In the world of Linux, file permissions are the first line of security. For operations engineers, this is a necessary part of daily management; for hackers, it is the most common point of breach.
If configured incorrectly, permissions can become an “invisible backdoor,” allowing attackers to easily escalate privileges and even take control of the entire server. Today, we will introduce you to four key “invisible permissions” through four examples: Sticky Bit, SUID, SGID, ACL.

1. Sticky Bit — The “Insurance Lock” for Temporary Directories
You may have seen directory permissions like this:
drwxrwxrwt 2 root root 4096 /tmp
The trailing <span>t</span> is the Sticky Bit.
-
Meaning: Everyone is allowed to write to the directory, but only the file creator or root can delete files.
-
Use case: Shared directories like
<span>/tmp</span>.
What happens without the Sticky Bit? Suppose you stored a temporary file in <span>/tmp</span><span>, and others could directly delete or replace it. Hackers could even forge a socket file with the same name, tricking high-privilege services into connecting, thereby escalating privileges.</span>
👉 Identification method: Check if there is a <span>t</span> at the end of the directory permissions.
2. SUID — “Temporary Privileges” for Ordinary Users
You may have seen file permissions like this:
-rwsr-xr-x 1 root root 123K /usr/bin/passwd
The <span>s</span> here is SUID.
-
Meaning: When a user executes this program, they temporarily gain the permissions of the file owner.
-
Use case:
<span>passwd</span>needs to modify<span>/etc/shadow</span><span>, so it must run with root privileges.</span>
Where’s the risk? If a SUID program is poorly written, hackers can exploit it to “accidentally gain root privileges.” For example, some older versions of <span>find</span> and <span>vim</span> can directly spawn a root shell through command parameters.
👉 Identification method: Use <span>ls -l</span> to check if the file’s execute bit has an <span>s</span>.
3. SGID — The “Amplifier” for Group Permissions
You may have seen file permissions like this:
-rwxr-sr-x 1 root mail 50K /usr/bin/mail
The <span>s</span> in the group position is SGID.
-
Meaning: When this program runs, it inherits the permissions of the file’s group.
-
Use case: Some programs need to share group resources, such as mail systems.
Where’s the risk? If SGID is bound to a sensitive group (like <span>shadow</span>), hackers can exploit it to read or modify critical files. Worse, if a directory has SGID and is writable, attackers can place malicious files inside, affecting the entire user group.
👉 Identification method: Use <span>ls -l</span> to check if the group position has an <span>s</span>.
4. ACL — The “Backdoor” in Flexible Permissions
Traditional permissions only have three types of subjects (user, group, others), but ACL can grant permissions to any individual user.
You may have seen ACL settings like this:
file: secrets.txt
owner: root
group: root
user::rw-user:alice:rwxgroup::r–mask::rwxother::—
Here, the ordinary user <span>alice</span> is granted read, write, and execute permissions individually.
-
Meaning: More granular permission control.
-
Use case: Collaboration among multiple users without wanting to change the main file permissions.
Where’s the risk? If an administrator carelessly grants permissions to critical files like <span>/etc/shadow</span><span> to ordinary users, it becomes a "backdoor expressway." More insidiously, hackers might use ACL to grant themselves permissions, even if the administrator cannot see it using traditional </span><code><span>ls -l</span><span>.</span>
👉 Identification method: Use <span>getfacl filename</span> to check for additional user permissions.
Summary
-
Sticky Bit: The insurance lock for shared directories; its absence may lead to file replacement.
-
SUID: Allows ordinary users to temporarily gain file owner permissions, easily abused for privilege escalation.
-
SGID: Expands group permission scope, potentially exploited to access sensitive data.
-
ACL: Flexible but dangerous; misconfiguration can create backdoors.
In summary: These permission features are meant for convenience, but if configured incorrectly, they become “invisible weapons” for hackers.