SUID and SGID in Linux Explained With Examples

Sarath Pillai's picture
SUID and SGID in Linux

Imagine a situation where you have a script or executable file that always needs to be ran by a particular user, simply because that user has proper access rights for the actions taken by the script. Also you are willing other users to be able to execute that script, but ultimately that needs to be ran as the original user of the script(as that user only has the required permission sets for the actions taken).

 

By default Linux applications and programs runs with the same exact permissions of the user who executes it. Due to this reason, we need a good solution for the above mentioned situation (ie: All users should be able to execute a program owned by a particular user as if the owner himself executed it).

 

This is where SUID comes into picture. SUID is nothing but a special permission bit available in Linux, that achieves this with a lot of ease.

 

If you are the owner of an executable file, with the help of SUID permission set, other users will be running the executable with your permission and not theirs.

 

SUID is normally used in Linux, for providing elevated privileges temporarily during execution. This elevation of privileges is not permanent at all. Its a temporary elevation only when the program/script is being executed.

 

Example's of Executable Files in Linux having SUID permission bit set

-rwsr-xr-x 1 root root 34904 Mar 12  2014 /bin/su

-rwsr-xr-x 1 root root 40760 Sep 26  2013 /bin/ping

-rwsr-xr-x 1 root root 77336 Apr 28  2014 /bin/mount

-rwsr-xr-x 1 root root 53472 Apr 28  2014 /bin/umount

-rwsr-xr-x 1 root root 66352 Dec  7  2011 /usr/bin/chage

-rwsr-xr-x 1 root root 30768 Feb 22  2012 /usr/bin/passwd

---s--x--x 1 root root 123832 Nov 22  2013 /usr/bin/sudo

-rwsr-xr-x 1 root root 51784 Nov 23  2013 /usr/bin/crontab
 

Let's understand this by considering an example. From the above list of executables,/usr/bin/passwd is something that should be executable by all the users in the system(this is because all users should be able to change their own password). If you do not know how passwords work in linux, i recommend reading the below article.

 

Read: How passwords work in Linux

 

Updating a user's password requires the user to edit the /etc/passwd, /etc/shadow file in linux. However, this is only permitted for root user. This is the reason SUID bit is applied on the file /usr/bin/passwd. As root is the owner of that file, and SUID being set on that file, any user executing the /usr/bin/passwd command will execute it as root user.  Let's see this practically.

 

Below shown is the passwd command fired by the user named sarath. Let's see if that passwd command process is getting executed as root user.

 

[sarath@localhost ~]$ passwd
Changing password for user sarath.
Changing password for sarath.
(current) UNIX password:

 

Let's open another terminal, and fire up ps aux commad and see if the passwd command process is running with root user. This can be done as shown below.

 

[sarath@localhost ~]$ ps aux | grep passwd
root     24531  0.0  0.0 156928  1664 pts/0    S+   07:24   0:00 passwd

 

You can clearly see the passwd command process is running with root user(visible from the first field of the above output.). Similar to passwd command, any command from the previously shown list of SUID applied files, will always run with the permission of the owner of the file, irrespective of which user is executing it.

Also notice the fact that even ping command is SUID(See the initial list given above), this is because PING execution requires several network operations, that can only be executed by root.

 

How to configure SUID in Linux?

Configuring SUID on your required files/script is a single CHMOD command away.

 

[sarath@localhost ~]$ chmod u+s /path/to/file/or/executable

 

Replace "/path/to/file/or/executable", in the above command, with the absolute path of the script that you need SUID bit on. This can be achieved by using the numerical method of chmod as well.

 

[sarath@localhost ~]$ chmod 4755 /path/to/file/or/executable

 

 

The first "4" in "4755" indicates SUID. Another example of numerical method is shown below.

 

[sarath@localhost ~]$ chmod 4750 /path/to/file/or/executable

 

Basically, in the numerical method, simply prepend 4 to the other permission sets that is needed on that file.

 

How to verify if SUID is applied on a file or not?

You can verify if SUID bit is applied on a file or not by using ls command as shown below.

 

root@ip-10-12-2-217:# cd /usr/bin
root@ip-10-12-2-217:/usr/bin# ls -l passwd
-rwsr-xr-x 1 root root 47032 Jul 15  2015 passwd

 

 

ls -l command should show you whether SUID is applied or not. Simply look at the first field of ls -l output. The s in -rwsr-xr-x indicates SUID bit. In some cases you will see a capital S instead of a small s that we saw above. Captal S indicates that there is no executable permission applied to that file/or script.

 

root@ip-10-12-2-217:/usr/bin# chmod -x passwd
root@ip-10-12-2-217:/usr/bin# ls -l passwd
-rwSr--r-- 1 root root 47032 Jul 15  2015 passwd

 

 

You can clearly see from the above output that, removing executable permission from /usr/bin/passwd file turned the output of ls -l into capital S. Adding executable permission back on that file will make it small s as shown below.

 

root@ip-10-12-2-217:/usr/bin# chmod +x passwd
root@ip-10-12-2-217:/usr/bin# ls -l passwd
-rwsr-xr-x 1 root root 47032 Jul 15  2015 passwd

 

How to find all files, which has SUID bit enabled in linux?

You can use the below find command to search all the files in the system that has SUID bit enabled. If you are new to find command, i would recommend reading the below article.

Read: Find command in Linux with examples

root@ip-10-12-2-217:~# find / -perm -4000 -exec ls -l {} \;

 

Replace the first / in the above command with the required location to find all SUID files in that location. For example, to find all files with SUID inside /usr/bin, run the below command.

