AIX, Security, System Admin Difference between sticky bit and SUID/GUID
This is probably one of things that people mess up all the time. They both have to do with permissions on a file, but the SUID/GUID (or SETUID short for set-user-id/SETGID short for set-group-id) bit and the sticky-bit are 2 completely different things.
The SUID/GUID
The letters rwxXst select file mode bits for users:
- read (r)
- write (w)
- execute (or search for directories) (x)
- execute/search only if the file is a directory or already has execute permission for some user (X)
- set user or group ID on execution (s)
- restricted deletion flag or sticky bit (t)
The position that the x bit takes in rwxrwxrwx for the user octet (1st group of rwx) and the group octet (2nd group of rwx) can take an additional state where the x becomes an s. When this file when executed (if it's a program and not just a shell script), it will run with the permissions of the owner or the group of the file. That is called the SUID, when set for the user octet, and GUID, when set for the group octet.
So if the file is owned by root and the SUID bit is turned on, the program will run as root. Even if you execute it. The same thing applies to the GUID bit. You can set or clear the bits with symbolic modes like u+s and g-s, and you can set (but not clear) the bits with a numeric mode.
SUID/GUID examples
No SUID/GUID: Just the bits rwxr-xr-x are set:
# ls -lt test.pl -rwxr-xr-x 1 root root 179 Jan 9 01:01 test.pl
SUID and user's executable bit enabled (lowercase s): The bits rwsr-x-r-x are set.
# chmod u+s test.pl # ls -lt test.pl -rwsr-xr-x 1 root root 179 Jan 9 01:01 test.pl
SUID enabled and executable bit disabled (uppercase S): The bits rwSr-xr-x are set.
# chmod u-x test.pl # ls -lt test.pl -rwSr-xr-x 1 root root 179 Jan 9 01:01 test.pl
GUID and group's executable bit enabled (lowercase s): The bits rwxr-sr-x are set.
# chmod g+s test.pl # ls -lt test.pl -rwxr-sr-x 1 root root 179 Jan 9 01:01 test.pl
GUID enabled and executable bit disabled (uppercase S): The bits rwxr-Sr-x are set.
# chmod g-x test.pl # ls -lt test.pl -rwxr-Sr-x 1 root root 179 Jan 9 01:01 test.pl
The sticky bit
The sticky bit on the other hand is denoted as a t, such as with the /tmp or /var/tmp directories:
# ls -ald /tmp drwxrwxrwt 36 bin bin 8192 Nov 27 08:40 /tmp # ls -ald /var/tmp drwxrwxrwt 3 bin bin 256 Nov 27 08:28 /var/tmp
This bit should have always been called the "restricted deletion bit" given that's what it really denotes. When this mode bit is enabled, it makes a directory such that users can only delete files and directories within it that they are the owners of. For regular files the bit was used to save the program in swap device so that the program would load more quickly when run; this is called the sticky bit, but it's not used anymore in AIX.
More information can be found in the manual page of the chmod command or on http://en.wikipedia.org/wiki/Sticky_bit.
Subscribe to Article
Print Article
Email Article to Friend
Export to PDF
Export to MS Word