If you’ve ever worked on a linux system, chances are that you’ve used chmod many times. However, the quickest way to stump many linux users is to ask how many octets a full permissions set has. Many people think of this and say three:
chmod 777 file
But what you’re actually saying:
chmod 0777 file
The first octet works the same way as the other three as it has 3 possible values that add to make the octet (for the letter-lovers, i’ve included those too):
4 - setuid (letter-style: s)
2 - setgid (letter-style: s)
1 - sticky bit (letter-style: t)
Remember – your first octet will always be reset to 0 when using chown or chgrp on files.
Setuid
If you setuid on a binary, you’re telling the operating system that you want this binary to always be executed as the user owner of the binary. So, let’s say the permissions on a binary are set like so:
# chmod 4750 some_binary
# ls -al some_binary
-rwsr-x--- 1 root users 0 Feb 13 21:43 some_binary
You’ll notice the small ‘s’ in the user permissions blocks – this means that if a user on the system executes this binary, it will run as root with full root permissions. Obviously, anyone in the users group can run this binary since the execute bit is set for the group, but when the binary runs, it will run with root permissions. Be smart with setuid! Anything higher than 4750 can be very dangerous as it allows the world to run the binary as the root user. Also, if you allow full access plus setgid, you will be opening yourself up for something mighty nasty:
# chmod 4777 some_binary
# ls -al some_binary
-rwsrwxrwx 1 root users 0 Feb 13 21:43 some_binary
Not only can every user on the system execute this binary, but they can edit it before it runs at root! It goes without saying, but this could be used to beat up your system pretty badly. If you neglect to allow enough user permissions for execution, linux laughs at you by throwing the uppercase ‘S’ into your terminal:
# chmod 4400 some_binary
# ls -al some_binary
-r-S------ 1 root users 0 Feb 13 21:43 some_binary
Since no one can execute this script anyways (except root), you get the big capital ‘S’ for ‘Silly’. (It probably doesn’t stand for silly, but whatever.)
Setgid
Setgid is pretty much the exact same as setuid, but the binary runs with the privileges of the owner group rather than the user’s primary group privileges. This isn’t quite so useful in my opinion, but in case you need it, here’s how the permissions come out:
# chmod 2750 some_binary
# ls -al some_binary
-rwxr-s--- 1 root users 0 Feb 13 21:43 some_binary
And if you enjoy being made fun of:
# chmod 2400 some_binary
# ls -al some_binary
-r----S--- 1 root users 0 Feb 13 21:43 some_binary
Sticky Bit
This is such a giggly term for a linux file permission, but it’s rather important, and it best applies to your tmp directory (or any other world writable location). Since world writable locations allow users to go hog-wild with creating, editing, appending, and deleting files, this can get annoying if certain users share a common directory.
Let’s say users work in an office and they work on files in a world writeable directory. One user gets mad because another user got a raise, so they trash all of the files that belong to that recently promoted user. Obviously, this could lead to a touchy situation. If you apply the sticky bit on the directory, the users can do anything they want to files they create, but they can’t write to or delete files which they didn’t create. Pretty slick, er, sticky, right? Here’s how to set the sticky bit:
#chmod 1777 /tmp
# ls -ld /tmp
drwxrwxrwt 3 root root 4096 Feb 13 21:57 /tmp
And again, linux will laugh at you for setting sticky bits on non-world writable directories, but this time it does so with a capital ‘T’:
#chmod 1744 /tmp
# ls -ld /tmp
drw-r--r-T 3 root root 4096 Feb 13 21:57 /tmp
Setuid + Setgid on Directories
Setting the setgid bit on a directory means any files created in that directory will be owned by the group who owns the directory. No matter what your primary group is, any files you make will be owned by the group who owns the directory.
Setting the setuid bit on a directory has no effect in almost all Linux variants. However, in FreeBSD, it acts the same as the setgid (except it changes the ownership of new files as the user who owns the folder).
Thanks for the clear explanation. I just ran into an issue with setuid and VirtualBox. Although I’ve been using Linux for nearly 8 years now, and I had seen “sticky bit” mentioned, I never knew what the first permission octet was really for.
Linux/POSIX has three UIDs associated with a process – real, effective, and saved. They don’t switch automatically.
Here is a demo.
# su – luser
$ id
uid=17813(luser) gid=17701(luser) groups=17701(luser)
$ cat tuser.c
#include
#include
#include
#include
void main()
{
printf(“I am %d-%s, effective %d\n”,
getuid(),
getpwuid(getuid())->pw_name,
geteuid());
setreuid(17813, 17813);
printf(“But now I am %d-%s, effective %d\n”,
getuid(),
getpwuid(getuid())->pw_name,
geteuid());
}
$ cc -o tuser tuser.c
$ chmod u+s tuser
$ ./tuser
I am 17813-luser, effective 17813
But now I am 17813-luser, effective 17813
$ exit
logout
# su – oracle
$ ~luser/tuser
I am 60-oracle, effective 17813
But now I am 17813-luser, effective 17813
Thanks Major! Man you explained this setuid,setguid , sticky bit stuff in simple manner…. Hats to you….really folks ignore the first octet while setting permissions………………Best thing i understood clearly..
Need more ……………something like performance monitoring and tuning
Thanks buddy, the information helped me a lot in fixing issues with SAP system
Let me put it this way: my linux system is no longer laughing at me.
Thank you!
Thank you.
don’t you mean octal digit, not octet.
an octet is 8 bits
chmod sets 12 bits. 4 octal digits.
an octal digit is 3 bits. That’s what we have. 4 of them.
chmod 0777 is 4 lots of 3 bits. that’s 12 bits.
Not 8. And not 16 or 24, Not a bunch of octets
You mixed up the term Octet and Octal.
i’d add, this was a very helpful page.. helped me understand that first octal digit!
Nice.. Very helpful. Simply done
I cant also not help but giggle how giggly the sticky bit is: “Sticky Bit This is such a giggly term for a linux file permission”. Great post, helped me allot, thanks ! !
Dear Major, thank you for sharing this insightful information.
However, about setgid you write “This isn’t quite so useful in my opinion.”
Could it be that you are overlooking the very interesting side effect that setgid on a parent directory renders the group ID inheritable for newly created subdirectories?
I made an attempt to write about this over on my website: http://hamwaves.com/find/en/index.html#prevent-others-from-deleting-files-inyourfolder
Any review comments of that are more than welcome!
Are there mnemonics for the stickybit or other bits? Have not seen other that rwx u,g,o
Capital-T sticky bit is for lack of execute bit for the directory, not the write bit. Capital letter S or T means that execute bit was reasonably expected there, but is actually missing — without a capital letter this would be invisible.
thanks a lot – thats the first time I really understood this stuff! – I cant understand, why elsewhere peoples seems not to be able to explain this understandable…