File Permissions are a crucial entity in the Linux File System. They decide if a specific user can create, edit, delete, or execute a file. Understanding basic file permissions in Linux and types of ownership (user, group, other) is important to understand the concepts of this article better. If you want a quick recap or a brief introduction to the basic file permissions, please have a look at this article.
Topics covered below:
- setuid bit
- setgid bit
- sticky bit
The setUID (suid) bit is a flag that lets a user who executes a binary run it with the privileges of the binary's owner. It can be thought of as a way to temporarily escalate a user's privileges so they can perform specific tasks that only a privileged user is allowed to do.
The first example that comes to my mind for this scenario is the default file permissions of the binary used to change a user's password. This binary needs to read and update /etc/shadow, a file that can only be modified by root.
$ ls -la /usr/bin/passwd
-rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
The s in the user permissions above indicates that any user executing this file does so with root privileges. When a user foo runs this binary, it executes as root because of the set bit in the user permissions (the first three permission characters after the file type correspond to the user/owner).
Setting the SUID bit:
The setUID bit can be added to a binary in two ways:
$ ls -la /usr/bin/test
-rwxr-xr-x 1 root root 63736 Jul 1 2020 /usr/bin/test
# setting with symbolic arguments
$ chmod u+s /usr/bin/test
# setting with bit (octal) representation
$ chmod 4755 /usr/bin/test
Sometimes, due to inconsistent file permissions, you will come across a capital S when looking at a file's permissions. This means that the suid/sgid bit is set, but the corresponding execute bit is not, so the file is not executable and the special bit has no effect.
The setuid bit poses security risks when it is set on binaries that were not carefully designed for it.
The setGID (SGID) bit, when set on a binary, lets the user running it execute it with the permissions of the binary's group owner. In other words, the group ID of the resulting process is that of the binary's group owner, not the group ID of the user.
When set on a directory, this bit is not about execution but about inheritance of group ownership. When the setgid bit is set on a directory, any subdirectory created inside it has its group set to the group of the parent directory, not the primary group of the user who created it.
$ ls -la test_dir
drwxrwsr-x. 2 test support_users 4096 Nov 1 17:25 test_dir
In the example above, any directory created inside the test_dir will have the group set to support_users.
Setting the SGID bit:
Similar to the suid bit, this can be set in two different ways:
$ ls -la /home/test/sgid_dir
drwxrwxr-x 5 test support_users 360 Jun 29 15:46 sgid_dir
# setting with symbolic representation
$ chmod g+s /home/test/sgid_dir
# setting with bit (octal) notation
$ chmod 2775 /home/test/sgid_dir
The sticky bit is specific to directories and has no effect on files. It is represented by a t in the "other" permissions of a directory. When the sticky bit is set on a directory, any file inside it can only be modified or deleted by its owner (and root), not by any other user. Its purpose is fine-grained control over shared directories, so that one user cannot delete other users' files. A common example is the /tmp directory in Linux: it is shared by all users, and the files of one user cannot be deleted by other users.
$ ls -la /tmp
drwxrwxrwt 1 root root 4096 Jun 14 02:59 tmp
Setting the Sticky bit:
The sticky bit is shown in the "other" permissions of the directory. It is denoted by t when the "other" execute bit is set on the directory, and by a capital T otherwise.
$ ls -al test
drwxrwxr-x 5 test support_users 360 Jun 29 15:46 test
# Symbolic representation
$ chmod o+t test
# Bit (octal) representation
$ chmod 1775 test
- The setUID and setGID bits are functional only on executable binaries, not on regular bash or python scripts.
- A capital S is shown instead of s when the setuid/setgid bit is set but the binary does not have execute permission (no x bit set on the binary).
- The setuid and setgid bits have no effect if the file does not have execute permission.
- The sticky bit is functional on directories only and means nothing when set on a file.
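As an added example (not part of the original article), the following POSIX shell helpers decode the s/S and t/T characters from an ls -l mode string and audit a directory tree for files carrying these special bits, flagging the ineffective capital-letter cases described above. Only standard find, ls and cut are used; the function names are my own.

```shell
#!/bin/sh
# Decode the 10-character mode string printed by `ls -l` (e.g. -rwsr-xr-x)
# and print one token per special bit found:
#   suid / sgid / sticky                      bit set and effective (s / t)
#   suid-noexec / sgid-noexec / sticky-noexec bit set but the matching execute
#                                             bit is missing (S / T), so ineffective
# Prints "none" when no special bit is set; returns 1 on a malformed string.
decode_special_bits() {
    mode=$1
    case $mode in
        ??????????) ;;
        *) echo "bad mode string: $mode" >&2; return 1 ;;
    esac
    out=""
    # character 4 = user execute slot, 7 = group execute slot, 10 = other execute slot
    u=$(printf '%s' "$mode" | cut -c4)
    g=$(printf '%s' "$mode" | cut -c7)
    o=$(printf '%s' "$mode" | cut -c10)
    case $u in s) out="$out suid" ;;   S) out="$out suid-noexec" ;;   esac
    case $g in s) out="$out sgid" ;;   S) out="$out sgid-noexec" ;;   esac
    case $o in t) out="$out sticky" ;; T) out="$out sticky-noexec" ;; esac
    [ -n "$out" ] || out=" none"
    printf '%s\n' "${out# }"
}

# Walk a directory tree (default: /) and print every path that carries the
# setuid, setgid or sticky bit, prefixed with the decoded tokens. Useful for
# periodically reviewing which binaries run with elevated privileges.
# Usage: audit_special_bits /usr/bin
audit_special_bits() {
    root=${1:-/}
    find "$root" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) 2>/dev/null |
    while IFS= read -r path; do
        mode=$(ls -ld "$path" | cut -c1-10)   # first 10 chars; ignores SELinux '.'
        printf '%s %s\n' "$(decode_special_bits "$mode")" "$path"
    done
}
```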
These special permissions are useful in many situations, but they can also open the door to security vulnerabilities, especially when the setuid bit causes a binary to run as root on behalf of an unprivileged user. So care should be taken when setting these bits.
An alternative way to escalate permissions without using these special File permissions is to use the built-in File Capabilities in Linux. If you are curious to know more about it, please refer to the article below.
I hope you enjoyed reading this article, as much as I enjoyed writing it. Feel free to drop in any comments.