Special Permission Bits: SUID, SGID, and Sticky Bit

Published on December 7, 2025 by Team SKY | Tags: Linux, Security, DevOps

Go beyond basic read/write/execute permissions with special bits that solve specific DevOps challenges. Learn when to use SUID, SGID, and the sticky bit for secure and efficient system administration.

What Are Special Permission Bits?

Special permission bits add extra functionality to standard Linux permissions. They appear in the first position when you run ls -l:

$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 68208 May 28  2023 /usr/bin/passwd
   ↑
   Special bit (s = SUID)

$ ls -ld /tmp
drwxrwxrwt 15 root root 4096 Dec  7 10:30 /tmp
           ↑
           Special bit (t = sticky)

The Three Special Bits

SUID (Set User ID)

What: Makes an executable run with the file owner's privileges, not the user who runs it.

Visual:

-rwsr-xr-x
chmod u+s file OR chmod 4755 file
Why Use It:
• When regular users need to perform privileged operations
• Example: Changing password (/usr/bin/passwd)
• Mounting filesystems, network configuration tools

SGID (Set Group ID)

What: On files: runs with group's privileges. On directories: new files inherit directory's group.

Visual:

-rwxr-sr-x (file)
drwxr-sr-x (directory)
chmod g+s file OR chmod 2755 directory
Why Use It:
• Shared directories where team collaboration is needed
• All team members should share file ownership
• Example: /var/www/html for web developers

Sticky Bit

What: On directories: users can only delete their own files, even if directory is world-writable.

Visual:

drwxrwxrwt
chmod +t directory OR chmod 1777 /tmp
Why Use It:
• Public directories where many users create files
• Prevents users from deleting each other's files
• Essential for /tmp, /var/tmp

Essential Commands & Examples

1. SUID Examples

# View existing SUID files
$ find /usr/bin -type f -perm /4000 2>/dev/null | head -5
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/su

# Set SUID on a script (BE CAREFUL!)
$ sudo chmod u+s /usr/local/bin/backup-script

# Check if SUID is set
$ ls -l /usr/local/bin/backup-script
-rwsr-xr-x 1 root root 1234 Dec  7 10:30 /usr/local/bin/backup-script

# Remove SUID
$ sudo chmod u-s /usr/local/bin/backup-script
Security Warning: SUID scripts are dangerous! Any user can exploit them to gain root access. Use Linux Capabilities (setcap) instead when possible.

2. SGID Examples

# Create shared directory for developers
$ sudo mkdir /shared/projects
$ sudo chown root:developers /shared/projects
$ sudo chmod 2770 /shared/projects

# Verify SGID is set
$ ls -ld /shared/projects
drwxr-s--- 2 root developers 4096 Dec  7 10:30 /shared/projects
         ↑
         SGID bit is set

# Test: New files inherit group
$ touch /shared/projects/test.txt
$ ls -l /shared/projects/test.txt
-rw-r--r-- 1 alice developers 0 Dec  7 10:30 test.txt
                    ↑
                    Inherited developers group

# SGID on executable files (less common)
$ sudo chmod g+s /usr/local/bin/team-tool

3. Sticky Bit Examples

# Check /tmp has sticky bit (it should!)
$ ls -ld /tmp
drwxrwxrwt 15 root root 4096 Dec  7 10:30 /tmp
           ↑
           Sticky bit

# Set sticky bit on shared upload directory
$ sudo chmod +t /var/www/uploads
$ ls -ld /var/www/uploads
drwxrwxrwt 2 www-data www-data 4096 Dec  7 10:30 /var/www/uploads

# Octal notation for sticky bit
$ sudo chmod 1777 /shared/tmp
# 1 = sticky bit, 777 = rwx for all

DevOps Comparison Table

Bit When to Use Security Risk Common DevOps Use Cases
SUID Privileged operations needed by non-root users HIGH • Backup scripts needing root access
• Network configuration tools
• System monitoring scripts
SGID Team collaboration directories MEDIUM • Shared project directories
• Web server document roots
• CI/CD workspace directories
Sticky Bit Public writable directories LOW • /tmp and /var/tmp directories
• Upload directories
• Temporary build directories

