Linux Special Permissions / Privilege Elevation

Aakash Shinghal
7 min read · Jun 19, 2021

In this article, I will explain the special file permissions SetUID, SetGID, and the Sticky Bit: what they are, why they are needed, and the security concerns around them.

Up to now, we have seen that the behaviour of a file is controlled by two mechanisms:

  1. File Permission with default read/write/execute permissions
  2. File Ownership with Owner/Group/Others users

The ownership of files and directories is normally based on the default uid (User ID) and gid (Group ID) of the user who created them.

Regarding file permissions, a default set of permissions (755 for files, 644 for directories) is assigned to a file or directory when it is created.

File ownership not only determines who can access a file but also how the file behaves when it is run.

This is because when a file is executed, it runs with the effective uid and gid of the user who started it.

To change file permissions, the chmod command is used.

With chmod, read (r), write (w) and execute (x) privileges can be set for the owner of the file, for the group, and for all other users.

In addition to these three default permissions (r/w/x), there are three special permissions that can be assigned in the Owner, Group or Others position and therefore can be applied to a file or a folder:

  • The first one is Set User ID (SID)
  • The second one is Set Group ID (SGID)
  • The third one is the Sticky Bit

They are often used to allow users on a computer system to run programs with temporarily elevated privileges in order to perform a specific task.

The user ID or group ID that a program assumes is not always more privileged than the caller's, but it is always a specific one.

The setuid, setgid and sticky bits are normally set with the chmod command by setting the high-order octal digit to 4 for setuid, 2 for setgid, or 1 for the sticky bit.

Set User ID (SID)

When a file is executed (if the execution bit is set), it runs with the effective uid and gid of the user who started it.

When the setuid flag is set, an executable file does not run with the privileges of the user who launched it, but with those of the file owner instead.

So, for instance, if an executable file has its setuid bit on and is owned by root, it will be executed with root privileges even when a normal user (with execute privileges) launches it.

The setuid flag is represented with an s character in the first octal group (owner permissions) of the file permission bits.

Typically, this is used on a file owned by root. The most common example is changing a password: doing so needs root access, and the SUID bit on the password-changing program is what allows an ordinary user to do it.

How to set SUID bit on a file

SUID can be applied with the chmod command by setting the high-order octal digit to 4 for setuid.

Symbol Notations:

chmod u+s filename

Note: Files that have the SetUID bit set are highlighted with a red background in the ls listing.

Numerical Notations:

chmod 4644 fileName

How to unset SUID bit on a file

To unset the setuid bit:

Symbol Notations

chmod u-s filename

Numerical Notations

chmod 0644 fileName

Set Group ID

The setgid bit is very similar in functionality to the setuid bit, except that it affects directories as well as files.

When set on a file, the file runs with the privileges of the group that owns it rather than those of the user who launched it.

When the setgid bit is set on a directory, files created inside that directory are owned by the group of the parent directory rather than by the group of the user who created the file.

The setgid flag is represented with an s character in the second octal (group permissions) of the file permission bits.

How to set SGID bit on a file/directory

It can be applied with the chmod command by setting the high-order octal digit to 2 for set group id.

Symbol Notations

chmod g+s filename

Numerical Notations

chmod 2444 fileName

How to unset SGID bit on a file/directory

To unset the setgid bit:

Symbol Notations

chmod g-s filename

Numerical Notations

chmod 0644 fileName

Note: Both the setuid and setgid bits are set using the s symbol. The setgid bit is displayed the same way as the setuid bit, except in the group section of the permissions.

Security Impact over SetUID and SetGID

While the setuid feature is very useful in many cases, its improper use can pose a security risk if the setuid attribute is assigned to executable programs that are not carefully designed.

These privilege bits can lead to serious security issues because they give attackers a path to privilege escalation.

If a file that has its SetUID or SetGID bit set is vulnerable to a buffer overflow, an attacker can run malicious code with root privileges by corrupting the program's memory.

Thus, only executables that are considered to be secure should be assigned the SetUID or SetGID privileges.

To minimize the security risks, some operating systems even ignore these bits on executable shell scripts.

Sticky Bits

The sticky bit is only used with directories and has no effect on files.

With the sticky bit set on a directory, the files in that directory can only be deleted or renamed by their owner or by root.

The sticky bit flag is represented with a t character in the third octal group (other users' permissions) of the file permission bits.

This is typically used on the /tmp directory, which works like a shared trash can for temporary files.

How to set Sticky bit on a directory

To set the sticky bit:

Symbol Notations

chmod +t directoryName

Numerical Notations:

chmod 1644 directoryName

How to unset Sticky bit on a directory

Symbol Notations

chmod -t directoryName

Numerical Notations

chmod 0644 directoryName

Comparison between all three Special Permissions

How to find Files with SUID/SGID bit set

  1. To find all the files with the SUID bit set, use the command below (the old -perm +4000 form is rejected by current GNU find; -perm -4000 matches files with the setuid bit set):

find / -perm -4000 -type f 2>/dev/null

  2. To find all the files with the SGID bit set, use the command below:

find / -perm -2000 -type f 2>/dev/null
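As an added example (not part of the article), the script below turns the two find commands above into a small audit: it lists every regular file under a given root that carries either bit, then reports the ones that are not on a baseline allowlist. It assumes GNU findutils (-perm /MODE and -printf) and a writable temp directory; the directory tree and the baseline file it builds are constructed for the demo and do not describe any real system.

```shell
#!/bin/sh
# Added example (not from the article): audit a tree for setuid/setgid files
# and report the ones missing from a baseline allowlist.
# Assumes GNU findutils (-perm /MODE, -printf) and a writable temp directory.

# list_privileged_files ROOT
#   prints "MODE OWNER:GROUP RELATIVE_PATH" for each regular file under ROOT
#   with setuid or setgid set. -perm /6000 matches either bit; -type f skips
#   setgid directories, which only control group inheritance of new files.
list_privileged_files() {
    find "$1" -xdev -type f -perm /6000 -printf '%m %u:%g %P\n' 2>/dev/null | sort -k3
}

# count_privileged_files ROOT -> number of such files
count_privileged_files() {
    list_privileged_files "$1" | wc -l | tr -d ' '
}

# unexpected_privileged_files ROOT BASELINE
#   prints the relative paths of privileged files that are not listed in
#   BASELINE (one path per line); prints nothing when the tree is clean.
#   Paths are assumed not to contain spaces (the third field is the path).
unexpected_privileged_files() {
    list_privileged_files "$1" | awk '{print $3}' | grep -vxF -f "$2" || true
}

# demo_audit -> builds a constructed tree, prints the listing and the
# unexpected entries; returns 0 when nothing unexpected is found, else 1
demo_audit() {
    work=$(mktemp -d) || return 1
    # constructed sample: two baseline setuid programs, one setgid program,
    # one setgid directory (must be ignored) and one setuid file that is
    # not on the baseline (must be reported)
    for p in usr/bin/passwd usr/bin/sudo usr/bin/wall home/user/.cache/helper; do
        mkdir -p "$work/$(dirname "$p")"
        : > "$work/$p"
    done
    chmod 4755 "$work/usr/bin/passwd" "$work/usr/bin/sudo" "$work/home/user/.cache/helper"
    chmod 2755 "$work/usr/bin/wall"
    mkdir -p "$work/home/user/shared" && chmod 2775 "$work/home/user/shared"
    printf 'usr/bin/passwd\nusr/bin/sudo\nusr/bin/wall\n' > "$work/baseline.txt"

    echo "privileged files under $work:"
    list_privileged_files "$work"
    bad=$(unexpected_privileged_files "$work" "$work/baseline.txt")
    echo "not on baseline: ${bad:-none}"
    rm -rf "$work"
    [ -z "$bad" ]
}

if demo_audit; then
    echo "tree is clean"
else
    echo "review the entries above"
fi
```

On a real host, run list_privileged_files against / once on a freshly installed system and save the paths as the baseline; re-running unexpected_privileged_files later then flags any setuid or setgid file that appeared afterwards, which is the practical check behind the advice that only trusted executables should carry these bits.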

Summary

  • In addition to r/w/x, Linux allows three special permissions: sid, sgid and the sticky bit.
  • When the sid bit is set, the file runs with the owner's privileges.
  • When the sgid bit is set on a file, it runs with the privileges of the group that owns the file.
  • When the sgid bit is set on a directory, a file created inside the directory is owned by the parent directory's group.
  • When the sticky bit is set on a directory, its files can be renamed or deleted only by their owner or by root.
  • The permissions on a file can be changed with the ‘chmod’ command.
  • Improper use of SetUID and SetGID poses a security risk. Hence they need to be used cautiously, and only executables that are considered to be secure should be assigned the SetUID or SetGID privileges.

I hope you enjoyed reading this article as much as I enjoyed writing it. If you like this article, please let me know! But, more importantly, if you disagree with this article please, please, please let me know! I made this with the hope of helping the community, so if it is off it defeats the purpose! If you have a suggestion or critique, please feel free to drop in any comments.
