Understanding SUID, SGID, and Sticky Bit - Special Permission Bits in Linux
What Are SUID, SGID, and Sticky Bit?
SUID, SGID, and Sticky Bit are three special permission flags layered on top of Linux's standard rwx permissions. They power core system behaviors: allowing normal users to run commands that require root privileges (like passwd), making files in shared directories inherit the directory's group, and preventing users from deleting each other's files in shared spaces like /tmp.
| Bit | Value | Target | Main Use Case |
|---|---|---|---|
| SUID | 4 | Executables | Run as the file owner's UID |
| SGID | 2 | Files / Directories | Run as the file's group / inherit group |
| Sticky Bit | 1 | Directories | Only a file's owner, the directory owner, or root can delete or rename it |
SUID (Set User ID)
An executable with SUID set runs with the file owner's privileges, not the calling user's privileges.
/usr/bin/passwd is the canonical example. Regular users can change their own passwords because passwd has SUID set and runs with root privileges, allowing it to write to /etc/shadow.
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 59976 Mar 22 2024 /usr/bin/passwd
The s in the owner's execute position indicates SUID is set.
Setting and Removing SUID
# Set SUID (symbolic)
$ chmod u+s /path/to/file
# Set SUID (octal: 4XXX prefix)
$ chmod 4755 /path/to/file
# Remove SUID
$ chmod u-s /path/to/file
SUID introduces privilege escalation risk: a bug in a SUID-root binary is reachable by every user allowed to execute it, with root's privileges. Set it only where genuinely required (the kernel also ignores it on filesystems mounted nosuid, so it may not even work where you expect), and audit SUID files regularly:
# Find all SUID files on the system
$ find / -perm -4000 -type f 2>/dev/null
SGID (Set Group ID)
SGID behaves differently depending on whether it is set on an executable or a directory.
On executables: the process runs with its effective group ID set to the file's group instead of the caller's primary group (the caller's supplementary groups are kept). The classic example is /usr/bin/write, which must write to other users' terminal devices; those are group-owned by tty and group-writable, so write is SGID tty rather than SUID root.
On directories: files created inside inherit the directory's group rather than the creator's primary group, and new subdirectories inherit the SGID bit as well, so the behaviour propagates down the tree. This is essential for shared project directories.
$ ls -l /usr/bin/write
-rwxr-sr-x 1 root tty 14952 Mar 30 2023 /usr/bin/write
The s in the group's execute position signals SGID.
Using SGID on a Shared Directory
# Set SGID on a shared project directory
$ chmod g+s /shared/project
# Verify
$ ls -ld /shared/project
drwxrwsr-x 2 user devteam 4096 Jun 1 12:00 /shared/project
New files inside this directory will have devteam as their group, regardless of who creates them. Note that SGID only controls the group; the permission bits still come from the creator's umask, so with the default umask of 022 the team can read but not write each other's files (use umask 002 for a truly collaborative directory):
$ touch /shared/project/newfile.txt
$ ls -l /shared/project/newfile.txt
-rw-r--r-- 1 alice devteam 0 Jun 1 12:00 /shared/project/newfile.txt
Setting SGID
# Symbolic
$ chmod g+s /path/to/dir
# Octal: 2XXX prefix
$ chmod 2775 /path/to/dir
Sticky Bit
The Sticky Bit is set on directories so that only a file's owner, the directory's owner, or root can delete or rename an entry, even when the directory is world-writable. Without it, write permission on the directory is all that is needed to remove anyone's files.
/tmp is the most familiar example. Anyone can create files in it, but each user can delete only their own (root excepted).
$ ls -ld /tmp
drwxrwxrwt 17 root root 4096 Jun 1 12:00 /tmp
The t in the others' execute position indicates the Sticky Bit.
Setting the Sticky Bit
# Set Sticky Bit (symbolic)
$ chmod +t /shared/dir
# Set Sticky Bit (octal: 1XXX prefix)
$ chmod 1777 /shared/dir
# Remove Sticky Bit
$ chmod -t /shared/dir
Verify:
$ mkdir /tmp/testdir && chmod 1777 /tmp/testdir
$ ls -ld /tmp/testdir
drwxrwxrwt 2 user group 40 Jun 1 12:00 /tmp/testdir
Setting Special Bits with Octal Notation
Use 4-digit octal notation to combine special bits with standard permissions. The leading digit is the sum of the special bits (SUID=4, SGID=2, Sticky=1).
| Configuration | Value | Example |
|---|---|---|
| SUID only | 4755 | chmod 4755 file |
| SGID only | 2755 | chmod 2755 dir |
| Sticky only | 1777 | chmod 1777 dir |
| SUID + SGID | 6755 | chmod 6755 file |
# SUID: owner=rwx, group=rx, others=rx
$ chmod 4755 myprogram
# SGID shared directory: owner=rwx, group=rwx, others=rx
$ chmod 2775 shared_dir
Reading Special Bits in ls -l Output
Special bits replace the x character at predictable positions in ls -l output.
-rwsr-xr-x → SUID set (owner's x replaced by s)
-rwxr-sr-x → SGID set (group's x replaced by s)
drwxrwxrwt → Sticky Bit set (others' x replaced by t)
-rwSr--r-- → SUID set, owner has no execute bit (uppercase S)
-rwxr-Sr-- → SGID set, group has no execute bit (uppercase S)
drwxrwxrwT → Sticky Bit set, others have no execute bit (uppercase T)
Lowercase s / t: the special bit and the execute permission are both set.
Uppercase S / T: the special bit is set but the corresponding execute bit is not. On an executable this is almost always a misconfiguration, because SUID and SGID only take effect when the file is executed; either restore the execute bit or clear the special bit.
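As an added example, not part of the original page, the following POSIX shell script decodes ls -l mode strings into the 4-digit octal notation from the previous section and flags the uppercase S/T case. The listing it parses is constructed here from the page's own examples plus two hypothetical misconfigured files under /opt/example that do not exist on any real system.

```bash
#!/bin/sh
# Added example: decode ls -l mode strings into octal and flag "dead" special bits.

# mode_to_octal MODESTRING
# Converts a 10-character ls -l mode string (e.g. -rwsr-xr-x) into 4-digit
# octal (4755). Lowercase s/t means special bit plus execute; uppercase S/T
# means the special bit is set but the execute bit is not.
mode_to_octal() {
    str=$1
    special=0      # accumulates SUID=4, SGID=2, sticky=1
    perms=""       # accumulates the three rwx digits
    pos=2          # skip the file-type character at position 1
    for who in u g o; do
        r=$(printf '%s' "$str" | cut -c"$pos")
        w=$(printf '%s' "$str" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$str" | cut -c"$((pos + 2))")
        v=0
        [ "$r" = r ] && v=$((v + 4))
        [ "$w" = w ] && v=$((v + 2))
        case "$who$x" in
            ?x) v=$((v + 1)) ;;                          # plain execute
            us) v=$((v + 1)); special=$((special + 4)) ;; # SUID + execute
            uS) special=$((special + 4)) ;;               # SUID, no execute
            gs) v=$((v + 1)); special=$((special + 2)) ;; # SGID + execute
            gS) special=$((special + 2)) ;;               # SGID, no execute
            ot) v=$((v + 1)); special=$((special + 1)) ;; # sticky + execute
            oT) special=$((special + 1)) ;;               # sticky, no execute
        esac
        perms="$perms$v"
        pos=$((pos + 3))
    done
    printf '%d%s\n' "$special" "$perms"
}

# has_dead_special_bit MODESTRING
# Exit 0 when an uppercase S or T is present: the bit is set at position 4
# (owner), 7 (group) or 10 (others) without the matching execute bit.
has_dead_special_bit() {
    case "$1" in
        ???S*|??????S*|?????????T) return 0 ;;
        *) return 1 ;;
    esac
}

# report_line MODESTRING PATH  ->  "OCTAL PATH [WARNING ...]"
report_line() {
    line="$(mode_to_octal "$1") $2"
    if has_dead_special_bit "$1"; then
        line="$line WARNING: special bit set without execute permission"
    fi
    printf '%s\n' "$line"
}

# Constructed sample listing: the three entries shown on this page plus two
# hypothetical misconfigured files (these /opt/example paths are made up).
sample_listing='-rwsr-xr-x 1 root root 59976 Mar 22 2024 /usr/bin/passwd
-rwxr-sr-x 1 root tty 14952 Mar 30 2023 /usr/bin/write
drwxrwxrwt 17 root root 4096 Jun 1 12:00 /tmp
drwxrwsr-x 2 user devteam 4096 Jun 1 12:00 /shared/project
-rwSr--r-- 1 root root 1024 Jun 1 12:00 /opt/example/broken-suid
-rwxr-Sr-- 1 root staff 1024 Jun 1 12:00 /opt/example/broken-sgid'

# audit_listing: read ls -l lines on stdin, print one report line per entry.
# ls -l has 9 whitespace-separated fields; read puts any remaining text
# (paths containing spaces) into the last variable.
audit_listing() {
    while read -r lmode _links _owner _group _size _mon _day _time path; do
        if [ -n "$lmode" ]; then
            report_line "$lmode" "$path"
        fi
    done
}

printf '%s\n' "$sample_listing" | audit_listing
```

Feeding it real output (`ls -l /usr/bin | audit_listing`) works the same way; the WARNING lines are the ones worth investigating first, since a SUID or SGID bit that can never take effect is usually the residue of a botched chmod.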
Finding files with special bits:
# Files with SUID
$ find / -perm -4000 -type f 2>/dev/null
# Files and directories with SGID
$ find / -perm -2000 2>/dev/null
# Directories with Sticky Bit
$ find / -perm -1000 -type d 2>/dev/null
Security Considerations
Special permission bits are powerful but carry security exposure.
Keep SUID/SGID usage to a minimum
Unnecessary SUID/SGID files are a common privilege escalation vector: every bug in such a binary (memory corruption, unsafe handling of environment variables, a relative PATH lookup) is exploitable by any local user who can execute it. Never set SUID on shell scripts. The Linux kernel ignores the bit on interpreted (#!) files, so it achieves nothing, and its presence signals poor security hygiene.
Audit SUID/SGID files regularly
# Record a baseline of SUID/SGID files (/6000 = either bit set; -6000 would require both)
$ find / -perm /6000 -type f 2>/dev/null | sort > /root/suid_baseline.txt
Store the baseline where only root can write it (not in /tmp, where any user could pre-create or replace the file). Run the same command periodically and diff the result against the baseline to detect unauthorized additions, or binaries that unexpectedly lost or gained the bits.
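The baseline-and-diff audit above, worked through as an added shell example that is not code from the original page. It builds a throwaway directory tree with mktemp, sets the SUID bit on files it owns (which needs no root), takes a baseline, then changes the tree and shows what the comparison reports. All file names in the tree are constructed for the demo.

```bash
#!/bin/sh
# Added example: baseline-and-diff audit of SUID/SGID files.

# special_bits_snapshot ROOT
# Lists regular files under ROOT with SUID or SGID set, sorted for comm(1).
# -perm /6000 matches files with EITHER bit; -perm -6000 would require BOTH
# and silently miss ordinary setuid-root binaries such as passwd.
special_bits_snapshot() {
    find "$1" -xdev -type f -perm /6000 2>/dev/null | sort
}

# special_bits_diff BASELINE_FILE ROOT
# Prints "+path" for special-bit files absent from the baseline and "-path"
# for baseline entries that no longer carry the bits (e.g. a replaced binary).
special_bits_diff() {
    baseline=$1
    current=$(mktemp)
    special_bits_snapshot "$2" > "$current"
    comm -13 "$baseline" "$current" | sed 's/^/+/'
    comm -23 "$baseline" "$current" | sed 's/^/-/'
    rm -f "$current"
}

# demo: constructed tree under a temp dir. Baseline it, then add one new SUID
# file and strip the bit from another, and report the difference with the
# temp-dir prefix removed so the output is stable.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/opt/app"
    : > "$root/usr/bin/passwd-like"; chmod 4755 "$root/usr/bin/passwd-like"
    : > "$root/usr/bin/also-suid";   chmod 4755 "$root/usr/bin/also-suid"
    : > "$root/usr/bin/plain";       chmod 0755 "$root/usr/bin/plain"

    # In production keep the baseline root-owned and outside /tmp.
    baseline="$root/baseline.txt"
    special_bits_snapshot "$root" > "$baseline"

    # Changes after the baseline: one new SUID file appears, one loses the bit.
    : > "$root/opt/app/helper";      chmod 4755 "$root/opt/app/helper"
    chmod 0755 "$root/usr/bin/also-suid"

    special_bits_diff "$baseline" "$root" | sed "s|$root||"
    rm -rf "$root"
}

demo
```

Against a real system run `special_bits_snapshot /` as root. The -xdev flag keeps find on a single filesystem, so either run it once per mount point or replace it with exclusions for /proc, /sys and /dev. comm requires both inputs sorted in the same locale, which is why the snapshot pipes through sort and the baseline should be produced by the same function.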