SetUID, SetGID, and Sticky Bits in Linux File Permissions


File permissions in Linux determine which users may read, write or execute a file or run a program. Ownership and permissions are set on files and directories with the chown and chmod commands, using the read, write and execute notation. The special permissions setuid, setgid and the sticky bit apply to executable files and directories; they deserve extra attention because, set carelessly, they can expose the system to every other user. Every file carries a user ID (uid) and a group ID (gid) taken from its owner, and when a process accesses the file both are checked against the file's permissions before access is allowed. To understand setting the uid, gid and sticky bits (the special file permissions), a reader should already know the basic Linux file permissions.

SetUID

When the SetUID bit is set on a program, the program runs with the permissions of the file's owner rather than those of the user who executes it. The bit can be changed with the chmod command by the owner of the file or by root. For example, when a user runs a file that is owned by root and has SetUID set, the file executes with root privileges rather than with the user's own permissions.

  • We can check whether SetUID is enabled using the ls command

  • ls -l /usr/bin/passwd

  • The above command returns

  • -rwsr-xr-x root root 34487 May 15 20:22 /usr/bin/passwd

  • In the file permission above, notice the lowercase character ‘s’ in the owner's execute position, which shows that the SetUID bit is set for the passwd command. The program therefore runs with the UID of the file's owner (root here), whoever executes it.

  • The owner of the file can use the command below to set the SetUID bit on the needed files

  • chmod u+s file_name

  • To clear a SetUID bit that is already set, use the command below on the executable file

  • chmod u-s file_name

SetGID

SetGID applies to executable files and to directories. On an executable, the program runs with the group of the file rather than the group of the user who runs it. When SetGID is set on a directory, files created inside it inherit the directory's group instead of the primary group of the user who created them. Users who hold write and execute permission on the directory through that group can therefore create files in it and access each other's files.

  • When file_name has the SetGID bit set, the ‘s’ appears in the group permission section of the listing

  • -rwxrwsr-x root root 2433 May 15 20:22 file_name

  • Use the command below to set the SetGID bit on the needed files or directories

  • chmod g+s file_name

  • To clear a SetGID bit that is already set, use the command below.

  • chmod g-s file_name
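The SetUID and SetGID commands above, worked through on a scratch copy of file_name, as an added example that is not part of the original article. The script assumes GNU coreutils (stat -c) and a writable temporary directory; file_name is the article's placeholder. It also shows the uppercase ‘S’ that ls prints when the bit is set but the matching execute permission is missing, a frequent reason a SetUID program appears not to work.

```shell
#!/bin/sh
# Added example, not code from the original article: set, inspect and clear
# the SetUID and SetGID bits on a scratch copy of "file_name" (the article's
# placeholder) and read the mode back with stat. Assumes GNU coreutils
# (stat -c) and a writable temporary directory.
set -eu

# Symbolic mode string as ls -l prints it (without the SELinux dot), e.g. -rwsr-xr-x
symbolic_mode() { stat -c '%A' "$1"; }

# Octal mode with the special bits in the leading digit, e.g. 4755 = SetUID + rwxr-xr-x
octal_mode() { stat -c '%a' "$1"; }

# "yes" when the SetUID bit is set. The owner's execute slot shows 's' when the
# owner also has execute permission and 'S' when the bit is set but the owner
# cannot execute the file, so the bit is present but has no effect.
has_setuid() {
    case "$(symbolic_mode "$1")" in
        ???[sS]*) echo yes ;;
        *)        echo no  ;;
    esac
}

# "yes" when the SetGID bit is set: the group's execute slot shows 's' or 'S'.
has_setgid() {
    case "$(symbolic_mode "$1")" in
        ??????[sS]*) echo yes ;;
        *)           echo no  ;;
    esac
}

# Print one line "<label> <symbolic> <octal> setuid=<yes|no> setgid=<yes|no>".
show() {
    printf '%-8s %s %s setuid=%s setgid=%s\n' "$1" \
        "$(symbolic_mode "$2")" "$(octal_mode "$2")" \
        "$(has_setuid "$2")" "$(has_setgid "$2")"
}

# Walk through the article's chmod commands on a scratch file.
demo() {
    dir=$(mktemp -d)
    f="$dir/file_name"
    printf '#!/bin/sh\necho hello\n' > "$f"
    chmod 755 "$f";         show "plain:"   "$f"   # -rwxr-xr-x 755
    chmod u+s "$f";         show "u+s:"     "$f"   # -rwsr-xr-x 4755
    chmod g+s "$f";         show "g+s:"     "$f"   # -rwsr-sr-x 6755
    chmod u-x "$f";         show "u-x:"     "$f"   # -rwSr-sr-x 6655: uppercase S, bit set but inert
    chmod u+x,u-s,g-s "$f"; show "cleared:" "$f"   # -rwxr-xr-x 755
    rm -rf "$dir"
}

demo
```

The octal form is what audit tooling usually records: the leading 4 (SetUID), 2 (SetGID) or 1 (sticky) is additive, so 6755 means both SetUID and SetGID on top of rwxr-xr-x.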

SetUID and SetGID carry a higher security risk than ordinary permissions: an attacker who gains access to the system can enumerate the executables that carry these bits and target them to obtain the owner's privileges. The administrator or the group owner should monitor these files regularly to detect any suspicious change in their permissions.
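One way to do the monitoring just described, as an added example rather than anything from the original article: record a baseline of the SetUID and SetGID files on the system and report when that set changes. It assumes GNU find (-printf); the baseline path in the comments is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original article: keep a baseline of the
# SetUID/SetGID files on a system and report when that set changes.
# Assumes GNU find (-printf). The baseline file should live somewhere only
# the administrator can write; /var/lib/suid-baseline below is a placeholder.
set -eu

# One line per SetUID or SetGID regular file below ROOT, staying on one
# filesystem: "<octal mode> <owner> <group> <path>", sorted so it diffs cleanly.
list_special_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
         -printf '%m %u %g %p\n' | sort
}

# Write the current listing for ROOT to BASELINE.
save_baseline() {
    baseline=$1 root=$2
    list_special_files "$root" > "$baseline"
}

# Compare ROOT against BASELINE. Prints "+ <line>" for a file that is newly
# SetUID/SetGID (or whose mode or owner changed) and "- <line>" for one that was
# in the baseline but no longer matches. Returns 0 when nothing changed, 1 otherwise.
check_baseline() {
    baseline=$1 root=$2
    current=$(mktemp)
    list_special_files "$root" > "$current"
    changes=$(diff "$baseline" "$current" | sed -n 's/^< /- /p; s/^> /+ /p')
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Typical use (placeholder paths), run as root so every directory is readable:
#   save_baseline /var/lib/suid-baseline /      # once, after a clean install
#   check_baseline /var/lib/suid-baseline /     # from cron; alert on exit status 1
```

Run save_baseline once as root after a clean installation and check_baseline from cron; every ‘+’ line is a file that has newly gained a special bit, or changed owner or mode, and should be explained before it is accepted into the baseline.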

Sticky Bits

The sticky bit is set on a directory and governs the files inside it. When it is set, a file in the directory can be removed only by the file's owner or the directory's owner; other users, even with write permission on the directory, cannot delete it. This protects files in shared, world-writable directories from deletion by other users. /tmp is the most common example: with the sticky bit set, users cannot delete each other's temporary files.

  • Use the ls command to list the permissions of the given directory

  • ls -ld /directory_name

  • The ls command with the directory name produces the result below.

  • drwxrwxrwt. 10 root root 539 May 17 15:09 /directory_name/

  • The lowercase ‘t’ in the last position, where the execute permission ‘x’ for other users normally appears, shows that the sticky bit is set; it applies to every file in the directory. (The trailing ‘.’ is printed by ls when the directory carries an SELinux security context.)

  • Use the command below to set the sticky bit on the needed directory.

  • chmod +t directory_name

  • To clear a sticky bit that is already set, use the command below on the respective directory.

  • chmod -t directory_name
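The sticky-bit commands above run on a scratch directory, together with a check for world-writable directories that are missing the bit (the situation in which any user can delete another user's files), as an added example that is not from the original article. It assumes GNU coreutils (stat -c) and GNU find; directory_name is the article's placeholder.

```shell
#!/bin/sh
# Added example, not code from the original article: inspect the sticky bit on
# a directory and list world-writable directories that lack it. Assumes GNU
# coreutils (stat -c) and GNU find; "directory_name" is the article's placeholder.
set -eu

# "yes" when the sticky bit is set: the last permission slot shows 't' when
# others also have execute (search) permission and 'T' when they do not.
has_sticky() {
    case "$(stat -c '%A' "$1")" in
        ?????????[tT]) echo yes ;;
        *)             echo no  ;;
    esac
}

# Directories below ROOT that anyone can write to but that are not sticky,
# one path per line. Shared scratch directories such as /tmp should never appear here.
list_unprotected_shared_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 | sort
}

# Print "<label> <symbolic mode> sticky=<yes|no>" for a directory.
show() {
    printf '%-8s %s sticky=%s\n' "$1" "$(stat -c '%A' "$2")" "$(has_sticky "$2")"
}

# Walk through the article's chmod commands on a scratch directory.
demo() {
    dir=$(mktemp -d)
    d="$dir/directory_name"
    mkdir "$d"
    chmod 777 "$d";    show "777:"     "$d"   # drwxrwxrwx: world-writable, not sticky
    printf 'unprotected: %s\n' "$(list_unprotected_shared_dirs "$dir")"
    chmod +t "$d";     show "+t:"      "$d"   # drwxrwxrwt
    printf 'unprotected: %s\n' "$(list_unprotected_shared_dirs "$dir")"   # empty now
    chmod o-x "$d";    show "o-x:"     "$d"   # drwxrwxrwT: uppercase T, others cannot search
    chmod o+x,-t "$d"; show "cleared:" "$d"   # drwxrwxrwx
    rm -rf "$dir"
}

demo
```

In an audit, list_unprotected_shared_dirs run against / as root is the quick check for the condition the section warns about; each directory it prints either needs the sticky bit or should not be world-writable at all.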

Conclusion

Linux special file permissions are set by root or by the file's owner, who decides which users may read, write or execute a file. When the SetUID, SetGID and sticky bits are in use, the affected files and directories have to be monitored, because a program that runs with its owner's privileges is an attractive target for an unauthorized user seeking access to files that belong to root or bin.

Updated on: 18-Jul-2023
