Lesson 1.19: Advanced file permissions
Special Permission Bits
SGID Bit
If the SGID bit is set on a directory, then any files/dirs created inside that directory inherit the group ownership of the parent directory instead of the creating user's primary group.
chmod g+s <dir name> : To set the SGID bit
chmod g-s <dir name> : To unset the SGID bit
ls -ld <dir name> : To check if the SGID bit is set
- d --- --s --- : Here in the permission string, the s in the group execute position indicates that the SGID bit is set.
- lowercase s : Indicates that both the group execute bit and the SGID bit are set.
- uppercase S : Indicates that only the SGID bit is set (group execute is not set).
[root@sanjeeb /]# ls -ld prod sls mkt
drwxrwx---. 2 boss marketing 6 Sep 26 21:31 mkt
drwxrwx---. 2 boss production 6 Sep 26 21:31 prod
drwxrwx---. 2 boss sales 6 Sep 26 21:31 sls
[root@sanjeeb /]# chmod g+s prod sls mkt
[root@sanjeeb /]# ls -ld prod sls mkt
drwxrws---. 2 boss marketing 6 Sep 26 21:31 mkt
drwxrws---. 2 boss production 6 Sep 26 21:31 prod
drwxrws---. 2 boss sales 6 Sep 26 21:31 sls
[root@sanjeeb /]# su - boss
Last login: Fri Sep 27 07:12:23 +0545 2024 on tty3
# Creating a file in prod dir, we can see group is set to production due to SGID
[boss@sanjeeb prod]$ touch file_1
[boss@sanjeeb prod]$ ls -lh
total 0
-rw-r--r--. 1 boss production 0 Sep 27 07:50 file_1
# Creating a file in mkt dir, we can see group is set to marketing due to SGID
[boss@sanjeeb mkt]$ touch file2
[boss@sanjeeb mkt]$ ls -lh
total 0
-rw-r--r--. 1 boss marketing 0 Sep 27 07:50 file2
Sticky Bit
If the sticky bit is set on a directory, then only the owner of a file/dir inside it can delete or rename that file/dir, even when other users have write permission on the directory.
chmod o+t <dir name> : To set the sticky bit
chmod o-t <dir name> : To unset the sticky bit
- d --- --- --t : Here in the permission string, the t in the other execute position indicates that the sticky bit is set.
- lowercase t : Indicates that both the other execute bit and the sticky bit are set.
- uppercase T : Indicates that only the sticky bit is set (other execute is not set).
[root@sanjeeb /]# ls -ld mkt sls prod
drwxrws---. 2 boss marketing 19 Sep 27 07:50 mkt
drwxrws---. 2 boss production 20 Sep 27 07:50 prod
drwxrwx---. 2 boss sales 6 Sep 26 21:31 sls
[root@sanjeeb /]# chmod o+t sls
[root@sanjeeb /]# ls -ld mkt sls prod
drwxrws---. 2 boss marketing 19 Sep 27 07:50 mkt
drwxrws---. 2 boss production 20 Sep 27 07:50 prod
drwxrwx--T. 2 boss sales 6 Sep 26 21:31 sls
# Switching to salesman1 of the group sales, but cannot remove folder sls.
# Even though sls has rwx permission for group, as it is set to T (sticky bit)
[salesman1@sanjeeb /]$ rm -rf sls
rm: cannot remove 'sls': Permission denied
[salesman1@sanjeeb /]$ ls -ld sls
drwxrwx--T. 2 boss sales 6 Sep 27 08:20 sls
# Removing the sticky bit from root user
[root@sanjeeb /]# chmod o-t sls
[root@sanjeeb /]# ls -ld sls
drwxrwx---. 2 boss sales 6 Sep 27 08:20 sls
SUID Bit
If the SUID bit is set on an executable file, the program runs in the security context (effective user ID) of the file's owner rather than of the user who runs it.
# Here the SUID bit is set on /usr/bin/passwd, shown by the s in the owner execute position
[boss@sanjeeb ~]$ which passwd
/usr/bin/passwd
[boss@sanjeeb ~]$ ls -lh /usr/bin/passwd
-rwsr-xr-x. 1 root root 68K Aug 10 2021 /usr/bin/passwd
# Removing the SUID Bit
[root@sanjeeb ~]# ls -lh /usr/bin/passwd
-rwsr-xr-x. 1 root root 68K Aug 10 2021 /usr/bin/passwd
[root@sanjeeb ~]# chmod u-s /usr/bin/passwd
[root@sanjeeb ~]# ls -lh /usr/bin/passwd
-rwxr-xr-x. 1 root root 68K Aug 10 2021 /usr/bin/passwd
# Checking the passwd command now that the SUID bit is removed
[boss@sanjeeb ~]$ passwd
Changing password for user boss.
Current password:
New password:
Retype new password:
passwd: Authentication token manipulation error
# Now adding the SUID bit back
[root@sanjeeb ~]# chmod u+s /usr/bin/passwd
[root@sanjeeb ~]# ls -lh /usr/bin/passwd
-rwsr-xr-x. 1 root root 68K Aug 10 2021 /usr/bin/passwd
[boss@sanjeeb ~]$ passwd
Changing password for user boss.
Current password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Numerical Representation of Special Permission Bits
- SUID Bit : 4
- SGID Bit : 2
- Sticky Bit : 1
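As an added example (not part of the lesson), the shell functions below turn the permission strings seen in the ls -l listings above into the four-digit octal mode that chmod accepts, using the SUID=4, SGID=2, sticky=1 weights listed here, and then apply one such mode to a temporary directory and read it back. The names triplet_value, perm_to_octal and demo_sgid_dir are chosen here; demo_sgid_dir assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example: decode "drwxrws---"-style strings into octal modes such as 2770.

# triplet_value <3-char triplet> <special weight>  -> prints "<rwx value> <special value>"
# e.g. "rws" 2 -> "7 2", "r-S" 2 -> "4 2", "--T" 1 -> "0 1", "rwt" 1 -> "7 1"
triplet_value() {
    t=$1; w=$2; v=0; s=0
    case "$t" in r??) v=$((v + 4));; esac
    case "$t" in ?w?) v=$((v + 2));; esac
    # lowercase s/t means the execute bit is set as well as the special bit
    case "$t" in ??[xst]) v=$((v + 1));; esac
    # any of s/S/t/T means the special bit itself is set (uppercase = no execute)
    case "$t" in ??[sStT]) s=$w;; esac
    printf '%s %s\n' "$v" "$s"
}

# perm_to_octal <ls -l mode string>  -> prints e.g. 2770 for "drwxrws---"
# A trailing SELinux "." or ACL "+" after the 10 mode characters is ignored.
perm_to_octal() {
    p=$1
    u=$(printf '%s' "$p" | cut -c2-4)   # owner triplet, special weight 4 (SUID)
    g=$(printf '%s' "$p" | cut -c5-7)   # group triplet, special weight 2 (SGID)
    o=$(printf '%s' "$p" | cut -c8-10)  # other triplet, special weight 1 (sticky)
    set -- $(triplet_value "$u" 4); uv=$1; us=$2
    set -- $(triplet_value "$g" 2); gv=$1; gs=$2
    set -- $(triplet_value "$o" 1); ov=$1; os=$2
    printf '%d%d%d%d\n' $((us + gs + os)) "$uv" "$gv" "$ov"
}

# demo_sgid_dir: set the lesson's SGID directory mode numerically on a
# constructed temporary directory and print what stat reports (GNU stat).
demo_sgid_dir() {
    d=$(mktemp -d) || return 1
    chmod 2770 "$d"              # 2 = SGID, 770 = rwxrwx--- (same as chmod g+s on a 770 dir)
    mode=$(stat -c '%a' "$d")    # expected 2770
    perm=$(stat -c '%A' "$d")    # expected drwxrws---
    rmdir "$d"
    printf '%s %s\n' "$mode" "$perm"
}

# Walk the strings from the listings above.
for m in 'drwxrws---.' '-rwsr-xr-x.' 'drwxrwx--T.' 'drwxrwxrwt'; do
    printf '%s -> %s\n' "$m" "$(perm_to_octal "$m")"
done
demo_sgid_dir
```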