Linux File Special Permissions - SGID
This is the second of three posts on Linux special file permissions. In addition to the basic file permissions there are three special permissions:
- Set User ID (SUID)
- Set Group ID (SGID)
- Sticky Bit
This post covers SGID.
Set Group ID (SGID)
Where setting SUID on a file causes a user to temporarily inherit the permissions of the file's owner, SGID allows a user to temporarily inherit the access permissions of the file's group. That is, while executing a file with the SGID bit set, the user temporarily becomes a member of the file's group and gains the access rights of that group's members.
To check whether the SGID bit is set on a file, look at the ls -l output.
In the group's execute position you will see an 's' instead of an 'x'. This means the file has the SGID bit set. In some cases you will see an 'S' (capital letter S) instead of 's' (small letter s). This means the SGID bit is set even though the group does not have execute permission.
Using the chmod command we can either add or remove the SGID bit on a file. SGID can be set in two ways:
- symbolic method - chmod g+s <filename> sets the SGID bit on a file
- numeric method - chmod 2xxx <filename> sets the SGID bit on a file, where 2 represents the SGID bit and xxx represents the access permissions of the owner, group and other users in numeric form.
The file used in the example below, /opt/my_file, is owned by user root and group root. The access permissions on it are as follows:
owner (root) - read and write
group (root) - read
others - none
If a user other than root who does not belong to the group 'root' tries to open /opt/my_file with the vim command, the result will be 'Permission denied'. Now let's see what happens when we add the SGID bit to the vim command. The vim command is located in /usr/bin/, and the ls -l output of /usr/bin/vim is
-rwxr-xr-x 1 root root 2257844 Oct 13 2014 /usr/bin/vim
#1) Now let's add the SGID bit to the /usr/bin/vim file. To do so, execute
chmod -v g+s /usr/bin/vim
or
chmod -v 2755 /usr/bin/vim
Sample Output:
mode of ‘/usr/bin/vim’ changed from 0755 (rwxr-xr-x) to 2755 (rwxr-sr-x)
Now let's see the impact after adding the SGID bit
vim /opt/my_file
Sample Output: the user calypso is now able to open the file in read-only mode in spite of having no access permission of their own. This is because user calypso, even though not a member of the group 'root', temporarily became a member of the group 'root' while executing the vim command, and members of group 'root' have permission to read the file /opt/my_file.
#2) Now that we have seen the effect of adding the SGID bit to a file, let's see what happens when the SGID bit is removed from a file. To remove the SGID bit added earlier on the /usr/bin/vim file, execute
chmod -v g-s /usr/bin/vim
or
chmod -v 0755 /usr/bin/vim
Sample Output:
mode of ‘/usr/bin/vim’ changed from 2755 (rwxr-sr-x) to 0755 (rwxr-xr-x)
Now let's see the impact after removing the SGID bit
vim /opt/my_file
Sample Output: the file is no longer readable and the vim command gives a 'Permission denied' error, because without the SGID bit set on the vim command, user calypso can no longer become a member of the group 'root'. And from the ls -l output of /opt/my_file we know that other users have no access rights on the file.
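The following script is an added example and is not part of the original post. It walks a throwaway file in a temp directory (assumed writable, on a filesystem that honours chmod) through both chmod methods described above instead of touching /usr/bin/vim, reads the SGID flag back from the ls -l output to show the 's' versus 'S' distinction, and finishes with a find command that lists SGID files under a directory, the check an administrator would run to spot unexpected SGID binaries such as the vim from this walkthrough. The function names and the demo_file path are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: exercise the SGID bit on a
# scratch file in a temp directory instead of /usr/bin/vim, and show how the
# bit appears in `ls -l` output.

# Return the character in the group-execute slot of `ls -l` (column 7):
#   s -> SGID set and group has execute
#   S -> SGID set but group lacks execute (the capital-S case from the post)
#   x or - -> SGID not set
sgid_flag() {
    ls -ld "$1" | cut -c7
}

# Walk one file through both chmod methods from the post and report the
# flag seen at each step, space-separated, in this order:
#   start (0755), after g+s, after 2755, after 2744, after g-s
sgid_demo() {
    f=$1
    chmod 0755 "$f"
    start=$(sgid_flag "$f")
    chmod g+s "$f"            # symbolic method
    sym=$(sgid_flag "$f")
    chmod 0755 "$f"           # leading 0 clears the special bits again
    chmod 2755 "$f"           # numeric method: 2 = SGID, 755 = rwxr-xr-x
    num=$(sgid_flag "$f")
    chmod 2744 "$f"           # SGID without group execute -> capital 'S'
    cap=$(sgid_flag "$f")
    chmod g-s "$f"            # remove SGID, as in step #2 of the post
    end=$(sgid_flag "$f")
    printf '%s %s %s %s %s\n' "$start" "$sym" "$num" "$cap" "$end"
}

# Audit helper: list every regular file under a directory with SGID set.
# -perm -2000 matches files that have at least the SGID bit; -xdev keeps
# the search on one filesystem.
find_sgid_files() {
    find "$1" -xdev -type f -perm -2000 2>/dev/null
}

# Stand-alone run: build the scratch file (constructed sample), show the
# walk-through, then run the audit before and after clearing the bit.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/demo_file"
: > "$demo_file"
echo "flags: $(sgid_demo "$demo_file")"            # expected: x s s S -
chmod 2755 "$demo_file"
echo "SGID files now: $(find_sgid_files "$demo_dir")"
chmod 0755 "$demo_file"
echo "SGID files after clearing: '$(find_sgid_files "$demo_dir")'"
rm -rf "$demo_dir"
```

Run it as any user; it only changes the mode of its own scratch file. Pointing find_sgid_files at / gives the list of SGID executables on the whole system, which is worth comparing against the distribution's defaults after a change like the one in step #1. Two caveats a practitioner should keep in mind: on a filesystem mounted with the nosuid option the kernel ignores SUID and SGID bits at execution time even though ls -l still shows them, and when a non-root user runs chmod on a file whose group they do not belong to, Linux silently drops the SGID bit, so the 's' may not appear at all.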