Special permissions on files and directories in Linux are: SetUID, SetGID and the Sticky bit. With the help of the "chmod" command we can set these special permissions on files and directories.
SUID / Set User ID
A program is executed with the file owner’s permissions (rather than with the permissions of the user who executes it).
SGID / Set Group ID
Files created in the directory inherit its GID. That is, when a directory is shared between users and SGID is set on that shared directory, any directory (or file) those users create inside it gets the same GID, i.e. the same group owner, as its parent directory.
Sticky Bit
It is used mainly on folders to prevent deletion of a folder and its contents by other users even though they have write permission. If the Sticky bit is enabled on a folder, the folder can be deleted only by the owner of the folder and the superuser (root). This is a security measure to prevent deletion of critical folders on which others have full permissions.
When these permissions are set, the following symbols appear in the permissions field:
| Permission field | Meaning |
|---|---|
| ---S------ | SUID is set, but user (owner) execute is not set. |
| ---s------ | SUID and user execute are both set. |
| ------S--- | SGID is set, but group execute is not set. |
| ------s--- | SGID and group execute are both set. |
| ---------T | Sticky bit is set, but other execute is not set. |
| ---------t | Sticky bit and other execute are both set. |
SUID Example: passwd command
When a normal user tries to change his/her password, the passwd command is used, which is owned by root. The passwd binary needs to edit system configuration files such as /etc/passwd and /etc/shadow. So the passwd command is set with SUID, which gives the normal user root's permissions while it runs, so that it can update /etc/shadow and the other files.
Assign SUID to a file:
# chmod u+s testfile.txt
# chmod 4750 testfile.txt
In this example, 4 indicates the SUID bit is set, 7 gives full permissions to the owner, 5 gives read and execute permissions to the group, and 0 gives no permissions to others.
Assign SGID to a file or directory:
# chmod g+s [file/Directory]
# chmod 2750 [file/Directory]
Here in 2750, 2 indicates the SGID bit is set, 7 gives full permissions to the owner, 5 gives read and execute permissions to the group, and 0 gives no permissions to others.
Assign the Sticky bit to a directory:
# chmod o+t /opt/ftp-data
# chmod +t /opt/ftp-data
# chmod 1757 /opt/ftp-data
In this example, 1 indicates the Sticky bit is set, 7 gives full permissions to the owner, 5 gives read and execute permissions to the group, and 7 gives full permissions to others.
Note: To check the special permissions, use these commands:
# ls -l [file-name]
# ls -ld [directory/folder-name]
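The symbols from the table and the chmod forms from the examples above, checked end to end on scratch files, plus the find-based audit a defender runs to list set-id binaries. This is an added example, not code from the original article; it assumes a writable temporary directory and GNU or BSD ls, and the file and function names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): set each special bit with chmod on
# scratch files and read the permission field back, reproducing the S/s/T/t table.
# Assumes a writable $TMPDIR (or /tmp) and GNU or BSD ls. No root is needed, because
# SUID/SGID can be set on files you own and the sticky bit on directories you own.
set -u

# First 10 characters of ls -ld output: type + rwx triplets (drops a trailing +/. marker).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Characters 4, 7 and 10 of the permission field are where SUID, SGID and the
# sticky bit show up in place of the plain x.
suid_char()   { mode_of "$1" | cut -c4; }
sgid_char()   { mode_of "$1" | cut -c7; }
sticky_char() { mode_of "$1" | cut -c10; }

# Build the scratch tree (constructed demo names) and apply the article's chmod forms.
setup_demo() {
  DEMO=$(mktemp -d "${TMPDIR:-/tmp}/specialperm.XXXXXX") || return 1
  : > "$DEMO/suid_noexec"; chmod 4640 "$DEMO/suid_noexec"       # SUID, owner no x   -> S
  : > "$DEMO/suid_exec";   chmod 4750 "$DEMO/suid_exec"         # SUID + owner x     -> s
  : > "$DEMO/sgid_noexec"; chmod 2640 "$DEMO/sgid_noexec"       # SGID, group no x   -> S
  : > "$DEMO/sgid_exec";   chmod 2750 "$DEMO/sgid_exec"         # SGID + group x     -> s
  mkdir "$DEMO/sticky_noexec"; chmod 1754 "$DEMO/sticky_noexec" # sticky, others no x -> T
  mkdir "$DEMO/sticky_exec";   chmod 1757 "$DEMO/sticky_exec"   # sticky + others x  -> t
}

# Audit helper: list every regular file under a tree carrying SUID or SGID.
# find -perm -4000 / -2000 match "at least these bits", so the x bit does not matter.
list_setid_files() { find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort; }

cleanup_demo() { rm -rf "$DEMO"; }

if [ "${1:-}" = "run" ]; then
  setup_demo && for f in suid_noexec suid_exec sgid_noexec sgid_exec sticky_noexec sticky_exec; do
    printf '%s  %s\n' "$(mode_of "$DEMO/$f")" "$f"
  done
  cleanup_demo
fi
```

Run it as `sh demo.sh run` to print the six permission fields; the sticky-bit directories never appear in the set-id audit because they are not regular files.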