Cheat sheet for setuid, setgid, and sticky bits
1 setuid / setgid / sticky
Just like normal permissions, the special bits can be assigned with the chmod
command, using either the numeric or the ugo/rwx format. In the numeric
format the setuid, setgid, and sticky bits are represented respectively by a
value of 4, 2 and 1, placed in front of the usual three permission digits. So
for example, to set the setgid bit on a directory we would execute:

    $ chmod 2775 test

With this command we set the setgid bit on the directory (identified by the
first of the four digits), gave full privileges on it to its owner and to the
users that are members of the group the directory belongs to, plus read and
execute permission for all other users. Remember that on a directory the
execute bit means a user can cd into it and reach the files inside it by
name; listing its contents with ls additionally needs the read bit.

The other way we can set the special permission bits is the ugo/rwx syntax.
The setgid bit lives in the group's execute position:

    $ chmod g+s test

To apply the setuid bit to a file, we would run:

    $ chmod u+s file

While to apply the sticky bit (it lives in the "other" execute position):

    $ chmod o+t test

In ls -l output the bits show up in the execute column as s (setuid, setgid)
or t (sticky); a capital S or T means the special bit is set but the
corresponding execute bit is not.
| | setuid ("s" in the owner execute column) | setgid ("s" in the group execute column) | sticky ("t" in the other execute column) |
|---|---|---|---|
| numeric value | 4 | 2 | 1 |
| on files | run as owner (effective uid becomes the file owner's) | run as member of the file's group (effective gid becomes the file's group) | IGNORED on Linux |
| on directories | IGNORED on Linux systems: "file giveaway" is not allowed | all files created inside get the group of the directory, not the creator's primary group (group consistency) | anyone with write access can create files, but only the file's owner, the directory's owner and root can delete or rename them; the files are "sticky" (see the /tmp directory) |
So as an example, 2777 and 3777 are very close: both are setgid directories
in which any user can create a file, but with 2777 anyone with write access
to the directory can delete that file, while with 3777 (setgid + sticky)
only the user who owns the file can delete it (other than root and the owner
of the directory itself, of course).
1.1 On directories
- Setuid on directories (ignored)
Ignored on most Unix systems, including Linux.
setuid and setgid were meant for completely different purposes. setuid is for
causing an executable to run with its owner's uid (and setgid with its
group's gid) rather than the uid of the user calling the executable. setuid
has no function on directories: does it make sense for a user to create a
file in a directory only to have it owned by someone else? What happens to
the creator? Would they still have access to the file? "File giveaways" are
not allowed.
1.1.1 setgid on directories
All files created in this directory will have their GID set to the /same/
GID as the parent directory, and NOT the usual primary GID of the user
creating the file. Subdirectories created inside it inherit the setgid bit
as well, so the rule propagates down the tree. It ensures group-owner
consistency on every file in a directory (a shared project directory is the
typical use). Note that GNU chmod keeps a directory's setgid bit when you
pass it a three-digit numeric mode such as 775; clear it explicitly with g-s.
1.1.2 sticky bit on directories
All users with write access to this directory are allowed to create files
in it, but no other user can delete or rename them: only the file's owner,
the directory's owner and root can. (see /tmp dir) Without the sticky bit,
write access to the directory is enough to delete any file in it, whoever
owns it.
1.2 On files
1.2.1 setuid on files
On executable files, the process will assume the rights and privileges
(effective uid) of the owner of the file, not of the user running it. This
is how passwd and sudo work, and why setuid binaries are a classic privilege
escalation target: any bug in them runs as the owner, usually root.
1.2.2 setgid on files
On executable files, the process will assume the rights and privileges
(effective gid) of the group of the file, not of the user running it.
Caveats for both: Linux ignores setuid/setgid on interpreted scripts (files
run through a #! line) and on filesystems mounted with the nosuid option,
and a chown or a write by an unprivileged user clears the bits, so a setuid
file cannot simply be copied or edited into place by that user.