15.8. Effect of Setting File and Directory SUID/SGID Permissions Explained
The setting of the SUID/SGID bits on the file or directory permissions flag has particular consequences. If the file is executable and the SUID bit is set, it executes with the privilege of (with the UID of) the owner of the file. For example, if you are logged onto a system as a normal user (let's say as the user bobj), and you execute a file that is owned by the user root (uid = 0), and the file has the SUID bit set, then the file is executed as if you had logged in as the user root and then executed the file. The SUID bit effectively gives you (as bobj) administrative privilege for the use of that executable file.
The setting of the SGID bit has precisely the same effect as the SUID bit, except that it applies the privilege to the UNIX group setting. In other words, the file executes with the privileges (the GID) of the group that owns the file.
When the SUID/SGID permissions are set on a directory, all files created within that directory are automatically given the ownership of the SUID user and/or the SGID group, taken from the ownership of the directory in which the file is created. This means that the system-level create() function executes with the SUID user and/or SGID group of the directory in which the file is created.
If you want to obtain the SUID behavior, simply execute the following command:
root# chmod u+s file-or-directory
To set the SGID properties on a file or a directory, execute this command:
root# chmod g+s file-or-directory
And to set both SUID and SGID properties, execute the following:
root# chmod ug+s file-or-directory
Let's consider the example of a directory /data/accounts. The permissions on this directory before setting both SUID and SGID on this directory are:
root# ls -al /data/accounts
total 1
drwxr-xr-x   10 root   root           232 Dec 18 17:08 .
drwxr-xr-x   21 root   root           600 Dec 17 23:15 ..
drwxrwxrwx    2 bobj   Domain Users    48 Dec 18 17:08 accounts/
drwx------    2 root   root            48 Jan 26  2002 lost+found
In this example, if the user maryv creates a file, it is owned by her. If maryv has the primary group of Accounts, the file is owned by the group Accounts, as shown in this listing:
root# ls -al /data/accounts/maryvfile.txt
drw-rw-r--    2 maryv  Accounts     12346 Dec 18 17:53
Now you set the SUID and SGID and check the result as follows:
root# chmod ug+s /data/accounts
root# ls -al /data/accounts
total 1
drwxr-xr-x   10 root   root           232 Dec 18 17:08 .
drwxr-xr-x   21 root   root           600 Dec 17 23:15 ..
drwsrwsr-x    2 bobj   Domain Users    48 Dec 18 17:08 accounts
drwx------    2 root   root            48 Jan 26  2002 lost+found
If maryv creates a file in this directory after this change has been made, the file is owned by the user bobj, and the group is set to the group Domain Users, as shown here:
root# chmod ug+s /data/accounts
root# ls -al /data/accounts/maryvfile.txt
total 1
drw-rw-r--    2 bobj   Domain Users  12346 Dec 18 18:11 maryvfile.txt
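The listings above show the SUID/SGID bits as the letter s in the ls mode column (drwsrwsr-x). The following Python script is an added example, not part of the HOWTO or of Samba: it decodes that column the way an auditor reads it and walks a directory tree to report every entry carrying SUID, SGID or the sticky bit, flagging root-owned SUID files as the ones to review first. The file and directory names in demo() are constructed for the example.

```python
import os
import shutil
import stat
import tempfile

# ls(1) mode column: index 3 is user-execute, 6 group-execute, 9 other-execute.
# 's'/'t' there means SUID/SGID/sticky set; capital 'S'/'T' means set without execute.
SPECIAL_SLOTS = {3: ("sS", "SUID"), 6: ("sS", "SGID"), 9: ("tT", "sticky")}


def parse_ls_mode(text):
    """Decode an ls mode string such as 'drwsrwsr-x' into its special bits."""
    if len(text) != 10:
        raise ValueError("expected a 10-character ls mode string: %r" % text)
    return [name for slot, (chars, name) in SPECIAL_SLOTS.items() if text[slot] in chars]


def scan_special_bits(root):
    """Walk root (not following symlinks) and report every entry with SUID, SGID
    or sticky set: path, ls-style mode, owner uid and group gid. For a directory
    SGID means group inheritance as described above; for a regular file owned by
    uid 0, SUID means it runs as root, so root_suid marks the entries to review first."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            text = stat.filemode(st.st_mode)   # same string that ls -l prints
            bits = parse_ls_mode(text)
            if bits:
                findings.append({"path": path, "mode": text, "bits": bits,
                                 "uid": st.st_uid, "gid": st.st_gid,
                                 "root_suid": "SUID" in bits and st.st_uid == 0
                                 and stat.S_ISREG(st.st_mode)})
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Scan a constructed tree in a temporary directory: a SUID file, an SGID
    directory and a plain file. Returns (relative path, mode, bits) tuples."""
    base = tempfile.mkdtemp()
    try:
        for name, mode in (("suidbin", 0o4755), ("notes.txt", 0o644)):
            open(os.path.join(base, name), "w").close()
            os.chmod(os.path.join(base, name), mode)   # -rwsr-xr-x for suidbin
        os.mkdir(os.path.join(base, "accounts"))
        os.chmod(os.path.join(base, "accounts"), 0o2775)   # drwxrwsr-x
        return [(os.path.relpath(f["path"], base), f["mode"], f["bits"])
                for f in scan_special_bits(base)]
    finally:
        shutil.rmtree(base)
```

Run scan_special_bits("/") on a real host to list the installed setuid and setgid programs; an entry whose mode shows a capital S has the bit set without the execute bit, which has no effect on a file but still merits a look.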