Linux System Administration for Beginners
Essential Commands
SUID SGID and Sticky Bit
In Linux, three special permission bits (SUID, SGID, and the sticky bit) sit alongside the ordinary rwx bits in a file's mode and change how executables and directories behave for users and groups. They are set with chmod using a fourth, leading octal digit. Understanding them is essential for secure system administration and proper access control, because a misapplied SUID or SGID bit hands the file owner's privileges to whoever can run the file.
What Are Special Permission Bits?
- SUID (Set User ID): an executable runs with the effective user ID of the file's owner instead of that of the user who launched it.
- SGID (Set Group ID): an executable runs with the effective group ID of the file's group; on a directory, new files and subdirectories inherit the directory's group.
- Sticky Bit: in a shared, writable directory, a file can be deleted or renamed only by the file's owner, the directory's owner, or root.
Octal Prefix | Permission Bit | Effect
---|---|---
4xxx | SUID | Execute file as the file's owner
2xxx | SGID | Execute file as the file's group; new files in a directory inherit its group
1xxx | Sticky Bit | Only a file's owner (or the directory owner, or root) may delete or rename it in the directory
1. Set User ID (SUID)
When SUID is set on an executable, the process runs with the effective user ID of the file owner, whoever actually launched it. The classic examples are root-owned tools such as su and passwd, which need root privileges to do their job on behalf of an unprivileged user. Two limits are worth knowing: Linux ignores SUID on interpreted scripts (the bit only takes effect on binaries), and the kernel ignores it entirely on filesystems mounted with nosuid.
Step-by-Step
- Create a test file and view its default permissions:
touch suidfile
ls -l suidfile
# -rw-rw-r--. 1 aaron aaron 0 Apr 26 05:08 suidfile
- Enable SUID without execute for the owner (octal 4664):
chmod 4664 suidfile
ls -l suidfile
# -rwSrw-r--. 1 aaron aaron 0 Apr 26 05:08 suidfile
Note
The uppercase S in the owner's execute position indicates SUID is set but the owner's execute bit is not; the bit has no effect until the file is executable.
- Grant both execute and SUID for the owner (octal 4764):
chmod 4764 suidfile
ls -l suidfile
# -rwsrw-r--. 1 aaron aaron 0 Apr 26 05:08 suidfile
The lowercase s shows both SUID and execute bits are active. The 7 in 4764 grants only the owner execute, so the group column stays rw-. (The trailing dot after the mode is ls reporting an SELinux security context; it is not part of the permissions.)
Warning
Keep the set of SUID binaries as small as possible and review every one of them. A SUID binary that can be tricked into running another program, reading or writing an arbitrary file, or honouring attacker-controlled environment variables gives its owner's privileges (usually root) to any local user who can execute it.
2. Set Group ID (SGID)
SGID works like SUID but for the group: an SGID executable runs with the effective group ID of the file's group rather than the caller's. On a directory, SGID has a different meaning: files and subdirectories created inside it inherit the directory's group instead of the creator's primary group, which is the usual way to build a shared project directory.
Step-by-Step
- Create a test file and inspect permissions:
touch sgidfile
ls -l sgidfile
# -rw-rw-r--. 1 aaron aaron 0 Apr 26 05:11 sgidfile
- Set SGID without group execute (octal 2664):
chmod 2664 sgidfile
ls -l sgidfile
# -rw-rwSr--. 1 aaron aaron 0 Apr 26 05:11 sgidfile
- The uppercase S in the group's execute position shows SGID is set but the group execute bit is not.
- Add both group execute and SGID (octal 2764):
chmod 2764 sgidfile
ls -l sgidfile
# -rwxrwsr--. 1 aaron aaron 0 Apr 26 05:11 sgidfile
- The lowercase s indicates the SGID and execute bits are both set for the group. Note that 2764 also grants the owner execute (the 7), so the owner column reads rwx.
3. Finding SUID/SGID Files
Quickly locate files with SUID or SGID bits. With find, -perm /MODE matches files that have any of the given bits set, while -perm -MODE requires all of them. Restricting to -type f skips directories (where SGID means group inheritance, not privilege), 2>/dev/null hides permission-denied noise, and -ls prints the mode and owner so you can see who each binary runs as.
# Find all SUID files
find / -type f -perm /4000 -ls 2>/dev/null
# Find all SGID files
find / -type f -perm /2000 -ls 2>/dev/null
# Find files with either SUID or SGID (or both)
find / -type f -perm /6000 -ls 2>/dev/null
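As an added example (not code from the original page), the find commands above can be turned into a small baseline-and-diff audit: record the SUID/SGID inventory once on a known-good host, then rerun it to flag binaries that were added or whose mode or ownership changed. It assumes GNU find (-perm /MODE and -printf); the function names inventory_setuid and audit_setuid, the output format, and the baseline file path in the usage comments are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU find (-perm /MODE, -printf).
# Function names and the "MODE OWNER:GROUP PATH" line format are this example's own.

# inventory_setuid ROOT
#   Print one line per regular file under ROOT carrying SUID or SGID, as
#   "MODE OWNER:GROUP PATH", sorted bytewise so the output can be fed to comm.
#   -xdev stays on one filesystem; 2>/dev/null drops permission-denied noise.
inventory_setuid() {
    root=${1:-/}
    find "$root" -xdev -type f -perm /6000 -printf '%m %u:%g %p\n' 2>/dev/null \
        | LC_ALL=C sort
}

# audit_setuid ROOT BASELINE
#   Compare the current inventory with BASELINE (a saved inventory_setuid run).
#   Prints every line present now but absent from the baseline: a new SUID/SGID
#   file, or a known file whose mode or owner changed. Returns 1 if anything
#   was printed, 0 if the host still matches its baseline.
audit_setuid() {
    root=$1; baseline=$2
    current=$(mktemp) || return 2
    inventory_setuid "$root" > "$current"
    added=$(LC_ALL=C comm -13 "$baseline" "$current")
    rm -f "$current"
    if [ -n "$added" ]; then
        printf '%s\n' "$added"
    fi
    [ -z "$added" ]
}

# Typical use on a real host (not executed here; the baseline path is an assumption):
#   inventory_setuid / > /var/lib/setuid.baseline      # once, on a known-good system
#   audit_setuid / /var/lib/setuid.baseline || echo "SUID/SGID drift detected"
```

Because a changed mode or owner produces a different line, a binary that was already in the baseline but later received an extra bit shows up in the diff too, not only brand-new files. Re-baseline deliberately after package upgrades rather than silently accepting whatever the audit reports.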
4. Sticky Bit on Directories
The sticky bit on a directory ensures that files inside it can be deleted or renamed only by the file's owner, the directory's owner, or root, even when the directory itself is writable by everyone. The canonical example is /tmp, which is mode 1777: any user can create files there, but nobody can remove another user's files. On modern Linux the bit has no effect on regular files.
Step-by-Step
- Create a directory and view its default permissions:
mkdir stickydir
ls -ld stickydir
# drwxrwxr-x. 2 aaron aaron 6 Apr 26 05:14 stickydir
- Set the sticky bit together with world write and execute (octal 1777):
chmod 1777 stickydir
ls -ld stickydir
# drwxrwxrwt. 2 aaron aaron 6 Apr 26 05:14 stickydir
- The lowercase t in the others' execute position shows both the execute and sticky bits are set. To see the restriction in action, have one user create a file in stickydir and then try to rm it as a different unprivileged user: rm fails with "Operation not permitted" even though the directory is world-writable.
- Demonstrate sticky without execute (octal 1666):
chmod 1666 stickydir
ls -ld stickydir
# drw-rw-rwT. 2 aaron aaron 6 Apr 26 05:14 stickydir
- The uppercase T indicates sticky is set but execute is not. Without execute permission nobody can enter the directory or reach the files inside it, so 1666 is only useful for seeing how ls renders the bit; restore a usable mode with chmod 1777 stickydir.