Special Permissions
Special Permissions#
Concepts#
Beyond rwx#
The standard read/write/execute permissions cover most scenarios. But Linux has three special permission bits that handle specific situations:
| Bit | Name | On Files | On Directories |
|---|---|---|---|
| SUID | Set User ID | Runs as the file’s owner, not the user who executes it | No effect |
| SGID | Set Group ID | Runs with the file’s group, not the user’s group | New files inherit the directory’s group |
| Sticky | Sticky Bit | No modern effect | Only file owner (or root) can delete files |
SUID — Set User ID#
When SUID is set on an executable, the program runs with the permissions of the file’s owner instead of the user who runs it.
The most common example is passwd:
ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 68208 Oct 15 12:00 /usr/bin/passwd
Notice the s in the owner’s execute position (rws). This means:
- The file is owned by
root. - When any user runs
passwd, it runs as root — because it needs to modify/etc/shadow, which only root can write. - The user does not need
sudo— the SUID bit handles the privilege escalation.
Why it matters: Without SUID on passwd, no regular user could change their own password.
Security note: SUID programs are potential security risks. A vulnerability in a SUID root program gives an attacker root access. Keep SUID programs to a minimum.
Setting SUID:
# Symbolic
chmod u+s program
# Octal — SUID is the 4 in the first digit (4xxx)
chmod 4755 program
SGID — Set Group ID#
On Files#
When SGID is set on an executable, the program runs with the group of the file instead of the user’s primary group. Similar to SUID but for group rather than user.
ls -l /usr/bin/wall
-rwxr-sr-x 1 root tty 19024 Oct 15 12:00 /usr/bin/wall
The s is in the group’s execute position.
On Directories (More Common)#
When SGID is set on a directory, any new file or subdirectory created inside it inherits the directory’s group instead of the creator’s primary group. This is extremely useful for shared directories.
Without SGID:
# Alice (primary group: alice) creates a file in /shared/
-rw-r--r-- 1 alice alice file.txt # Group is alice's primary group
With SGID on /shared/:
# /shared/ has group "team" with SGID
drwxrwsr-x 2 root team 4096 /shared/
# Alice creates a file in /shared/
-rw-r--r-- 1 alice team file.txt # Group is team — inherited from directory!
Setting SGID:
# Symbolic
chmod g+s directory/
# Octal — SGID is the 2 in the first digit (2xxx)
chmod 2775 directory/
Sticky Bit#
The sticky bit is used on directories (most commonly /tmp). When set, only the file’s owner (or root) can delete or rename files in that directory — even if other users have write permission on the directory.
Without the sticky bit: anyone with write permission on a directory can delete any file in it, regardless of who owns the file.
ls -ld /tmp
drwxrwxrwt 12 root root 4096 Oct 15 12:00 /tmp
The t in the last position (rwt) is the sticky bit. This means:
- Anyone can create files in
/tmp(rwx for others). - But only the owner of a file (or root) can delete it.
Without the sticky bit, user A could delete user B’s files in /tmp — a major problem on a multi-user system.
Setting the sticky bit:
# Symbolic
chmod +t directory/
# Octal — sticky bit is the 1 in the first digit (1xxx)
chmod 1777 directory/
Octal Notation with Special Bits#
The full octal permission is four digits: SUGT + rwx + rwx + rwx
The first digit encodes special bits:
| Value | Meaning |
|---|---|
| 0 | No special bits |
| 1 | Sticky bit |
| 2 | SGID |
| 4 | SUID |
They can be combined (added):
4755 → SUID, rwxr-xr-x (e.g., /usr/bin/passwd)
2775 → SGID, rwxrwxr-x (e.g., shared group directory)
1777 → Sticky, rwxrwxrwx (e.g., /tmp)
6755 → SUID+SGID, rwxr-xr-x (4+2=6)
How Special Bits Appear in ls -l#
| Bit | Appears Where | With Execute | Without Execute |
|---|---|---|---|
| SUID | Owner execute position | s |
S |
| SGID | Group execute position | s |
S |
| Sticky | Others execute position | t |
T |
Capital S or T means the special bit is set but the underlying execute permission is not set — an unusual and often incorrect configuration.
