Lab 31: Special File Permissions

Configure setgid directories for shared work, create a controlled setuid helper, and lock down a world-writable drop zone using the sticky bit. Verify each special permission in real output so you can spot misconfigurations quickly in the field.

permissions users security

Scenario

You’re preparing a multi-user development server. The dev team needs a shared workspace that preserves group ownership, a controlled helper that runs with root privileges, and a world-writable staging directory where users cannot delete each other’s files.

Operator context

Special permission bits are powerful and dangerous. This lab is about setting them intentionally and proving state with verification output.

Objective

  • Create a shared directory for developers.
  • Apply setgid so new files inherit the dev group.
  • Confirm setgid shows up as s in group perms.
  • Create a root-owned setuid helper safely.
  • Build a world-writable directory protected by sticky bit.
  • Validate special bits using ls output.

What You’ll Practice

  • setgid directories and group inheritance in shared paths.
  • setuid binaries and why they require extreme caution.
  • sticky bit behavior for world-writable directories.
  • Reading permission strings and mapping them back to octal.

Walkthrough

Step 1 : Ensure the devs group exists.
Command
sudo groupadd -f devs

-f makes the command idempotent. If the group already exists, the command exits without failing, which is useful in repeatable lab workflows.

Step 2 : Create the shared directory /opt/devshare.
Command
sudo mkdir -p /opt/devshare

This is the workspace target. We will assign group ownership and apply setgid so new files inherit the dev group.

Step 3 : Assign group ownership to devs.
Command
sudo chgrp devs /opt/devshare

Group ownership is the foundation. setgid controls what group gets applied to files created inside the directory.

Step 4 : Apply setgid so new files inherit the group.
Command
sudo chmod 2775 /opt/devshare

The leading 2 sets the setgid bit on the directory; 775 gives owner and group full access while leaving read/execute for others. On shared dev servers, you often pair this with a group umask so files land group-writable.

Step 5 : Verify setgid is present.
Command
ls -ld /opt/devshare
drwxrwsr-x 2 root devs 4096 Jul 19 00:00 /opt/devshare

The group execute slot shows s when setgid is set and group execute is enabled (that is the rws in the middle).

Step 6 : Create a root-owned helper with setuid.
Safety note

setuid is a privilege escalation mechanism. In real systems, you do not set this on random scripts or unknown binaries. This lab uses /bin/true as a harmless stand-in.

Command
sudo install -o root -g root -m 4755 /bin/true /usr/local/bin/helper

install copies the file and sets owner, group, and mode in a single command. The leading 4 in 4755 applies setuid; 755 keeps the file executable by everyone but writable only by its root owner.

Step 7 : Confirm setuid is set on the helper.
Command
ls -l /usr/local/bin/helper
-rwsr-xr-x 1 root root 0 Jul 19 00:00 /usr/local/bin/helper

The owner execute slot shows s when setuid is set and owner execute is enabled (the rws at the front).

Step 8 : Create a world-writable directory protected by sticky bit.
Command
sudo mkdir -p /tmp/shared && sudo chmod 1777 /tmp/shared

This is the classic pattern used by /tmp. The directory is writable by everyone, but the sticky bit prevents users from deleting files they do not own.

Step 9 : Confirm sticky bit is set.
Command
ls -ld /tmp/shared
drwxrwxrwt 2 root root 4096 Jul 19 00:00 /tmp/shared

The last execute slot shows t when sticky bit is set and others execute is enabled (rwt at the end).

Reference

  • chmod 2775 <dir> : Applies setgid on a directory so new files inherit the directory’s group.
  • chmod 4755 <file> : Applies setuid on an executable so it runs with the file owner’s privileges.
  • chmod 1777 <dir> : World-writable directory with sticky bit protection.
  • ls -ld <dir> : Shows special bits in the permission string (s / t).
  • Special bit indicators:
    • setuid: owner execute shows s (example: -rwsr-xr-x)
    • setgid: group execute shows s (example: drwxrwsr-x)
    • sticky: others execute shows t (example: drwxrwxrwt)
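The following is an added verification helper, not part of the lab's own commands: it maps an ls -l permission string back to the octal form used above, treats the capital S/T variants (special bit set but execute bit clear) explicitly, and audits the three lab paths against the modes the walkthrough expects.

```shell
#!/bin/sh
# Map an ls -l mode string (e.g. drwxrwsr-x) back to chmod's four-digit
# octal form (e.g. 2775). Special-bit letters in the three execute slots:
#   owner slot: s = setuid + exec, S = setuid without exec  (adds 4)
#   group slot: s = setgid + exec, S = setgid without exec  (adds 2)
#   other slot: t = sticky + exec, T = sticky without exec  (adds 1)
# A capital S or T deserves a second look: the special bit is set but the
# matching execute bit is not, which is rarely what anyone intended.
perm_to_octal() {
    mode=$1
    special=0
    perms=""
    pos=2                      # skip the file-type character at position 1
    for bit in 4 2 1; do       # special-bit weight for owner, group, other
        r=$(printf '%s' "$mode" | cut -c"$pos")
        w=$(printf '%s' "$mode" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$mode" | cut -c"$((pos + 2))")
        digit=0
        [ "$r" = r ] && digit=$((digit + 4))
        [ "$w" = w ] && digit=$((digit + 2))
        case $x in
            x)   digit=$((digit + 1)) ;;
            s|t) digit=$((digit + 1)); special=$((special + bit)) ;;
            S|T) special=$((special + bit)) ;;
        esac
        perms="$perms$digit"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$perms"
}

# Compare a path's live mode against the octal the lab expects. Only the
# first 10 characters of ls -ld are used, so a trailing ACL/SELinux marker
# (+ or .) does not break the parse. Prints PASS/FAIL and returns 0/1.
verify_mode() {
    path=$1 want=$2
    have=$(perm_to_octal "$(ls -ld "$path" 2>/dev/null | cut -c1-10)")
    if [ "$have" = "$want" ]; then
        printf 'PASS %s %s\n' "$path" "$have"
    else
        printf 'FAIL %s want=%s have=%s\n' "$path" "$want" "$have"
        return 1
    fi
}

# Audit the lab's three targets on this host (paths that do not exist are skipped).
for spec in /opt/devshare:2775 /usr/local/bin/helper:4755 /tmp/shared:1777; do
    p=${spec%%:*}
    if [ -e "$p" ]; then verify_mode "$p" "${spec#*:}" || :; fi
done
```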