SetUID, SetGID, and Sticky Bits in Linux File Permissions

File permissions in Linux let owners and administrators control who may read, write, and execute programs and files. Standard permissions (read, write, execute) are managed with the chmod command, and ownership with chown. Beyond these basic permissions, Linux provides three special permissions: SetUID, SetGID, and the sticky bit. They modify the default behavior of file execution and directory access, and because they can grant privileges to other users they deserve careful consideration from a security standpoint.

SetUID (Set User ID)

When SetUID is enabled on an executable file, the program runs with the permissions of the file's owner rather than those of the user who launched it. This allows regular users to run specific programs that need elevated privileges for a well-defined task. Only binaries honour the bit: the Linux kernel ignores SetUID on interpreted scripts.

Example: The passwd Command

The passwd command needs to modify system files that regular users cannot access directly:

ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 59976 Nov 24 2022 /usr/bin/passwd

Notice the s in the owner's execute position, indicating SetUID is enabled. This allows any user to change their password while the program executes with root privileges.

Setting and Removing SetUID

# Enable SetUID
chmod u+s filename

# Disable SetUID
chmod u-s filename

# Using octal notation (4000 + regular permissions)
chmod 4755 filename

SetGID (Set Group ID)

SetGID has different behaviors for files and directories:

  • For executable files: the program runs with the group privileges of the file's group

  • For directories: new files created inside inherit the directory's group ownership

Example: SetGID on a Directory

ls -ld /shared/project
drwxrwsr-x 2 user developers 4096 May 15 10:30 /shared/project

The s in the group's execute position indicates SetGID. Files created in this directory automatically belong to the developers group.

Setting and Removing SetGID

# Enable SetGID
chmod g+s filename_or_directory

# Disable SetGID
chmod g-s filename_or_directory

# Using octal notation (2000 + regular permissions)
chmod 2755 filename_or_directory

Sticky Bit

The sticky bit is typically set on directories to restrict deletion. When enabled, only the file owner, directory owner, or root can delete files within the directory, even if other users have write permissions.

Example: The /tmp Directory

ls -ld /tmp
drwxrwxrwt 12 root root 4096 May 17 15:09 /tmp

The t at the end indicates the sticky bit is set. This prevents users from deleting each other's temporary files.

Setting and Removing Sticky Bit

# Enable sticky bit
chmod +t directory_name

# Disable sticky bit
chmod -t directory_name

# Using octal notation (1000 + regular permissions)
chmod 1755 directory_name

Special Permission Combinations

Permission   Octal Value   Symbol                   Purpose
SetUID       4000          s (in user position)     Execute as file owner
SetGID       2000          s (in group position)    Execute as file group / inherit group
Sticky Bit   1000          t (in others position)   Restrict deletion in directory

Security Considerations

Special permissions can introduce security risks if misused:

  • SetUID programs should be regularly audited for vulnerabilities

  • Unnecessary SetUID/SetGID permissions should be removed

  • Monitor changes to special permissions on critical files

# Find all SetUID files
find / -perm -4000 -type f 2>/dev/null

# Find all SetGID files
find / -perm -2000 -type f 2>/dev/null
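The find commands above give a one-off listing; the third bullet (monitor changes) needs a baseline to compare against. The following functions are an added example, not part of the original article: they extend the same find approach to sticky directories, record mode, owner, group and path for each hit, and report lines that appeared or disappeared since a saved baseline. They assume GNU find (for -perm /6000) and GNU stat (for -c); the function names are my own.

```shell
#!/bin/sh
# Inventory every file carrying SetUID or SetGID, and every sticky directory,
# below a root. Output: "octal-mode owner group path", one per line, sorted in
# the C locale so the listing is stable enough to keep as a baseline.
special_perm_inventory() {
    root="$1"
    {
        # -perm /6000: match if SetUID (4000) OR SetGID (2000) is set
        find "$root" -xdev -type f -perm /6000 -exec stat -c '%a %U %G %n' {} + 2>/dev/null
        # -perm -1000: sticky bit must be set (directories only)
        find "$root" -xdev -type d -perm -1000 -exec stat -c '%a %U %G %n' {} + 2>/dev/null
    } | LC_ALL=C sort
}

# Compare a saved baseline (output of special_perm_inventory) with a fresh
# scan. Prints "+ line" for new special-permission entries and "- line" for
# entries that vanished. Returns 1 when anything changed, 0 otherwise.
special_perm_diff() {
    baseline="$1"
    root="$2"
    current=$(mktemp)
    special_perm_inventory "$root" > "$current"
    tab=$(printf '\t')
    # comm -3: lines only in baseline (unprefixed) and only in current (tab-prefixed)
    changes=$(LC_ALL=C comm -3 "$baseline" "$current" \
        | sed "s/^$tab/+ /; s/^\([^+]\)/- \1/")
    rm -f "$current"
    if [ -z "$changes" ]; then
        return 0
    fi
    printf '%s\n' "$changes"
    return 1
}
```

Run special_perm_inventory / > /var/lib/specialperm.baseline once from a known-good state, then schedule special_perm_diff against that file; a non-zero exit is the signal worth alerting on.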

Conclusion

SetUID, SetGID, and sticky bits provide powerful mechanisms for managing file access beyond standard permissions. While useful for system administration and shared environments, these special permissions require careful implementation and regular monitoring to maintain system security.

Updated on: 2026-03-17T09:01:39+05:30
