What is SGID in Linux?

Subscribe to my newsletter and never miss my upcoming articles

A few weeks ago, I stumbled upon an interesting problem.
In Linux, if you check the file permissions you will notice the name of the file owner along with the group which owns the file. Note that, It is not necessary for the owner to be a part of the group but usually that is the case.

Imagine this scenario:

There are 3 processes operating in a system:

  • P1: Runs as root
  • P2: Creates the directories during the install.
  • P3: It access files created by P1.

Further, P2 & P3 are the part of the same group, say user_grp and both run as owner user.
Now consider a directory docs which is created by our installer process P2 and its permission looks like this:

drwxr-x---  5 user user_grp  4096 Jul 31 19:56 docs

P1 gets into the directory and wants to create a file called readme.txt for process P3 to read.
Please note that there is an additional constraint here, the read, write & execute access for OTHERS is prohibited.
Nevertheless, P1 goes ahead and creates the file whose permission looks like this:

  -rwxr-----  1 root root  4096 Jul 31 19:56 readme.txt

Can you spot the problem here?
After carefully examining the situation, it is not difficult to judge that Process P3 will fail in reading the file readme.txt because it is neither the owner of file readme.txt nor part of the same group.
There are a lot of ways one can go about solving this access limitation. For example, you can just issue chgrp for the file to change its group to user_grp so that process P3 can access, as it will then belong to the same group. But if there are a lot of files like this in the docs directory and you want P3 to read all of them, rather than firing chgrp for each file, you can opt for a more elegant approach.

Let's issue this command on docs directory to set GID bit, we will come back to what it actually means in a moment.

$ chmod g+s docs

Look at the file permission of the docs directory:

drwxr-s---  5 user user_grp  4096 Jul 31 19:56 docs

Notice there is an 's' in place of 'x' in the directory permissions. Now let's allow process P1 to create a file readme2.txt in the docs directory.

-rwxr-----  1 root user_grp  4096 Jul 31 19:56 readme2.txt

This is the magic of SGID!
When you set the SGID on a directory, all the files and directories inside it will inherit the parent directory's group.
So even though root is creating the file readme2.txt inside docs, the process P3 can easily read it because the file now has the same group as process P3, i.e. user_grp instead of root. Hence, SGID bit can be very useful for dealing with situations like the one above.

Linux holds deeper truths, we just have to MAN [1] up to get there!

Notes

[1] I am not trying to label courage as a masculine trait. It is just that Linux manual is called MAN pages. So a puny pun 😛


If you liked this post, you can find more by:

Following me on Twitter: @abshekha

Connecting on LinkedIn: abhimanyubitsgoa

Visiting my website: https://abhimanyutimes.com


Thanks for reading!

No Comments Yet