The SUID bit allows a program to run with more permissions than the person who started the program would ordinarily be entitled to.
Many system programs have the SUID bit set because they need to modify various system files.
These system files still need to be protected from individual users. One classic example of the use of the SUID bit is the passwd program. This program changes a user's login password. To do this, it must write the new password into the system password database. For obvious reasons, the system password database must be write-protected against all users. Therefore, if you run passwd with only your own permissions, it cannot do its job.
However, the file /bin/passwd is owned by root and has the SUID bit set. When passwd is run, the resulting process has an effective user ID equal to root, and can therefore write to the password database.
The SGID bit works like the SUID bit, but for group ownership. The SUID and SGID bits are printed by ls -l by putting an s in the execute slot for user and group respectively, so that you will see a string like rwsr-sr--.
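As an added illustration (not part of the original text), the following Python script renders a file mode the way ls -l does and parses such a string back into mode bits, so you can see exactly where the SUID and SGID bits land in the rwsr-sr-- notation. It also shows how ls distinguishes a special bit with the execute bit set (lowercase s) from one without it (uppercase S), and reports the caller's real and effective user IDs. The file it inspects is a throwaway temporary file that the script creates and deletes itself; it does not touch /bin/passwd or any other system binary.

```python
"""Added example: render and parse ls -l style permission strings, and
inspect SUID/SGID bits on a constructed temporary file (not a system binary)."""
import os
import stat
import tempfile

# The nine permission bits in ls -l order: (read, write, execute, special bit,
# letter ls prints for the special bit) for user, group and other.
_TRIPLETS = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
)


def mode_to_string(mode: int) -> str:
    """Render the permission part of an ls -l line, e.g. 'rwsr-sr--'.

    A special bit (SUID/SGID/sticky) replaces the execute slot with 's'/'t'
    when the execute bit is also set, and with 'S'/'T' when it is not,
    exactly as ls does.
    """
    out = []
    for r, w, x, special, letter in _TRIPLETS:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            out.append(letter if mode & x else letter.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)


def parse_mode_string(text: str) -> int:
    """Inverse of mode_to_string: 'rwsr-sr--' -> 0o6754."""
    if len(text) != 9:
        raise ValueError("expected nine permission characters")
    chunks = (text[0:3], text[3:6], text[6:9])
    mode = 0
    for (r, w, x, special, letter), chunk in zip(_TRIPLETS, chunks):
        if chunk[0] == "r":
            mode |= r
        if chunk[1] == "w":
            mode |= w
        c = chunk[2]
        if c in ("x", letter):          # lowercase letter means execute is set too
            mode |= x
        if c in (letter, letter.upper()):
            mode |= special
    return mode


def special_bits(path: str) -> dict:
    """Report a file's permission string, its SUID/SGID flags and its owner.

    The owner uid/gid is what the effective id of a process running this
    file would become if the corresponding bit is set.
    """
    st = os.stat(path)
    return {
        "perms": mode_to_string(st.st_mode),
        "suid": bool(st.st_mode & stat.S_ISUID),
        "sgid": bool(st.st_mode & stat.S_ISGID),
        "owner_uid": st.st_uid,
        "owner_gid": st.st_gid,
    }


def demo() -> dict:
    """Create a constructed throwaway file, set SUID and SGID with chmod,
    inspect it, and add the caller's real and effective uid for comparison."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o6754)  # rwsr-sr--, the string quoted in the text
        info = special_bits(path)
    finally:
        os.unlink(path)
    info["real_uid"] = os.getuid()
    info["effective_uid"] = os.geteuid()
    return info


if __name__ == "__main__":
    print(mode_to_string(0o6754))             # rwsr-sr--
    print(oct(parse_mode_string("rwsr-sr--")))  # 0o6754
    print(demo())
```

Run it directly to see the rendered string, the parsed octal mode and the stat report for the temporary file; for a normal interactive shell the real and effective uid printed by demo() are the same, which is the common case the text goes on to describe.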
The SUID and SGID bits are set with chmod, just like other permission bits:
Now that you’ve learned about SUID and SGID, let’s return for a moment to real and effective IDs. Most of the time, the real and effective IDs for a process are the same. In two important cases, however, they are different: