Linux SUID and SGID Permission

SUID (Set User ID) and SGID (Set Group ID) are Linux access-rights flags that let users run an executable with the permissions of the executable's owner or group, respectively, and that change behaviour when set on directories. They are often used to let users on a computer system run programs with temporarily elevated privileges in order to perform a specific task.

The sticky bit applies to all users (others) and is represented by the letter ( t ) or the numeric value ( 1 ).
SUID lets all other users execute a program or script as if they were its owner user, and is represented by the letter ( s ) or the numeric value ( 4 ).
SGID lets all other users execute a program or script as if they were in its owner group, and is represented by the letter ( s ) or the numeric value ( 2 ).

If you are new to permissions, please read the permission tutorial; you may also be interested in the sticky bit tutorial.

Setting SUID and SGID:

Because it is a permission, we set it with the chmod command.
It is represented by the letter ( s ) and is used with user ( u ) or group ( g ) only, so our commands look like this: chmod u+s file , chmod g-s file , …

Use the ls -l command to show permissions.
If the user or group has execute permission, SUID/SGID replaces ( x ) with a lowercase ( s ).
If the user or group DOESN'T have execute permission, SUID/SGID shows a capital ( S ) in the ( x ) position.

Examples:

The passwd command can be used by any user to change their own password.
To do that it needs to modify the /etc/shadow file, which is owned by the root user, so normal users can't modify it.
The passwd program is also owned by root, so it can modify /etc/shadow, but only when it runs with root's privileges.
The solution is to set the SUID bit on the passwd program: other users then run it with root privileges, which gives it the ability to modify /etc/shadow on their behalf.

~ $ ls -l /etc/shadow
-rw-r----- 1 root shadow 1795 Apr 26 00:22 /etc/shadow

~ $ ls -l /usr/bin/passwd 
-rwsr-xr-x 1 root root 54256 Mar 29  2016 /usr/bin/passwd

Setting SUID or SGID on scripts or files:

chmod u+s script.sh
chmod 4750 script.sh

chmod g+s script.sh
chmod 2750 script.sh

Note the current permissions of our test script:

~ $ ls -l test/script.sh 
-rwxr-xr-x 1 root root 0 Apr 26 02:04 test/script.sh

Set SUID and show the new permissions ( lowercase s ) in the user permissions:

~ $ sudo chmod u+s test/script.sh
~ $ ls -l test/script.sh
-rwsr-xr-x 1 root root 0 Apr 26 02:04 test/script.sh

Set SGID and show the new permissions ( lowercase s ) in the group permissions:

~ $ sudo chmod g+s test/script.sh
~ $ ls -l test/script.sh
-rwsr-sr-x 1 root root 0 Apr 26 02:04 test/script.sh

Remove execute permission from the group and show the permissions while SGID is still set ( capital S ):

~ $ sudo chmod g-x test/script.sh
~ $ ls -l test/script.sh
-rwsr-Sr-x 1 root root 0 Apr 26 02:04 test/script.sh

In summary, SUID and SGID help protect access to important files by requiring higher privileges for them and allowing others to modify them only through trusted scripts or programs that have sufficient privileges.
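
The s / S rendering and the numeric values 4 and 2 described above can be checked programmatically. The following Python sketch is an added example, not part of the original tutorial; the function names classify and audit are assumptions of this example. It decodes a file mode the way ls -l does and lists the SUID/SGID files under a directory so they can be reviewed.

```python
import os
import stat


def classify(mode):
    """Decode a st_mode value into the special-bit facts the tutorial describes."""
    special = (mode >> 9) & 0o7  # leading octal digit: 4 = SUID, 2 = SGID, 1 = sticky
    notes = []
    if mode & stat.S_ISUID:
        # 's' when the owner has execute, 'S' when the execute bit is missing
        notes.append("SUID (s)" if mode & stat.S_IXUSR
                     else "SUID without owner execute (S)")
    if mode & stat.S_ISGID:
        notes.append("SGID (s)" if mode & stat.S_IXGRP
                     else "SGID without group execute (S)")
    # A SUID/SGID file that non-owners may write to is worth reviewing
    if special & 0o6 and mode & (stat.S_IWGRP | stat.S_IWOTH):
        notes.append("writable by group or others")
    return {
        "ls": stat.filemode(mode),                 # same string ls -l prints
        "octal": "%04o" % stat.S_IMODE(mode),      # the form given to chmod
        "notes": notes,
    }


def audit(root):
    """Return (path, info) for every regular file under root with SUID or SGID set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode      # lstat: do not follow symlinks
            except OSError:
                continue                           # unreadable or vanished entry
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, classify(mode)))
    return sorted(found, key=lambda item: item[0])


if __name__ == "__main__":
    # Constructed sample: the four modes shown in the tutorial's ls -l output
    for sample in (0o100755, 0o104755, 0o106755, 0o106745):
        print(classify(sample))
    # Review the SUID/SGID programs installed in a system directory
    for path, info in audit("/usr/bin"):
        print(info["ls"], info["octal"], path, "; ".join(info["notes"]))
```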

That is it. I hope it was simple; thanks for using my tutorials.
Enjoy!

 

 
