The Trinity of Special Permissions: SUID, SGID, and the Sticky Bit
Master the advanced bits of Linux security. Understand how SUID allows regular users to run commands as Root, why SGID is essential for shared team folders, and how the Sticky Bit prevents users from deleting each others' files in /tmp.
Special Permissions: SUID, SGID, and the Sticky Bit
Standard permissions (rwx) handle the vast majority of Linux security. But there are three specific scenarios they can't solve:
- How can a regular user change their password if only Root can write to the password file?
- How can a team ensure every new file in a shared folder belongs to the same group?
- How can we allow everyone to write to
/tmp, but prevent User A from deleting User B's files?
The answer lies in the three "Special Bits." These are the most powerful—and most dangerous—parts of the Linux permission system.
1. SUID (Set User ID)
When you run a program with the SUID bit set, the program runs with the privileges of the File Owner, not the privileges of the user who typed the command.
The Use Case: passwd
The passwd command is owned by Root and has the SUID bit set. This allows you to change your password (which requires writing to /etc/shadow) even though you aren't an admin.
How to spot it:
In ls -l, an s appears in the owner's execution slot.
-rwsr-xr-x 1 root root ... /usr/bin/passwd
How to set it:
chmod u+s /path/to/binary
# Or Octal (the 4 in the front)
chmod 4755 /path/to/binary
2. SGID (Set Group ID)
This has two different functions depending on whether it's on a file or a directory.
On a Directory (The Pro Use Case):
When SGID is set on a folder, any new file created inside inherits the folder's Group, rather than the user's primary group. This is essential for shared team folders.
How to spot it:
An s appears in the group's execution slot.
drwxr-sr-x 2 lead_dev developers ... /projects/nexus
How to set it:
chmod g+s /projects/shared
# Or Octal (the 2 in the front)
chmod 2775 /projects/shared
3. The Sticky Bit
Historically used for memory management, today the Sticky bit is used for Shared Directory Safety.
When the Sticky Bit is set on a folder, only the file owner (or root) can delete or rename the files inside. Even if the folder is "World Writable" (777), User A cannot delete User B's files.
The Use Case: /tmp
The /tmp directory is used by everyone. The Sticky Bit ensures that one user's temp file doesn't get messed with by another.
How to spot it:
A t appears at the very end of the string.
drwxrwxrwt 15 root root ... /tmp
How to set it:
chmod +t /shared/dropbox
# Or Octal (the 1 in the front)
chmod 1777 /shared/dropbox
4. Special Permission Logic Table
| Bit | Octal | Code | On File | On Directory |
|---|---|---|---|---|
| SUID | 4000 | u+s | Runs as File Owner | No standard effect |
| SGID | 2000 | g+s | Runs as File Group | Files inherit folder group |
| Sticky | 1000 | +t | No standard effect | Only owner can delete |
5. Practical: Setting up a Collaborative Team Folder
If you are setting up a workspace for the "AI Team," follow this industry-standard pattern:
# 1. Create the shared folder
mkdir /data/ai_models
# 2. Change group to the team name
chown :ai_team /data/ai_models
# 3. Set SGID (for group inheritance) and Sticky Bit (for safety)
chmod 3770 /data/ai_models
# Now any file Alice (in ai_team) creates will be writable by Bob (in ai_team).
# But Bob cannot delete Alice's files unless she gives him permission!
6. Example: A SUID Security Scanner (Python)
SUID is a major security risk. If a hacker creates a copy of /bin/bash and gives it the SUID bit, they have successfully created a "Backdoor" that gives them Root access forever. Here is a Python script that scans for persistent SUID binaries.
import os
import stat
def find_suid_binaries(directory):
"""
Finds every binary file in a directory that has the SUID bit set.
"""
suid_files = []
# We use walk to check subdirectories
for root, dirs, files in os.walk(directory):
for name in files:
path = os.path.join(root, name)
try:
# Get file info
file_stat = os.stat(path)
# Check for SUID (S_ISUID) bit
if file_stat.st_mode & stat.S_ISUID:
owner = os.path.basename(root) # Simplified
suid_files.append(f"{path} (Owned by {file_stat.st_uid})")
except:
continue
return suid_files
if __name__ == "__main__":
# Scanned dirs: /usr/bin is normal, /home is suspicious
print("Auditing for SUID binaries in /usr/bin...")
found = find_suid_binaries("/usr/bin")
print(f"Detected {len(found)} SUID programs.")
for f in found[:5]: # Show just the first few
print(f" [!] {f}")
print("\nAuditing /home for suspicious backdoors...")
# This should return 0 on a clean system
suspicious = find_suid_binaries("/home")
if not suspicious:
print("[OK] No suspicious SUID files in home directories.")
else:
print(f"[DANGER] Found suspicious SUID files: {suspicious}")
7. The Capital 'S' Mystery
Sometimes you might see a capital S or T instead of lowercase. This means the bit is set, but the underlying execution (x) bit is NOT set. Usually, this means you've made a mistake in your chmod command.
s: Bit set AND can execute.S: Bit set BUT CANNOT execute (Broken config).
8. Summary
Special bits solve the "Edges" of security.
- SUID is for running tasks with elevated power (like
passwd). - SGID is for team collaboration and group consistency.
- Sticky Bit is for shared space safety (like
/tmp). - Octal prefix (4 for SUID, 2 for SGID, 1 for Sticky) allows you to set them easily.
This concludes our deep dive into the Linux social and security model. In the next module, we will explore System Information and Performance Monitoring to see how your machine is handling its workload.
Quiz Questions
- Why is setting the SUID bit on a shell script a massive security risk?
- You have a folder where team members need to share files. Which bit ensures all new files have the correct group?
- What is the octal command to set a directory to have full permissions, SGID, and the Sticky Bit?
End of Module 5. Proceed to Module 6: System Information & Performance Monitoring.