Setuid

Updated: 08/02/2020 by Computer Hope

Setuid, which stands for set user ID on execution, is a special type of file permission in Unix and Unix-like operating systems such as Linux and BSD (Berkeley Software Distribution). It is a security tool that permits users to run certain programs with escalated privileges.

When an executable file's setuid permission is set, users may execute that program with a level of access that matches the user who owns the file. For instance, when a user wants to change their password, they run the passwd command. The passwd program is owned by the root account and marked as setuid, so the user is temporarily granted root access for that limited purpose.

Viewing the setuid permission of a file

When viewing a file's permissions with the ls -l command, the setuid permission is displayed as an "s" in the "user execute" bit position. For example:

ls -l /usr/bin/passwd
-rwsr-xr-x 1 root 54192 Nov 20 17:03 /usr/bin/passwd

Setting the setuid permission of a file

To set the setuid permission for an executable file, use the permission identifier u+s with the chmod command:

chmod u+s myfile

Non-executable files can be marked as setuid, but the bit has no effect; marking them setuid does not make them executable. In this case, the permission bit shows up as an uppercase "S". For instance:

ls -l myfile
-rw-r--r-- 1 user 0 Mar 6 10:45 myfile
chmod u+s myfile
ls -l myfile
-rwSr--r-- 1 user 0 Mar 6 10:45 myfile

However, if you then set the file to be user-executable with the permission u+x, the setuid permission comes into effect. It's then represented in the listing with a lowercase "s":

chmod u+x myfile
ls -l myfile
-rwsr--r-- 1 user 0 Mar 6 10:45 myfile

Setgid

Setgid is the equivalent of setuid for groups. If the bit is set on an executable, the program runs with the permissions of the group that owns the file. In a file listing, the "s" (lowercase s) character is listed in the "group execute" position of the file permissions string. If the setgid bit is set, but the group does not have execute permissions, an uppercase "S" is displayed instead. This uppercase character indicates that the bit is set, but has no effect.

In the output of ls -l shown here, the lowercase "s" indicates that the setgid bit is set for the listed file. Any user who runs that file does so as if they were a member of the owning group.

chmod g+s myfile2
ls -l myfile2
-rw-r-sr-- 1 user mygroup 0 Mar 6 10:46 myfile2

If the setgid bit is set for a directory, any new files created are owned by the directory's owning group, instead of the user's group. Files moved or copied from another location will not have their group ID modified.
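The display rules above (lowercase "s" when the execute bit is present, uppercase "S" when it is not, "d" and the setgid bit for directories) can be reproduced from a file's raw mode bits. The following added example, not part of the Computer Hope page, renders st_mode the way ls -l does and walks a directory tree to list every setuid or setgid regular file, which is a common audit step when reviewing which programs a system lets users run with escalated privileges. The function names and the /usr/bin starting path are the example's own choices.

```python
import os
import stat
from typing import List, Tuple


def _exec_char(mode: int, exec_bit: int, special_bit: int, lower: str, upper: str) -> str:
    """Character for an execute position: lowercase = exec + special bit set,
    uppercase = special bit set without exec (bit has no effect), x or - otherwise."""
    if mode & special_bit:
        return lower if mode & exec_bit else upper
    return "x" if mode & exec_bit else "-"


def mode_string(mode: int) -> str:
    """Render a st_mode value like the first column of ls -l (e.g. -rwsr-xr-x)."""
    kind = "d" if stat.S_ISDIR(mode) else "l" if stat.S_ISLNK(mode) else "-"
    owner = ("r" if mode & stat.S_IRUSR else "-") + ("w" if mode & stat.S_IWUSR else "-") \
        + _exec_char(mode, stat.S_IXUSR, stat.S_ISUID, "s", "S")
    group = ("r" if mode & stat.S_IRGRP else "-") + ("w" if mode & stat.S_IWGRP else "-") \
        + _exec_char(mode, stat.S_IXGRP, stat.S_ISGID, "s", "S")
    # The "other" execute position carries the sticky bit (t/T) instead.
    other = ("r" if mode & stat.S_IROTH else "-") + ("w" if mode & stat.S_IWOTH else "-") \
        + _exec_char(mode, stat.S_IXOTH, stat.S_ISVTX, "t", "T")
    return kind + owner + group + other


def find_special(root: str) -> List[Tuple[str, str]]:
    """Return (mode string, path) for every regular file under root with setuid or setgid set.
    Symlinks are not followed, so a link pointing at a privileged binary is not reported twice."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((mode_string(st.st_mode), path))
    return hits


if __name__ == "__main__":
    # On a typical Linux system this prints entries such as "-rwsr-xr-x /usr/bin/passwd".
    for mode, path in find_special("/usr/bin"):
        print(mode, path)
```

Comparing the output of find_special against a known-good baseline is a simple way to notice when a new setuid or setgid binary appears on a host.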
