LiveFire Labs: Online UNIX Training with Hands-on Internet Lab

LiveFire Labs' UNIX Tip, Trick, or Shell Script of the Week

Special Purpose Access Modes (Permissions) - Part I - SUID (set user ID)

Even if you are new to the UNIX or Linux operating system environment, you most likely have already worked with file access modes (permissions) in some form.  Your experience may have been as simple as granting execute permission to a new shell script you authored.

In addition to the basic file access modes (read, write, and execute), there are also a few special purpose modes.  The special mode discussed in this week's tip is SUID, or set user ID.

If a file (command) is an executable and has the SUID bit set, the process running the command takes on the privileges and access rights of the file's owner for as long as it runs, not those of the user who created the process.  A frequently used UNIX command that exhibits this configuration is the passwd command:

-r-sr-sr-x     3 root     sys          73748 Nov 2 2001 /usr/bin/passwd

The "s" in the third position of the owner permission set indicates set user ID and execute permission.  Non-privileged users running passwd need this level of access (root) because the access-restricted /etc/shadow file has to be updated each time a login password is changed.  Notice the ownership and permissions for this file:

-r--------     1 root     sys          346 Aug 16 15:14 /etc/shadow

If passwd were run without root's access rights, a non-privileged user would be unable to update /etc/shadow.

Just like basic file access modes, the SUID bit is also set with the chmod command.  Consider the starting access mode of unixprogram:

-r-xr-xr-x     1 root     other          647 Sep 6 16:17 unixprogram

The following command will set the SUID bit for this file:

# chmod 4555 unixprogram
# ls -l unixprogram
-r-sr-xr-x     1 root     other          647 Sep 6 16:17 unixprogram

As you can see, the "x" in the owner permission set was changed to "s".  Review chmod's man page for more information regarding the setting of this special permission.

It is important to recognize that using this functionality may also introduce security vulnerabilities, especially if used with files owned by root.  This becomes even more of a concern if the files are shell scripts because of the relative ease with which they can be exploited.
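
As an added example (not part of the original tip or of LiveFire Labs' material), the shell functions below inventory SUID files under a directory and label the cases the paragraph above warns about: SUID shell scripts and files owned by root. The function names, the labels and the extra group/other-writable check are assumptions of this example.

```shell
#!/bin/sh
# Added example: inventory set-user-ID files under a directory and flag the
# risky cases the tip mentions. audit_suid and its labels are hypothetical names.
#
# Output, one line per SUID file:  LABEL<TAB>OWNER<TAB>PATH
#   SUID-SCRIPT    file starts with "#!" (interpreted script with SUID set)
#   SUID-WRITABLE  group or others may modify the file
#   SUID           any other SUID regular file
# Assumption: paths contain no newline characters.
audit_suid() {
    dir=${1:-.}
    # -perm -4000 matches files whose mode includes the SUID bit;
    # -xdev keeps the scan on one filesystem.
    find "$dir" -xdev -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        # First two bytes identify a script; tr drops NULs from binaries.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null | tr -d '\000')
        # Non-empty when group-write or other-write is set on this file.
        loose=$(find "$f" -prune \( -perm -0020 -o -perm -0002 \) -print)
        if [ "$magic" = '#!' ]; then
            label=SUID-SCRIPT
        elif [ -n "$loose" ]; then
            label=SUID-WRITABLE
        else
            label=SUID
        fi
        printf '%s\t%s\t%s\n' "$label" "$owner" "$f"
    done
}

# Report only files owned by root, the case the tip singles out.
audit_suid_root() {
    audit_suid "$1" | awk -F '\t' '$2 == "root"'
}
```

After sourcing the file, `audit_suid_root /usr/bin` lists the root-owned SUID files in that directory; comparing the output against a saved baseline shows when a new one appears.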

Read the NEXT article in this series - Special Purpose Access Modes (Permissions) - Part II - SGID (set group ID)