Sticky Bits, UID's and GID's



Special settings within file permissions - how to understand and manage them


This article is part 3 of 3 in the series on file permissions:
Understanding File Permissions
How do I use chmod to manage file permissions?
Sticky Bits, UID's and GID's


Overview

A previous article established that any file permission value can be represented with 3 octal digits and managed using chmod. You can also use 4 digits to achieve the same result: for example, 777 is equal to 0777, and so on. The additional leading octal digit represents special features known as the Sticky Bit, SUID, and SGID.

Understanding special octal values

In regular file permissions, where no special options are set, octal values ranging from 0-7 represent combinations of read, write, and execute permission. As stated above, when the additional leading digit is used, its values (still ranging from 0-7) represent the following options:

Special options octal breakdown cheat sheet
0 - No options set
1 - Sticky Bit set
2 - SGID set
3 - Sticky Bit and SGID set
4 - SUID set
5 - Sticky Bit and SUID set
6 - SGID and SUID set
7 - Sticky Bit, SGID and SUID set


What is a Sticky Bit

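A Sticky Bit is a special setting within file permissions that helps limit access beyond what normal file permissions are capable of. In short, a Sticky Bit ensures only the owner of the file / directory is able to delete or rename the file. Note that root is able to edit and delete the file as well. On Linux the bit takes effect when it is set on a directory: entries inside that directory can then be deleted or renamed only by the entry's owner, the directory's owner, or root, even when the directory is writable by everyone. /tmp, normally mode 1777, is the usual example.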

How to set a Sticky Bit

For the most part, setting a Sticky Bit with chmod works like setting any normal file permission. For example, to set a file to the permission 777 you would normally do the following.

Changing a permission normally
$ chmod 777 myfile.txt

Confirming the change using ls -l
$ ls -al

output being:
-rwxrwxrwx 1 root root 4096 Sep 24 2016 myfile.txt

In order to change a file to the same permission of 777 with a Sticky Bit, you would use the octal 1777, as follows:

Changing a permission with a Sticky Bit
$ chmod 1777 myfile.txt

Confirming the change using ls -l
$ ls -al

output being:
-rwxrwxrwt 1 root root 4096 Sep 24 2016 myfile.txt
* Please note the differences: where the normal file permission of 777 has a symbolic value of "-rwxrwxrwx", the one with the Sticky Bit is "-rwxrwxrwt". The final "x" of the symbolic value is replaced by a "t". This letter "t" indicates that a Sticky Bit is set.

Detecting a Sticky Bit

Run the ls -l or ls -al command to see the permissions of the file or directory in question

$ ls -l
-rwxrwxrwt 1 root root 4096 Sep 24 2013 your_file.txt
drwxrwxrwt 1 root root 4096 Sep 24 2013 your_directory
Please note the output: for the file and the directory, the symbolic values of their file permissions are -rwxrwxrwt and drwxrwxrwt respectively. As stated above, the letter "t" in the last position of the symbolic value indicates that a Sticky Bit has been set.

What is an SGID (SETGUID) - What is an SUID (SETUID)

There are cases where a user needs to run a program that requires elevated privileges. In those cases an SUID or SGID can be set on the program to provide the required permissions for execution. When a SETUID binary is executed, it runs with the privileges of the file's owner rather than those of the user who started it; a SETGID binary runs with the privileges of the file's group. Usually an SUID or SGID is required where users need elevated privileges and do not have admin or root access. Because such a program carries its owner's privileges for whoever runs it, SUID and SGID files, especially those owned by root, are best kept to a known minimum.

Setting and Detecting an SGID

Setting an SGID
$ chmod 2777 myfile.txt

Confirming the change using ls -l
$ ls -al

output being:
-rwxrwsrwx 1 root root 4096 Sep 24 2016 myfile.txt
# chmod 2777 changes myfile.txt to permissions 777 with an SGID
* Please note the symbolic permissions value is -rwxrwsrwx, in which the second (group) triad "rws" ends with an "s" rather than an "x". This letter "s" indicates that an SGID has been set for the file or directory in question.

Setting and Detecting an SUID

Setting an SUID
$ chmod 4777 myfile.txt

Confirming the change using ls -l
$ ls -al

output being:
-rwsrwxrwx 1 root root 4096 Sep 24 2016 myfile.txt
# chmod 4777 changes myfile.txt to permissions 777 with an SUID
* Please note the symbolic permissions value is -rwsrwxrwx, in which the first (user) triad "rws" ends with an "s" rather than an "x". This letter "s" indicates that an SUID has been set for the file or directory in question.
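
The detection steps above check one file at a time with ls. As an added example (not part of the original article), the script below goes further and uses find to inventory a whole tree for SUID/SGID files and for world-writable directories that lack a Sticky Bit; the function names and the constructed demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): inventory special
# permission bits under a directory tree with find.

# list_setid DIR: regular files with SUID (4000) or SGID (2000) set.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# list_unsticky_world_writable DIR: world-writable directories (0002)
# without the Sticky Bit (1000).
list_unsticky_world_writable() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# build_demo_tree: constructed sample tree (hypothetical names); prints its path.
build_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/shared" "$root/dropbox"
    : > "$root/tool"
    : > "$root/plain"
    chmod 4755 "$root/tool"      # SUID set       -> reported
    chmod 0644 "$root/plain"     # no special bit -> ignored
    chmod 1777 "$root/shared"    # sticky set     -> ignored
    chmod 0777 "$root/dropbox"   # no sticky      -> reported
    printf '%s\n' "$root"
}

demo=$(build_demo_tree)
echo "SUID/SGID files:"
list_setid "$demo"
echo "World-writable directories without a Sticky Bit:"
list_unsticky_world_writable "$demo"
rm -rf "$demo"
```

Run against real directories, the output is most useful when compared with a saved baseline, so that a newly appearing entry stands out.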

Why the capital letters?

There are cases within certain file permissions where you may see a capital letter "S" or "T" in place of its normal lower case counterpart. The following is a breakdown of each of those situations and their meaning.

Capital letters breakdown cheat sheet
- Capital S within User Triad
For example, the permission 4236 contains a capital "S" within its symbolic value of "--wS-wxrw-". This indicates that an SUID has been set, but execute permission has not been granted to the user triad.

- Capital S within Group Triad
For example, the permission 2767 contains a capital "S" within its symbolic value of "-rwxrwSrwx". This indicates that an SGID has been set, but execute permission has not been granted to the group triad.

- Capital T
A capital T indicates that a Sticky Bit has been set, but the other triad does not have execute access. See permission 1774 with a symbolic value of "-rwxrwxr-T" for an example.
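
The special-digit cheat sheet and the capital-letter rules above combine into one small decoder. This is an added example, not part of the original article; the function names triad and mode_to_symbolic are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): turn a 3- or 4-digit octal
# mode into the 10-character string that ls -l prints.

# triad DIGIT SPECIAL LOWER UPPER
# Prints one rwx triad. If SPECIAL is non-zero, the execute slot shows LOWER
# when execute is also granted and UPPER when it is not.
triad() {
    d=$1; r=-; w=-; x=-
    if [ $((d & 4)) -ne 0 ]; then r=r; fi
    if [ $((d & 2)) -ne 0 ]; then w=w; fi
    if [ $((d & 1)) -ne 0 ]; then x=x; fi
    if [ "$2" -ne 0 ]; then
        if [ "$x" = x ]; then x=$3; else x=$4; fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_symbolic MODE [TYPE]
# TYPE is the leading file-type character: "-" (default) or "d".
mode_to_symbolic() {
    m=$1
    case $m in
        ''|*[!0-7]*|?????*) echo "invalid mode: $m" >&2; return 1 ;;
    esac
    while [ "${#m}" -lt 4 ]; do m=0$m; done   # 777 is the same as 0777
    sp=${m%???}                               # special digit: 4=SUID 2=SGID 1=sticky
    rest=${m#?}
    u=${rest%??}; rest=${rest#?}
    g=${rest%?};  o=${rest#?}
    printf '%s%s%s%s\n' "${2:--}" \
        "$(triad "$u" $((sp & 4)) s S)" \
        "$(triad "$g" $((sp & 2)) s S)" \
        "$(triad "$o" $((sp & 1)) t T)"
}

# The three modes used in the capital-letter section above.
for mode in 4236 2767 1774; do
    printf '%s -> %s\n' "$mode" "$(mode_to_symbolic "$mode")"
done
```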

Where and how to get help

It may take a while to fully take in what file permissions are telling you about who has access to particular files and programs. If you're lost, see our list of file permissions, where each permission page provides a detailed breakdown of that permission. Check out permission 7777 for an example.

Websites:
If all else fails, Stack Overflow and Super User are always good sources of info, with well-respected Q&A.

Where to go from here

Now that you have an introductory understanding of file permissions, check out our complete list of file permissions whenever you need a reference.