Setting the SUID/SGID bits: Giving a program YOUR permissions when it runs

Version 1.0
Author: VirtualEntity <lafeyette_management [at] comast [dot] net>
Last edited 02/03/2007

How and why would I set a SUID/SGID bit on a file? What is such a bit?

Normally, when a program runs under Linux, it inherits the permissions of the user who is running it, thus if I run a program under my account, the program runs with the same permissions that I would have if that program were me. Thus, if I cannot open a certain file, the program I am running also cannot open the file in question.

If I set the SUID or SGID bit for a file, this causes any persons or processes that run the file to have access to system resources as though they are the owner of the file.

To do this, we can use letters, e.g.:

chmod u+s freddy

This changes the situation so that if user X runs freddy, fredy will execute with MY permissions, rather than his or her own. (Whose permissions the program gets "stuck" with is dependant upon who runs the chmod command.)

You can see the effect of this change like so:

ls -l freddy

-rwSrwxr-x 1 mike mike 0 Dec 5 11:24 freddy
[mike@berlin mike]$

The other way to run this is to chmod the group instead of the user permissions octet, e.g.

chmod g+s freddy

This confers the permissions of my group (g group, not additional "G" groups) to the file, so that when it runs, it runs as someone in my group, rather than as the user who executes it.

The effect of this looks like so:

ls -l freddy

-rwSrwSr-x 1 mike mike 0 Dec 5 11:24 freddy
[mike@berlin mike]$

Share this page:

5 Comment(s)

Add comment

Comments

From: at: 2007-03-02 14:17:49

Another solution to give permissions to a user is to use sudo. The file is easyly configurable via a sudoers configuration file.


Here is a tuto:


http://www.developertutorials.com/tutorials/linux/using-sudo-050511/page1.html


 


Nicolargo


--== blog.Nicolargo.com ==-- 

From: at: 2007-03-04 06:10:53

Setting the SUID/SGID bit for a program to the 'root' user should actually be discouraged. If the program is badly written and can be manipulated via (malicious) input, it could allow a normal user to gain root privileges or access to files which that user should not be able to access.
When setting the sticky bit to a normal userid, it could allow other users access to all the other user's files, which may not really be what you want.
So please think about the security implications before randomly using this feature.


If you are facing a permissions dilemma for multiple users/groups, please consider looking into MAC (Mandatory Access Control).

From: at: 2008-01-04 05:27:08

After setting SUID


-rwSrwxr-x 1 mike mike 0 Dec 5 11:24 freddy


if you see 'S' then it means that the file has no executable permissions for that user.


consider that if the file has executable permissions already and you are setting SUID


chmod u+s freddy


-rwsrwxr-x 1 mike mike 0 Dec 5 11:24 freddy


you should see a smaller 's' in the executable permission position.


 


 

From: at: 2010-12-21 18:46:56

Check bellow link for explanation with example


http://bashscript.blogspot.com/2010/03/unixlinux-advanced-file-permissions.html


 

From: Anonymous at: 2014-07-18 20:58:54

this really helped me understand. Apprciate it.