Temporarily changing the user ID or group ID during execution

An executable file can have an additional attribute, which is displayed in the execute position (x) when you issue ls -l. This permission setting is used to allow a program temporary access to files that are not normally accessible to other users. An s or S can appear in the execute permission position; this permission bit sets the effective user ID or group ID of the user process that is executing a program to that of the file whenever the file is run. The setuid and setgid bits are only honored for executable files that contain load modules.
s
In the owner permissions section, s indicates that the set-user-ID (S_ISUID) bit is set and execute (search) permission is set.

In the group permissions section, s indicates that the set-group-ID (S_ISGID) bit is set and execute (search) permission is set.

 

S
In the owner permissions section, S indicates that the set-user-ID (S_ISUID) bit is set, but the execute (search) bit is not.

In the group permissions section, S indicates that the set-group-ID (S_ISGID) bit is set, but the execute (search) bit is not.

A good example of this behavior is the mailx utility. A user who is sending mail to another user on the same system is actually appending the mail to the recipient's mail file, even though the sender does not have the appropriate permissions to do this action. The mail program does.

Parent topic: Handling security for your files