Pawan Sharma | August 28, 2012

SUID, SGID and Sticky Bit in RHEL6

In the previous post I explained how to change file and directory permissions with the chmod command in its two modes, symbolic and numeric. In this post we discuss three special file permissions, the Sticky Bit, the SUID bit and the SGID bit, which let us make processes more secure and efficient.

In the previous post we discussed the three basic file permissions: read (r), write (w) and execute (x). Besides these there are three more permissions: SUID (s), SGID (s) and Sticky Bit (t). First we will explain what these terms mean.

Sticky Bit (t): The sticky bit is a simple and effective file permission; it increases the security of a file or directory that is shared with other users. When the sticky bit is enabled, only the user (owner) of that file can remove or rename the file, even if other users have full (rwx) permissions on it. In the case of a directory, only the owner of the directory or the owner of a file inside it can remove or rename that file. The sticky bit is mainly used on directories to which multiple users have access, such as /tmp. By default the sticky bit is set on /tmp in Red Hat Enterprise Linux 6 (RHEL6).

[root@PawanS1 ~]# ls -ld /tmp
drwxrwxrwt.  96 root root  4096  Aug 28 12:06   /tmp

In the above example we can see a “t” in the execute position for others. The sticky bit can be enabled with the “chmod” command. Let’s take some examples of the Sticky Bit.
  • Add sticky bit permission on a directory with all permissions using symbolic chmod.
[root@PawanS1 ~]# ls -ld Test_Dir/
drwxrwxrwx  2  pawan admin  4096 Aug 28 10:22  Test_Dir/

[root@PawanS1 ~]# chmod +t Test_Dir/

[root@PawanS1 ~]# ls -ld Test_Dir/
drwxrwxrwt  2  pawan admin  4096 Aug 28 10:22   Test_Dir/
  • Add sticky bit permission on a directory using numeric chmod.
[root@PawanS1 ~]# ls -ld My_Dir/
drwxr-xr-- 2 pawan admin 4096 Aug 28 10:27   My_Dir/

[root@PawanS1 ~]# chmod 1754 My_Dir/

[root@PawanS1 ~]# ls -ld My_Dir/
drwxr-xr-T  2  pawan admin  4096 Aug 28 10:27   My_Dir/

Note: This time we have a “T” instead of “t” because the directory does not have execute permission for others.

SUID (Set User ID) Bit (s): Mainly we enable the SUID bit on files, especially on executable scripts. When the SUID bit is enabled on a script or file, whoever executes it runs it as the user who owns that file. In other words, the file is guaranteed to run as its owner, no matter who executes it. This comes in handy when you want to give execute rights on a root-privileged script to some other user. In RHEL 6, the SUID bit is set by default on commands like /usr/bin/passwd, /usr/bin/wall, /usr/bin/ssh-agent, etc. This is the reason a user can change their own password.

[root@PawanS1 ~]# ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 27936 Aug  3  2010  /usr/bin/passwd

In the above example we can see an “s” in the execute position of the user (owner). The SUID bit can be enabled with the “chmod” command. Let’s take some examples of the SUID bit.
  • Add SUID bit on a script using symbolic chmod.
[root@PawanS1 ~]# ls -l test_script.sh
-rwxr-xr-x 1 root admin 43 Aug 28 11:51  test_script.sh

[root@PawanS1 ~]# chmod u+s test_script.sh

[root@PawanS1 ~]# ls -l test_script.sh
-rwsr-xr-x 1 root admin 43 Aug 28 11:51  test_script.sh
  • Add SUID bit on a script which does not have execute permission for user (owner) using numeric chmod.
[root@PawanS1 ~]# ls -l my_script.sh
-rw-r--r-- 1 root admin 29 Aug 28 11:58   my_script.sh

[root@PawanS1 ~]# chmod 4644 my_script.sh

[root@PawanS1 ~]# ls -l my_script.sh
-rwSr--r-- 1 root admin 29 Aug 28 11:58   my_script.sh

Note: This time we have an “S” instead of an “s” because the script “my_script.sh” does not have execute permission for the user.
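Because a SUID file runs with its owner's identity, the defender's counterpart to setting the bit is knowing exactly which files carry it. The following script is an added example, not code from the original post: it inventories the files under a directory that have the SUID, SGID or sticky bit set and compares that inventory with a saved baseline, so an unexpected new setuid file stands out. The directory and baseline path are whatever the caller passes in. One point worth knowing when reading the output: the Linux kernel ignores the SUID bit when it executes an interpreted script through a `#!` line, so on a real system the entries that matter are binaries such as /usr/bin/passwd; a shell script with u+s, like test_script.sh above, still runs as the invoking user.

```shell
#!/bin/sh
# Added example, not code from the original post: inventory the files under a
# directory that carry the SUID, SGID or sticky bit and compare that
# inventory with a saved baseline, so an unexpected new setuid file stands
# out. Paths and the baseline file are whatever the caller passes in.

# list_special DIR: print "mode path" for each regular file under DIR with any
# special bit set, sorted by path. GNU find's -perm /7000 matches a file if
# any of the 4000 (SUID), 2000 (SGID) or 1000 (sticky) bits is set.
list_special() {
    find "$1" -type f -perm /7000 -exec stat -c '%a %n' {} + 2>/dev/null | sort -k2
}

# save_baseline DIR FILE: store the current inventory of DIR in FILE.
save_baseline() {
    list_special "$1" > "$2"
}

# check_baseline DIR FILE: exit 0 when DIR still matches FILE; otherwise print
# the differing lines (< only in baseline, > only on disk) and exit 1.
check_baseline() {
    list_special "$1" | diff "$2" -
}

# Demo: with a directory argument, print its inventory (for example /usr/bin,
# where the post's /usr/bin/passwd listing, -rwsr-xr-x, shows up as
# "4755 /usr/bin/passwd").
if [ -n "${1:-}" ]; then
    list_special "$1"
fi
```

Run `save_baseline / /root/special-bits.baseline` once on a freshly installed system and `check_baseline / /root/special-bits.baseline` from a cron job; any `>` line in the diff is a file that gained a special bit since the baseline and deserves a look.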

SGID (Set Group ID) Bit: The SGID bit is very useful when you have to give a set of users in a group access to a directory. When the SGID bit is enabled on a directory, any file or directory created under it by any user is owned by the same group as the parent directory.

For example, you have created a group named “sales” and added four users, pawan, siddharth, ramswaroop and usaid, to group “sales”. Now you want every file created by any of these four users under the directory “/Sales” to be accessible by all of them.

1. To do this, first create a directory “/Sales” and then change its group owner and group permission to sales and rwx respectively.

[root@PawanS1 ~]# mkdir /Sales/

[root@PawanS1 ~]# ls -d /Sales/
drwxr-xr-x 2 root root 4096 Aug 28 12:31 /Sales/

[root@PawanS1 ~]# chmod g=rwx /Sales/

[root@PawanS1 ~]# chgrp sales /Sales/

[root@PawanS1 ~]# ls -d /Sales/
drwxrwxr-x 2 root sales 4096 Aug 28 12:31 /Sales/

2. Then enable the SGID bit on the “/Sales” directory.

[root@PawanS1 ~]# ls -d /Sales/
drwxrwxr-x 2 root sales 4096 Aug 28 12:31 /Sales/

[root@PawanS1 ~]# chmod g+s /Sales/

[root@PawanS1 ~]# ls -d /Sales/
drwxrwsr-x 2 root sales 4096 Aug 28 12:31 /Sales/

In the above example we can see an “s” in the execute position of the group. Now any file created under the directory “/Sales” will be owned by group sales.

Now log in as user pawan, create a file in /Sales and check its permissions.

[pawan@PawanS1 Sales]# touch test.txt

[pawan@PawanS1 Sales]# ls -l test.txt
-rw-rw-r-- 1 pawan sales 8 Aug 28 12:43 test.txt
  • We can also enable the SGID bit using chmod in numeric mode.
[root@PawanS1 ~]# ls -d /Purchase/
drwxrw-r-x 2 root purchase 4096 Aug 28 12:31 /Purchase/

[root@PawanS1 ~]# chmod 2765 /Purchase/

[root@PawanS1 ~]# ls -d /Purchase/
drwxrwSr-x 2 root purchase 4096 Aug 28 12:31 /Purchase/

Note: This time we have an “S” instead of an “s” because the directory “/Purchase” does not have execute permission for the group.
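The /Sales procedure in steps 1 and 2 above, scripted end to end as an added example (this is not code from the original post): it creates the shared directory, hands it to the group with rwx, sets SGID, and then checks that a file created inside inherits the directory's group. The directory name and group are parameters here because creating the real “sales” group and /Sales needs root, so the demo uses a throwaway directory and the caller's own primary group.

```shell
#!/bin/sh
# Added example, not code from the original post: script the /Sales setup
# from steps 1 and 2 and check that a file created inside the directory
# inherits the directory's group. DIR and GROUP are parameters because
# creating the real "sales" group and /Sales needs root.

# setup_shared_dir DIR GROUP: create DIR, give it to GROUP with rwx for the
# group, and set SGID; 2775 is the numeric form of drwxrwsr-x.
setup_shared_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2775 "$1"
    stat -c %a "$1"              # prints 2775 so the caller can confirm it stuck
}

# dir_group DIR: group owner of DIR.
dir_group() {
    stat -c %G "$1"
}

# create_and_report DIR: create a new file inside DIR (like the post's
# "touch test.txt") and print the group it was given. With SGID on DIR this
# is DIR's group rather than the creating user's primary group.
create_and_report() {
    f=$(mktemp "$1/test.XXXXXX")
    stat -c %G "$f"
}

# Demo with a throwaway directory and the caller's own primary group.
base=$(mktemp -d)
group=$(id -gn)
setup_shared_dir "$base/Sales" "$group"
printf 'group of %s: %s\n' "$base/Sales" "$(dir_group "$base/Sales")"
printf 'group of new file: %s\n' "$(create_and_report "$base/Sales")"
rm -rf "$base"
```

SGID only controls which group owns the new file; whether that group can write to it is decided by the creating user's umask. The rw-rw-r-- on test.txt above comes from the umask of 002 that RHEL6 gives users whose private group matches their user name; with a umask of 022 the file would be rw-r--r-- and the other sales members could read but not edit it.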

The table below summarizes the chmod modes for SUID, SGID and Sticky Bit.

Permission    Symbolic Mode           Numeric Mode
Sticky Bit    chmod +t file_name      chmod 1XXX file_name
SUID Bit      chmod u+s file_name     chmod 4XXX file_name
SGID Bit      chmod g+s file_name     chmod 2XXX file_name

where XXX are the usual numeric permissions for user, group and other.
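The three notes above (1754 giving “T”, 4644 giving “S”, 2765 giving “S”) all follow one rule: the leading digit of the numeric mode puts s, s or t into the execute position of the user, group or other triple, and the letter is upper-case when that triple has no execute bit of its own. The script below is an added example, not code from the original post, that implements that rule as a decoder from the numeric mode to the permission string that ls -l prints, and checks itself against stat on a real directory. Function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: turn a numeric chmod mode
# such as 1754 or 4644 into the permission string that ls -l shows, applying
# the post's rule that the special bit appears as s/t when the matching
# execute bit is set and as S/T when it is not.

# triple DIGIT EXEC_CHAR NOEXEC_CHAR HAS_SPECIAL
# Render one rwx group. HAS_SPECIAL is non-zero when the SUID/SGID/sticky bit
# that belongs to this group is set; it then replaces the execute position.
triple() {
    d=$1; r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    if [ "$4" -ne 0 ]; then
        if [ "$x" = x ]; then x=$2; else x=$3; fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# decode_mode MODE: "1754" -> rwxr-xr-T, "4755" -> rwsr-xr-x, "755" -> rwxr-xr-x
decode_mode() {
    mode=$1
    while [ ${#mode} -lt 4 ]; do mode="0$mode"; done   # "755" means "0755"
    special=${mode%???}          # leading digit: 4=SUID, 2=SGID, 1=sticky (may be summed)
    rest=${mode#?}               # the usual three digits
    u=${rest%??}                 # user digit
    g=${rest#?}; g=${g%?}        # group digit
    o=${rest#??}                 # other digit
    printf '%s%s%s\n' \
        "$(triple "$u" s S $((special & 4)))" \
        "$(triple "$g" s S $((special & 2)))" \
        "$(triple "$o" t T $((special & 1)))"
}

# check_file PATH: compare the decoder with stat's own rendering of a real
# file; prints "MODE SYMBOLIC" and returns 1 on a mismatch.
check_file() {
    numeric=$(stat -c %a "$1")
    symbolic=$(stat -c %A "$1")
    symbolic=${symbolic#?}       # drop the leading file-type character (d, -, l ...)
    decoded=$(decode_mode "$numeric")
    printf '%s %s\n' "$numeric" "$decoded"
    [ "$decoded" = "$symbolic" ]
}

# Demo on a throwaway directory using the post's 1754 mode (expect rwxr-xr-T).
demo_dir=$(mktemp -d)
chmod 1754 "$demo_dir"
check_file "$demo_dir"
rmdir "$demo_dir"
```

Because the leading digit is a bit mask, the decoder also handles combinations the table does not list separately, such as 6755 (SUID and SGID together, rwsr-sr-x) or 3775 (SGID plus sticky).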

If you have any doubts or queries, please post a comment.

