💎SUID, SGID AND STICKY BIT: BASICS



This content originally appeared on DEV Community and was authored by Sahil

⚜SUID, SGID, and the Sticky Bit are special permissions in Linux and other Unix-like operating systems that modify how files and directories behave. They are used to enhance system security and manage access control more effectively.

💡SUID (Set User ID):
The SUID bit allows an executable file to run with the permissions of the file’s owner, regardless of who is executing it.

👉Why it’s Used
SUID is crucial for programs that need to perform tasks requiring elevated privileges but are run by ordinary users. A classic example is the passwd command. When a user changes their password, the passwd program needs to write to the /etc/shadow file, which only the root user can modify. By setting the SUID bit on the passwd executable, a regular user can run the program, and it will temporarily execute with root privileges, allowing it to write to the secure file.

👉How to Identify and Set:
In the long listing format (ls -l), the SUID bit is represented by an s in the owner’s execute permission spot.

If the 🔑owner’s execute bit is not set, the SUID bit is shown as a capital S.

Example:

-rwsr-xr-x indicates the SUID bit is set, and the owner can execute the file.

-rwSr--r-- indicates the SUID bit is set, but the owner cannot execute the file.

You can set the SUID bit using the chmod command:

Symbolic mode: chmod u+s filename

Octal mode:
chmod 4755 filename (The 4 in front signifies the SUID bit.)

Security Risks:
👉A potential risk of SUID is that if a program with a vulnerability has the SUID bit set, it could be exploited to gain unauthorized root access. This is why SUID should be used judiciously and only on trusted executables.

🪔SGID (Set Group ID):
The SGID bit has two different functions depending on whether it’s applied to a file or a directory.

On Files:

  • Like the SUID bit, the SGID bit on an executable file allows it to run with the permissions of the file’s group owner, not the user’s group. This is useful for programs that need to access resources owned by a specific group, even if the user isn’t a member of that group.

On Directories:

  • When the SGID bit is set on a directory, any new files or subdirectories created within it will automatically inherit the group ownership of that parent directory, rather than the primary group of the user who created them. This is extremely useful for collaborative environments where multiple users need to share files and have them all be part of the same group. For example, a project directory can have the SGID bit set so that all new files created by different team members automatically belong to the project’s group.

How to Identify and Set

  • The SGID bit is represented by an s in the group’s execute permission spot.

  • If the group’s execute bit is not set, the SGID bit is shown as a capital S.

Example:

-rwxr-sr-x indicates the SGID bit is set, and the group can execute the file.

-rw-r-Sr-- indicates the SGID bit is set, but the group cannot execute the file.

You can set the SGID bit using chmod:
Symbolic mode: chmod g+s filename or chmod g+s directoryname

Octal mode: chmod 2755 filename (The 2 signifies the SGID bit.)

Sticky Bit:
👉The sticky bit is primarily used on directories to restrict file deletion.

Why it’s Used:

  • When the sticky bit is set on a directory, users can create files in that directory, but they can only delete or rename files that they own. This prevents users from deleting or modifying files created by other users, even if the directory permissions allow write access for everyone. The most common use case is the /tmp directory.

  • This directory is world-writable, meaning anyone can create files there. However, the sticky bit prevents one user from deleting another user’s temporary files, ensuring system stability and security.

👉How to Identify and Set:

  • The sticky bit is represented by a t in the “other” category’s execute permission spot.
  • If the “other” execute bit is not set, the sticky bit is shown as a capital T.

Example:

drwxrwxrwt indicates the sticky bit is set on a directory.

drwxr-xr-T indicates the sticky bit is set, but the “other” permission does not have execute rights.

👉You can set the sticky bit using chmod:

Symbolic mode: chmod o+t directoryname

Octal mode: chmod 1777 directoryname (The 1 signifies the sticky bit.)

Permission   Octal value   File behavior                           Directory behavior
SUID         4             Executes with the owner's permissions   N/A
SGID         2             Executes with the group's permissions   New files inherit the directory's group
Sticky Bit   1             N/A                                     Users can only delete their own files
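The s/S and t/T rule above, plus the audit an administrator runs to spot where these bits are set, as an added Python example (not code from the original post). It decodes a raw st_mode into the ls -l string and walks a directory tree flagging SUID/SGID files and world-writable directories that lack the sticky bit; the sample tree it builds under a temporary directory is constructed for the demonstration.

```python
import os
import stat
import tempfile

def mode_to_symbolic(mode: int) -> str:
    """Render st_mode the way `ls -l` does, including the s/S and t/T rule."""
    out = ["d" if stat.S_ISDIR(mode) else "-"]
    # (read, write, execute, special bit, letter when exec set, letter when not)
    for r, w, x, special, lower, upper in (
        (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s", "S"),
        (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s", "S"),
        (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t", "T"),
    ):
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            out.append(lower if mode & x else upper)  # capital = bit set, no exec
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)

def audit(root: str) -> list:
    """Report SUID/SGID regular files and world-writable dirs without the sticky bit."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode        # lstat: never follow symlinks
            rel = os.path.relpath(path, root)
            for bit, label in ((stat.S_ISUID, "suid"), (stat.S_ISGID, "sgid")):
                if stat.S_ISREG(mode) and mode & bit:
                    findings.append((rel, label))
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append((rel, "world-writable-without-sticky"))
    return findings

def build_demo_tree() -> str:
    """Constructed sample tree (not from the article): one SUID file, a shared
    directory without the sticky bit and a /tmp-style directory with it."""
    root = tempfile.mkdtemp(prefix="specialbits-")
    helper = os.path.join(root, "helper")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\necho hi\n")
    os.chmod(helper, 0o4755)                              # same as: chmod u+s helper
    os.mkdir(os.path.join(root, "shared"))
    os.chmod(os.path.join(root, "shared"), 0o777)         # anyone may delete anyone's files
    os.mkdir(os.path.join(root, "scratch"))
    os.chmod(os.path.join(root, "scratch"), 0o1777)       # like /tmp: chmod 1777
    return root
```

Running audit() against "/" with lstat is the same check as find / -perm -4000 for SUID, but it also surfaces the shared directories where a missing sticky bit lets one user delete another's files.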

📍Understanding and using these special permissions correctly is a key part of Linux administration and security. Feel free to share your insights.
