kazmax - Home Server on Linux

SGID (Set Group ID) - Special access rights

SGID (Set Group ID) is one of the special access rights. This page describes what it does, how to set it, and how to check it.

Last Update : October 08, 2020

  1. What is SGID (Set Group ID)?
  2. Set the SGID (Set Group ID)
  3. How to check the SGID (Set Group ID)
  4. Use case

1. What is SGID (Set Group ID)?

SGID (Set Group ID) is a special access right that is set on executable files. Unlike SUID, it applies to directories as well as files.

If SGID (Set Group ID) is set on an executable file, the file runs with the privileges of the group that owns the file.

If SGID (Set Group ID) is set on a directory, files and directories created under that directory get the same owning group as the directory on which the SGID (Set Group ID) was set.

2. Set the SGID (Set Group ID)

To set the SGID (Set Group ID), use the chmod command as follows.

chmod g+s file

To set access privileges in numeric mode, add 2000 to the number. For example, if you want to add an SGID (Set Group ID) to an executable file with 755 access rights, the numeric value would be "2755".

chmod 2755 file

Notes

The same options are used to set the SGID (Set Group ID) on a directory.

3. How to check the SGID (Set Group ID)

To check the SGID (Set Group ID), you can use the "ls -l" command.

# touch file
# chmod 2755 file
# ls -l file
-rwxr-sr-x 1 root group2 0 Jul 26 08:24 file 

The group part of the permissions is "r-s". The execute position normally shows "x"; if it shows "s" instead, SGID (Set Group ID) is set.

4. Use case

Let's actually set the SGID (Set Group ID) and see how it works. We will test both cases: setting it on an executable file and setting it on a directory.

If you set the SGID for an executable file

# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
↑ You are logged in with the root account.

# cp /bin/touch . ← Copy the touch command
# chgrp group1 touch ← Set the group to group1
# chmod g+s touch ← Set SGID.
# ls -l touch
-rwxr-sr-x 1 root group1 42284 Jul 26 08:28 touch ← SGID is set.

# ./touch test.txt

# ls -l test.txt
-rw-r--r-- 1 root group1 0 Jul 26 08:30 test.txt ← The ownership group is now group1.

Notes

Since you are running the command with the root account, the group of a file created by the command would normally be root. Because SGID is set on the touch command, the command is executed as root:group1 and the group of the created file is group1.

If you set the SGID for a directory

If you set the SGID for a directory, the files and directories you create under it get the owning group of the directory on which the SGID is set.

# mkdir dir        ← directory creation
# chgrp group1 dir ← Set the ownership group to group1
# chmod g+s dir    ← Set SGID.

# ls -ld dir
drwxr-sr-x 2 root group1 4096 Jul 26 08:33 dir ← The directory where the group is group1 and SGID is set

# touch dir/test.txt    ← Create files under the dir directory with the root account
# mkdir dir/test_dir    ← Create a directory under the dir directory with the root account.
# ls -l dir
total 12
-rw-r--r-- 1 root group1    0  Jul 26 08:33 test.txt    ← The group is group1.
drwxr-sr-x 2 root group1 4096 Jul 26 08:34 test_dir    ← The group is group1.
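
The check from section 3 and the two cases from section 4, combined into one script as an added example (not part of the original page): it finds every SGID entry under a directory and labels it by what the bit does there. The names sgid_audit and sgid_demo, the labels dir/exec/noexec and the sample tree are constructed for this example; it assumes Linux and uses the caller's own group instead of group1 so that it runs without root.

```shell
#!/bin/sh
# Added example (not from the original page): audit a tree for SGID entries.
# sgid_audit, sgid_demo and the kind labels are names invented here.

sgid_audit() {
    # -perm -2000 selects entries whose mode includes the SGID bit.
    find "${1:-.}" \( -type f -o -type d \) -perm -2000 2>/dev/null |
    while IFS= read -r path; do
        # Reuse the "ls -l" mode string that section 3 reads by eye.
        ls -ld "$path" | {
            read -r mode links owner group rest
            gx=$(printf '%s' "$mode" | cut -c7)   # group execute position
            case "$mode" in
                d*) kind=dir ;;                    # new entries inherit the group
                *)  case "$gx" in
                        s) kind=exec ;;            # runs with the file's group
                        *) kind=noexec ;;          # "S": SGID without group x
                    esac ;;
            esac
            printf '%s\t%s\t%s\n' "$kind" "$group" "$path"
        }
    done
}

sgid_demo() (
    # Constructed sample tree in a temporary directory; no root needed
    # because the caller's own group is used instead of group1.
    tmp=$(mktemp -d) || exit 1
    cd "$tmp" || exit 1
    mkdir dir && chmod g+s dir        # SGID directory, as in the use case
    touch dir/test.txt                # plain file: inherits the group only
    mkdir dir/test_dir                # subdirectory: inherits group and SGID
    touch tool data
    chmod 2755 tool                   # -rwxr-sr-x
    chmod 2644 data                   # -rw-r-Sr--
    sgid_audit . | sort
    cd / && rm -rf "$tmp"
)

sgid_demo
```

Each output line is kind, group and path separated by tabs. dir/test.txt does not appear because a file created in an SGID directory inherits only the group, not the bit.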