EXPLAINING SPECIAL LINUX PERMISSIONS ( SUID | SGID | STICKY BIT )
In this article we are going to discuss the special Linux permissions, i.e. SUID, SGID and Sticky Bit. Before we discuss them, let's have a look at the basic Linux permissions. In Linux there are three types of permission we can apply: Read, Write and Execute. Each file and directory comes with three sets of users: User (Owner), Group and Others. We can change permissions using the chmod command.
SUID (Super User ID)
SUID stands for Super User ID. We know that root is the super user in Linux and has all the rights to do administrative tasks, but have you noticed that a normal user can also do some administrative tasks, such as resetting their password? Resetting a password updates two files, /etc/passwd and /etc/shadow, which only the root user can write. Another example: a normal user can use the ping command to check network connectivity. Now let's understand what SUID is for. SUID is applied to a binary file or a script, and only the root user can apply it, using the chmod command. Applying SUID to a binary file or script means we allow that file to execute as its owner, whichever user is logged in and runs it. So if I run the ping command after logging in as a normal user, i.e. user1, it still runs as the root user. Let's take an example to understand the concept properly. SUID is identified alphabetically by the letter "s" and numerically by "4".
Log in as a normal user, i.e. user1, and try to use the ping command to check connectivity.

    [user1@localhost ~]$ whoami    # To check the currently logged-in user
    user1
    [user1@localhost ~]$ ping -c 3 localhost
    PING localhost (127.0.0.1) 56(84) bytes of data.
    64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.027 ms
    64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.042 ms
    64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.042 ms

    --- localhost ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2000ms
    rtt min/avg/max/mdev = 0.027/0.037/0.042/0.007 ms
As we can see in the sample output above, we are able to use the ping command as a normal user. The reason is that the SUID special permission is applied to the ping binary file. We can use the ls -l command to check the permission.
First check the path of the ping binary with the which command, and then check the permission of that file using ls -l.

    [root@localhost ~]# which ping    # Checking the path of the file
    /bin/ping
    [root@localhost ~]# ls -l /bin/ping    # Checking the permission of the file
    -rwsr-xr-x. 1 root root 40760 Sep 26 2013 /bin/ping
As per the sample output above, the owner of the ping binary is root, it belongs to the group root, and it has -rwsr-xr-x permission. Here "s" is nothing but SUID, applied in the owner's execute position. So whenever we run the ping command as a normal user, it still runs as the owner of the file, regardless of which normal user invoked it.
To apply the SUID special permission you can use the chmod command. There are two ways to apply SUID, alphabetically and numerically. Follow the sample output below.
Apply SUID alphabetically:

    [root@localhost ~]# chmod u+s /bin/ping    # Applying SUID permission to the ping binary alphabetically
    [root@localhost ~]# ls -l /bin/ping
    -rwsr-xr-x. 1 root root 40760 Sep 26 2013 /bin/ping
Apply SUID numerically:

    [root@localhost ~]# chmod 4755 /bin/ping    # Applying SUID permission numerically
    [root@localhost ~]# ls -l /bin/ping
    -rwsr-xr-x. 1 root root 40760 Sep 26 2013 /bin/ping
Let's check what happens if we remove the SUID permission from the ping binary file.

    [root@localhost ~]# chmod u-s /bin/ping    # Removing SUID permission
    [root@localhost ~]# ls -l /bin/ping
    -rwxr-xr-x. 1 root root 40760 Sep 26 2013 /bin/ping
To remove SUID numerically, add "0" at the beginning of whatever your file's permission is. For example, here my file has full access for the owner and read and execute permission for group and others, so the command would be as shown below.

    [root@localhost ~]# chmod 0755 /bin/ping    # Removing SUID numerically

0 – removes the SUID permission
755 – is the file's permission
As you can see above, the SUID permission has been removed. Now let's log in as a normal user and check by running the ping command.

    [user1@localhost ~]$ ping -c 3 localhost
    ping: icmp open socket: Operation not permitted
It doesn't work, as the binary no longer has the SUID permission.
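As an added example (not from the article), the following POSIX shell function converts the permission field that ls -l prints into the four-digit octal mode chmod takes, so the alphabetic and numeric forms shown above can be cross-checked; it goes beyond SUID to the SGID and sticky-bit letters covered in the rest of this article, and to the uppercase S/T that appear when a special bit is set without the execute bit. The function name mode_to_octal is this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Converts the permission field
# that ls -l prints (e.g. "-rwsr-xr-x.") into the four-digit octal mode that
# chmod accepts (4755). The first octal digit is the sum of the special bits:
# 4 = SUID (s in the owner's execute slot), 2 = SGID (s in the group's slot),
# 1 = sticky (t in the others' slot). Uppercase S/T means the special bit is
# set but the execute bit is not. The function name is this example's own.
mode_to_octal() {
    m=$1
    # Reject anything that is not a type character followed by three triples;
    # a trailing "." or "+" (SELinux label / ACL marker) is allowed and ignored.
    case $m in
        [-dlcbps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]*) ;;
        *) printf 'not a permission field: %s\n' "$m" >&2; return 1 ;;
    esac
    special=0
    digits=""
    pos=2                      # character position of the first triple
    for slot in user group other; do
        v=0
        for i in 0 1 2; do
            c=$(printf '%s' "$m" | cut -c$((pos + i)))
            case $c in
                r) v=$((v + 4)) ;;
                w) v=$((v + 2)) ;;
                x|s|t) v=$((v + 1)) ;;   # lowercase special letters imply execute
            esac
        done
        # The execute slot of each triple also carries that triple's special bit.
        c=$(printf '%s' "$m" | cut -c$((pos + 2)))
        case "$slot:$c" in
            user:s|user:S)   special=$((special + 4)) ;;
            group:s|group:S) special=$((special + 2)) ;;
            other:t|other:T) special=$((special + 1)) ;;
        esac
        digits="$digits$v"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# The modes shown on this page: alphabetic form on the left, octal on the right.
for f in -rwsr-xr-x. -rwxr-xr-x. drwxrwsr-x. drwxrwxrwt.; do
    printf '%-12s %s\n' "$f" "$(mode_to_octal "$f")"
done
```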
SGID (Super Group ID)
SGID stands for Super Group ID. This special Linux permission is the same as SUID with a little difference. When we apply SUID, the permission relates to a particular user and only that user's identity is affected; when we apply SGID, it affects a group, and a group means multiple users. Below I explain an example related to SGID so that you will find the concept easier to understand. SGID is identified alphabetically by the letter "s" and numerically by "2".
Let's say I have two users, member1 and member2, and a group named admins. The users member1 and member2 are members of the group admins.

    [root@localhost ~]# cat /etc/group | grep admins
    admins:x:502:member1,member2
Now let's create a directory named database in / and give it appropriate permissions. Here I am giving rwx to user, rwx to group and rx to others. Follow the sample output.

    [root@localhost ~]# mkdir /database    # Creating a directory
    [root@localhost ~]# chmod 775 /database/    # Giving permissions
    [root@localhost ~]# ls -l /
    total 110
    dr-xr-xr-x.   2 root root  4096 Apr  8 04:32 bin
    dr-xr-xr-x.   5 root root  1024 Apr  8  2017 boot
    drwxrwxr-x.   2 root root  4096 Apr  8 07:14 data
    drwxrwxr-x.   2 root root  4096 Apr  8 07:19 database
    drwxr-xr-x.  18 root root  3960 Apr  8 03:15 dev
    drwxr-xr-x. 101 root root 12288 Apr  8 07:18 etc
    drwxr-xr-x.   9 root root  4096 Apr  8 07:17 home
I am going to change the group ownership of the directory using the chgrp command, so that the directory is owned by root with group admins.

    [root@localhost ~]# chgrp admins /database/    # Changing group ownership
    [root@localhost ~]# ls -l /
    total 110
    dr-xr-xr-x.   2 root root   4096 Apr  8 04:32 bin
    dr-xr-xr-x.   5 root root   1024 Apr  8  2017 boot
    drwxrwxr-x.   2 root root   4096 Apr  8 07:14 data
    drwxrwxr-x.   2 root admins 4096 Apr  8 07:19 database
    drwxr-xr-x.  18 root root   3960 Apr  8 03:15 dev
    drwxr-xr-x. 101 root root  12288 Apr  8 07:18 etc
    drwxr-xr-x.   9 root root   4096 Apr  8 07:17 home
Now let's apply the SGID special Linux permission to the directory using the chmod command.

After applying the SGID permission you will notice the letter "s" in the group permission section of the directory.

    [root@localhost ~]# chmod g+s /database/    # Applying SGID permission
    [root@localhost ~]# ls -l /
    total 110
    dr-xr-xr-x.   2 root root   4096 Apr  8 04:32 bin
    dr-xr-xr-x.   5 root root   1024 Apr  8  2017 boot
    drwxrwxr-x.   2 root root   4096 Apr  8 07:14 data
    drwxrwsr-x.   2 root admins 4096 Apr  8 07:19 database
    drwxr-xr-x.  18 root root   3960 Apr  8 03:15 dev
    drwxr-xr-x. 101 root root  12288 Apr  8 07:18 etc
    drwxr-xr-x.   9 root root   4096 Apr  8 07:17 home
Now log in as any normal user, i.e. member1, and create a file in /database.

    [root@localhost ~]# su - member1
    [member1@localhost ~]$ whoami
    member1
    [member1@localhost ~]$ cd /database/
    [member1@localhost database]$ touch file1
    # As you can see below, the owner of the file is member1 and its group is admins
    [member1@localhost database]$ ls -l
    total 0
    -rw-rw-r--. 1 member1 admins 0 Apr  8 07:29 file1
Now let's log in as a different user, member2, and try to edit that file.

    [root@localhost ~]# su - member2
    [member2@localhost ~]$ whoami
    member2
    [member2@localhost ~]$ cd /database/
    [member2@localhost database]$ vi file1
    [member2@localhost database]$ cat file1
    Welcome to ElinuxBook
As you can see in the output above, logged in as user "member2" we are able to successfully edit the file that was created by user "member1", because "member2" is also a member of group "admins".
Likewise, you can create a file in the /database directory logged in as member2, and it is possible to edit that file logged in as member1.
So the main purpose of SGID is this: if a team is working on some data which needs to be edited or executed by all team members, you can use SGID.
To remove SGID follow the commands below:

    chmod g-s /database/    # Remove SGID alphabetically
    chmod 0775 /database    # Remove SGID numerically
Sticky Bit
The Sticky Bit special Linux permission is very simple to learn and understand compared to SUID and SGID. Suppose you stored some data in a directory, let's say /database, which is accessible to everyone. That means your data is at high risk, and anyone can delete it. To avoid such a situation you can use the Sticky Bit permission. The Sticky Bit is identified alphabetically by the letter "t" and numerically by "1".
What is the use of the Sticky Bit?
Let's take a scenario where we have a directory, /database, to which everyone has full access. Suppose user1 creates a file named user1.txt. As all users have full access to the directory, anyone can come and delete the file created by user1, and we have no control over it. To avoid such a situation we can apply the Sticky Bit special Linux permission to that directory, so that only user1 (the owner of user1.txt) is able to delete or edit that file, even though everyone has full access to the /database directory.
Such a situation is common in a large organisation where all users share one drive to store data; in that case we can apply the Sticky Bit.
Create a directory named /database and give full access to everyone.

    [root@localhost ~]# mkdir /database
    [root@localhost ~]# chmod 777 /database/
    [root@localhost ~]# ls -l /
    total 102
    dr-xr-xr-x.   2 root root  4096 Apr  8 04:32 bin
    dr-xr-xr-x.   5 root root  1024 Apr  8  2017 boot
    drwxrwxrwx.   2 root root  4096 Apr  8 05:19 database
    drwxr-xr-x.  18 root root  3960 Apr  8 03:15 dev
    drwxr-xr-x. 101 root root 12288 Apr  8 05:17 etc
    drwxr-xr-x.   6 root root  4096 Apr  8 05:17 home
    dr-xr-xr-x.  10 root root  4096 Apr  8  2017 lib
    dr-xr-xr-x.   9 root root 12288 Apr  8 04:31 lib64
Now apply the sticky bit permission to it. You can apply the sticky permission in two ways:

Alphabetical way:

    [root@localhost ~]# chmod +t /database/
    [root@localhost ~]# chmod o+t /database/

Numerical way:

    [root@localhost ~]# chmod 1777 /database/
After applying the Sticky Bit you will notice the letter "t" in the others permission section of /database.

    [root@localhost ~]# ls -l /
    total 102
    dr-xr-xr-x.   2 root root  4096 Apr  8 04:32 bin
    dr-xr-xr-x.   5 root root  1024 Apr  8  2017 boot
    drwxrwxrwt.   2 root root  4096 Apr  8 05:19 database
    drwxr-xr-x.  18 root root  3960 Apr  8 03:15 dev
    drwxr-xr-x. 101 root root 12288 Apr  8 05:17 etc
    drwxr-xr-x.   6 root root  4096 Apr  8 05:17 home
    dr-xr-xr-x.  10 root root  4096 Apr  8  2017 lib
    dr-xr-xr-x.   9 root root 12288 Apr  8 04:31 lib64
Now log in as user1, create a file in /database and check the permission.

    [root@localhost ~]# su - user1
    [user1@localhost ~]$ whoami
    user1
    [user1@localhost ~]$ cd /database/
    [user1@localhost database]$ touch user1.txt
    [user1@localhost database]$ ls -l
    total 0
    -rw-rw-r--. 1 user1 user1 0 Apr  8 05:22 user1.txt

As you can see above, the owner of user1.txt is user1.
Now log in as user2 and try to delete the file created by user1.

    [root@localhost ~]# su - user2
    [user2@localhost ~]$ whoami
    user2
    [user2@localhost ~]$ cd /database/
    [user2@localhost database]$ ls
    user1.txt
    [user2@localhost database]$ rm user1.txt
    rm: remove write-protected regular empty file `user1.txt'? y
    rm: cannot remove `user1.txt': Operation not permitted
So as you can see in the output above, user2 is unable to delete the file, as we have applied the Sticky Bit to the directory.

To remove the Sticky Bit:

    chmod o-t /database/    # Remove Sticky Bit alphabetically
    chmod 0777 /database    # Remove Sticky Bit numerically
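As an added example (not part of the article), a small POSIX shell audit that finds what these three bits make worth watching on a system: SUID/SGID files and world-writable directories that lack the sticky bit, plus a baseline comparison that reports files which gained a set-id bit since the last run. Function names, the demo tree and its paths are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Audits a directory tree for the
# special bits explained above: SUID/SGID files, which run as their owner or
# group no matter who invokes them, and world-writable directories without the
# sticky bit, where any user can delete any other user's files. Function names
# and the demo tree are this example's own.

# SUID or SGID regular files. "-perm -4000" matches when at least that bit is
# set. Linux honours these bits only on native binaries, not on interpreted
# scripts, but an unexpected bit on a script still deserves a look.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Directories that others may write to (-perm -0002) but that lack the sticky
# bit (! -perm -1000), i.e. the risky /database of the scenario above.
list_unprotected_shared_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# Compare the current set-id inventory with a baseline saved earlier with
# "list_setid_files ROOT > baseline". Prints files that gained a bit since then
# and returns 1, so a scheduled job can alert on the exit status.
setid_new_since() {
    new=$(list_setid_files "$2" | comm -13 "$1" -)
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}

# Constructed demo tree (no root needed: an owner may set the SUID bit on its
# own files): one SUID file, a plain file, a world-writable directory without
# the sticky bit and one with it.
make_demo_tree() {
    mkdir -p "$1/bin" "$1/shared" "$1/tmp"
    printf '#!/bin/sh\necho hi\n' > "$1/bin/helper"; chmod 4755 "$1/bin/helper"
    printf '#!/bin/sh\necho hi\n' > "$1/bin/tool";   chmod 0755 "$1/bin/tool"
    chmod 0777 "$1/shared"    # anyone can delete anyone's files here: flag it
    chmod 1777 "$1/tmp"       # sticky bit set, like /tmp: not reported
}

root=$(mktemp -d)
make_demo_tree "$root"
echo "set-id files:";            list_setid_files "$root"
echo "unprotected shared dirs:"; list_unprotected_shared_dirs "$root"
rm -rf "$root"
```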