24

I just changed my file permissions using $ sudo chmod g+s filename and my file permissions turned from drwxr-xr-x to drwxr-sr-x. How do I remove it?

bigpotato

5 Answers

50

Change the + for adding a permission into a - to remove it:

sudo chmod g-s filename

If you want to do this programmatically, you’ll need to use some bitwise operators. Normally it’s

mode_without_suid = bitwise_and(existing_mode, bitwise_not(S_ISUID))

where S_ISUID is 0o4000, a constant that uses mode bits above the typical rwx ones of something like 0644.

For example, in Python

import os
import stat

def mode_details(m):
    return f"mode={oct(m)} = {stat.filemode(m)}"

mode = os.stat('foo').st_mode
print("old mode", mode_details(mode))

new_mode = mode & ~stat.S_ISUID

os.chmod('foo', new_mode)
print("new mode", mode_details(new_mode))

which prints

old mode mode=0o104654 = -rwSr-xr--
new mode mode=0o100654 = -rw-r-xr--
andrewdotn
  • sorry to resurrect this. Do you know if you can do this using numbers instead? just out of curiosity. You would think 0XXX would remove it but it does not. – michael.schuett Sep 19 '14 at 14:49
  • 5
    @andrewdotn it also succeeds in making the file writable to the owning user, everyone in the same group, and everyone else on the system. – Alex Barker Nov 11 '15 at 04:51
  • Thanks @AlexBarker, I have deleted the misleading comment and added better instructions to the post. – andrewdotn Apr 19 '22 at 23:29
4

To remove setgid the numerical way the command is

sudo chmod 0664 $filename

The assumption here is that the permission on the file is 664 and we are not changing it. The leftmost bit in the above command represents setuid (4), setgid (2) and sticky (1). Now to represent these symbolically, setuid is u+s, setgid is g+s and sticky is o+t

Example 1: chmod u+s filename This will setuid for the filename mentioned, that is rwsr_xr_x

Example 2: chmod 2770 directory This will set gid for the directory mentioned that is rwxr_sr_x

DJAdmin
  • 11
    According to the man page for chmod "you can set (but not clear) the bits with a numeric mode". It appears that on many systems a fourth leading zero is ignored. – SystemParadox May 08 '17 at 10:52
  • 2
    I found this to be true on Ubuntu: no numeric value would clear this bit, but using `chmod g-s` did the trick. Moreover, when the setgid fails to clear, there is no error, it just doesn't work. What an obscure "feature". – Fixee Oct 01 '18 at 15:11
  • 1
    @SystemParadox I checked the manpage, and that statement looks like it only applies to directories, not files. In its full context: *"chmod clears the set-group-ID bit of a regular file if the file's group ID does not match the user's effective group ID or one of the user's supplementary group IDs, unless the user has appropriate privileges. Additional restrictions may cause the set-user-ID and set-group-ID bits of MODE or RFILE to be ignored. This behavior depends on the policy and functionality of the underlying chmod system call. When in doubt, check the underlying system behavior.* 1/ – AJM Dec 07 '22 at 17:14
  • 1
    (cont. from above) *chmod preserves a directory's set-user-ID and set-group-ID bits unless you explicitly specify otherwise. You can set or clear the bits with symbolic modes like u+s and g-s, and you can set (but not clear) the bits with a numeric mode."* (source: copy of manpage at https://linux.die.net/man/1/chmod) /2 – AJM Dec 07 '22 at 17:15
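Added example, not part of any answer above: clearing setgid programmatically on the directory from the question, and a check that the chmod(2) system call (here via Python's os.chmod) treats a numeric mode as absolute, so the directory-preserving behaviour quoted from the man page belongs to the chmod(1) utility. The names `clear_special_bits` and `demo` and the scratch directory are constructed for illustration; Linux with a readable target is assumed.

```python
import os
import stat
import tempfile

def clear_special_bits(path, bits=stat.S_ISGID):
    """Clear `bits` (default: setgid) on a regular file or directory.

    Returns (old_mode, new_mode) as permission-only values (no file-type bits).
    """
    # Open once and use the descriptor for both calls, so stat and chmod act on
    # the same inode; O_NOFOLLOW refuses a symlink in the final path component.
    # Assumption: the caller can read the path (fchmod needs a real descriptor).
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        old = stat.S_IMODE(os.fstat(fd).st_mode)
        os.fchmod(fd, old & ~bits)
        # Re-read instead of trusting the computed value: the kernel may
        # drop special bits on its own, and some filesystems ignore chmod.
        new = stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)
    if new & bits:
        raise OSError(f"{path}: bits {oct(new & bits)} still set")
    return old, new

def demo():
    """Constructed sample: a scratch directory with setgid, as in the question."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o2755)                     # like: chmod g+s on drwxr-xr-x
        before = stat.filemode(os.stat(d).st_mode)
        old, new = clear_special_bits(d)        # like: chmod g-s
        after = stat.filemode(os.stat(d).st_mode)
        # chmod(2) takes an absolute mode: unlike the chmod(1) numeric form
        # quoted from the man page, a plain 0o755 here also drops setgid.
        os.chmod(d, 0o2755)
        os.chmod(d, 0o755)
        syscall_mode = stat.S_IMODE(os.stat(d).st_mode)
    return before, after, old, new, syscall_mode

if __name__ == "__main__":
    print(demo())
```

Pass `stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX` as `bits` to strip all three special bits in one call.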
4

Regarding: "you can set (but not clear) the bits with a numeric mode"

On RHEL 7 chmod 0644 $filename did not remove the setuid (4), setgid (2) or sticky (1).

However, preceding it with an extra 0 did the trick:

chmod 00644 $filename

1

Well, I would just like to add a few points to clarify the approach of working with the numerical way for both files and directories.

  • Adding individual special permissions for either user/group/others.

chmod "X"755 file

Where X is the specific octal numeric mode for special permissions.

  • If you want to add multiple special permissions at a time, e.g. for both suid(4) and sgid(2) i.e. 4+2=6.

chmod "6"755 file

for suid(4), sgid(2) and sticky bit(1), i.e. 4+2+1=7

chmod "7"755 file

  • Deleting all special permissions (only applicable for a file)

chmod 00"0"755 file

Well, the trailing zeros before 4 digits don't add any value while changing the permission for a file, but they do add value while changing the permission for a directory.

The above numeric code will change the permission to 755 from 7755 only for a file but if you do the same for a directory it will be 6755 as it will only remove the sticky bit for others.

To remove all the special permissions for a directory.

chmod "000"755 file

  • Similarly, to remove suid permission and having sgid(2) and sticky bit(1) i.e. 2+1=3.

chmod 00"3"755 file

And solutions using letters (r,w,x,X,s,t) and operators (+/-) were already discussed and approved in the earlier answers.

Community
0
sgid with number
#chmod 2(permission)  (directory name)  = for adding
#chmod 0(permission)  (directory name)  = for removing
sgid with word
#chmod g+s directory name = for adding
#chmod g-s directory name = for removing
Suraj Rao
  • 2
    Welcome to Stack Overflow, and thank you for contributing an answer. Would you kindly edit your answer to include an explanation of your code? That will help future readers better understand what is going on, and especially those members of the community who are new to the language and struggling to understand the concepts. That's especially important when there's already an accepted answer that's been validated by the community. Under what conditions might your approach be preferred? Are you taking advantage of new capabilities? – Jeremy Caney Dec 02 '21 at 00:40