3 Ways To Set and Remove Special File Permissions In Linux?

TL;DR

Here are three ways to set up special file permissions in Linux:

  1. Enable SUID on a file so that users run it with the file owner’s privileges: set it with chmod 4755 filename and remove it with chmod 0755 filename.
  2. Enable SGID so that users run a file with the owning group’s privileges: set it with chmod 2755 filename and remove it with chmod 0755 filename.
  3. Set the Sticky Bit on a directory with chmod 1755 directoryname so that only a file’s owner, the directory’s owner, or root can delete or rename files in it, and remove it with chmod 0755 directoryname.

Special file permissions like SUID, SGID, and the Sticky Bit in Linux are really helpful, especially when performing tasks that usually require higher privileges. These settings allow you to execute crucial tasks more efficiently, all while keeping your system secure.

In this guide, I’ll walk you through each step to set up these permissions effectively. We’ll cover how to check, set, and, if necessary, remove these permissions, alongside some best practices to keep your system safe. So, let’s get started on enhancing your Linux system’s capabilities safely and efficiently.

What are Special File Permissions in Linux?

In Linux, special file permissions are additional settings that enhance security and functionality for files and directories. These special permissions help manage more precise security controls on files and directories, ensuring that only authorized users can perform specific actions. There are three main types:

  1. Setuid (Set User ID): This permission lets a user run an executable file with the privileges of the file’s owner rather than those of the user running it. For example, if a file owned by root has the setuid permission, the process started by anyone who runs it has root-level access for as long as it runs. This is useful for programs that must perform tasks requiring higher privileges than the user normally has.
  2. Setgid (Set Group ID): Setgid is similar to setuid but applies to the group. When setgid is set on an executable file, anyone who runs it gets the permissions of the file’s owning group. When setgid is set on a directory, new files created inside it inherit the directory’s group rather than the primary group of the user who created them, so every file in the directory stays accessible to all users who share that group.
  3. Sticky Bit: The sticky bit is used mainly on directories to control who can delete or rename files within that directory. When the sticky bit is set, only the file’s owner, the directory’s owner, or the root user can delete or rename a file there. This matters in world-writable directories like /tmp, where many users create files but must not be able to delete or rename each other’s files; it prevents accidental or malicious removal of other users’ files.

How to Set and Remove Special File Permissions in Linux?

To set and remove special file permissions in Linux, use the chmod command with the appropriate symbolic or octal notation. For example:

Set special permissions:

  • Set-user-ID (SUID): chmod u+s filename
  • Set-group-ID (SGID): chmod g+s filename
  • Sticky bit: chmod +t directory

Remove special permissions:

  • SUID: chmod u-s filename
  • SGID: chmod g-s filename
  • Sticky bit: chmod -t directory

Alternatively, use octal notation:

  • SUID: chmod 4xxx filename
  • SGID: chmod 2xxx filename
  • Sticky bit: chmod 1xxx directory

To remove, replace the special permission digit with 0.

Below, I’ll guide you through how to configure these special permissions step by step:

1. Setting SUID (Set User ID)

The Set User ID (SUID) permission is a special file permission in Linux that allows users to execute a file with the permissions of the file’s owner. This is particularly useful for performing tasks that typically require administrative privileges, such as changing their own passwords. Follow these steps to set these permissions:

  1. Open your Terminal window.
  2. To check the current permissions of a file, use the command:

     ls -l filename

     This displays the file’s permissions, so you can see whether SUID is already set.

  3. To enable SUID on a file, put a 4 in front of the three-digit permission code in the chmod command:

     chmod 4755 filename

     In this command, 4 activates SUID, 7 grants full permissions to the file owner, and 5 grants read and execute permissions to the group and to others.

  4. To confirm that SUID has been set, run the listing command again:

     ls -l filename

     If SUID is set, an s appears in the owner’s execute position instead of the usual x. A capital S in that position means the SUID bit is set but the owner has no execute permission, which is almost always a mistake.

  5. If you need to remove SUID from a file, reset the permissions without the leading 4:

     chmod 0755 filename

     This removes the SUID bit and sets the standard permissions for owner, group, and others.

2. Setting SGID (Set Group ID)

Similar to SUID, Set Group ID (SGID) is a special type of permission used in Unix-like operating systems. It allows a user to execute a file with the permissions of the group that owns the file. This is useful for collaborative environments where users need to share the execution privileges. Here is how to set these permissions:

  1. In the terminal, set the SGID bit with the following command:

     chmod 2755 filename

     Here, 2 activates the SGID bit, and the rest of the code (755) sets the standard permissions: read, write, and execute for the owner, read and execute for the group and others.

  2. After setting SGID, check that it was applied by listing the file:

     ls -l filename

     A correctly set SGID shows as an s in the group’s execute position (a capital S means SGID is set but the group lacks execute permission).

  3. To remove SGID, set the permissions again without the leading 2:

     chmod 0755 filename

     This resets the permissions and clears the SGID bit.

3. Setting the Sticky Bit

The Sticky Bit is a permission setting used on directories to restrict file deletion within the directory. When set, it allows only the file owner, the directory owner, or the root user to delete files within the directory, regardless of other permissions. Here is the step-by-step guide to setting permissions:

  1. In the terminal, use the chmod command with a 1 in front of the permission digits to set the Sticky Bit:

     chmod 1755 directoryname

     This sets the Sticky Bit (1), gives the owner full permissions, and gives the group and others read and execute permissions.

  2. To verify that the Sticky Bit is set, list the directory itself (the -d flag shows the directory rather than its contents):

     ls -ld directoryname

     If it is set, a t appears at the end of the permission field (a capital T means the bit is set but others lack execute permission on the directory).

  3. To remove the Sticky Bit, set the permissions again without the leading 1:

     chmod 0755 directoryname

     This clears the Sticky Bit and applies standard permissions to the directory.
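The three procedures above, as an added shell example that is not part of the original article: it creates a scratch file and directory, sets each special bit in octal form, removes it in symbolic form, and checks every result the same way the guide does, by reading the permission string that ls -l prints. The function names (mode_string, has_suid, has_sgid, has_sticky, demo_special_bits) are this example’s own. It assumes GNU/Linux coreutils and that you own the paths involved; the kernel silently drops SGID from a file whose group you are not a member of.

```shell
#!/bin/sh
# Added example, not code from the original article: set, verify and remove
# SUID, SGID and the sticky bit on scratch paths, checking the ls -l output.

# Print the 10-character permission string for a path, e.g. -rwsr-xr-x.
# cut -c1-10 drops the trailing "." or "+" that ls adds for SELinux labels or ACLs.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Each predicate exits 0 when the bit is set and 1 otherwise.
# Character 4 is the owner's execute slot: s = SUID plus execute,
# S = SUID without execute (typically a file given 4644 by mistake).
has_suid() {
    case "$(mode_string "$1" | cut -c4)" in s|S) return 0 ;; *) return 1 ;; esac
}
# Character 7 is the group's execute slot: s/S marks SGID.
has_sgid() {
    case "$(mode_string "$1" | cut -c7)" in s|S) return 0 ;; *) return 1 ;; esac
}
# Character 10 is the others' execute slot: t/T marks the sticky bit.
has_sticky() {
    case "$(mode_string "$1" | cut -c10)" in t|T) return 0 ;; *) return 1 ;; esac
}

# Octal form to set each bit, symbolic form to remove it, so both notations
# from the guide are exercised. Returns 0 only if every check passed.
demo_special_bits() {
    work=$(mktemp -d) || return 1          # scratch directory, constructed here
    f="$work/tool"
    d="$work/shared"
    : > "$f"
    mkdir "$d"

    chmod 4755 "$f"; echo "SUID set:       $(mode_string "$f")"; has_suid "$f"   || return 1
    chmod u-s "$f";  echo "SUID removed:   $(mode_string "$f")"; has_suid "$f"   && return 1

    chmod 2755 "$f"; echo "SGID set:       $(mode_string "$f")"; has_sgid "$f"   || return 1
    chmod g-s "$f";  echo "SGID removed:   $(mode_string "$f")"; has_sgid "$f"   && return 1

    chmod 1755 "$d"; echo "Sticky set:     $(mode_string "$d")"; has_sticky "$d" || return 1
    chmod o-t "$d";  echo "Sticky removed: $(mode_string "$d")"; has_sticky "$d" && return 1

    rm -rf "$work"
    return 0
}

demo_special_bits
```

The predicates accept the capital forms (S and T) on purpose: they report the bit as set even when the matching execute permission is missing, which is exactly the misconfiguration an audit should surface rather than hide.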

Security Best Practices with Special Permissions

Managing special permissions in Linux, such as SUID, SGID, and the Sticky Bit, is crucial for maintaining system security. Here are six enhanced best practices to help you handle these permissions responsibly and effectively.

  • 🔒 Limit Use of SUID and SGID: Apply SUID and SGID permissions only to programs that absolutely need them. Using these permissions widely can open up security holes, as they allow programs to run with elevated privileges. Be careful and assign them only to well-trusted, regularly maintained software.
  • 🔎 Regular Audits: Frequently audit your system to identify and review any files with SUID or SGID permissions. Use commands like find / -perm /4000 to list all SUID files and find / -perm /2000 for SGID files. Regular checks help ensure that no unnecessary permissions are set, reducing potential security risks.
  • 🚨 Monitor Changes: Implement monitoring tools like auditd, which can track and log changes made to file permissions. Setting up alerts for modifications to SUID, SGID, or Sticky Bit permissions can help you respond quickly to unauthorized changes, preventing potential exploits.
  • 🛡️ Restrict Access: Limit access to files with special permissions to users who really need it. Use group policies and access control lists (ACLs) to fine-tune who can interact with sensitive files. Restricting their availability minimizes the chance of these powerful permissions being misused.
  • 📚 Educate Users: Provide training for all users and administrators about the dangers and proper handling of special permissions. When people understand what SUID, SGID, and Sticky Bit entail and the security implications of misusing them, they are more likely to adhere to best practices.
  • 🔄 Update Regularly: Always keep your Linux system and its applications up to date. Developers frequently release security updates that fix vulnerabilities, including those related to special permissions. Regular updates ensure that your system is protected against known threats and reduce the risks associated with outdated software.
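The audit and monitoring practices above, as an added shell example that is not part of the original article: it wraps the find check in a function that records mode, owner and group beside each path, and compares a fresh run against a saved baseline so that a SUID or SGID file that appeared, vanished or changed stands out. The function names (audit_special_bits, compare_with_baseline, demo_audit) and the baseline file path are this example’s own; it assumes GNU findutils and coreutils. The demo runs on a scratch directory constructed here, not on /.

```shell
#!/bin/sh
# Added example, not code from the original article: a SUID/SGID audit with a
# baseline comparison, built on the find checks from the best practices above.

# List every regular file under $1 carrying SUID and/or SGID (-perm /6000 means
# "any of these bits") as "<octal mode> <owner> <group> <path>", sorted by path
# so that two runs can be diffed. -xdev stays on one filesystem; errors such as
# unreadable directories are suppressed so cron output stays clean.
audit_special_bits() {
    find "$1" -xdev -type f -perm /6000 -printf '%m %u %g %p\n' 2>/dev/null | sort -k4
}

# Compare a fresh audit of $1 against the baseline file $2.
# Prints "+<entry>" for new or changed entries and "-<entry>" for entries that
# are gone or changed, and returns 1 when anything differs so the caller can alert.
compare_with_baseline() {
    diff_out=$(audit_special_bits "$1" | diff "$2" - | grep '^[<>]' | sed 's/^< /-/; s/^> /+/')
    if [ -n "$diff_out" ]; then
        printf '%s\n' "$diff_out"
        return 1
    fi
    return 0
}

# Constructed scenario: take a baseline, then introduce drift (a new SUID file
# and an SGID file that lost its bit) and confirm the comparison reports it.
demo_audit() {
    work=$(mktemp -d) || return 1
    mkdir "$work/bin"
    : > "$work/bin/plain";  chmod 0755 "$work/bin/plain"
    : > "$work/bin/helper"; chmod 4755 "$work/bin/helper"
    : > "$work/bin/team";   chmod 2755 "$work/bin/team"

    audit_special_bits "$work" > "$work/baseline.txt"
    echo "baseline:"; cat "$work/baseline.txt"

    : > "$work/bin/dropped"; chmod 4755 "$work/bin/dropped"
    chmod 0755 "$work/bin/team"

    echo "drift against baseline:"
    if compare_with_baseline "$work" "$work/baseline.txt"; then
        rm -rf "$work"; return 1        # no drift reported: a bug in this demo
    fi
    rm -rf "$work"
    return 0
}

demo_audit
```

In practice you would run audit_special_bits / as root once to create the baseline (a path such as /var/lib/suid-baseline.txt is an assumption, pick your own), then schedule compare_with_baseline from cron and treat a non-zero exit as an alert; auditd remains the tool for catching the chmod itself as it happens.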

In a Nutshell

I’ve just walked you through how to set up special file permissions in Linux, including SUID, SGID, and the Sticky Bit. Remember, these tools are powerful, so it’s important to use them wisely, check on them regularly, keep your system updated, and make sure everyone using them knows what they’re doing.

For further insights into Linux security and permissions, consider exploring topics on fixing critical sudo bugs, mastering user group management, and creating desktop shortcuts in Ubuntu. These areas will complement your knowledge of special permissions, offering practical applications and enhancing your administrative capabilities.

Frequently Asked Questions

  1. What is SUID?

    SUID, or Set User ID, is a special permission on executable files in Unix and Linux systems that allows users to run the file with the permissions of the file owner, rather than with the permissions of the user running the file. This is particularly useful for allowing users to perform specific administrative tasks without giving them full administrative rights. For example, the passwd command typically has SUID set so any user can change their password, executing as the root user to modify system authentication files.

  2. What is SGID?

    SGID, or Set Group ID, is similar to SUID but applies to the group. When SGID is set on an executable file, the process runs with the permissions of the file’s owning group. It is also useful for shared directories where files need to inherit the group ownership, so that every member of the group can edit the files: when SGID is set on a directory, new files and subdirectories created within it inherit its group ID rather than the primary group ID of the user who created them.

  3. What Is Sticky Bit?

    Sticky Bit is a permission setting on directories that allows files within the directory to be deleted or renamed only by the file owner, the directory owner, or the root user. This is crucial for directories like /tmp, which are writable by everyone. The sticky bit prevents users from deleting or renaming each other’s temporary files. When the sticky bit is set, the directory’s permissions display a t at the end of the permission string, such as drwxrwxrwt.

  4. Can Sticky Bit be applied to files, or is it just for directories?

    The Sticky Bit is primarily used on directories to restrict file deletion within them. While it can technically be applied to files, it does not affect their behavior as it does with directories, where it prevents users from deleting files they do not own.

  5. How can I find all files with SUID or SGID set on my system?

    To find all files with SUID or SGID set on your system, use the find command. For SUID, execute find / -perm -4000 -type f and for SGID, use find / -perm -2000 -type f. These commands will list files with these permissions throughout the filesystem.

  6. Is there a way to set special permissions only temporarily?

    Setting special permissions temporarily isn’t supported directly through file permission commands. However, you can script changes to revert permissions back after a certain period or use configuration management tools like Ansible or Puppet to apply and later remove specific permissions at scheduled times.

  7. Can setting the Sticky Bit on a file prevent it from being renamed by other users?

    Setting the Sticky Bit on a file does not prevent it from being renamed by other users. The Sticky Bit’s primary function on directories is to restrict file deletion, not renaming. To control file renaming, you would need to adjust the overall permissions or ownership.

Ojash

Author

Ojash is a skilled Linux expert and tech writer with over a decade of experience. He has extensive knowledge of Linux's file system, command-line interface, and software installations. Ojash is also an expert in shell scripting and automation, with experience in Bash, Python, and Perl. He has published numerous articles on Linux in various online publications, making him a valuable resource for both seasoned Linux users and beginners. Ojash is also an active member of the Linux community and participates in Linux forums.

Akshat

Reviewer

Akshat is a software engineer, product designer and the co-founder of Scrutify. He's an experienced Linux professional and the senior editor of this blog. He is also an open-source contributor to many projects on GitHub and has written several technical guides on Linux. Apart from that, he’s also actively sharing his ideas and tutorials on Medium and Attirer. As the editor of this blog, Akshat brings his wealth of knowledge and experience to provide readers with valuable insights and advice on a wide range of Linux-related topics.
