    Understanding Special Permission SGID in Linux

    In my earlier posts I explained the other special permissions used in Linux, i.e. SUID and the sticky bit.

    So let me help you understand SGID and its usage with some practical examples.

    SGID:

    SGID is an abbreviation for Set Group ID. It is a permission assigned to a file or directory that gives normal group members the additional authority to run that file with the privileges of the group owner.

    This is very similar to what I explained for SUID, with one difference: this time you are assigning the permission to a complete group and its members instead of to one particular user.

    For example, you have an executable file and you want all the members of the sysadmin group to be able to execute it, but that file can only be run as root, so you assign SGID on that file and now all the members of the sysadmin team will be able to run the file with the permission of root.



    Assigning SGID permission:

    There are two ways to assign SGID:
    1. Octal (2)
    2. Symbolic (g+s)

    Octal (2):
    # chmod 2755 /myscript.sh

    # ls -l /myscript.sh
    -rwxr-sr-x. 1 root root      0 Oct 16 11:33 /myscript.sh

    Symbolic (g+s):
    # chmod g+s /myscript.sh

    # ls -l /myscript.sh
    -rwxr-sr-x. 1 root root      0 Oct 16 11:33 /myscript.sh

    Removing SGID permission

    Octal (0):
    # chmod 0755 /myscript.sh

    # ls -l /myscript.sh
    -rwxr-xr-x. 1 root root      0 Oct 16 11:33 /myscript.sh

    Symbolic (g-s):
    # chmod g-s /myscript.sh

    # ls -l /myscript.sh
    -rwxr-xr-x. 1 root root      0 Oct 16 11:33 /myscript.sh

    Understanding the difference between capital (S) and small (s) in SGID

    When you assign the SGID permission you might sometimes see a capital (S) instead of a small (s) in the group permission section. This does not make much difference; instead it gives you additional information about whether the file has group executable permission. A capital S means there is no group executable permission, and a small s means the file has group executable permission.

    For example:
    Before applying SGID without executable permission for the group
    # chmod 766 /myscript.sh
    # ls -l /myscript.sh
    -rwxrw-rw-. 1 root root 0 Oct 16 11:35 /myscript.sh

    After applying SGID without executable permission for the group
    # chmod 2766 /myscript.sh
    # ls -l /myscript.sh
    -rwxrwSrw-. 1 root root 0 Oct 16 11:35 /myscript.sh

    Before applying SGID with executable permission for the group
    # chmod 776 /myscript.sh
    # ls -l /myscript.sh
    -rwxrwxrw-. 1 root root 0 Oct 16 11:36 /myscript.sh

    After applying SGID with executable permission for the group
    # chmod 2776 /myscript.sh
    # ls -l /myscript.sh
    -rwxrwsrw-. 1 root root 0 Oct 16 11:36 /myscript.sh

    So I hope you have got my point and understood the difference between capital (S) and small (s).

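    Finding all the executable files with SGID
    # find / -perm -2000
    where 2000 is the ID we use for assigning the permission in the octal method, and the leading - matches every file that has that bit set. Older versions of find also accepted +2000; current GNU find rejects that form.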
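
    The audit below is an added example, not code from the original post. It lists the SGID files under a directory, reports whether each one would show as s or S in ls -l, and marks "#!" scripts, for which Linux ignores the SGID bit on execution. It assumes GNU stat; the function names sgid_flag and audit_sgid are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit SGID files under a tree.
# Assumes GNU stat (-c); sgid_flag and audit_sgid are hypothetical names.

# sgid_flag OCTAL_MODE -> the SGID marker `ls -l` shows in the group column:
#   s = SGID with group execute, S = SGID without it, - = SGID not set
sgid_flag() {
    m=$((0$1))                          # leading 0 makes the shell read octal
    if [ $((m & 02000)) -eq 0 ]; then echo "-"
    elif [ $((m & 00010)) -ne 0 ]; then echo "s"
    else echo "S"
    fi
}

# audit_sgid DIR -> one line per SGID regular file: flag mode group path note
audit_sgid() {
    find "$1" -xdev -type f -perm -2000 -exec stat -c '%a %G %n' {} + |
    while read -r mode group path; do
        flag=$(sgid_flag "$mode")
        note=""
        # Linux applies SGID on exec only when group execute is also set.
        [ "$flag" = "S" ] && note="no group execute"
        # Linux ignores the SGID bit when running "#!" interpreter scripts.
        if [ "$(head -c 2 "$path" 2>/dev/null)" = "#!" ]; then
            note="${note:+$note; }script, bit ignored on exec"
        fi
        printf '%s %s %s %s %s\n' "$flag" "$mode" "$group" "$path" "$note"
    done
}

# Run as: sh sgid_audit.sh /usr/bin
if [ $# -gt 0 ]; then audit_sgid "$1"; fi
```

    Comparing the output of successive runs shows when a new SGID file has appeared or an existing one has changed group.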


    Deepak Prasad is a techie and an author who is still trying to survive in this IT generation with very little knowledge he has on Linux/Unix, VMware, SAN Storage, Automation, networking etc.

    Reviewed by Deepak Prasad on Thursday, March 07, 2013