What are Set UID, Set GID, and Sticky Bits in Linux file permissions?
As a novice Linux user, you learn about the permissions and ownership associated with files and directories. Linux and Unix-like operating systems let you set a combination of nine permission bits to keep other users away from files and directories they have no business accessing. Alongside these there is a set of special permissions, called setuid, setgid, and the sticky bit.
Special permissions can be a little overwhelming for aspiring Linux administrators. This article gives some background on regular file permissions, explains how the special permissions differ from them, and demonstrates the setuid, setgid, and sticky bits with examples.
Regular Linux file permissions
Linux uses the chmod command to assign or modify read (r = 4), write (w = 2), and execute (x = 1) permissions on files and directories. The nine bits mentioned above are split into three groups of three: the first three apply to the user who owns the file, the next three to the group assigned to the file or directory, and the last three to all other users.
For example, a regular file that grants every permission to every category of user is shown as -rwxrwxrwx; a - in place of a letter means that permission is absent. The chmod command accepts either letters or numbers to change permissions, as follows:
sudo chmod 755 file #for rwxr-xr-x
sudo chmod 644 file #for rw-r--r--
sudo chmod a-w file #for r-xr-xr-x
sudo chmod a+x file #for --x--x--x
Special Linux file permissions
Set the UID bit
The setuid bit on an executable file lets other users run it with the privileges of the file's owner. For example, when the user max runs a setuid-root copy of the vi command, that vi has root's read and write permissions. To identify files with setuid, use the ls command and look for an s in place of the owner's execute bit x, as follows:
ls -la /bin/passwd #the passwd binary, not the /etc/passwd database
-rwsr-xr-x 1 root root 88464 Dec 14 12:46 passwd
Here are some more examples:
ls -la /bin/gpasswd
-rwsr-xr-x 1 root root 88464 Jul 14 15:08 gpasswd
ls -la /bin/su
-rwsr-xr-x 1 root root 67816 Jul 21 2020 su
ls -la /bin/newgrp
-rwsr-xr-x 1 root root 44784 Jul 14 15:08 newgrp
ls -la /bin/sudo
-rwsr-xr-x 1 root root 166056 Jan 19 2021 sudo
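The listings above are read by eye. The following decoder, added here as an example and not part of the original article, turns the 10-character mode column of ls -l into the octal mode and names the special bits it finds. It also covers the capital S and T forms, which mean the special bit is set on a slot that has no execute bit, a configuration that deserves a second look during an audit. The sample listing mixes the page's own lines with constructed entries (the tmp directory, odd_file and notes.txt are made up for the example).

```bash
#!/usr/bin/env bash
# Decode the 10-character mode column of `ls -l` output into an octal mode,
# special bits included. In the three execute slots, s (owner) stands for
# setuid, s (group) for setgid and t (others) for the sticky bit; lower-case
# means the execute bit is set as well, upper-case (S, T) means the special
# bit is set on a slot without execute, which is almost always a mistake.

mode_to_octal() {
    local mode="$1"
    if [ "${#mode}" -ne 10 ]; then
        echo "mode_to_octal: expected 10 characters, got '$mode'" >&2
        return 1
    fi
    local special=0 perm="" i triple val ch
    for i in 1 4 7; do              # owner, group, others
        triple="${mode:$i:3}"
        val=0
        [ "${triple:0:1}" = "r" ] && val=$((val + 4))
        [ "${triple:1:1}" = "w" ] && val=$((val + 2))
        ch="${triple:2:1}"
        case "$i$ch" in
            1x|4x|7x) val=$((val + 1)) ;;
            1s) val=$((val + 1)); special=$((special + 4)) ;;   # setuid + x
            1S) special=$((special + 4)) ;;                     # setuid, no x
            4s) val=$((val + 1)); special=$((special + 2)) ;;   # setgid + x
            4S) special=$((special + 2)) ;;                     # setgid, no x
            7t) val=$((val + 1)); special=$((special + 1)) ;;   # sticky + x
            7T) special=$((special + 1)) ;;                     # sticky, no x
            1-|4-|7-) ;;
            *) echo "mode_to_octal: bad character '$ch' in '$mode'" >&2; return 1 ;;
        esac
        perm="$perm$val"
    done
    printf '%d%s\n' "$special" "$perm"
}

# Summarise the special bits of one `ls -l` line as "<name>: <bits>".
special_bits_of() {
    local line="$1" mode name out=""
    mode="${line%% *}"
    name="${line##* }"
    case "${mode:3:1}" in s) out="$out setuid" ;; S) out="$out setuid-without-exec" ;; esac
    case "${mode:6:1}" in s) out="$out setgid" ;; S) out="$out setgid-without-exec" ;; esac
    case "${mode:9:1}" in t) out="$out sticky" ;; T) out="$out sticky-without-exec" ;; esac
    printf '%s:%s\n' "$name" "${out:- none}"
}

# Constructed sample listing: the page's setuid binaries plus three made-up
# lines (a sticky world-writable directory, a file with S but no execute bit,
# and a plain file).
sample_listing() {
    cat <<'EOF'
-rwsr-xr-x 1 root root 88464 Jul 14 15:08 gpasswd
-rwsr-xr-x 1 root root 67816 Jul 21 2020 su
-rwsr-xr-x 1 root root 166056 Jan 19 2021 sudo
drwxrwxrwt 12 root root 4096 Jan 1 00:00 tmp
-rwSr--r-- 1 root root 1024 Jan 1 00:00 odd_file
-rw-r--r-- 1 root root 2048 Jan 1 00:00 notes.txt
EOF
}

# Print each entry's octal mode followed by its special-bit summary.
report() {
    local line mode
    while IFS= read -r line; do
        mode="${line%% *}"
        printf '%s  %s\n' "$(mode_to_octal "$mode")" "$(special_bits_of "$line")"
    done
}

sample_listing | report
```

Feed it real output with `ls -l /usr/bin | report`; anything reported as setuid or setgid that is not in your distribution's known list, and anything ending in -without-exec, is worth investigating.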
To set the setuid bit for executable files, use the chmod command as follows:
chmod u+s /bin/passwd
To remove the setuid bit again, so that the file runs with the caller's own privileges rather than the owner's:
chmod u-s /bin/passwd
Set the GID bit
As noted, the setuid bit controls how other users run a file, while the setgid bit is what makes collaborative directories possible: any file created inside a directory with the setgid bit is assigned the directory's group rather than the creator's primary group, so every member of that group can access it. On an executable, setgid lets the file run with the privileges of its group, which allows all group members to use it without needing the owner's privileges while keeping it out of reach of other users.
Follow these steps to create a collaborative directory in your Linux system:
Create a group for the collaboration using the groupadd command, with group ID 415:
groupadd -g 415 admins
Use the usermod command to add john to the group so he can access and execute its files:
usermod -aG admins john
Use the mkdir command to create a directory:
Use the chgrp command to assign the directory to the administrators group:
chgrp admins /tmp/collaborative_dir
Use the chmod command to change the directory permission to 2775. The leading 2 sets the setgid bit, the two 7s give full rwx to the user and the group, and the 5 gives r-x to others.
chmod 2775 /tmp/collaborative_dir
Finally, switch to the user john and create a file in the collaborative directory to verify the file permissions.
su - john
The su command may give you an authentication error. In that case, become root with sudo su and rerun su - john to switch to the user account.
Now list the permissions to check the GID bit (s) set for the directory and newly created file.
ls -ld /tmp/collaborative_dir /tmp/collaborative_dir/file.txt
Normally, a file created by john is assigned john's own group. Because the file is created in a directory with the setgid bit, it is assigned to the admins group instead, so anyone belonging to that group, such as the user chris, has access to it.
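The procedure above needs root for groupadd, usermod and su. The script below, an added example rather than code from the original article, reproduces the mechanism without privileges: it builds the directory under mktemp, sets mode 2775, and, if the current user belongs to more than one group, hands the directory to a supplementary group so that the group inheritance is visible. Run with the same steps for a plain 0775 directory, it shows the contrast: there the new file keeps the creator's primary group. The directory name collaborative_dir and file name file.txt are taken from the page; everything else is constructed for the example.

```bash
#!/usr/bin/env bash
# Unprivileged re-creation of the collaborative-directory steps: build a
# directory with a given mode, give it a group the caller belongs to, create a
# file inside, and report which group the file ended up in.

make_collab_dir() {
    # Create DIR with MODE and, when GROUP is given, make it the group owner.
    # GROUP must be one the caller belongs to; otherwise the kernel silently
    # drops the setgid bit from the chmod (CAP_FSETID is needed to keep it).
    local dir="$1" mode="$2" group="${3:-}"
    mkdir -p "$dir"
    if [ -n "$group" ]; then
        chgrp "$group" "$dir"
    fi
    chmod "$mode" "$dir"
}

# First supplementary gid that differs from the primary gid, or empty if the
# caller is a member of a single group only.
other_group() {
    local primary g
    primary="$(id -g)"
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo ""
}

# Create NAME inside DIR (like touch) and print the file's numeric gid.
create_and_gid() {
    local f="$1/$2"
    : > "$f"
    stat -c %g "$f"
}

# Run the steps under mktemp with the given directory MODE and print three
# fields: <dir mode string> <dir gid> <gid of the file created inside it>
dir_demo() {
    local mode="$1" base dir
    base="$(mktemp -d)"
    dir="$base/collaborative_dir"
    make_collab_dir "$dir" "$mode" "$(other_group)"
    printf '%s %s %s\n' "$(stat -c %A "$dir")" "$(stat -c %g "$dir")" \
        "$(create_and_gid "$dir" file.txt)"
    rm -rf "$base"
}

echo "setgid directory (2775): mode, dir gid, file gid"
dir_demo 2775
echo "plain directory (0775): mode, dir gid, file gid"
dir_demo 0775
```

With the setgid directory the two gids match and the mode string shows drwxrwsr-x; with the plain directory the file carries the creator's primary gid, which only differs from the directory's gid when a supplementary group was available.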
Sticky bit
Unlike the setuid and setgid bits, the sticky bit protects files and directories from being renamed or deleted by other users. Standard file permissions allow any user with write access to delete or rename a file; with the sticky bit set, only the root user or the owner of the file can do so.
The ideal use for the sticky bit is a directory that all users can write to in order to create files. For example, use the ls -ld command to check the permissions of the /tmp directory, as follows:
You will notice that the sticky bit t replaces the execute bit x. Follow these instructions to create a restricted-deletion directory:
Now create another directory in /tmp:
Change the file permissions to 1777 to set the sticky bit (t) and full access to the directory:
chmod 1777 /tmp/new_dir
Now copy a file from the /etc directory, here services, to /tmp/new_dir and change its permissions to 666:
cp /etc/services /tmp/new_dir
chmod 666 /tmp/new_dir/services
List the directory and all of its contents to view permissions:
ls -ld /tmp/new_dir /tmp/new_dir/services
You will notice the sticky bit in place of the execute bit on the directory, which means that only root or the user john, who owns the file, can delete it, because the file lives in a sticky-bit directory.
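From the administrator's side, the two things worth checking regularly are directories that are world-writable without the sticky bit (any user could delete or rename anyone else's files there) and the inventory of setuid and setgid files, which should match a known baseline. The script below is an added example, not code from the original article; it expresses both checks as find -perm queries and runs them against a constructed directory tree under mktemp so the expected results are known. The names tmp_ok, tmp_bad, setuid_tool, setgid_tool and plain_tool are made up for the example.

```bash
#!/usr/bin/env bash
# Two permission audits built on find's -perm tests. "-perm -MODE" matches
# when all bits of MODE are set, so the queries are independent of the other
# permission bits a file happens to carry.

# Directories anyone may write to but which lack the sticky bit (1000): in
# such a directory every user can delete or rename every other user's files.
world_writable_without_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Regular files carrying setuid (4000) or setgid (2000): the list to compare
# against a baseline after every package installation or upgrade.
setuid_setgid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Constructed sample tree: one sticky world-writable directory like /tmp, one
# world-writable directory without the sticky bit, and three "binaries".
build_sample_tree() {
    local base="$1"
    mkdir -p "$base/tmp_ok" "$base/tmp_bad" "$base/bin"
    chmod 1777 "$base/tmp_ok"    # world-writable with sticky bit: fine
    chmod 0777 "$base/tmp_bad"   # world-writable without sticky bit: flagged
    : > "$base/bin/setuid_tool"; chmod 4755 "$base/bin/setuid_tool"
    : > "$base/bin/setgid_tool"; chmod 2755 "$base/bin/setgid_tool"
    : > "$base/bin/plain_tool";  chmod 0755 "$base/bin/plain_tool"
}

# Build the tree, run both audits against it and print the findings.
audit_demo() {
    local base
    base="$(mktemp -d)"
    build_sample_tree "$base"
    echo "world-writable directories without sticky bit:"
    world_writable_without_sticky "$base"
    echo "setuid/setgid files:"
    setuid_setgid_files "$base" | sort
    rm -rf "$base"
}

audit_demo
```

To audit a real host, call the two functions with / as the starting point; -xdev keeps find on one filesystem, so run it once per mount you care about. Both checks only read metadata and can run as an unprivileged user, although some directories will then be unreadable and silently skipped.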
Understanding Special File Permissions in Linux
This article has shown how to set these bits to improve collaboration on shared files and directories and to protect them from unauthorized access, execution, and deletion. Even if you never create files or directories with these bits, understanding special file permissions is useful in many situations, especially when troubleshooting or administering a system. Careless use of these bits, on the other hand, can lead to a variety of security vulnerabilities.