This is the fourth and last article from a series compiled from my notes while taking the LPI exams.
The three special permissions are:
- the Sticky bit,
- the SUID bit, and
- the SGID bit.
These permissions can be specified using:
- symbolic mode: they are represented by letters (t, s, S), or
- numeric mode: they are represented by numbers (1, 2, 4).
The Sticky Bit
The sticky bit is also known as the restricted deletion flag. It does not affect individual files, but when set at the directory level it prevents users from removing or renaming files in that directory. Only the owner of the file, the owner of the directory, and the root user can remove files there.
The sticky bit on files is ignored on modern versions of Linux.
Identifying the Sticky Bit
Example: the /tmp directory.
A well-known system directory with the sticky bit set is the /tmp directory, as shown below. Since this directory is world-readable and world-writable, the sticky bit prevents users from deleting files created by others unless they own the file or the directory itself.
ls -ld /tmp
drwxrwxrwt 35 root root 4096 Dec 25 19:09 /tmp
Notice the t in the last place of the permissions.
Setting the Sticky Bit
Symbolic mode
In symbolic mode, the sticky bit is represented by a "t" in the others' permission field.
- To enable it, use "+t".
- To disable it, use "-t".
For example, to set the sticky bit on mytmp:
chmod +t mytmp
To check the directory permissions use the following command.
ls -ld ./mytmp
drwxrwxrwt 2 root root 4096 Dec 25 19:37 ./mytmp
Numeric Mode
In numeric mode, we use the four-digit notation and set the first digit to "1", which sets the sticky bit.
Example where the execute permission is set.
chmod 1771 mytmp
ls -ld ./mytmp
drwxrwx--t 2 root root 4096 Dec 25 19:37 ./mytmp
Example where the execute permission is set.
chmod 1777 mytmp
ls -ld ./mytmp
drwxrwxrwt 2 root root 4096 Dec 25 19:37 ./mytmp
Example where the execute permission is NOT set.
chmod 1774 mytmp
ls -ld ./mytmp
drwxrwxr-T 2 root root 4096 Dec 25 19:37 ./mytmp
Example where the execute permission is NOT set.
chmod 1770 mytmp
ls -ld ./mytmp
drwxrwx--T 2 root root 4096 Dec 25 19:37 ./mytmp
The sticky bit is shown as t when the execute permission for others is enabled, and as T when the execute permission is missing. The /tmp and /var/tmp directories often have the sticky bit set to prevent unauthorized users from deleting or modifying files created by other users.
SUID
SUID (Set User ID) is a special permission that allows a file to be executed with the privileges of the user who owns the file. When SUID is set on a file owned by root, the user running the file executes it with root privileges: the resulting process temporarily inherits root's permissions.
Identifying SUID
Files with the SUID bit show a letter 's' replacing the 'x' in the user permissions field, as shown in the following diagram and examples.
SUID can only be set on files, not directories.
Example: the passwd command.
1. We check the file permissions using the ls command.
ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 64152 May 30 2024 /usr/bin/passwd
2. Next, we check the permissions with stat to show them in octal and human-readable formats.
stat -c "File %n has %a and %A permissions" /usr/bin/passwd
File /usr/bin/passwd has 4755 and -rwsr-xr-x permissions
Notice the s in the user permissions field.
Setting SUID
Symbolic Mode
In symbolic mode, SUID is set by using the letter "s" in the user permission field.
- To enable it, use "u+s".
- To disable it, use "u-s".
Examples where we add only the SUID bit, without any other user permissions.
chmod u+s myfile
ls -l myfile
---S------ 1 root root 0 Oct 24 13:05 myfile
chmod u+s,u-rwx myfile
ls -l myfile
---S------ 1 root root 0 Dec 30 17:46 myfile
Please notice the capital letter S. That means the execute user permission is missing.
In this example we add the SUID bit together with read, write, and execute user permissions.
chmod u+rwxs myfile
ls -l myfile
-rws------ 1 root root 0 Oct 24 13:05 myfile
If the user permission section shows "s" instead of "x", then the SUID bit is set.
Numeric Mode
The octal value of SUID is 4, therefore we set 4 as the leading digit in front of the user, group, and other permissions.
Here is an example where we set the SUID only, without any other user permissions.
chmod 4000 myfile
ls -l myfile
---S------ 1 root root 0 Oct 24 13:05 myfile
In this example, we set SUID and grant 755 permissions.
chmod 4755 myfile
ls -l myfile
-rwsr-xr-x 1 root root 0 Oct 24 13:05 myfile
SGID
Set GID, also known as SGID or the Set Group ID bit, is a permission that can be applied to both executable files and directories.
This special permission has the following functions:
- When applied to executable files, a process started from the file runs with the permissions of the group that owns the file.
- When applied to directories, every file or directory created under it inherits the group of the parent directory.
As explained above, when the SGID bit is set on a folder, any new files created inside that folder automatically belong to the same group as the folder itself, regardless of who created them.
This can be helpful when you want all files in a folder to belong to a specific group, even if different people create those files.
Identifying SGID
Files with the SGID bit show a letter "s" replacing the "x" in the group permissions field. Please see the following diagram and examples.
Setting SGID
You need to be careful when using the SGID bit because it can create security problems. For example, if a folder has the SGID bit set and can be written to by anyone who is a member of that group, anyone in that group could create files within it. Those files would belong to the group, which could give group members access to data they shouldn't have.
It's usually better to manage group ownership and permissions deliberately instead of relying on the SGID bit.
Symbolic Mode
To set the SGID bit on a directory in symbolic mode, we use the command demonstrated below.
chmod g+s mydirectory
ls -ld mydirectory
drwxr-sr-x 2 root root 4096 Dec 30 19:47 mydirectory
To set the SGID bit on a file in symbolic mode, we use the command demonstrated below.
chmod g+s,g+rwx myfile
ls -l myfile
----rws--- 1 root root 0 Dec 30 17:46 myfile
To set the SGID bit on a file in symbolic mode, with the execute permission missing, we use the command demonstrated below.
chmod g+s,g+rw,g-x myfile
ls -l myfile
----rwS--- 1 root root 0 Dec 30 17:46 myfile
Please notice the capital letter S. That means the execute group permissions are missing.
Numeric Mode
The octal value of SGID is 2, therefore we set 2 as the leading digit in front of the user, group, and other permissions.
To set the SGID bit on a directory in numeric mode, we use the command demonstrated below.
chmod 2755 mydirectory
ls -ld mydirectory
drwxr-sr-x 2 root root 4096 Dec 30 19:47 mydirectory
To set the SGID bit on a file in numeric mode, we use the command demonstrated below.
chmod 2755 myfile
ls -l myfile
-rwxr-sr-x 1 root root 0 Dec 30 17:46 myfile
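As an added example that is not part of the original article, the following Python reproduces the mapping between chmod's four-digit octal mode and the string ls -l prints, for all three special bits covered above (sticky, SUID and SGID), including the lowercase s/t versus uppercase S/T distinction. The function names are my own; the values checked at the bottom are the listings from the article.

```python
import stat

# Special bits occupy the leading octal digit: 4 = SUID, 2 = SGID, 1 = sticky.
# Each one is reported in the execute slot of a different permission triplet.
SPECIAL = {"u": stat.S_ISUID, "g": stat.S_ISGID, "o": stat.S_ISVTX}
SPECIAL_LETTER = {"u": "s", "g": "s", "o": "t"}
TRIPLETS = (("u", 6), ("g", 3), ("o", 0))


def octal_to_symbolic(mode: str, is_dir: bool = False) -> str:
    """Turn a chmod-style octal mode such as '4755' into the 'ls -l' string."""
    bits = int(mode, 8)
    out = "d" if is_dir else "-"
    for who, shift in TRIPLETS:
        rwx = (bits >> shift) & 0o7
        out += "r" if rwx & 4 else "-"
        out += "w" if rwx & 2 else "-"
        exec_set = bool(rwx & 1)
        if bits & SPECIAL[who]:
            # Lowercase s/t when execute is also set, uppercase S/T when it is not.
            letter = SPECIAL_LETTER[who]
            out += letter if exec_set else letter.upper()
        else:
            out += "x" if exec_set else "-"
    return out


def symbolic_to_octal(perm: str) -> str:
    """Inverse mapping: 'drwxrwxr-T' -> '1774' (accepts the 10-char ls field)."""
    body = perm[1:] if len(perm) == 10 else perm
    if len(body) != 9:
        raise ValueError(f"expected 9 permission characters, got {perm!r}")
    bits = 0
    for idx, (who, shift) in enumerate(TRIPLETS):
        r, w, x = body[idx * 3:idx * 3 + 3]
        rwx = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x in ("s", "t"):      # special bit present and execute set
            bits |= SPECIAL[who]
            rwx |= 1
        elif x in ("S", "T"):    # special bit present, execute missing
            bits |= SPECIAL[who]
        elif x == "x":
            rwx |= 1
        bits |= rwx << shift
    return format(bits, "04o")


if __name__ == "__main__":
    # Constructed check against the article's listings: chmod 1774 on a directory.
    print(octal_to_symbolic("1774", is_dir=True), symbolic_to_octal("drwxrwxr-T"))
```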
Special Directories
Understanding Temporary Files
Temporary files are files used by programs for short-term data storage. They can be used for various purposes, such as storing process data and logs. The Filesystem Hierarchy Standard (FHS) defines standard locations for temporary files, as shown in the table below.
- Both /tmp and /var/tmp are used for temporary files but have different behaviors.
- Files in /tmp are typically erased during system boot-up, while files in /var/tmp are usually preserved between reboots.
- The /run directory is used for run-time variable data used by running processes, such as process identifier (PID) files. It is intended to be cleared during system boot-up.
Securing Temporary Files
The most widely used location for storing temporary files is the /tmp directory. It is a system-wide temporary directory that any user can read from and write to. Managing permissions for this directory is a challenge, as the correct access permissions need to be set to make sure that users cannot erase or modify files created by others. In short, choosing /tmp to store and execute your files can be very dangerous.
To secure the /tmp directory, the sticky bit is used. When set on a directory, the sticky bit prevents users from removing or renaming a file within that directory unless they own the file.
Identifying the Sticky bit on /tmp
To check the permissions on /tmp, use the ls command as follows.
ls -ldh /tmp/ /var/tmp/
drwxrwxrwt 392 root root 28K Dec 2 08:42 /tmp/
drwxrwxrwt 14 root root 4.0K Dec 2 08:39 /var/tmp/
The sticky bit is indicated by a "t" replacing the "x" in the permissions for others.
The sticky bit helps to protect files created by other users from being accidentally or maliciously deleted or modified.
Summary
In Linux, everything you interact with, such as files, folders, and even devices like your keyboard or mouse, is considered a file. This might seem unusual the first time you start working on Linux, but it's a core concept that makes Linux incredibly flexible and powerful.
In this article series, we learned about the different types of files, from regular files to special files that represent hardware or are used for communication. We also learned about links, which are shortcuts to files, and how to identify them.
One of the most important aspects of Linux is security. File permissions determine who can access and modify your files. This is crucial in a multi-user environment, where you usually share a computer with other people. We learned how to use commands like ls and chmod to view and change these permissions, giving you control over your data.
Special permissions, like the Sticky bit, SUID, and SGID, provide extra layers of security. For example, the Sticky bit can prevent other users from deleting files in shared directories.
Understanding file types and permissions is a must for any Linux user. It allows you to manage your system efficiently and protect your data.
I hope the effort I put into this book, especially the graphics, makes this topic as simple as possible. Let me know if you'd like any specific parts explained further.
Please do not hesitate to contact me, via the links below.
This article is part of my book: