Linux / Aix Administration - Tips & Stuff: About SUID, SGID and Sticky bit Page 1 of 7

Linux / Aix Administration - Tips & Stuff



Wednesday, March 19, 2008


About SUID, SGID and Sticky bit
Set user ID, set group ID, sticky bit

In addition to the basic permissions discussed above, there are also three bits of information
defined for files in Linux:

* SUID or setuid: change user ID on execution. If the setuid bit is set, when the file is
executed by a user, the process will have the same rights as the owner of the file being
executed.
* SGID or setgid: change group ID on execution. Same as above, but the process inherits the
rights of the group of the owner of the file on execution. For directories it also may mean
that when a new file is created in the directory it will inherit the group of the directory
(and not of the user who created the file).
* Sticky bit: it was used to make a process "stick" in memory after it had finished; this
usage is now obsolete. Currently its use is system dependent, and it is mostly used to
prevent deletion of files that belong to other users in a folder where you have "write"
access.

Numeric representation

Octal digit  Binary value  Meaning
0            000           setuid, setgid, sticky bits are cleared
1            001           sticky bit is set
2            010           setgid bit is set
3            011           setgid and sticky bits are set
4            100           setuid bit is set
5            101           setuid and sticky bits are set
6            110           setuid and setgid bits are set
7            111           setuid, setgid, sticky bits are set

Textual representation

SUID: if set, replaces "x" in the owner permissions with "s" if the owner has execute
permission, or with "S" otherwise.

Examples:

-rws------ both owner execute and SUID are set
-r-S------ SUID is set, but owner execute is not set

SGID: if set, replaces "x" in the group permissions with "s" if the group has execute
permission, or with "S" otherwise.

Examples:

-rwxrws--- both group execute and SGID are set
-rwxr-S--- SGID is set, but group execute is not set

Sticky: if set, replaces "x" in the others permissions with "t" if others have execute
permission, or with "T" otherwise.

Examples:

-rwxrwxrwt both others execute and sticky bit are set
-rwxrwxr-T sticky bit is set, but others execute is not set
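The three substitution rules above, written out as an added example (not code from the original post): a function that renders a numeric mode such as 4755 as the string ls -l prints, plus a cross-check against Python's stat.filemode(), which implements the same s/S and t/T rules.

```python
import stat


def symbolic_mode(mode: int, is_dir: bool = False) -> str:
    """Render permission bits as the 10-character ls -l string.

    SUID/SGID replace the owner/group "x" with "s" (or "S" when execute is
    not set); the sticky bit replaces the others "x" with "t" (or "T")."""
    out = ["d" if is_dir else "-"]
    # (read bit, write bit, execute bit, special bit, letter for special bit)
    triplets = [
        (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
        (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
        (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
    ]
    for r, w, x, special, letter in triplets:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            # upper case marks a special bit set without the execute bit
            out.append(letter if mode & x else letter.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)


def special_bits_octal(mode: int) -> int:
    """The leading octal digit (0-7) from the numeric table above."""
    return (mode & (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX)) >> 9


def matches_stdlib(mode: int, is_dir: bool = False) -> bool:
    """Cross-check against stat.filemode(), which needs the file-type bits."""
    full = mode | (stat.S_IFDIR if is_dir else stat.S_IFREG)
    return symbolic_mode(mode, is_dir) == stat.filemode(full)


if __name__ == "__main__":
    for m, d in [(0o4755, False), (0o4644, False), (0o2775, True),
                 (0o1777, True), (0o1776, True)]:
        print(oct(m), symbolic_mode(m, d), special_bits_octal(m))
```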

Setting the sticky bit on a directory : chmod +t

If you have a look at the /tmp permissions, in most GNU/Linux distributions, you'll see the
following:

lokams@tempsrv# ls -l | grep tmp
drwxrwxrwt 10 root root 4096 2006-03-10 12:40 tmp

The "t" at the end of the permissions is called the "sticky bit". It replaces the "x" and indicates
that in this directory, files can only be deleted by their owners, the owner of the directory or
the root superuser. This way, it is not enough for a user to have write permission on /tmp; he
also needs to be the owner of the file to be able to delete it.
In order to set or to remove the sticky bit, use the following commands:

# chmod +t tmp
# chmod -t tmp

Setting the SGID attribute on a directory : chmod g+s

If the SGID (Set Group Identification) attribute is set on a directory, files created in that
directory inherit its group ownership. If the SGID is not set, the file's group ownership
corresponds to the user's default group.

In order to set the SGID on a directory or to remove it, use the following commands:

# chmod g+s directory
# chmod g-s directory

When set, the SGID attribute is represented by the letter "s" which replaces the "x" in the
group permissions:

# ls -l directory
drwxrwsr-x 10 george administrators 4096 2006-03-10 12:50 directory

Setting SUID and SGID attributes on executable files : chmod u+s, chmod g+s

By default, when a user executes a file, the process which results from this execution has the
same permissions as those of the user. In fact, the process inherits his default group and
user identification.

If you set the SUID attribute on an executable file, the process resulting from its execution
doesn't use the user's identification but the user identification of the file owner.

For instance, consider the script myscript.sh which tries to write things into mylog.log:

# ls -l
-rwxrwxrwx 10 george administrators 4096 2006-03-10 12:50 myscript.sh
-rwxrwx--- 10 george administrators 4096 2006-03-10 12:50 mylog.log

As you can see in this example, George gave full permissions to everybody on myscript.sh
but he forgot to do so on mylog.log. When Robert executes myscript.sh, the process runs
using Robert's user identification and Robert's default group (robert:senioradmin). As a
consequence, myscript fails and reports that it can't write in mylog.log.

In order to fix this problem George could simply give full permissions to everybody on
mylog.log. But this would make it possible for anybody to write in mylog.log, and George only
wants this file to be updated by his myscript.sh program. For this he sets the SUID bit on
myscript.sh:

# chmod u+s myscript.sh

As a consequence, when a user executes the script the resulting process uses George's
user identification rather than the user's. If set on an executable file, the SUID makes the
process inherit the owner's user identification rather than the one of the user who executed
it. This fixes the problem, and even though nobody but George can write directly in
mylog.log, anybody can execute myscript.sh which updates the file content.

Similarly, it is possible to set the SGID attribute on an executable file. This makes the
process use the owner's default group instead of the user's one. This is done by:

# chmod g+s myscript.sh

By setting SUID and SGID attributes the owner makes it possible for other users to execute
the file as if they were him or members of his default group.

The SUID and SGID are represented by an "s" which replaces the "x" character respectively
in the user and group permissions:

# chmod u+s myscript.sh
# ls -l
-rwsrwxrwx 10 george administrators 4096 2006-03-10 12:50 myscript.sh
# chmod u-s myscript.sh
# chmod g+s myscript.sh
# ls -l
-rwxrwsrwx 10 george administrators 4096 2006-03-10 12:50 myscript.sh
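An added example (not code from the original post) that performs the chmod +t, g+s and u+s steps above from Python on a constructed temporary tree, then audits that tree for files carrying SUID or SGID, which is the check an administrator runs after handing out these bits. The "tmp" and "myscript.sh" names mirror the post; the audit also flags setuid files that are "#!" scripts, since Linux does not honour the setuid bit on interpreted scripts (the point raised in the last comment below).

```python
import os
import stat
import tempfile


def set_special_bits(path: str, add: int = 0, remove: int = 0) -> int:
    """chmod +t / g+s / u+s (add) and -t / g-s / u-s (remove) done with
    os.chmod; returns the resulting permission bits (mode & 0o7777)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, (mode | add) & ~remove)
    return stat.S_IMODE(os.stat(path).st_mode)


def is_script(path: str) -> bool:
    """True when the file starts with '#!'. Linux ignores setuid/setgid on
    such interpreted scripts, so the bit grants nothing there."""
    with open(path, "rb") as f:
        return f.read(2) == b"#!"


def audit_setuid(root: str) -> list:
    """Walk root and return (path, ls-style mode, is_script) for every
    regular file that carries SUID or SGID (what find -perm /6000 reports)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((p, stat.filemode(st.st_mode), is_script(p)))
    return sorted(found)


def demo() -> dict:
    """Constructed tree mirroring the post: a world-writable 'tmp' directory
    with sticky + SGID, and a 'myscript.sh' shell script with u+s."""
    base = tempfile.mkdtemp()
    shared = os.path.join(base, "tmp")
    os.mkdir(shared)
    os.chmod(shared, 0o777)                      # start from rwxrwxrwx
    dir_mode = set_special_bits(shared, add=stat.S_ISVTX | stat.S_ISGID)
    script = os.path.join(base, "myscript.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho hello >> mylog.log\n")
    os.chmod(script, 0o755)
    set_special_bits(script, add=stat.S_ISUID)  # chmod u+s myscript.sh
    return {"dir": stat.filemode(os.stat(shared).st_mode),  # drwxrwsrwt
            "dir_octal": oct(dir_mode),                      # 0o3777
            "audit": audit_setuid(base)}
```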

Posted by Satish at 8:04 PM


Labels: AIX, Linux, Solaris

3 comments:
raulgh76 said...
If I do the following as root:

# chown root /usr/local/bin/script.sh


# chgrp root /usr/local/bin/script.sh
# chmod a+x /usr/local/bin/script.sh
# chmod u+s /usr/local/bin/script.sh

and the script binds a server socket to a port less than 1024

Could I root the scripts as a different user from root so that the scripts binds a
server socket in a port less than 1024? Or binding to a port less than 1024 is
only possible if the script is run as root?

Thank you in advance for your attention.


September 29, 2008 1:07 PM

Satish said...
# chown root:root /usr/local/bin/script.sh
# chmod 4755 /usr/local/bin/script.sh

The above commands will do the following:

1) Change the script /usr/local/bin/script.sh ownership to root

2) Read, write and execute permissions to root

3) Read and execute permissions to other users

4) Run as root user even when you execute with non-privileged user id.
September 29, 2008 5:51 PM

Anonymous said...
This is just plain incorrect.
Please, do yourself a favor and research on how Unix executes shell scripts.
Changing suid bit on shell script doesn't help because the actual executable
is /bin/sh or /bin/ksh or whatever shell is specified in the script. And that /bin/sh
and /bin/ksh don't have suid bit set.
September 10, 2010 7:33 PM
