Linux permissions: SUID, SGID, and sticky bit | Enable Sysadmin

Linux s permission

Linux permissions are a concept that every user becomes intimately familiar with early in their development. We need to run scripts, modify files, and run processes to manage systems effectively, but what happens when we see Permission Denied? Do you know why we see this message? If you know the cause of the problem, do you know how to implement the solution?

I’ll give a quick explanation of the various ways to calculate permissions, and then we’ll focus on special permissions within Linux. If you want an in-depth look at the chmod command, check out this article by Sudoer Shashank Hegde, Linux Permissions: An Introduction to chmod.

The TL;DR is that there are two main ways to assign permissions.


Symbolic method

The symbolic method uses the following syntax:

[tcarrigan@server ~]$ chmod WhoWhatWhich file | directory

Where:

  • Who – represents identities: u, g, o, a (user, group, other, all)
  • What – represents actions: +, -, = (add, delete, set exact)
  • Which – represents access levels: r, w, x (read, write, execute)

For example, if I want to add read and write permissions to a file called test.txt for user and group, I use the following command:

[tcarrigan@server ~]$ chmod ug+rw test.txt

Full disclosure, this is not my preferred method of assigning permissions, and if you want to learn more about this method, I recommend your nearest search engine.

The numerical method is, in my experience, the best way to learn and practice permissions. It is based on the following syntax:

[tcarrigan@server ~]$ chmod ### file | directory

Here, from left to right, each # character represents an access level. There are three levels of access: user, group, and others. To determine what each digit is, we use the following:

  • Start at 0
  • If read permission must be set, add 4
  • If write permission must be set, add 2
  • If execute permission must be set, add 1

This is calculated per access level. Let’s interpret this example of permissions:

-rw-r-x---

Permissions are represented as 650. How did I arrive at those numbers?

  • The permissions of the user are: rw- or 4+2=6
  • The permissions of the group are: r-x or 4+1=5
  • The permissions of the others are: --- or 0

To put this in the syntax of the command, it looks like this:

[tcarrigan@server ~]$ chmod 650 test.txt

Now that you understand the basics of calculating permissions in Linux, let’s take a look at the special permissions included in the operating system.


Special permission explained

Special permissions constitute a fourth level of access in addition to user, group, and others. Special permissions allow additional privileges over standard permission sets (as the name suggests). There is a special permission option for each access level discussed above. Let’s take a look at each individually, starting with Set UID:

User + s (special)

Commonly known as SUID, the special permission for the user access level has only one function: a file with SUID always runs as the user who owns the file, regardless of which user runs the command. If the owner of the file does not have execute permissions, an uppercase S is shown here instead.

Now, to see this in a practical light, let’s look at the /usr/bin/passwd command. This command, by default, has the SUID permission set:

[tcarrigan@server ~]$ ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 33544 December 13, 2019 /usr/bin/passwd

Note the s where x would normally indicate execute permissions for the user.

Group + s (special)

Commonly known as SGID, this special permission has a couple of functions:

  • If set on a file, it allows the file to run as the group that owns the file (similar to SUID)
  • If set on a directory, any file created in the directory will have its group ownership set to that of the directory owner

[tcarrigan@server article_submissions]$ ls -l
total 0
drwxrws---. 2 tcarrigan tcarrigan 69 Apr 7 11:31 my_articles

This permission set is observed with a lowercase s where the x would normally indicate execute privileges for the group. It is also especially useful for directories that are often used in collaborative efforts between members of a group. Any member of the group can access any new file. This also applies to file execution. SGID is very powerful when used correctly.

As noted earlier for SUID, if the owner group does not have execute permissions, a capital S is used.

Other + t (sticky)

The last special permission has been named “sticky bit.” This permission does not affect individual files. However, at the directory level, it restricts the deletion of files. Only the owner (and root) of a file can delete the file within that directory. A common example of this is the /tmp directory:

[tcarrigan@server article_submissions]$ ls -ld /tmp/
drwxrwxrwt. 15 root root 4096 Sep 22 15:28 /tmp/

The permission set is annotated with the lowercase t, where the x would normally indicate the execute privilege.
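Because SUID and SGID files run with their owner's or group's identity, and a world-writable directory without the sticky bit lets any user delete other users' files, it is useful to list where these bits are set or missing. The following is an added example, not part of the original article; the function names audit_special and make_demo_tree and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): report where special bits are set
# or missing under a directory tree.

# audit_special DIR prints one line per finding:
#   SUID <path>      regular file that runs as its owner
#   SGID <path>      regular file that runs as its owning group
#   NOSTICKY <path>  world-writable directory without the sticky bit, so
#                    any user can delete other users' files in it
audit_special() {
    root=$1
    {
        find "$root" -xdev -type f -perm -4000 | sed 's/^/SUID /'
        find "$root" -xdev -type f -perm -2000 | sed 's/^/SGID /'
        find "$root" -xdev -type d -perm -0002 ! -perm -1000 | sed 's/^/NOSTICKY /'
    } | sort
}

# Constructed sample tree so the audit has something to find.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    touch "$t/helper" "$t/notes.txt"
    chmod 4755 "$t/helper"        # SUID, same mode as /usr/bin/passwd
    chmod 0644 "$t/notes.txt"     # ordinary file, not reported
    mkdir "$t/shared" "$t/dropbox"
    chmod 0777 "$t/shared"        # world-writable, no sticky bit: reported
    chmod 1777 "$t/dropbox"       # same mode as /tmp: not reported
    echo "$t"
}

demo=$(make_demo_tree)
audit_special "$demo"
rm -rf "$demo"
```

On a real system, point audit_special at a path such as /usr/bin and compare the result against the list of SUID and SGID programs you expect the distribution to ship.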

To set special permissions on a file or directory, you can use either of the two methods described above for standard permissions: symbolic or numeric.

Suppose we want to set SGID on the community_content directory.

To do this using the symbolic method, we do the following:

[tcarrigan@server article_submissions]$ chmod g+s community_content/

Using the numeric method, we need to pass a fourth, leading digit in our chmod command. The digit used is calculated similarly to the standard permission digits:

  • Start at 0
  • SUID = 4
  • SGID = 2
  • Sticky = 1

The syntax is:

[tcarrigan@server ~]$ chmod X### file | directory

where X is the special permission digit.

Here is the command to set SGID on community_content using the numeric method:

[tcarrigan@server article_submissions]$ chmod 2770 community_content/
[tcarrigan@server article_submissions]$ ls -ld community_content/
drwxrws---. 2 tcarrigan tcarrigan 113 Apr 7 11:32 community_content/
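The digit arithmetic described above can be carried through in code. This added example, which is not from the original article, decodes a three- or four-digit octal mode into the nine permission characters that ls -l prints, including the uppercase S and T shown when the special bit is set but execute is not; the helper names triplet and mode_to_string are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): octal mode -> ls-style string.

# triplet DIGIT SPECIAL LOWER UPPER
# DIGIT is one access level (0-7); SPECIAL is non-zero when the matching
# special bit (SUID, SGID or sticky) is set for that level.
triplet() {
    d=$1 special=$2 lower=$3 upper=$4
    [ $((d & 4)) -ne 0 ] && r=r || r=-
    [ $((d & 2)) -ne 0 ] && w=w || w=-
    if [ "$special" -ne 0 ]; then
        # The special bit takes over the x column: lowercase when execute
        # is also set, uppercase when it is not.
        [ $((d & 1)) -ne 0 ] && x=$lower || x=$upper
    else
        [ $((d & 1)) -ne 0 ] && x=x || x=-
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

mode_to_string() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7]) mode=0$mode ;;        # no special digit given
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "invalid mode: $1" >&2; return 1 ;;
    esac
    sp=${mode%???}                  # leading special digit
    rest=${mode#?}
    u=${rest%??}                    # user digit
    rest=${rest#?}
    g=${rest%?}                     # group digit
    o=${rest#?}                     # others digit
    triplet "$u" $((sp & 4)) s S    # SUID = 4
    triplet "$g" $((sp & 2)) s S    # SGID = 2
    triplet "$o" $((sp & 1)) t T    # sticky = 1
    echo
}

mode_to_string 650     # the worked example from the numeric method
mode_to_string 2770    # community_content
mode_to_string 4644    # SUID without owner execute
```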


Summary

To conclude, permissions are fundamentally important to being an effective Linux administrator. There are two defined ways to set permissions using the chmod command: symbolic and numeric. We examined the syntax and calculations required for both methods. We also considered the special permissions and their role in the system. Now that you understand the permissions and underlying concepts, you can resolve the always annoying permission denied error when it tries to impede your work.