Setting the SUID/SGID bits: Giving a program YOUR permissions when it runs

Want to support HowtoForge? Become a subscriber!
 
Submitted by VirtualEntity (Contact Author) (Forums) on Fri, 2007-03-02 14:57. :: Linux | Linux

Setting the SUID/SGID bits: Giving a program YOUR permissions when it runs

Version 1.0
Author: VirtualEntity <lafeyette_management [at] comast [dot] net>
Last edited 02/03/2007

How and why would I set a SUID/SGID bit on a file? What is such a bit?

Normally, when a program runs under Linux, it inherits the permissions of the user who is running it, thus if I run a program under my account, the program runs with the same permissions that I would have if that program were me. Thus, if I cannot open a certain file, the program I am running also cannot open the file in question.

If I set the SUID or SGID bit for a file, this causes any persons or processes that run the file to have access to system resources as though they are the owner of the file.

To do this, we can use letters, e.g.:

chmod u+s freddy

This changes the situation so that if user X runs freddy, fredy will execute with MY permissions, rather than his or her own. (Whose permissions the program gets "stuck" with is dependant upon who runs the chmod command.)

You can see the effect of this change like so:

ls -l freddy

-rwSrwxr-x 1 mike mike 0 Dec 5 11:24 freddy
[mike@berlin mike]$

The other way to run this is to chmod the group instead of the user permissions octet, e.g.

chmod g+s freddy

This confers the permissions of my group (g group, not additional "G" groups) to the file, so that when it runs, it runs as someone in my group, rather than as the user who executes it.

The effect of this looks like so:

ls -l freddy

-rwSrwSr-x 1 mike mike 0 Dec 5 11:24 freddy
[mike@berlin mike]$


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Anonymous (not registered) on Fri, 2014-07-18 21:58.
this really helped me understand. Apprciate it.
Submitted by linuxidiot (registered user) on Fri, 2008-01-04 06:27.

After setting SUID

-rwSrwxr-x 1 mike mike 0 Dec 5 11:24 freddy

if you see 'S' then it means that the file has no executable permissions for that user.

consider that if the file has executable permissions already and you are setting SUID

chmod u+s freddy

-rwsrwxr-x 1 mike mike 0 Dec 5 11:24 freddy

you should see a smaller 's' in the executable permission position.

 

 

Submitted by tmib (registered user) on Sun, 2007-03-04 07:10.

Setting the SUID/SGID bit for a program to the 'root' user should actually be discouraged. If the program is badly written and can be manipulated via (malicious) input, it could allow a normal user to gain root privileges or access to files which that user should not be able to access.
When setting the sticky bit to a normal userid, it could allow other users access to all the other user's files, which may not really be what you want.
So please think about the security implications before randomly using this feature.

If you are facing a permissions dilemma for multiple users/groups, please consider looking into MAC (Mandatory Access Control).

Submitted by nicolargo (registered user) on Fri, 2007-03-02 15:17.

Another solution to give permissions to a user is to use sudo. The file is easyly configurable via a sudoers configuration file.

Here is a tuto:

http://www.developertutorials.com/tutorials/linux/using-sudo-050511/page1.html

 

Nicolargo

--== blog.Nicolargo.com ==-- 

Submitted by kvmreddy (registered user) on Tue, 2010-12-21 19:46.

Check bellow link for explanation with example

http://bashscript.blogspot.com/2010/03/unixlinux-advanced-file-permissions.html