From Fedora Project Wiki

Permissions

Special Permissions

There are two special permissions that can be set on executable files: Set User ID (setuid) and Set Group ID (setgid). These permissions allow the file to be executed with the privileges of its owner or group, rather than those of the user running it. For example, if a file is owned by the root user and has the setuid bit set, it always runs with root user privileges, no matter who executes it.

Set User ID (setuid)

You must be the owner of the file or the root user to set the setuid bit. Run the following command to set the setuid bit:

chmod u+s file1

View the permissions using the ls -l command:

ls -l file1
-rwSrw-r-- 1 user1 user1 0 2007-10-29 21:41 file1

Note the capital S. This means the setuid bit is set but the owner has no execute permission. Run the following command to add execute permissions to the file1 file, noting the lower case s:

chmod u+x file1
ls -l file1
-rwsrw-r-- 1 user1 user1 0 2007-10-29 21:41 file1

Note the lower case s. This means there are execute permissions.

Alternatively, you can set the setuid bit using the numeric method by prepending a 4 to the mode. For example, to set the setuid bit, read, write, and execute permissions for owner of the file1 file, run the following command:

chmod 4700 file1

Set Group ID (setgid)

When the Set Group ID bit is set, the executable is run with the authority of the group. For example, if a file is owned by the users group, it always runs with the authority of the users group, no matter who executes it. Run the following command to set the setgid bit on the file1 file:

chmod g+s file1

Note that both the setuid and setgid bits are set using the s symbol. Alternatively, prepend a 2 to the mode. For example, run the following command as root to set the setgid bit, and read, write, and execute permissions for the owner of the file1 file:

chmod 2700 file1

The setgid bit is represented the same way as the setuid bit, except that it appears in the group section of the permissions:

ls -l file1
-rwx--S--- 1 user1 user1 0 2007-10-30 21:40 file1

Use the chmod u+s command to set the setuid bit. Use the chmod g+s command to set the setgid bit.

Special Permissions for Directories

There are two special permissions for directories: the sticky bit and the setgid bit. When the sticky bit is set on a directory, only the root user, the owner of the directory, and the owner of a file can remove files within said directory.

Sticky Bit

An example of the sticky bit is the /tmp directory. Use the ls -ld /tmp command to view the permissions:

ls -ld /tmp
drwxrwxrwt  24 root root  4096 2007-10-30 22:00 tmp

The t at the end symbolizes that the sticky bit is set. A file created in the /tmp directory can only be removed by its owner, or the root user. For example, run the following command to set the sticky bit on the folder1 folder:

chmod a+t folder1

Alternatively, prepend a 1 to the mode of a directory to set the sticky bit:

chmod 1777 folder1

The permissions should be read, write, and execute for the owner, group, and everyone else, on directories that have the sticky bit set. This allows anyone to cd into the directory and create files.

Set Group ID

When the setgid bit is set on a directory, all files created within said directory inherit the group ownership of that directory. For example, the folder1 folder is owned by the user user1, and the group group1:

ls -ld folder1
drwxrwxr-x 2 user1 group1 4096 2007-10-30 22:25 folder1

Files created in the folder1 folder will inherit the group1 group membership:

touch folder1/file1
ls -l folder1/file1
-rw-rw-r-- 1 user1 group1 0 2007-10-30 22:29 folder1/file1

To set the setgid bit on a directory, use the chmod g+s command:

chmod g+s folder1

View the permissions using the ls -ld command, noting the s in the group permissions:

ls -ld folder1
drwxrwsr-x 2 user1 group1 4096 2007-10-30 22:32 folder1

Alternatively, prepend a 2 to the directory's mode:

chmod 2770 folder1
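
The following audit script is an added example, not part of the original wiki page. It assumes GNU find and stat (as on Fedora), and its function and sample file names are hypothetical. It lists files carrying the setuid (4) or setgid (2) bit and world-writable directories that lack the sticky bit (1), run here against a constructed sample tree that uses the modes shown above:

```shell
#!/bin/sh
# Added example (not from the wiki page): audit a tree for the special bits.
# Function names and the sample file names are hypothetical.

# Regular files with setuid (4000) or setgid (2000): "<octal> <symbolic> <path>".
# A capital S in the symbolic column means the bit is set without execute.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %A %n' {} +
}

# World-writable directories without the sticky bit (1000): any user who can
# write there can remove files owned by other users.
list_unsticky_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 \
        -exec stat -c '%a %A %n' {} +
}

# Constructed sample tree using the modes shown on this page.
make_sample_tree() {
    : > "$1/suid_exec";   chmod 4700 "$1/suid_exec"
    : > "$1/suid_noexec"; chmod 664 "$1/suid_noexec"; chmod u+s "$1/suid_noexec"
    : > "$1/sgid_file";   chmod 2700 "$1/sgid_file"
    : > "$1/plain";       chmod 644 "$1/plain"
    mkdir "$1/sticky_dir" "$1/open_dir" "$1/shared_dir"
    chmod 1777 "$1/sticky_dir"
    chmod 0777 "$1/open_dir"
    chmod 2770 "$1/shared_dir"
}

demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
echo "setuid/setgid files:";                list_setid_files "$demo_dir"
echo "world-writable dirs, no sticky bit:"; list_unsticky_dirs "$demo_dir"
rm -rf "$demo_dir"
```

To audit a real system, call the two list functions on a directory such as / instead of the sample tree; -xdev keeps find on a single filesystem.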