This is a bit of an advanced topic, you're unlikey to need the information below too often.
Special permissions have different effects on regular files, executables and directories. Their effect also varies from Unix to Unix and even from filesystem to filesystem.
Set User ID - SUID
- Regular files - no effect
- Executables - run program with effective user ID (EUID) set to the owner
- Directories - no effect
Some interpreters (such as bash and perl) will automatically drop the extra privileges provided by the SUID and SGID bits as a security measure. Normally a executable with a EUID of the owner will be able to access file as though it was the owner.
Set Group ID - SGID
- Regular files - enables mandatory locking. Maybe
- Executables - run program with effective group ID (EGID) set to the group
- Directories - all files created in this directory will have the same group as this directory. All directories created will also have the SGID bit set.
Note that the effect of the SGID bit on directories some Unix systems (e.g BSD) occurs by default - without any setting of SGID. Also this behavior may not happen at all, even with the SGID bit set (it does work on Matrix).
- Regular files - Disable caching
- Executables - Kept program text in memory (forced caching) on older Unixes
- Directories - Users may only remove or rename entries that they own, unless they own the directory
The effect on regular files is used for swap devices for thin clients over NFS. The effect on executables is generally nothing but Your Mileage May Vary. The effect on directories is seen on /tmp.
Viewing Special Permissions
To view special permissions just use ls -l
$ ls -l drwxr-s--- 1 bbrazil council 512 Jun 15 21:36 propagate_council drwxrwxrwt 1 root root 512 May 15 10:45 tmp -rwsr-xr-x 1 bbrazil bbrazil 253 Dec 27 16:27 run_me_suid -rwsr-sr-x 1 bbrazil bbrazil 253 Dec 27 16:27 run_me_suid_and_sgid -rw-r-Sr-- 1 bbrazil bbrazil 1264 Dec 27 16:27 mandatory_locking -rw------T 1 bbrazil bbrazil 1264 Dec 27 16:27 no_cache
The execute bits for user, group and other correspond to SUID, SGID and Sticky respectively. A 's' or 't'(for sticky) indicates the appropriate bit is set, and also executable. 'S' or 'T' indicates the appropriate bit is set, but executable is not set.
For example(modes are in brackets):
- propagate_council (2750 - SGID) any new files created in this directory will have group 'council'
- tmp (1777 - Sticky) is accessible by everyone, but only the owner of an entry can remove it
- run_me_suid (4755 - SUID) is an executable which anyone can run, but it will run as though it was run by UID 'bbrazil'
- run_me_suid_and_sgid (6755 - SUID and SGID) is as above but also runs with group 'bbrazil'
- mandatory_locking (2644 - SGID) is a regular file
- no_cache (1600 - Sticky) is a file only I can look at or change, and for which caching is disabled
As you might have guessed from above the numeric values are: 1 - Sticky, 2 - SGID and 4 - SUID. These are put in front of the standard permissions. If zero the number is optional (0755 is the same as 755).
Setting Special Permissions
As with basic permissions chmod is used.
chmod 4755 file #Make file SUID and world-executable chmod u+s file #Add SUID chmod ug+s file #Add SUID and SGID chmod o+s file #Add Sticky bit (using 's') chmod o-t file #Remove Sticky bit (using 't') chmod 0644 file #No special permissions. Just standard rw-r--r-- chmod 644 file #Same as above
The use of 'a' to select user, group and other is not encouraged as results may vary.