Revision as of 16:55, 7 May 2021 by Mbaney (talk | contribs)
Jump to navigation Jump to search

The setgid bit works in two ways, one for files and one for directories.

SetGID Files

The setgid bit for files will force when a file is executed to set its group ID to the GID that of the binary instead of the user that is running it. This mode has no effect for files that are not executable. To a lesser extent than SetUID this can lead to security issues when the group in question has some files that would be allowed to be read or written when otherwise not permitted. There are very limited uses for this feature these days and its use is discouraged.

SetGID Directories

SetGID directories have a much more benign behavior. When this bit is set on a directory all filesystem creations underneath that directory will inherit the group from the directory. UMIACS policy is to keep users' default UID and GID. So for users who wish to have certain directory trees have consistent groups the use of SetGID directories is useful. The SetGID directory bit will force all files created under that directory to have the same GID. Any directories created will also be given the same GID and the SetGID bit so that the same policy is applied at the next level of directory down.

Before you we give an example of how to use the sticky bit please see the documentation about umask. SetGID will only work on the GID and the setting a sticky bit and will not change any other permissions. By default the umask is 022 and is a bit too restrictive for the use of SetGID effectively. (002 or 007 will be the appropriate setting depending if you want Others to be able to read/execute or not)

First an example of what our default group is and what other groups we belong to:

[username@novelty ~/staff]$ id
uid=9001(username) gid=29001(username) groups=15114(umadmin),15116(vnodedisplay),29001(username)

Now we have created a directory called staff that we want to share with the umadmin group (which is not my default group)

[username@novelty ~/staff]$ ls -la .
drwxr-xr-x  2 username username   96 Jun 16 11:34 .

I am going to set the new group to umadmin and set rwxrwxr-x permissions. Then finally i will add the SetGID bit.

[username@novelty ~/staff]$ chgrp umadmin .
[username@novelty ~/staff]$ chmod 775 .
[username@novelty ~/staff]$ chmod g+s .

Now you can see we have a directory that is correctly set up,

[username@novelty ~/staff]$ ls -la .
drwxrwsr-x  2 username umadmin   96 Jun 16 11:34 .

We are going to use umask of 002 since we want to allow others to read the files.

We are going to now create a test file and test directory,

[username@novelty ~/staff]$ touch test
[username@novelty ~/staff]$ mkdir testdir

Now as you can see we have the correct groups and permissions being used to create both files directories,

[username@novelty ~/staff]$ ls -la
drwxrwsr-x  3 username umadmin   96 Jun 16 12:58 .
-rw-rw-r--  1 username umadmin    0 Jun 16 12:58 test
drwxrwsr-x  2 username umadmin   96 Jun 16 12:58 testdir