When viewing file permissions on Linux, you sometimes see more than the ordinary r, w, x and - characters. In place of an x you may see an s or a t, as in the examples below.
One way to make this clearer is to use the stat command to view permissions. The fourth line of stat's output shows the file permissions in both octal and string form:
$ stat /var/mail
  File: /var/mail
  Size: 4096        Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d  Inode: 1048833     Links: 2
Access: (3777/drwxrwsrwt)  Uid: (    0/    root)   Gid: (    8/    mail)
Access: 2019-05-21 19:23:15.769746004 -0400
Modify: 2019-05-21 19:03:48.226656344 -0400
Change: 2019-05-21 19:03:48.226656344 -0400
 Birth: -
This output reminds us that file permissions use more than 9 bits: there are actually 12. The extra 3 bits provide a way to grant permissions other than the normal read, write and execute. For example, 3777 (binary 011 111 111 111) indicates that two of the three additional settings are in use: the leading octal digit 3 is 011, so the suid bit (value 4) is clear while the sgid bit (value 2) and the sticky bit (value 1) are set.
The first 1 (the 2 bit) in this value represents sgid (set group ID). On an executable file it makes the program run with the file's group as its effective group; on a directory it makes files created inside it inherit the directory's group rather than the creator's primary group.
In other words, sgid gives temporary membership in the file's group to whoever runs the file.
The second 1 (the 1 bit) is the "sticky" bit. On a directory it ensures that only a file's owner (or the directory's owner, or root) can delete or rename files within that directory, even when the directory is writable by everyone.
If the permission were 7777 instead of 3777 (binary 111 111 111 111), we would know that the suid (set user ID) bit had been set as well.
Suid makes the file run with the effective user ID of the file's owner, so it gives temporary permissions of that owner to whoever runs the file.
As for the /var/mail directory we saw above, every user needs some access to it (mail is delivered into per-user files there), so it is world-writable, with sgid so that new mailboxes belong to the mail group and the sticky bit so that users cannot delete or rename each other's mailboxes.
But now let’s go further.
A common use of the special permission bits is for commands such as passwd. If you look at the /usr/bin/passwd file, you will notice that the suid bit is set. That is what allows you to change your password (and thus update the contents of /etc/shadow) even though, as a normal (non-privileged) user, you have no read or write permission to that file. Of course, the passwd command checks who is calling it and does not allow you to change someone else's password unless you are actually running as root or via sudo.
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 63736 Mar 22 14:32 /usr/bin/passwd
$ ls -l /etc/shadow
-rw-r----- 1 root shadow 2195 Apr 22 10:46 /etc/shadow
Now let's look at what you can do with these special permissions.
How do you assign special file permissions?
Like many things on the Linux command line, you have a choice about how to express the request. The chmod command lets you change permissions either numerically or with symbolic expressions.
To change the file permissions numerically, you can set the setuid bit and setgid bit with the following command:
$ chmod 6775 tryme
Alternatively, you can use the following command:
$ chmod ug+s tryme        <== for SUID and SGID permissions
If the file with special permissions is a script, you may be surprised that it does not behave the way you expect. Here is a very simple example:
$ cat tryme
#!/bin/bash
echo I am $USER
Even with the suid and sgid bits set and the file owned by root, running this script will not produce the "I am root" response you might expect. Why? Because Linux ignores the set user ID and set group ID bits on interpreted scripts: the kernel executes the interpreter named on the #! line (here /bin/bash), which is not itself suid, and passes it the script path. Honouring the bits here would also open a race between the kernel's check of the script and the interpreter reopening it, so the kernel simply does not do so.
$ ls -l tryme
-rwsrwsrwt 1 root root 29 May 26 12:22 tryme
$ ./tryme
I am jdoe
On the other hand, if you try something similar with a compiled program, such as a simple C program, you will see a different effect. The sample program prompts the user for a file name, creates that file, and gives it write permission.
Once you compile the program, run the commands that make root its owner and set the required permission bits, and you will see it run with the expected root privileges, leaving the newly created file owned by root. Of course, you need sudo access to run some of the required commands.
$ cc -o mkfile mkfile.c          <== compile the program
$ sudo chown root:root mkfile    <== change owner and group to "root"
$ sudo chmod ug+s mkfile         <== add SUID and SGID permissions
$ ./mkfile                       <== run the program
Enter name of file to be created: empty
File created successfully
$ ls -l empty
-rw-rw-r-- 1 root root 0 May 26 13:15 empty
Note that this file is owned by root. That would not happen if the program were not running with root privileges; the file would instead be owned by the user who ran it.
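The article describes the mkfile program but does not show its source. The following is my own reconstruction of a program that behaves as described (prompts for a name, creates the file, reports success), added here as an example rather than the article's original code; the function name create_file and the uid/euid line are my additions. It uses O_EXCL so that it refuses to follow a pre-existing path, which matters once the binary is suid root.

```c
/* mkfile.c: added example reconstructing the setuid demo program described
 * in the article (not the article's own source).
 * Build and install as in the article:
 *   cc -o mkfile mkfile.c
 *   sudo chown root:root mkfile
 *   sudo chmod ug+s mkfile
 */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `name` as an empty file with requested mode 0666 (the umask trims
 * it to e.g. 0664, matching the -rw-rw-r-- shown above). open() creates the
 * file under the *effective* uid/gid, which is why a suid-root binary leaves
 * a root-owned file behind. O_EXCL makes it fail rather than open an
 * existing file or follow a symlink planted at that name.
 * Returns 0 on success, -1 on failure. */
int create_file(const char *name)
{
    int fd = open(name, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0) {
        perror("open");
        return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    char name[256];

    printf("Enter name of file to be created: ");
    fflush(stdout);
    if (fgets(name, sizeof name, stdin) == NULL)
        return 1;
    name[strcspn(name, "\n")] = '\0';

    /* With the suid bit honoured, uid stays yours but euid becomes root's. */
    printf("running as uid=%u euid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());

    if (create_file(name) != 0)
        return 1;
    printf("File created successfully\n");
    return 0;
}
```

This is also a good illustration of why suid binaries deserve scrutiny: as written, any user can make this program drop a root-owned file at any path the effective uid can write to, which is exactly the kind of primitive attackers look for. A real suid program would validate the path or drop privileges with setuid(getuid()) before touching user-supplied names.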
The position of the unusual characters in a permission string such as rwsrwsrwt helps us remember what each bit means: the first "s" (suid) sits in the owner's triplet and the second (sgid) in the group's triplet, in the slot normally used by the execute bit. Why the sticky bit is shown as "t" rather than "s" is beyond the scope of this article. In any case, these additional permission settings provide a good deal of extra functionality on Linux and other UNIX systems.