The sticky bit, setuid and setgid are among the powerful concepts of UNIX-based operating systems. Although they are widely used, they are not widely understood. This article explains them based on Ubuntu; other Linux flavours may vary slightly in how they implement them.
Sticky Bit
Linux is a multi-user operating system, so occasionally there is a need for a folder that everyone on the system can use. This means everyone should have read and write access to it. The easiest way to achieve this would be:
mkdir /some/folder/for/everyone
chmod o+rwx /some/folder/for/everyone
Sure enough, this solves the problem at hand. Everyone has permission to create files in this folder, and the files are created with the default group and with permissions according to the umask. But there is one major flaw: anyone can delete any file under this folder irrespective of the file's own permissions, because everyone has write access at the folder level. The sticky bit solves precisely this problem. When the sticky bit is set on the folder, only the owner of the folder or those with the right permission on a file (in practice the file's own owner, and root) can delete it. Typically root should be the owner of the folder so that no one else can delete the files of others. To set the sticky bit on a folder, use one of the following commands:
chmod +t /some/folder/for/everyone
chmod 1777 /some/folder/for/everyone
Now, if you look at the permissions of this folder you can see a t at the end. That means the sticky bit is on.
Applying the sticky bit to a file doesn't make any difference. Also, the sticky bit is only shown in the "other" portion of the permissions.
setuid and setgid
These bits can be applied to individual files or directories, and the behaviour is entirely different in each case.
setuid and setgid on files
When the setuid bit is set on an executable file, any other user who has execute permission for the file can run it with temporarily elevated privileges, as the owner of the file. Most Linux flavours, including Ubuntu, ignore the setuid bit on shell scripts as a security measure. This means the setuid bit can be set on a shell script, but it won't be effective.
setuid can be set on a file using the command:
chmod u+s file
The file's permissions will look like -rwSrw-r--. The capital S indicates the setuid bit is set but the file is not executable. Give the file execute permission using chmod u+x file and the permissions become -rwsrw-r--. The small s indicates the file is executable and the setuid bit is set.
The best example is /usr/bin/passwd:
-rwsr-xr-x 1 root root 54256 Mar 29 2016 /usr/bin/passwd
The passwords of individual users are stored in a file owned by root, but individual users should be able to update their own password. Thanks to the setuid bit on the passwd command, the executing user is temporarily elevated to root so they can update their own password.
The setgid bit on a file works the same as setuid, the only difference being that it applies at the group level. It can be set using
chmod g+s file
If both setuid and setgid are set on a file, it is executed with the privileges of the file's owner and the file's group.
setuid and setgid on directory
The setuid bit on a directory has no meaning.
When the setgid bit is set on a directory, any files or directories created under that folder have their group set to the parent directory's group instead of the user's default group.
In the following example a folder called my_folder is created with its group set to adm.
$ ls -l
drwxrwxr-x 2 user adm 4096 Oct 21 02:25 my_folder
When a file is created under this folder, its group is set to the user's default group "user":
$ id -gn
user
$ touch my_folder/file1
$ ls -l my_folder/
-rw-rw-r-- 1 user user 0 Oct 21 02:30 file1
Now the setgid bit is set on the folder and another file is created:
$ chmod g+s my_folder/
$ ls -lt
drwxrwsr-x 2 user adm 4096 Oct 21 02:40 my_folder
$ touch my_folder/file2
$ ls -lt my_folder/
-rw-rw-r-- 1 user adm 0 Oct 21 02:40 file2
-rw-rw-r-- 1 user user 0 Oct 21 02:30 file1
$
As can be seen in the above example, the new file file2 is created with group adm, the parent folder's group, after the setgid bit is set.
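As an added example that is not part of the original article, the following shell functions decode the s/S/t/T markers discussed in the sticky bit and setuid/setgid sections above, and list everything in a directory tree that carries one of these bits, which is the usual first step when reviewing a host for unexpected setuid programs. The function names (explain_perm, mode_of, audit_special) are my own.

```shell
#!/bin/sh
# Added example (not from the original article): interpret the special
# permission characters in an ls -l mode string and audit a tree for them.

# explain_perm MODESTRING
# Takes the 10-character mode field from ls -l (e.g. -rwsr-xr-x) and prints
# one line per special bit, following the s/S/t/T conventions in the article.
explain_perm() {
    mode=$1
    type=$(printf '%s' "$mode" | cut -c1)    # '-' file, 'd' directory
    ux=$(printf '%s' "$mode" | cut -c4)      # owner execute slot (setuid)
    gx=$(printf '%s' "$mode" | cut -c7)      # group execute slot (setgid)
    ox=$(printf '%s' "$mode" | cut -c10)     # other execute slot (sticky)
    case $ux in
        s) if [ "$type" = d ]; then echo "setuid: no meaning on a directory"
           else echo "setuid: runs as the file owner"; fi ;;
        S) echo "setuid: set but file is not executable (no effect)" ;;
    esac
    case $gx in
        s) if [ "$type" = d ]; then echo "setgid: new files inherit the directory group"
           else echo "setgid: runs with the file group"; fi ;;
        S) if [ "$type" = d ]; then echo "setgid: set, group lacks execute on the directory"
           else echo "setgid: set but file is not executable (no effect)"; fi ;;
    esac
    case $ox in
        t) if [ "$type" = d ]; then echo "sticky: only file owner, directory owner or root can delete"
           else echo "sticky: no effect on a regular file"; fi ;;
        T) echo "sticky: set but others lack execute permission" ;;
    esac
}

# mode_of PATH: the 10-character mode field of PATH, as printed by ls -ld.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# audit_special DIR: list every entry under DIR with setuid, setgid or
# sticky set (POSIX -perm tests, so it also works without GNU find).
audit_special() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) -exec ls -ld {} \;
}
```

Running audit_special against / periodically and diffing the output against a known-good baseline is a cheap way to notice a newly planted setuid binary.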