How to set Special Permissions In Linux

Set And Change special Permission or Advanced Permission in Linux

In this tutorial we will learn how to set special permissions on files and directories.

There are three special permissions that can be assigned to a file or directory in addition to the basic permissions (rwx). With the help of the “chmod” command we can set these special (advanced) permissions on files and directories. The special permissions are as follows.
  • SUID – SET USER ID
  • SGID – SET GROUP ID
  • STICKY BIT

Permission    Symbolic Form    Numeric Form    Syntax
SETUID        s or S           4               #chmod u+s   or   #chmod 4766
SETGID        s or S           2               #chmod g+s   or   #chmod 2766
STICKYBIT     t or T           1               #chmod o+t   or   #chmod 1766

Note: a lowercase s means setuid plus the execute permission, while a capital S means setuid without execute. The same applies to SGID (s/S) and to the sticky bit (t/T).
  • How can we set SUID

SUID – SET USER ID

Change user ID on execution. If the SETUID bit is set on an executable file, then when a user runs it the resulting process has the rights of the file's owner rather than of the user. Many system commands are the best example of SUID: they are owned by root, yet a normal user can execute them. For example, the SUID bit on the passwd command lets a normal user change their password even though passwd must update system files such as /etc/passwd and /etc/shadow, which non-root accounts cannot write. Therefore the passwd command always runs with root privileges.

Symbolic way:
    [root@linuxelearn ~]# chmod u+s file1.txt
    [root@linuxelearn ~]# ll file1.txt
    -rwSrw-r-- 1 root root 0 Dec 24 22:40 file1.txt

Numerical way:
    [root@linuxelearn ~]# chmod 4655 file1.txt
    [root@linuxelearn ~]# ll file1.txt
    -rwSr-xr-x 1 root root 0 Dec 24 22:45 file1.txt*

Example :

By default the ping command has SUID set, so all users can run it. If SUID is removed and a normal user tries to execute it, it fails with “Operation not permitted”.

[root@linuxelearn ~]# which ping
/bin/ping
[root@linuxelearn ~]# ls -l /bin/ping
-rwsr-xr-x. 1 root root 41432 Jul 27  2010 /bin/ping
[root@linuxelearn ~]#

[root@linuxelearn ~]# chmod u-s /bin/ping
[root@linuxelearn ~]# su nagios
[nagios@linuxelearn root]$ ping 192.168.10.10
ping: icmp open socket: Operation not permitted
[nagios@linuxelearn root]$

  • How can we set SGID

SGID – SET GROUP ID

Set group ID. On an executable file it lets the file run as if the user were logged into the file's group (like SUID, but using the file's group permissions rather than its owner's).
SGID can also be set on a directory so that every file created inside it gets the directory's group owner rather than the primary group of the user who created it.

Symbolic way:
    [root@linuxelearn ~]# chmod g+s dir1
    [root@linuxelearn ~]# ls -ld dir1/
    drwxrwsr-x 2 root root 4096 Dec 22 22:50 dir1/

Numerical way:
    [root@linuxelearn ~]# chmod 2775 dir1/
    [root@linuxelearn ~]# ls -ld dir1/
    drwxrwsr-x 2 root root 4096 Dec 22 23:13 dir1/

Example:

Suppose a directory is created and its group is set to some group. If SGID is then applied to it and a group member creates files and directories inside it, they get the directory's group rather than the user's primary group.
Let's see the example practically.

[root@linuxelearn ~]# mkdir dir1
[root@linuxelearn ~]# chgrp rjgroup dir1
[root@linuxelearn ~]# ls -ld dir1
drwxr-xr-x. 2 root rjgroup 4096 Dec 22 23:34 dir1

[root@linuxelearn ~]# chmod g+s dir1
[root@linuxelearn ~]# ls -ld dir1
drwxr-sr-x. 2 root rjgroup 4096 Dec 22 23:34 dir1

[root@linuxelearn ~]# chmod go+w dir1
[root@linuxelearn ~]# ls -ld dir1
drwxrwsrwx. 2 root rjgroup 4096 Dec 22 23:34 dir1

[root@linuxelearn ~]# su - nagios

[nagios@linuxelearn ~]$ cd /dir1
[nagios@linuxelearn dir1]$ touch emptyfile{1..5}
[nagios@linuxelearn dir1]# ls -l
total 0
-rw-r--r--. 1 root rjgroup 0 Dec 22 23:44 emptyfile1
-rw-r--r--. 1 root rjgroup 0 Dec 22 23:44 emptyfile2
-rw-r--r--. 1 root rjgroup 0 Dec 22 23:44 emptyfile3
-rw-r--r--. 1 root rjgroup 0 Dec 22 23:44 emptyfile4
-rw-r--r--. 1 root rjgroup 0 Dec 22 23:44 emptyfile5
[root@linuxelearn dir1]#

Note: normally, when a user creates a file, it gets the primary group of that user, which is usually the user's private group of the same name.
  • How to Set STICKY BIT for Directory

STICKY BIT
When the sticky bit is set on a directory, a file inside it can be deleted only by root or by the owner of that file (or of the directory). Even if other users have full permissions on the directory, they cannot delete the file.

Symbolic way:
    [root@linuxelearn ~]# chmod +t /mydir
    [root@linuxelearn ~]# ls -ld /mydir/
    drwxrwxrwt 16 root root 4096 Dec 22 23:10 /mydir/

Numerical way:
    [root@linuxelearn ~]# chmod 1777 /mydir
    [root@linuxelearn ~]# ls -ld /mydir/
    drwxrwxrwt 16 root root 4096 Dec 22 23:30 /mydir/

Let's see the sticky bit example practically.

[root@linuxelearn ~]# chmod o+t dir1
[root@linuxelearn ~]# ls -ld dir1
drwxrwsrwt. 2 root rjgroup 4096 Dec 22 23:34 dir1

[root@linuxelearn ~]# su - nagios

[nagios@linuxelearn ~]$ cd /dir1
[nagios@linuxelearn dir1]$ ls
emptyfile1  emptyfile2  emptyfile3  emptyfile4  emptyfile5

[nagios@linuxelearn dir1]$ rm emptyfile1
rm: remove write-protected regular empty file `emptyfile1'? y
rm: cannot remove `emptyfile1': Permission denied
[nagios@linuxelearn dir1]$
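The three special bits covered above, worked through in one script. This is an added example, not part of the original post: it applies SUID, SGID and the sticky bit to scratch objects in a temporary directory, reads each back with stat (numeric form) and ls (the s/S and t/T flag from the note), and ends with the find inventory an administrator runs when auditing which files on a host carry these bits. It assumes GNU coreutils and findutils; every path in it is constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): set each special bit on
# constructed scratch objects, verify with stat and ls, then count them
# with find the way a SUID/SGID audit would. Assumes GNU coreutils/findutils.
set -eu

WORK=$(mktemp -d)               # scratch area, removed on exit
chmod g-s "$WORK"               # defensive: do not inherit SGID from the parent
trap 'rm -rf "$WORK"' EXIT

# Leading digit of the numeric mode: 4=SUID, 2=SGID, 1=sticky (sums allowed), 0=none.
special_digit() {
    mode=$(stat -c '%a' "$1")                 # e.g. 4755, 2775, 1777 or 644
    if [ "${#mode}" -eq 4 ]; then printf '%s\n' "${mode%???}"; else printf '0\n'; fi
}

# The single character at column $2 of `ls -ld`: 4=owner x, 7=group x, 10=other x.
ls_flag() { ls -ld "$1" | cut -c"$2"; }

# SUID: u+s on a file without execute permission shows a capital S (bit set,
# no execute); the numeric form 4755 sets execute too and shows lowercase s.
demo_suid() {
    : > "$WORK/file1.txt" && chmod 644 "$WORK/file1.txt"
    chmod u+s "$WORK/file1.txt";  a=$(ls_flag "$WORK/file1.txt" 4)
    chmod 4755 "$WORK/file1.txt"; b=$(ls_flag "$WORK/file1.txt" 4)
    printf '%s%s%s\n' "$(special_digit "$WORK/file1.txt")" "$a" "$b"   # 4Ss
}

# SGID on a directory: 2775 is the tutorial's numeric form; group column shows s.
demo_sgid() {
    mkdir -p "$WORK/dir1" && chmod 2775 "$WORK/dir1"
    printf '%s%s\n' "$(special_digit "$WORK/dir1")" "$(ls_flag "$WORK/dir1" 7)"   # 2s
}

# Sticky bit: 1777 shows t; dropping other-execute (1776) shows a capital T.
demo_sticky() {
    mkdir -p "$WORK/mydir"
    chmod 1777 "$WORK/mydir"; a=$(ls_flag "$WORK/mydir" 10)
    chmod 1776 "$WORK/mydir"; b=$(ls_flag "$WORK/mydir" 10)
    printf '%s%s%s\n' "$(special_digit "$WORK/mydir")" "$a" "$b"   # 1tT
}

# Audit: count entries under $1 carrying any special bit (-perm /7000 means
# any of SUID, SGID, sticky). Point it at / to review which binaries keep SUID.
count_special() { find "$1" -perm /7000 | wc -l | tr -d ' '; }

demo_suid; demo_sgid; demo_sticky
echo "objects with special bits under $WORK: $(count_special "$WORK")"
```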


I think this covers all the special permissions in detail.

If you like the post, please share and comment, and if you have any suggestions for me, leave a comment.