-rwsr-xr-x SUID set, owner has execute (normal)
-rwSr-xr-x SUID set, owner lacks execute (unusual)
drwxrwsr-x SGID set, group has execute (normal)
drwxrwSr-x SGID set, group lacks execute (unusual)
drwxrwxrwt Sticky set, others have execute (normal, like /tmp)
drwxrwxrwT Sticky set, others lack execute (unusual)
Lab#
Exercise 1: Find SUID Programs#
# Find all SUID programs on the system
sudo find / -perm -4000 -type f 2>/dev/null
# Common SUID programs you should see:
# /usr/bin/passwd — change passwords
# /usr/bin/sudo — run commands as root
# /usr/bin/su — switch user
# /usr/bin/mount — mount filesystems
# /usr/bin/umount — unmount filesystems
# /usr/bin/chsh — change login shell
# /usr/bin/newgrp — change primary group
# Examine passwd
ls -l /usr/bin/passwd
# -rwsr-xr-x 1 root root ...
Exercise 2: Understand SGID on Directories#
mkdir -p ~/lab/special
cd ~/lab/special
# Create a shared directory with SGID
mkdir shared
sudo chgrp adm shared
chmod 2775 shared
# Verify SGID is set
ls -ld shared
# drwxrwsr-x ... adm ... shared
# Create a file inside — it inherits the group
touch shared/teamfile.txt
ls -l shared/teamfile.txt
# The group should be "adm", not your primary group
# Create a subdirectory — SGID propagates
mkdir shared/subdir
ls -ld shared/subdir
# Also has SGID and group "adm"
Exercise 3: The Sticky Bit#
# Check /tmp
ls -ld /tmp
# drwxrwxrwt — note the 't' at the end
# Create a directory with the sticky bit
mkdir stickydir
chmod 1777 stickydir
# Verify
ls -ld stickydir
# drwxrwxrwt
# Create a file in it
touch stickydir/myfile.txt
# In a real multi-user scenario, another user could NOT delete myfile.txt
# even though they have write access to the directory.
# We can't easily demonstrate this with a single user, but you can
# see the sticky bit in action on /tmp.
Exercise 4: Setting and Removing Special Bits#
# Create a test file
touch testprog
chmod 755 testprog
# Set SUID (symbolic)
chmod u+s testprog
ls -l testprog
# -rwsr-xr-x
# Remove SUID
chmod u-s testprog
ls -l testprog
# -rwxr-xr-x
# Set SGID (octal)
chmod 2755 testprog
ls -l testprog
# -rwxr-sr-x
# Set both SUID and SGID
chmod 6755 testprog
ls -l testprog
# -rwsr-sr-x
# Remove all special bits
chmod 0755 testprog
ls -l testprog
# -rwxr-xr-x
# Show the capital S/T (special bit without execute)
chmod 4644 testprog
ls -l testprog
# -rwSr--r-- (SUID but no execute for owner — unusual)
# Clean up
chmod 0644 testprog
Exercise 5: Practical Shared Folder Setup#
This exercise simulates a real-world scenario: a shared project folder for a team.
cd ~/lab/special
# Create the group project directory
mkdir teamproject
# Set group to a common group (using your own group for demonstration)
# In practice, you would use a dedicated team group
sudo chgrp adm teamproject
# Set permissions: owner and group have full access, SGID for group inheritance
chmod 2770 teamproject
# Verify
ls -ld teamproject
# drwxrws--- ... adm ... teamproject
# Create files — they inherit the group
touch teamproject/design.md
touch teamproject/code.py
mkdir teamproject/docs
ls -l teamproject/
# All files/dirs should have group "adm"
# Clean up
cd ~
rm -rf ~/lab/special
Review#
1. What does SUID do on an executable file?
It causes the program to run with the permissions of the file’s owner instead of the user who executes it. For example, /usr/bin/passwd has SUID and is owned by root, so any user running passwd temporarily gets root privileges (only within that program) to modify /etc/shadow.
2. What does SGID do on a directory?
New files and subdirectories created inside inherit the directory’s group ownership instead of the creator’s primary group. This is useful for shared directories where all files should belong to a team group.
3. What is the sticky bit and where is it most commonly used?
The sticky bit on a directory ensures that only a file’s owner (or root) can delete or rename files in that directory, even if other users have write permission. It is most commonly used on /tmp to prevent users from deleting each other’s temporary files.
4. What is the octal permission `2775`?
SGID (2) + owner rwx (7) + group rwx (7) + others r-x (5). Displayed as drwxrwsr-x. A typical permission for a shared group directory.
5. What does a capital `S` mean in the output of `ls -l`?
It means the SUID (or SGID) bit is set, but the underlying execute permission is not set. For example, -rwSr--r-- means SUID is on but the owner cannot execute the file. This is usually a misconfiguration.
6. How do you find all SUID programs on a system?
sudo find / -perm -4000 -type f 2>/dev/null — this searches the entire filesystem for regular files with the SUID bit set.
7. Why are SUID programs a potential security risk?
Because they run with elevated privileges (the owner’s, often root). If a SUID root program has a vulnerability (buffer overflow, race condition), an attacker can exploit it to gain root access. Systems should have the minimum number of SUID programs necessary.
Previous: File Permissions | Next: Users, Root, and Sudo