadcast messages to all users.
$ stat /usr/bin/wall
$ ls -l /usr/bin/wall
Output:
File: /usr/bin/wall
Size: 35048 Blocks: 72 IO Block: 4096 regular file
Device: 80ah/2058d Inode: 1498570 Links: 1
Access: (2755/-rwxr-sr-x) Uid: ( 0/ root) Gid: ( 5/ tty)
Access: 2022-03-01 15:18:16.220769208 +0530
Modify: 2022-01-21 01:40:35.000000000 +0530
Change: 2022-01-25 15:15:52.750996972 +0530
Birth: 2022-01-25 15:15:52.498994272 +0530
How to implement SGUID on a file
To implement GUID on a file is pretty straightforward, you just need to use bit number 2 which stands for SUID, or use symbolic modes “s”.
$ chmod 2XXX [FILE-NAME]
$ chmod g+s [FILE-NAME]
I’ll modify the permission of “trendoceans.sh” to SGID using a below command:
$ chmod 2755 trendoceans.sh
$ ls -l trendoceans.sh
Output:
-rw-r-sr-- 1 ankit nogroup 2232 Feb 22 12:27 trendoceans.sh
How to revoke SGID from a file
You can refer to the below command syntax to remove SGID from a corresponding file, and run ls
-l
to verify permission stats.
$ chmod g-s [FILE-NAME]
$ ls -l [FILE-NAME]
I’ll revert to regular permission by entering the following command:
$ chmod g-s trendoceans.sh
$ ls -l trendoceans.sh
-rw-r-xr-- 1 ankit nogroup 2232 Feb 22 12:27 trendoceans.sh
Wrap up
That’s all to know about SUID and SGID in Linux. I recommend you read chattr command to modify file permission.
A man with a tech effusive who has explored some of the amazing technology stuff and is exploring more. While moving towards, I had a chance to work on Android development, Linux, AWS, and DevOps with several open-source tools.
I just like the helpful information you provide in your articles
I like the efforts you have put in this, regards for all the great content.
I just like the helpful information you provide in your articles