What is SGID?
SGID (Set Group ID upon execution) is a special type of file permission given to a file/folder. Normally in Linux/Unix, when a program runs it inherits the access permissions of the logged-in user. SGID gives a user temporary permission to run a program/file with the permissions of the file's group, as though the user were a member of that group, for the execution of the file. In simple words, users get the file group's permissions when executing a folder/file/program/command.
SGID is similar to SUID. The difference between the two is that SUID assumes the file owner's permissions and SGID assumes the group's permissions when executing a file, instead of the permissions inherited from the logged-in user.
Learn SGID with examples:
Example: Linux Group quota implementation
When implementing Linux group quota for a group of people, SGID plays an important role in checking the quota timer. Setting the SGID bit on a folder changes the group of the data written into it to the folder's group, so that every group member who dumps data into it looks like a single user for quota purposes: whoever dumps the data, it is written with the group's ownership, and in turn the quota is reduced centrally for all the users. For a clear understanding of this you have to implement group quota from the above link. Without SGID the quota will not be effective.
How can I setup SGID for a file?
SGID can be set in two ways:
1) Symbolic way (s)
2) Numerical/octal way (2, the SGID bit has the value 2)
Use chmod command to set SGID on file: file1.txt
Symbolic way:
chmod g+s file1.txt
In the above command we are setting SGID (+s) for the group that owns this file.
Numerical way:
chmod 2750 file1.txt
Here in 2750, 2 indicates the SGID bit is set, 7 gives full permissions to the owner, 5 gives read and execute permissions to the group, and 0 gives no permissions to others.
How can I check if a file is set with SGID bit or not?
Use ls -l and check whether the x in the group permissions field has been replaced by s or S.
For example: file1.txt listing before and after SGID set
Before SGID set:
ls -l
total 8
-rwxr--r-- 1 xyz xyzgroup 148 Dec 22 03:46 file1.txt
After SGID set:
ls -l
total 8
-rwxr-sr-- 1 xyz xyzgroup 148 Dec 22 03:46 file1.txt
Some FAQs related to SGID:
Where is SGID used?
1) When implementing Linux group disk quota.
I am seeing “S”, i.e. a capital s, in the file permissions. What’s that?
After setting SUID or SGID on a file/folder, if you see ‘S’ in the file permission area it indicates that the file/folder does not have execute permission for that user or group on that particular file/folder.
chmod g+s file1.txt
output:
-rwxrwSr-x 1 surendra surendra 0 Dec 27 11:24 file1.txt
So if you want execute permission too, apply execute permission to the file.
chmod g+x file1.txt
output:
-rwxrwsr-x 1 surendra surendra 0 Dec 5 11:24 file1.txt
You should see a small 's' in the execute permission position.
How can I find all the SGID set files in Linux/Unix?
find / -perm -2000
The above find command lists every file that has the SGID bit (2000) set. Older versions of find accepted -perm +2000 for this; current GNU find rejects the + form and uses -2000 for "all of these bits" or /2000 for "any of these bits".
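The same check, written as a small audit script. This is an added example and not part of the original article: it inventories SUID/SGID files under a directory with find in current GNU syntax (-perm /6000 for either bit, -perm -2000 for SGID only), and exercises itself against a constructed scratch tree. The function names (list_setid_files, count_sgid_files, make_sample_tree, demo_audit) are this example's own; GNU find, stat and coreutils on Linux are assumed.

```shell
#!/bin/sh
# Added example (not from the original article): inventory files carrying the
# SUID or SGID bit under a directory, the way a defender baselines a host.
# Assumes GNU find and GNU stat on Linux. Current GNU find rejects the old
# "-perm +2000" spelling; "-perm -2000" (all listed bits) and "-perm /2000"
# (any listed bit) replace it.

# List regular files under $1 with SUID and/or SGID set, one per line:
# "<octal mode> <owner> <group> <path>", sorted by path.
list_setid_files() {
    find "$1" -xdev -type f -perm /6000 -exec stat -c '%a %U %G %n' {} + 2>/dev/null | sort -k4
}

# Count only SGID files, i.e. the article's "find / -perm +2000" in current syntax.
count_sgid_files() {
    find "$1" -xdev -type f -perm -2000 2>/dev/null | wc -l | tr -d ' '
}

# Build a constructed scratch tree with known set-id files and return its path.
make_sample_tree() {
    d=$(mktemp -d) || exit 1
    for f in plain suid sgid both; do : > "$d/$f"; done
    chmod 0755 "$d/plain"   # ordinary executable, must not be reported
    chmod 4755 "$d/suid"    # SUID only
    chmod 2755 "$d/sgid"    # SGID only
    chmod 6755 "$d/both"    # SUID and SGID
    printf '%s\n' "$d"
}

# Run the audit against the sample tree and return "<set-id count> <sgid count>".
demo_audit() {
    d=$(make_sample_tree)
    setid=$(list_setid_files "$d" | wc -l | tr -d ' ')
    sgid=$(count_sgid_files "$d")
    rm -rf "$d"
    printf '%s %s\n' "$setid" "$sgid"
}

# Against the real system, run: list_setid_files /
demo_audit
```

Run list_setid_files / on a host and keep the output as a baseline; a set-id file that appears in a later run, or whose owner or group has changed, is worth investigating, because it runs with that owner's or group's privileges for everyone allowed to execute it.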
Can I set SGID for folders?
Yes, you can if it’s required (remember one thing: Linux treats everything as a file).
How can I remove SGID bit on a file/folder?
chmod g-s file1.txt
What is SUID and how to set it in Linux?
SUID (Set owner User ID upon execution) is a special type of file permission given to a file. Normally in Linux/Unix, when a program runs it inherits the access permissions of the logged-in user. SUID gives a user temporary permission to run a program/file with the permissions of the file owner rather than those of the user who is running it. In simple words, users get the file owner's permissions, as well as the owner's UID and GID, when executing a file/program/command.
The above sentence is a bit tricky and should be explained in depth with examples.
Learn SUID with examples:
Example1: passwd command
When we try to change our password we use the passwd command, which is owned by root. This passwd command edits some system config files such as /etc/passwd and /etc/shadow when we change our password. Some of these files cannot be opened or viewed by a normal user; only the root user has permission. So if we remove SUID and give full permissions to this passwd command file, it cannot open the other files such as /etc/shadow to write the changes, and we get a permission denied error or some other error when we execute passwd. So the passwd command is set with SUID to give root user permissions to the normal user so that it can update /etc/shadow and the other files.
Example2: ping command
Similarly, take the ping command: when it executes it internally has to open socket files and ports in order to send IP packets to and receive IP packets from a remote server. Normal users don’t have permission to open socket files and ports. So the SUID bit is set on this file/command so that whoever executes it gets the owner's (root user's) permissions while the command runs. When the command starts executing it inherits root user permissions for this normal user and opens the required socket files and ports.
Example3: crontab and at command.
When scheduling jobs using the crontab or at command, it is obviously necessary to edit some of the crontab-related configuration files located in /etc, which are not writable by normal users. So the crontab/at commands are set with SUID in order to write that data.
How can I setup SUID for a file?
SUID can be set in two ways:
1) Symbolic way (s, stands for Set)
2) Numerical/octal way (4)
Use chmod command to set SUID on file: file1.txt
Symbolic way:
chmod u+s file1.txt
Here the owner's execute bit is set to SUID with +s.
Numerical way:
chmod 4750 file1.txt
Here in 4750, 4 indicates the SUID bit is set, 7 gives full permissions to the owner, 5 gives read and execute permissions to the group, and 0 gives no permissions to others.
How can I check if a file is set with SUID bit or not?
Use ls -l and check whether the x in the owner permissions field has been replaced by s or S.
For example: file1.txt listing before and after SUID set
Before SUID set:
ls -l
total 8
-rwxr--r-- 1 xyz xyzgroup 148 Dec 22 03:46 file1.txt
After SUID set:
ls -l
total 8
-rwsr--r-- 1 xyz xyzgroup 148 Dec 22 03:46 file1.txt
Some FAQs related to SUID:
A) Where is SUID used?
1) Where root login is required to execute some commands/programs/scripts.
2) Where you don't want to give out the credentials of a particular user but want to run some programs as that owner.
3) Where you don't want to use the sudo command but want to give execute permission for a file/script etc.
B) I am seeing “S”, i.e. a capital “s”, in the file permissions. What’s that?
After setting SUID on a file/folder, if you see ‘S’ in the file permission area it indicates that the file/folder does not have execute permission for that user on that particular file/folder.
For example, see below:
chmod u+s file1.txt
ls -l
-rwSrwxr-x 1 surendra surendra 0 Dec 27 11:24 file1.txt
If you want to convert this S to s, add execute permission to this file as shown below.
chmod u+x file1.txt
ls -l
-rwsrwxr-x 1 surendra surendra 0 Dec 5 11:24 file1.txt
You should see a small 's' in the execute permission position now.
SUID with execute permissions: