File & Directory Permissions on Linux

Special Bits

So far, you have been shown the basic manipulation of file and directory permissions. However, there are quite a few situations in which these are not enough. For instance, what if you have a few people who have different default groups but are all members of some other group, and you need all of them to have write access to certain files? Or what if you have some less knowledgeable users who may accidentally delete other people's files if they are given write access to a directory?

To rectify these situations, Linux provides what are called "Special Bits" that you can apply to files and directories to change their default behaviour.

The setuid Bit

The setuid (set user id) bit makes a program run with the privileges of the file's owner rather than those of the user who launched it. This is not really useful for sharing files on a network, but can be invaluable when you have an application that needs to run as another user (such as 'root') when launched. An example:

chown root /usr/bin/myprogram
chmod +x /usr/bin/myprogram
chmod u+s /usr/bin/myprogram   (this sets the setuid bit; a bare "+s" would set the setgid bit as well)

In the above example, whenever anyone launches /usr/bin/myprogram, the process runs with the effective user ID of "root", regardless of who actually launched it. Use with caution: a setuid-root program is only as safe as its own code, since any flaw in it can be exploited by every local user. Note also that Linux honours the bit only on compiled binaries, not on interpreted ("#!") scripts, and ignores it entirely on filesystems mounted with the "nosuid" option.

On the command line, an "ls -l" output of a setuid bit file would be:

-rwsr-xr-x 1 root root 11159 2007-07-16 12:09 myprogram
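The two spellings of "set the s bit" behave differently, and listing which files carry the bits is the first thing a reviewer does on an unfamiliar machine. The following shell script is an added example, not code from the original article: it builds a throwaway tree under mktemp, marks one file with "u+s" and another with a bare "+s", and lists the results with find's "-perm -4000" and "-perm -2000" tests. The file names and helper names are invented for the demo; it runs as an ordinary user because it only touches its own scratch directory.

```shell
#!/bin/sh
# Added example (not from the original article): audit a directory tree for
# setuid/setgid files and compare "chmod u+s" with "chmod +s".
# All paths and names below are invented for the demo.

# find_special_files DIR: print "setuid PATH" / "setgid PATH" for every
# regular file under DIR carrying that bit. "-perm -4000" means "all of
# the bits in 04000 are set", so it matches 4755, 6755 and so on.
# Directories are skipped: setgid on a directory is group inheritance,
# not a privilege boundary.
find_special_files() {
    dir="$1"
    find "$dir" -type f -perm -4000 | sed 's|^|setuid |'
    find "$dir" -type f -perm -2000 | sed 's|^|setgid |'
}

# make_scratch_tree: build a throwaway tree that exercises both spellings.
# Prints the directory it created so the caller can clean it up.
make_scratch_tree() {
    work=$(mktemp -d)
    : > "$work/u_plus_s"     # will get setuid only
    : > "$work/plus_s"       # will get setuid AND setgid
    : > "$work/plain"        # control file, no special bits
    mkdir "$work/shared"     # setgid directory, must not be reported
    chmod 755 "$work/u_plus_s" "$work/plus_s" "$work/plain"
    chmod u+s "$work/u_plus_s"   # explicit "u": only the setuid bit
    chmod +s  "$work/plus_s"     # no "who" given: setuid and setgid both set
    chmod 2775 "$work/shared"
    printf '%s\n' "$work"
}

# report DIR: sorted summary with paths made relative to DIR, so the output
# does not depend on where mktemp put the tree.
report() {
    dir="$1"
    find_special_files "$dir" | sed "s|$dir/||" | sort
}

main() {
    work=$(make_scratch_tree)
    # Symbolic modes as ls -l would show them: -rwsr-xr-x vs -rwsr-sr-x
    stat -c '%A %n' "$work/u_plus_s" "$work/plus_s" | sed "s|$work/||"
    report "$work"
    rm -rf "$work"
}

main
```

The same "find / -type f -perm -4000" walk, run against a real root filesystem (as root, so that unreadable directories are included), is the usual way to enumerate setuid binaries before deciding which ones are actually needed; compare the list against the distribution's package manifest rather than trusting a file's name.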

The setgid Bit

The setgid (set group id) bit can be the cornerstone of good file permissions. When set on a directory, it makes every file and subdirectory created there inherit the directory's group instead of the creating user's primary group (existing entries are not changed). For instance, if a directory is group-owned by "admins" and has the setgid bit set, any file (and directory) created below it will also have "admins" as its group. This allows you to set up a shared network folder that is accessible by any member of the group, and any file below that directory will keep that group ownership (regardless of the user's primary group). Here is an example:

mkdir accounts
chgrp acctns accounts
chmod g+w accounts
chmod g+s accounts  (this sets the setgid bit)
chmod o-rwx accounts

In this example, any member of the acctns group will be able to access and write to the accounts directory, and since the setgid bit is set, any new file or folder created will have "acctns" as its group ownership. This allows you to create a shared network folder for a specified group without having to make it "world writable". Note that the setgid bit only controls the group: the permission bits of each new file still come from the creator's umask, so with the common default of 022 new files are group-readable but not group-writable. Users who need to edit each other's files should use a umask of 002 (or the directory should carry a default ACL that grants the group write access).

Note: Any directory created within a setgid set directory will also be "setgid".

On the command line, an "ls -l" output of a setgid bit directory would be:

drwxrws--- 2 root company 48 2007-07-16 12:12 share
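To see the inheritance and the umask caveat in one place, here is an added example (not code from the original article) that builds the "accounts" directory in a scratch location and prints what each new entry received. It cannot assume an "acctns" group exists, so it uses one of the caller's own groups (preferring a supplementary group, where inheritance is visible); the helper names make_shared_dir, pick_group, create_with_umask, mode_of, group_of and show are invented for the demo.

```shell
#!/bin/sh
# Added example (not from the original article). Builds the "accounts"
# setgid directory in a scratch location and shows what new entries get.
# Helper names are invented for this demo.

# pick_group: prefer a supplementary group so the inheritance is visible
# (a new file would get the caller's primary group anyway); fall back to
# the primary group when the caller has no other membership.
pick_group() {
    primary=$(id -gn)
    for g in $(id -Gn); do
        if [ "$g" != "$primary" ]; then printf '%s\n' "$g"; return 0; fi
    done
    printf '%s\n' "$primary"
}

# make_shared_dir PARENT GROUP: the article's recipe as one numeric mode.
# 2770 = setgid, rwx for owner and group, nothing for others.
make_shared_dir() {
    mkdir "$1/accounts"
    chgrp "$2" "$1/accounts"
    chmod 2770 "$1/accounts"
}

mode_of()  { stat -c '%A' "$1"; }   # symbolic mode, as ls -l shows it
group_of() { stat -c '%G' "$1"; }   # group name

# create_with_umask DIR NAME MASK: create an empty file under a specific
# umask, in a subshell so the caller's own umask is left alone.
create_with_umask() {
    ( umask "$3" && : > "$1/$2" )
}

# show PATH LABEL: one line "mode group label"
show() { printf '%s %s %s\n' "$(mode_of "$1")" "$(group_of "$1")" "$2"; }

demo() {
    work=$(mktemp -d)
    grp=$(pick_group)
    make_shared_dir "$work" "$grp"
    shared="$work/accounts"

    # A subdirectory inherits both the group and the setgid bit itself,
    # so it shows up as drwxr-sr-x under a 022 umask.
    ( umask 022 && mkdir "$shared/2024" )
    # Files inherit the group, but their rwx bits still come from umask:
    # 022 leaves the group read-only (-rw-r--r--),
    # 002 keeps group write     (-rw-rw-r--).
    create_with_umask "$shared" ledger.txt 022
    create_with_umask "$shared" notes.txt  002

    show "$shared"            accounts
    show "$shared/2024"       2024
    show "$shared/ledger.txt" ledger.txt
    show "$shared/notes.txt"  notes.txt
    rm -rf "$work"
}

demo
```

The group column is the same on all four lines, which is the whole point of the setgid bit; the mode column is what umask controls, and the "ledger.txt" line is the one that surprises people who expected a setgid directory to make files group-writable by itself.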

The Sticky Bit

The "sticky" bit (also known as the "save text" bit, after its historical use on executables) is today meaningful only on directories. When it is set, a file in that directory can be deleted or renamed only by the file's owner, the directory's owner, or root, regardless of the group's or others' write permission on the directory. So, in the setgid example, if you did not want every member of the "acctns" group to be able to delete a file (unless they "owned" the file), you would set the sticky bit on the accounts directory:

chmod +t accounts

On the command line, an "ls -l" output of a "sticky" directory would be (the capital T means the sticky bit is set while "others" have no execute permission; with o+x it would show as a lowercase t, and the same upper/lower-case rule applies to the s of setuid and setgid):

drwxrws--T 2 root company 48 2007-07-16 12:12 share

Setting Special Bits using Numeric Permissions

As with regular file permissions, you can also use numeric permissions to set these special bits (useful when creating scripts). When setting special bits using numeric permissions, you increase the number of digits from 3 to 4 (for instance, instead of 664 you would use 0664), where the leading digit sets the special bits.

Similar to regular permissions, you need to add the digits together using the following chart:

0     no special bit is set
1     sticky bit is set
2     setgid bit is set
4     setuid bit is set

So, if you want the sticky and setgid bits set on a directory (as well as full control for the group and no access for others), you would use 3770. For example (note "ls -ld", since a plain "ls -l" of a directory lists its contents rather than the directory itself):

chmod 3770 share
ls -ld share
drwxrws--T 2 root company 48 2007-07-16 12:12 share
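As an added example (not code from the original article), the following script converts the symbolic mode column back into the four-digit numeric form, with the s/S and t/T cases handled, and cross-checks the result against stat on a scratch directory. It generalises the single 3770 case above to any mode string; mode_to_octal, triad_value and check_against_stat are invented helper names.

```shell
#!/bin/sh
# Added example (not from the original article): convert the symbolic mode
# column of "ls -l" into the four-digit numeric form, including the special
# bits, and check the result against stat. Helper names are invented.

# triad_value TRIAD: value of one three-character group such as "rwx",
# "r-s" or "--T". The third character may be s/S (setuid/setgid) or t/T
# (sticky); lower case means the execute bit is also set, upper case that
# it is not, so only x, s and t contribute the 1.
triad_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xst]) v=$((v + 1)) ;; esac
    printf '%s' "$v"
}

# mode_to_octal MODESTRING: e.g. "drwxrws--T" -> "3770".
# The first character (file type) is ignored; the next nine are the three
# triads. The leading digit collects the special bits exactly as in the
# table above: 4 setuid, 2 setgid, 1 sticky.
mode_to_octal() {
    m="$1"
    u=$(printf '%s' "$m" | cut -c2-4)
    g=$(printf '%s' "$m" | cut -c5-7)
    o=$(printf '%s' "$m" | cut -c8-10)
    special=0
    case "$u" in ??[sS]) special=$((special + 4)) ;; esac
    case "$g" in ??[sS]) special=$((special + 2)) ;; esac
    case "$o" in ??[tT]) special=$((special + 1)) ;; esac
    printf '%s%s%s%s\n' "$special" \
        "$(triad_value "$u")" "$(triad_value "$g")" "$(triad_value "$o")"
}

# check_against_stat OCTAL: apply OCTAL to a scratch directory, read the
# symbolic form back with stat, convert it, and print all three so the
# round trip can be eyeballed: "3770 drwxrws--T 3770".
check_against_stat() {
    d=$(mktemp -d)
    chmod "$1" "$d"
    sym=$(stat -c '%A' "$d")
    printf '%s %s %s\n' "$1" "$sym" "$(mode_to_octal "$sym")"
    rmdir "$d"
}

check_against_stat 3770    # the article's example: setgid + sticky share
check_against_stat 4755    # the mode of a typical setuid binary
check_against_stat 1777    # /tmp-style world-writable sticky directory
```

"stat -c %a" prints the same four-digit number directly, so in scripts prefer it over parsing ls output; the converter is there to make the relationship between the two columns explicit.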