Special Permission In Linux

Sticky Bit

1. When the sticky bit is set on a directory, only the file owner, directory owner, and root user can delete or rename its files.

2. e.g. If a manager asks the trainees to submit the assignment in /root/assignment, then that directory should be given read write and execute permission to other users, but in this case, one trainee can see the content of the also delete the file of other trainees.

3. To avoid such scenarios sticky bit is applied to the directory where you can create the files, and check someone else's file but can't rename and delete it.

4. Note:
   The directory should be provided with full access along with a stickybit.

5. Only applicable to directories(Not a file).

    #Normal file with normal permission
    [root@ip-172-31-32-5 ec2-user]# ls -ld Collection
    drwxr-xr-x 2 root root 6 Jun 21 07:04 Collection
   
    #Assigning the Stickybit the directory should have 777 permission
    [root@ip-172-31-32-5 ec2-user]# chmod 777 Collection
    [root@ip-172-31-32-5 ec2-user]# ls -ld Collection
    drwxrwxrwx 2 root root 6 Jun 21 07:04 Collection
   
    #After applying the stickybit the "t" is visible at the end of the user permission
    [root@ip-172-31-32-5 ec2-user]# chmod +t Collection
    [root@ip-172-31-32-5 ec2-user]# ls -ld Collection
    drwxrwxrwt 2 root root 6 Jun 21 07:04 Collection
    [root@ip-172-31-32-5 ec2-user]#
   
    #How to remove the stickybit from the dir
    [root@ip-172-31-32-5 ec2-user]# chmod -t Collection
    [root@ip-172-31-32-5 ec2-user]# ls -l
    total 0
    drwxrwxrwx 2 root root 6 Jun 21 07:22 Collection
   

SUID

1. When the SUID bit on an executable file is set, it signifies that the file will be executed with the same permissions as the executable's owner.

2. E.g. The "passwd" command has the SUID bit enabled, which means that when a regular user uses this command to change their password, certain system files such as "/etc/passwd" and "/etc/shadow" are also updated. These files cannot be modified by non-root accounts, but because the "passwd" command runs with root user rights, it is able to update them.-rwsr-xr-x 1 root root 0 Mar 12 12:26 test.txt

3.  [root@ip-172-31-32-5 ec2-user]# ls -l /etc/passwd
    -rw-r--r-- 1 root root 1581 Jun  7 17:28 /etc/passwd
   
    [root@ip-172-31-32-5 ec2-user]# chmod u+s /etc/passwd
   
    [root@ip-172-31-32-5 ec2-user]# ls -l /etc/passwd
    -rwSr--r-- 1 root root 1581 Jun  7 17:28 /etc/passwd
   
    #How to remove the SUID from the file
    [root@ip-172-31-32-5 ec2-user]# ls -l /etc/passwd
    -rwSr--r-- 1 root root 1581 Jun  7 17:28 /etc/passwd
   
    [root@ip-172-31-32-5 ec2-user]# chmod u-s /etc/passwd
    [root@ip-172-31-32-5 ec2-user]# ls -l /etc/passwd
    -rw-r--r-- 1 root root 1581 Jun  7 17:28 /etc/passwd
   

SGID :

1. The process will have the same group rights as the file being executed, just like SUID.

2. If the SGID bit is set on any directory, all subdirectories and files produced within will be assigned the same group ownership as the parent directory, regardless of who created them.

3.  #Root is owner and group owner of the file 
    [root@ip-172-31-32-5 ec2-user]# ls -l
    total 0
    drwxr-xr-x 2 root root 36 Jun 21 07:12 Test
   
    #Creating the files under Test dir to apply SGID recurssively 
    [root@ip-172-31-32-5 Test]# touch F1 F2 F3
    [root@ip-172-31-32-5 Test]# ls -l
    total 0
    -rw-r--r-- 1 root root 0 Jun 21 07:12 F1
    -rw-r--r-- 1 root root 0 Jun 21 07:12 F2
    -rw-r--r-- 1 root root 0 Jun 21 07:12 F3
   
    #GroupOwner of the Test dir is changed to ansible
    [root@ip-172-31-32-5 ec2-user]# chown root:ansible Test
    [root@ip-172-31-32-5 ec2-user]# ls -ld Test
    drwxr-sr-x 2 root ansible 36 Jun 21 07:12 Test
   
    #SGID "s" is visible in group permission
    [root@ip-172-31-32-5 ec2-user]# chmod g+s Test
    [root@ip-172-31-32-5 ec2-user]# ls -ld Test
    drwxr-sr-x 2 ansible root 36 Jun 21 07:12 Test/
   
    #SGID "S" is visible in group permission for files under Test dir
    [root@ip-172-31-32-5 ec2-user]# cd Test/
    [root@ip-172-31-32-5 Test]# ls -l
    total 0
    -rw-r-Sr-- 1 root root 0 Jun 21 07:12 F1
    -rw-r-Sr-- 1 root root 0 Jun 21 07:12 F2
    -rw-r-Sr-- 1 root root 0 Jun 21 07:12 F3
   
    #How to remove the SGID from the dir
    [root@ip-172-31-32-5 ec2-user]# ls -l
    total 0
    drwxr-sr-x 2 root root 6 Jun 21 07:26 Test
   
    [root@ip-172-31-32-5 ec2-user]# chmod g-s Test
    [root@ip-172-31-32-5 ec2-user]# ls -l
    total 0
    drwxr-xr-x 2 root root 6 Jun 21 07:26 Test
    [root@ip-172-31-32-5 ec2-user]#