Setgid

from Wikipedia, the free encyclopedia

Setgid (set group ID, sometimes SGID) is an extended Unix file permission bit for files and directories of the Unix operating system. Executable programs with this bit set run with the rights of the group to which the program belongs, in addition to the rights of the user who executes them.

On some systems, the Setgid bit on a directory means that newly created files or subdirectories belong to the group of the directory (instead of the primary group of the user who created them).

Set the SGID bit

With classic Unix commands such as chmod, the bit is set with a call like

chmod g+s object

where object stands for one or more files or directories.

Modern file managers also offer a checkbox for activating or deactivating the bit graphically.

Notation / display of the bit

In the extended octal notation, which uses four octal digits, adding the value 2 to the first digit represents the Setgid bit. A file with the rights 0755 (in octal notation) has the rights 2755 after the Setgid bit has been set. This representation is independent of whether the file is executable for the group.

The symbolic rights notation, on the other hand, does distinguish: at the position that represents group executability, an x becomes an s and a - becomes an S when the Setgid bit is set. Thus rwxr-xr-x becomes rwxr-sr-x after the Setgid bit is set, but rw-r--r-- becomes rw-r-Sr--.

Effect of the set bit on directories

Since directories cannot be executed in the traditional sense, the SGID bit has a special meaning here: if it is set on a directory, the directory's group is inherited by the files and subdirectories created inside it.

In this configuration the SGID bit does not pose a security risk, as long as it is not applied to files.

Example

Initially without SGID bit:

# ls -l /data/fileshare
drwxrwx--- admin   abteilung1  1994-05-23 daten_abteilung1
drwxrwx--- admin   abteilung2  1994-05-23 daten_abteilung2
drwxrwx--- admin   abteilung3  1994-05-23 daten_abteilung3

(Note on the meaning of the columns from left to right: rights, owner, group, date, name.)
If new files are created here, the primary group of the user who is currently logged in is set as the group of each new file.

# ls -l /data/fileshare/daten_abteilung1
-rw-rw---- mueller   abteilung1  1994-05-23 datei1.txt
-rw-rw---- wieser    abteilung1  1994-05-23 datei2.txt
-rw-rw---- maier     abteilung1  1994-05-23 datei3.png

If Mr. Maier is also a member of abteilung2, files that he creates in that department's directory can no longer be read by his colleagues from abteilung2, because the group of those files remains his primary group abteilung1.

# ls -l /data/fileshare/daten_abteilung2
-rw-rw---- maier     abteilung1  1994-05-23 maiers_datei.txt
-rw-rw---- berger    abteilung2  1994-05-23 datei2.txt
-rw-rw---- berger    abteilung2  1994-05-23 datei3.txt

However, if the SGID bit is set on the department directories, their group is inherited. This makes it possible to manage different departments without having to rely on complex ACLs or granting permissions to everyone.

# find /data/fileshare/* -type d -exec chmod g+s {} \;

(This command finds all directories below the share and sets the SGID bit on each of them.)

If Mr. Maier now creates a file in the directory of abteilung2, the other members of abteilung2 can also edit it:

#maier$ touch /data/fileshare/daten_abteilung2/maiers_datei.txt
# ls -l /data/fileshare
drwxrws--- admin   abteilung1  1994-05-23 daten_abteilung1
drwxrws--- admin   abteilung2  1994-05-23 daten_abteilung2
drwxrws--- admin   abteilung3  1994-05-23 daten_abteilung3
# ls -l /data/fileshare/daten_abteilung2 
-rw-rw---- maier     abteilung2  1994-05-23 maiers_datei.txt
-rw-rw---- berger    abteilung2  1994-05-23 datei2.txt
-rw-rw---- berger    abteilung2  1994-05-23 datei3.txt

Security aspect

Although very useful in many situations, the Setgid bit (like the Setuid bit) can pose a high security risk if it is set on programs that are written insecurely, because such a program then runs with the privileges of its group for every user who executes it.
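The notation section and the security aspect both come down to reading the same bit in a file's mode. The following Python is an added example, not code from the article: it renders a numeric mode the way ls -l displays it (including the s versus S distinction) and walks a directory tree, separating group-inheriting setgid directories from setgid executables that an administrator should review. The function names and the bucket labels are my own.

```python
import os
import stat
from typing import Dict, List, Optional

# Permission bits in ls -l column order (user, group, other).
_PERM_BITS = ((stat.S_IRUSR, "r"), (stat.S_IWUSR, "w"), (stat.S_IXUSR, "x"),
              (stat.S_IRGRP, "r"), (stat.S_IWGRP, "w"), (stat.S_IXGRP, "x"),
              (stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x"))

# Special bit, the execute column it overlays, and its lower/upper-case glyph.
_SPECIAL_BITS = ((stat.S_ISUID, 2, "s", "S"), (stat.S_ISGID, 5, "s", "S"),
                 (stat.S_ISVTX, 8, "t", "T"))


def symbolic_mode(mode: int, is_dir: bool = False) -> str:
    """Render a mode the way ls -l does, e.g. 0o2755 -> '-rwxr-sr-x'.
    Setgid prints 's' when group execute is set and 'S' when it is not."""
    cols = [glyph if mode & bit else "-" for bit, glyph in _PERM_BITS]
    for bit, col, lower, upper in _SPECIAL_BITS:
        if mode & bit:
            cols[col] = lower if cols[col] == "x" else upper
    return ("d" if is_dir else "-") + "".join(cols)


def classify_setgid(mode: int) -> Optional[str]:
    """Bucket a full st_mode by what its setgid bit does: 'inherit-group' on
    a directory, 'privileged-exec' on an executable file (runs with the file's
    group, the risky case), 'ineffective' on a non-executable file."""
    if not mode & stat.S_ISGID:
        return None
    if stat.S_ISDIR(mode):
        return "inherit-group"
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return "privileged-exec"
    return "ineffective"


def audit_setgid(root: str) -> Dict[str, List[str]]:
    """Walk root (lstat, symlinks not followed) and list setgid entries by
    bucket; 'privileged-exec' is the list an administrator should review."""
    findings: Dict[str, List[str]] = {"inherit-group": [], "privileged-exec": [], "ineffective": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable entry: skip rather than abort
            bucket = classify_setgid(mode)
            if bucket is not None:
                findings[bucket].append(path)
    return findings
```

Running audit_setgid on a share such as /data/fileshare from the example above is expected to report only the department directories under inherit-group; anything under privileged-exec is a program that runs with its group's rights and deserves a look.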

See also