UNIX for Dummies Questions & Answers

Unix also understands three specialty permissions that allow us to fine-tune the default permissions. The first specialty permission is called the SUID, or set user id bit. If you do a long listing, and see either an s or an S instead of an x in the owner section of the permissions, this bit has been set.

The SUID bit allows a user to temporarily gain root access, usually in order to run a program. For example, only the root account is allowed to change the password information contained in the password database; however, any user can use the passwd utility to change their password. Let's do a long listing on the passwd command to see why:

whereis -b passwd
passwd: /usr/bin/passwd
ls -l /usr/bin/passwd
-r-sr-xr-x 2 root wheel 26260 Jul 26 23:12 /usr/bin/passwd
^
Because the SUID bit has been set on the passwd utility, it will become root in order to modify the password database, allowing the user to change their password.

If the SUID bit appears as an s, the file's owner also has execute permission to the file; if it appears as an S, the file's owner does not have execute permission.

The second specialty permission is the SGID, or set group id bit. It is similar to the SUID bit, except it can temporarily change group membership, usually to execute a program. The SGID bit is set if an s or an S appears in the group section of permissions. An example of a file with the SGID bit set is netstat:

ls -l /usr/bin/netstat
-r-xr-sr-x 1 root kmem 84448 Jul 26 23:12 /usr/bin/netstat
^
Since netstat's SGID bit is set with an s instead of an S, execute permission has also been set.

The third specialty permission is the directory sticky bit. This bit is essential if you have a directory that is used by more than one user. Remember the permissions for your home directory?

ls -la ~
drwxr-xr-x 12 genisis wheel 1024 Aug 15 11:34 .
The owner has full access to the directory, but all other users, including members of the owner's primary group, only have rx. Only the owner will be able to create and delete files from his home directory, which is a good thing.

However, these permissions aren't suitable for a shared directory where many users have to be able to create, modify, and possibly remove files from the directory. If you create a directory and give either a group or everyone write access to the directory, users will be able to create and modify files within the directory.

Unfortunately, write access to a directory also means that users can delete any file within the directory, even if they don't own the file. This is not nice, especially considering that once a file is deleted in Unix, it is gone forever.

This is where the directory sticky bit comes in. This bit is set if a t or a T appears instead of an x in the everyone section of permissions like so:

drwxrwxrwt
When the directory sticky bit is set, users will still be able to create and modify files within the directory, but they will only be able to delete files which they themselves created.

Using the symbolic method we have:

chmod u+s - set the setuid bit.
chmod g+s - set the setgid bit.
chmod u+t - set the sticky bit or directories

or numerically:

chmod 4777 - setuid and read/write/execute for everyone.
chmod 2777 - setgid and read/write/execute for everyone.
chmod 1777 - set sticky bit and read/write/passthrough on a directory.

You can, of course, add the numbers up to combine permissions:

chmod 6777 - setuid/setgid and read/write/execute for everyone.