How to set the SetUID and SetGID bit for files in Linux and Unix

The setuid (set user ID) bit is a permission bit that allows users to execute a program with the permissions of its owner.

The setgid (set group ID) bit allows users to execute a program with the permissions of the file's group owner.

Any user can execute a setuid script with the permissions of its owner, and any user can execute a setgid script with the permissions of its group.

The setuid and setgid can be set with the chmod command, like any other permission bits.

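To check whether a file has setuid or setgid set, use ls -l or stat. An s or S in the user permissions field represents setuid, and an s or S in the group permissions field represents setgid. A lowercase s means the execute bit is set as well; an uppercase S, as in the listing below, means the special bit is set but the execute bit is not: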

$ ls -l
-rwSrwSr-- 1 razvan razvan 0 2012-07-01 02:46 script

How to set and remove the setuid and the setgid:

The setuid and setgid can be set in both the octal and the human readable format.

1. In the human readable format:

To set the setuid bit, add s for the user: chmod u+s /path/to/file

$ chmod u+s script2

To remove the setuid bit use the -s argument with the chmod command: chmod u-s /path/to/file

$ chmod u-s script2

To set the setgid bit on a file, add the +s argument for the group, with chmod g+s /path/to/file:

$ chmod g+s myscript

To remove the setgid use -s for the group: chmod g-s /path/to/file

$ chmod g-s myscript

2. In the octal mode:

To set the setuid in the octal form, place a 4 in front of the three permission digits. 4777, for example, means that the file has full permissions and the setuid bit: chmod 4777 /path/to/myscript

$ chmod 4777 myscript
$ chmod 4764 myscript

To set the setgid in the octal form, add a 2 before the three permission digits. 2777, for example, means that the file has full permissions and the setgid bit: chmod 2777 /path/to/myscript

$ chmod 2777 myscript
$ chmod 2764 myscript

To remove the setuid and setgid, place a 0 (zero) in front of the three permission digits: chmod 0777 /path/to/file

How to find the setuided and setgided files:

Use find to locate the setuid and setgid files: find / -type f -perm /6000

$ find / -type f -perm /6000 -exec stat -c "%A %a %n" {} \;
-rwxr-sr-x 2755 /usr/bin/wall
-rwxr-sr-x 2755 /usr/bin/mlocate
-rwxr-sr-x 2755 /usr/bin/dotlockfile
-rwxr-sr-x 2755 /usr/bin/crontab
-rwsr-sr-x 6755 /usr/bin/at
-rwxr-sr-x 2755 /usr/bin/bsd-write
-rwxr-sr-x 2755 /usr/bin/ssh-agent
-rwsr-xr-x 4755 /usr/bin/mtr
-rwsr-xr-x 4755 /usr/bin/traceroute6.iputils
-rwsr-xr-x 4755 /usr/bin/passwd
-rwsr-xr-x 4755 /usr/bin/pkexec
-rwsr-sr-x 6755 /usr/bin/X
[...]

Find only the files with setuid: find / -type f -perm /4000

Find only the files with setgid: find / -type f -perm /2000
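
The find command above can be turned into a recurring check. The following is an added example, not part of the original article: it compares the setuid/setgid files under a directory with a reviewed baseline list and flags new or writable ones. The function name, status labels and the sample files are assumptions made for illustration, and it relies on GNU find and GNU stat.

```shell
#!/bin/sh
# Added example: compare setuid/setgid files under a directory with a
# reviewed baseline list. Assumes GNU find and GNU stat.

# audit_special_bits DIR BASELINE_FILE
# Prints "STATUS MODE PATH" for every setuid/setgid regular file in DIR:
#   WRITABLE  group- or world-writable (reported even if in the baseline)
#   NEW       not listed in BASELINE_FILE (one absolute path per line)
#   OK        listed in BASELINE_FILE
audit_special_bits() {
    dir=$1
    baseline=$2
    find "$dir" -xdev -type f -perm /6000 2>/dev/null | sort |
    while IFS= read -r path; do
        mode=$(stat -c '%a' "$path") || continue
        # 022 masks the group-write and other-write bits of the octal mode
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            status=WRITABLE
        elif grep -Fxq -- "$path" "$baseline"; then
            status=OK
        else
            status=NEW
        fi
        printf '%s %s %s\n' "$status" "$mode" "$path"
    done
}

# Constructed sample tree (empty files, not real system binaries).
demo_dir=$(mktemp -d)
for f in reviewed dropped loose plain; do : > "$demo_dir/$f"; done
chmod 4755 "$demo_dir/reviewed" "$demo_dir/dropped"
chmod 4777 "$demo_dir/loose"
chmod 0755 "$demo_dir/plain"
printf '%s\n' "$demo_dir/reviewed" "$demo_dir/loose" > "$demo_dir/baseline.txt"

audit_special_bits "$demo_dir" "$demo_dir/baseline.txt"
```

On a real host, build the baseline from a listing you have reviewed and rerun the audit after package installs or upgrades.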

6 comments on “How to set the SetUID and SetGID bit for files in Linux and Unix”
  1. Joe says:

    Nice tut. keep it up. thanks.

  2. Val says:

    A very nice tutorial. One thing I noticed is that the setuid or ‘s’ letter on the owner part is a lowercase ‘s’ not ‘S’. The capital ‘S’ as you already explained is part of the group section.

  3. min says:

    it turns out, when it is capital S at the group field, it means the x bit is not set.

    in effect, if it is a folder, the group will not have access to the folder
    i.e.
    chmod 700 to a folder is the same as chmod 2740 to a folder.

  4. Kozaki says:

    Thank you for a nice tut’. I found the

    > How to find the setuided and setgided files:

    especially neat!

    Article layout could be improved a bit, with e.g. bigger non-Arial titles –but maybe that’s my taste.

  5. Arty Caiado says:

    Thanks for the tutorial, very helpful.