 

root@ip-10-12-2-217:~# find /usr/bin/ -perm -4000 -exec ls -l {} \;
-rwsr-xr-x 1 root root 68152 Jul 15  2015 /usr/bin/gpasswd
-rwsr-sr-x 1 daemon daemon 51464 Oct 21  2013 /usr/bin/at
-rwsr-xr-x 1 root root 155008 Aug 27  2015 /usr/bin/sudo
-rwsr-xr-x 1 root root 41336 Jul 15  2015 /usr/bin/chsh
-rwsr-xr-x 1 root root 23104 May  7  2014 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 47032 Jul 15  2015 /usr/bin/passwd
-rwsr-xr-x 1 root root 75256 Oct 21  2013 /usr/bin/mtr
-rwsr-xr-x 1 root root 46424 Jul 15  2015 /usr/bin/chfn
-rwsr-xr-x 1 root root 23304 Nov 24 21:15 /usr/bin/pkexec
-rwsr-xr-x 1 root root 32464 Jul 15  2015 /usr/bin/newgrp

 

Please remember the fact that SUID bit is ignored on directories in Linux.



SGID is very much similar to SUID. The only difference is that the script/file having SGID configured, will run with the same permission of the group owner.

If you setup SGID on directores, all files or directories created inside that directory will be owned by the same common group(group owner of the directory where SGID is configured).

 

Examples of SGID files in linux

-rwxr-sr-x 3 root mail 14592 Dec  3  2012 /usr/bin/mail-unlock
-rwxr-sr-x 1 root utmp 421768 Nov  7  2013 /usr/bin/screen
-rwxr-sr-x 1 root shadow 23360 Jul 15  2015 /usr/bin/expiry
-rwxr-sr-x 1 root mail 14856 Dec  7  2013 /usr/bin/dotlockfile
-rwxr-sr-x 3 root mail 14592 Dec  3  2012 /usr/bin/mail-lock
-rwsr-sr-x 1 daemon daemon 51464 Oct 21  2013 /usr/bin/at
-rwxr-sr-x 1 root shadow 54968 Jul 15  2015 /usr/bin/chage
-rwxr-sr-x 1 root mlocate 39520 Jun 20  2013 /usr/bin/mlocate
-rwxr-sr-x 1 root tty 14688 Jun  4  2013 /usr/bin/bsd-write
-rwxr-sr-x 1 root ssh 284784 Jan 13 16:39 /usr/bin/ssh-agent
-rwxr-sr-x 3 root mail 14592 Dec  3  2012 /usr/bin/mail-touchlock
-rwxr-sr-x 1 root tty 19024 Sep  2  2015 /usr/bin/wall
-rwxr-sr-x 1 root crontab 35984 Feb  9  2013 /usr/bin/crontab

 

How to configure SGID in Linux?

Similar to SUID, SGID can be configured using chmod command as shown below.

 

root@localhost:~# chmod g+s /path/to/file

 

Replace "/path/to/file", in the above command, with the absolute path of the script that you need SGID bit on. This can be achieved by using the numerical method of chmod as well(shown below).

 

root@localhost:~# chmod 2755 /path/to/file

 

How to verify if SGID is applied on a file or script?

Similar to SUID, you can easily execute ls -l command on a file/directory to find if SGID is enabled or not. The below shown example shows the same.

 

root@ip-10-12-2-217:# cd /usr/bin
root@ip-10-12-2-217:/usr/bin# ls -l chage
-rwxr-sr-x 1 root shadow 54968 Jul 15  2015 chage

The small s part of the first field in the about output (-rwxr-sr-x) indicates SGID bit. Similar to SUID, if you do not have executable permission applied on the group, it will be capital S instead of small as shown below.

 

root@ip-10-12-2-217:/usr/bin# chmod g-x chage
root@ip-10-12-2-217:/usr/bin# ls -l chage
-rwxr-Sr-x 1 root shadow 54968 Jul 15  2015 chage

 

 

And enabling executable permission on the group, will make it small s (shown below.)

 

root@ip-10-12-2-217:/usr/bin# chmod g+x chage
root@ip-10-12-2-217:/usr/bin# ls -l chage
-rwxr-sr-x 1 root shadow 54968 Jul 15  2015 chage

 

How to find all files in linux with SGID configured?

You can use the below find command to search for all the files in Linux operating system, with SGID bit configured.

 

root@ip-10-12-2-217:~# find / -perm -2000 -exec ls -l {} \;

 

Scripts/applications that require SGID or SUID needs to be written with utmost care. As this can be a big security hole for the entire operating system.

Rate this article: 
Average: 3.6 (564 votes)

Comments

Nice Article. Clear explanation

very well described.... thanks

Beautifully explained. good work!!

Concepts cleared with scenario explanation

Clearly explained the concept of suid and sgid

Nicely explained. However, can you explain, why with elevated permission (SUID) a normal user can only change his password and not anybody else's?

Sarath Pillai's picture

Hi Chinmaya,
This is the reason why SUID programs needs to be coded really carefully. Else it can become a security risk.

The program with SUID needs to have all the logic to prevent any wrong. The passwd program first verifies the uid of the person who triggers that command using getuid system call, if root is executing it, it will let you do things that regular user cannot do (like parameters can be any username). Check it over here: https://github.com/shadow-maint/shadow/blob/master/src/passwd.c

Hope that answers your question.
Thanks
Sarath

Clearly explained! Thanks. Would be nice to include 'sticky bit' too.

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.