Practical DevOps Scenarios

Scenario 1: Web Server Directory Setup

# Setup for Apache/Nginx shared hosting
sudo mkdir -p /var/www/html/project
sudo chown -R root:webdevs /var/www/html/project
sudo chmod -R 2775 /var/www/html/project  # SGID for directories
sudo find /var/www/html/project -type f -exec chmod 664 {} \;

# Result: All new files get webdevs group automatically

Scenario 2: Team Collaboration Space

# Create shared space for DevOps team
sudo mkdir /opt/team-shared
sudo groupadd devops-team
sudo usermod -a -G devops-team alice
sudo usermod -a -G devops-team bob
sudo chown root:devops-team /opt/team-shared
sudo chmod 2770 /opt/team-shared

# All files created will have devops-team group

Scenario 3: Secure Script with SUID (Alternative)

# Instead of SUID, use Linux Capabilities (safer)
# Install needed package
sudo apt install libcap2-bin

# Give specific capability instead of full root
sudo setcap cap_net_raw+ep /usr/local/bin/network-monitor

# Check capabilities
getcap /usr/local/bin/network-monitor
# /usr/local/bin/network-monitor = cap_net_raw+ep

Security Best Practices

SUID Security Guidelines:
1. Avoid SUID on scripts - Use compiled binaries instead
2. Use capabilities (setcap) when possible
3. Regularly audit: find / -type f -perm /4000 2>/dev/null
4. Minimize usage - Only when absolutely necessary
5. Document every SUID binary and its purpose
SGID Best Practices:
1. Use for directories, not files
2. Set appropriate umask for the directory
3. Monitor for unexpected group inheritance
4. Use with ACLs for complex scenarios
5. Document shared directory purposes
Sticky Bit Tips:
1. Always use on /tmp and /var/tmp
2. Use on world-writable upload directories
3. Combine with appropriate permissions (1777, not 0777)
4. Monitor for abuse in public directories

Troubleshooting Common Issues

# 1. SUID not working on scripts?
# Check if filesystem is mounted with nosuid option
$ mount | grep nosuid
/dev/sda1 on / type ext4 (rw,nosuid,nodev)

# 2. SGID not inheriting group?
# Check parent directory SGID is set
$ ls -ld /parent/directory

# 3. Can't delete file in /tmp?
# Check sticky bit is set
$ ls -ld /tmp

# 4. Find all special bits
$ find / -type f -perm /7000 2>/dev/null | head -10

DevOps Automation Examples

Ansible Playbook for Special Permissions

---
- name: Configure shared DevOps directory
  hosts: all
  tasks:
    - name: Create devops group
      group:
        name: devops-team
        state: present
        
    - name: Create shared directory
      file:
        path: /opt/devops-shared
        state: directory
        owner: root
        group: devops-team
        mode: '2770'
        
    - name: Add users to devops group
      user:
        name: "{{ item }}"
        groups: devops-team
        append: yes
      loop:
        - alice
        - bob
        - charlie

Security Audit Script

#!/bin/bash
# Audit special permissions on system

echo "=== Special Permissions Audit $(date) ==="
echo ""

echo "1. SUID Files:"
find / -type f -perm /4000 2>/dev/null | xargs ls -l 2>/dev/null

echo ""
echo "2. SGID Files:"
find / -type f -perm /2000 2>/dev/null | xargs ls -l 2>/dev/null

echo ""
echo "3. Sticky Bit Directories (excluding /tmp):"
find / -type d -perm /1000 2>/dev/null | grep -v "^/tmp" | xargs ls -ld 2>/dev/null

echo ""
echo "4. World-writable files with SUID/SGID (DANGEROUS!):"
find / -type f -perm /6002 2>/dev/null

Key Takeaways for DevOps

SUID: Use sparingly, prefer Linux capabilities. Essential for system tools but dangerous for custom scripts.

SGID: Perfect for team collaboration. Makes shared directories work seamlessly without manual permission fixes.

Sticky Bit: Essential for any world-writable directory. Prevents "cleaning" attacks in shared spaces.

Remember: Special bits are powerful but can be security risks. Always follow the principle of least privilege and audit regularly.

Quick Reference:
• SUID: chmod u+s file or chmod 4755 file
• SGID: chmod g+s dir or chmod 2755 dir
• Sticky: chmod +t dir or chmod 1777 dir
• Find SUID: find / -type f -perm /4000 2>/dev/null
• Remove all: chmod u-s,g-s,-t file