Setuid

Updated: 08/02/2019 by Computer Hope

Setuid, which stands for set user ID on execution, is a special type of file permission in Unix and Unix-like operating systems such as Linux and BSD. It is a security tool that permits users to run certain programs with escalated privileges.

When an executable file's setuid permission is set, users may execute that program with a level of access that matches the user who owns the file. For instance, when a user wants to change their password, they run the passwd command. The passwd program is owned by the root account and marked as setuid, so the user is temporarily granted root access for that very limited purpose.

Viewing the setuid permission of a file

When viewing a file's permissions with the ls -l command, the setuid permission is displayed as an "s" in the "user execute" bit position. For example:

ls -l /usr/bin/passwd
-rwsr-xr-x 1 root 54192 Nov 20 17:03 /usr/bin/passwd

Setting the setuid permission of a file

To set the setuid permission for an executable file, use the permission identifier u+s with the chmod command:

chmod u+s myfile

Non-executable files can be marked as setuid, but the bit has no effect; marking them setuid does not automatically make them executable. In this case, the permission bit shows up as an uppercase "S". For instance:

ls -l myfile
-rw-r--r-- 1 user 0 Mar 6 10:45 myfile
chmod u+s myfile
ls -l myfile
-rwSr--r-- 1 user 0 Mar 6 10:45 myfile

However, if you then set the file to be user-executable with the permission u+x, the setuid permission comes into effect. It will then be represented in the listing with a lowercase "s":

chmod u+x myfile
ls -l myfile
-rwsr--r-- 1 user 0 Mar 6 10:45 myfile

Setgid

Setgid is the equivalent of setuid for groups. If the bit is set on an executable, a user who runs it is granted the privileges of the group that owns the file. In a file listing, the "s" (lowercase s) character is listed in the "group execute" position of the file permissions string. If the setgid bit is set, but the group does not have execute permissions for the file or directory, an uppercase "S" is used instead, to indicate that the bit is set but has no effect.

For instance, in the output of ls -l below, the lowercase "s" indicates that the setgid permission bit is set for that file. Any user who executes that file will do so as if they are a member of the owning group.

chmod g+s myfile2
ls -l myfile2
-rw-r-sr-- 1 user mygroup 0 Mar 6 10:46 myfile2

If the setgid bit is set for a directory, any new files created in that directory will receive the group ID of the owning group of the directory (instead of the group ID of the user). Files moved or copied from another location will not have their group ID modified.
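The following POSIX shell script is an added example, not part of the original page: it decodes the "s"/"S" markers described above from an ls -l mode string, reports whether a file's setuid or setgid bit is effective or ineffective, and wraps the standard find audit for locating setuid/setgid files. Function names (mode_to_states, file_states, list_special_files) are the example's own.

```sh
#!/bin/sh
# Classify setuid/setgid state from a 10-character ls -l mode string,
# e.g. "-rwsr-xr-x". Position 4 is the user-execute slot, position 7 the
# group-execute slot: lowercase "s" means the bit is set and effective,
# uppercase "S" means set but without the matching execute permission.
mode_to_states() {
    mode="$1"
    u=$(printf '%s' "$mode" | cut -c4)
    g=$(printf '%s' "$mode" | cut -c7)
    out=""
    case "$u" in
        s) out="setuid" ;;
        S) out="setuid-ineffective" ;;
    esac
    case "$g" in
        s) out="${out:+$out }setgid" ;;
        S) out="${out:+$out }setgid-ineffective" ;;
    esac
    printf '%s\n' "${out:-none}"
}

# Same classification for a path on disk. ls -ld is used (rather than
# stat) because its mode string is identical on GNU and BSD systems;
# cut -c1-10 drops any trailing ACL/xattr marker ("+" or "@").
file_states() {
    mode_to_states "$(ls -ld "$1" | cut -c1-10)"
}

# Defender's audit: list regular files under a directory that carry the
# setuid (04000) or setgid (02000) bit. -xdev keeps find on one filesystem.
list_special_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} +
}

# Demo: classify the page's example binary if it exists on this system.
if [ -e /usr/bin/passwd ]; then
    printf '/usr/bin/passwd: %s\n' "$(file_states /usr/bin/passwd)"
fi
```

Run list_special_files / (or a narrower directory) as root to review every privileged binary on a host; any entry you cannot account for deserves a closer look.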
