Linux Permission Management – Special File Permissions

In the previous article, we discussed the basic file permissions in Linux, namely r (read), w (write), and x (execute). However, there are also some special permission indicators in the Linux system:

  • s – SetUID (the owner's execute bit x becomes s)

  • s – SetGID (the group's execute bit x becomes s)

  • t – Sticky Bit (the other-users execute bit x becomes t)

2.1 SUID (Set User ID)

SUID (Set User ID) is a special permission bit on an executable file: when a user runs a file that has SUID set, the resulting process runs with the identity of the file's owner rather than the identity of the user who launched it.

Core Function: Executes the file with the identity of the file owner.

Some system commands in Linux (such as /usr/bin/passwd) have SUID permission enabled by default, allowing regular users to change their own account passwords. This is because the password file /etc/shadow can only be read and written by root.

# Check the permissions of the passwd command (has SUID)
zc@ytbk2:~$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 59976 Feb  6  2024 /usr/bin/passwd

# Check the permissions of the shadow file (no permissions for regular users)
zc@ytbk2:~$ ls -l /etc/shadow
-rw-r----- 1 root shadow 1906 Oct  9 10:31 /etc/shadow
passwd Execution Process
  1. A regular user executes the passwd command.

  2. Since passwd has SUID permission, the process runs as root.

  3. The root process can modify the /etc/shadow file (which regular users have no permission to access).

  4. After completing the password change, the process terminates.

Setting SUID Permission:

# Set SUID permission
chmod u+s filename      # Symbolic notation
chmod 4755 filename     # Numeric notation (add 4 before normal permissions)

# Remove SUID permission
chmod u-s filename      # Symbolic notation
chmod 0755 filename     # Numeric notation

Example:

zc@ytbk2:~$ ls -l ytfs.sh          # Check the original permissions of the file
-rwxrw-r-- 1 zc zc 135 Jun 21  2023 ytfs.sh
zc@ytbk2:~$ chmod u+s ytfs.sh      # Add SUID permission
zc@ytbk2:~$ ls -l ytfs.sh          # Check the permissions after setting
-rwsrw-r-- 1 zc zc 135 Jun 21  2023 ytfs.sh

# Permission change explanation:
# Normal permission bits:  -rwxrw-r--
# SUID permission bit:     -rwsrw-r--
#                             └── Owner's execute bit x changes to s
Security Risks and Principles

SUID permission is a double-edged sword:

  • Proper Use: Provides necessary system functionality (such as passwd), allowing regular users to change their passwords.

  • Abuse Risk: Can lead to serious privilege escalation vulnerabilities; incorrect SUID settings may allow attackers to easily gain root access!

Core Security Principles for Using SUID:

  1. Least Privilege: Use SUID only when absolutely necessary.

  2. Regular Audits: Monitor all SUID files.

  3. Code Security: SUID programs must have strict security checks.
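The "Regular Audits" principle above in working form. This is an added example, not code from the original article: it lists every file under a tree that carries SUID or SGID and flags any entry missing from a reviewed baseline. The demo tree, its file names and the baseline are constructed here for illustration; on a real host the baseline is the list you have reviewed (such as /usr/bin/passwd).

```shell
#!/bin/sh
# Added example, not from the original article: audit a directory tree for
# files carrying SUID or SGID and flag any that are not on a reviewed baseline.
# The demo tree, file names and baseline below are constructed for illustration.

# Print every regular file under $1 with SUID (4000) or SGID (2000) set, sorted.
list_special_files() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Compare the tree against a baseline file ($2, one absolute path per line).
# Prints unexpected entries to stderr and returns 1 if any exist, else 0.
audit_special_files() {
  root=$1; baseline=$2
  unexpected=$(list_special_files "$root" | grep -vxF -f "$baseline" || true)
  if [ -n "$unexpected" ]; then
    printf '%s\n' "$unexpected" | sed 's/^/UNEXPECTED special-bit file: /' >&2
    return 1
  fi
  return 0
}

# Constructed demo tree: one approved SUID helper, one unlisted helper that is
# both SUID and SGID, and one ordinary executable. Prints the tree's path.
make_demo_tree() {
  d=$(mktemp -d)
  for f in approved_helper rogue_helper plain; do
    printf '#!/bin/sh\necho demo\n' > "$d/$f"
  done
  chmod 4755 "$d/approved_helper"   # SUID only, like /usr/bin/passwd
  chmod 6755 "$d/rogue_helper"      # SUID + SGID, deliberately not on baseline
  chmod 0755 "$d/plain"             # no special bits, must not be reported
  printf '%s\n' "$d/approved_helper" > "$d/baseline.txt"
  printf '%s\n' "$d"
}
```

To audit a live system, call `audit_special_files / /etc/suid-baseline.txt` (path assumed) from a scheduled job and alert on a non-zero exit.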

Security Check Mechanism of the passwd Command:

  • Regular users: Can only use passwd (no parameters) to change their own password.

  • Root users: Can use passwd username to change any user's password.

2.2 SGID (Set Group ID)

SGID has two different mechanisms:

Effect on Files: When an executable file with SGID is run, the process runs with the file's group as its group identity. This is similar to SUID, but the elevation applies to the group rather than to the owner.

Effect on Directories: New files created in the directory automatically inherit the directory’s group, and new subdirectories will automatically inherit SGID permissions.

Setting SGID Permission:

# Set SGID permission
chmod g+s file          # Symbolic notation (file)
chmod g+s directory/    # Symbolic notation (directory)
chmod 2755 filename     # Numeric notation (add 2 before normal permissions)
chmod 2775 directory/   # Numeric notation (directory)

# Remove SGID permission
chmod g-s file_or_directory

Example:

# Check current user information
zc@ytbk2:~$ id
uid=1000(zc) gid=1000(zc) groups=1000(zc),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)

# Create a directory and set SGID
zc@ytbk2:~$ mkdir IT_share
zc@ytbk2:~$ sudo chown :IT_groups IT_share/     # Set directory group
zc@ytbk2:~$ sudo chmod g+s IT_share/            # Set SGID permission

# Verify directory permissions
zc@ytbk2:~$ ls -ld IT_share/
drwxrwsr-x 2 zc IT_groups 4096 Oct 13 14:24 IT_share/

# Test file inheritance effect
zc@ytbk2:~/IT_share$ touch 111.txt      # Create file
zc@ytbk2:~/IT_share$ mkdir test         # Create subdirectory

# Verify permission inheritance
zc@ytbk2:~/IT_share$ ls -l
-rw-rw-r-- 1 zc IT_groups    0 Oct 13 14:25 111.txt
drwxrwsr-x 2 zc IT_groups 4096 Oct 13 14:26 test/

# ✅ File 111.txt automatically inherits the IT_groups group
# ✅ Subdirectory test automatically inherits SGID permission (displayed as rws)

Main Application Scenarios

Core Value of SGID: Solves file permission issues during multi-user collaboration.

In team project development, multiple developers need to work in the same directory. SGID ensures:

  • All members’ created files automatically belong to the project group.

  • Avoid file permission conflicts, enabling seamless collaboration.

  • Newly created files are accessible and modifiable by other group members by default.

SGID permissions simplify file collaboration management in multi-user environments while maintaining system security through intelligent group permission inheritance mechanisms.

2.3 Sticky Bit

The sticky bit is a special directory permission whose main purpose is this: in a directory writable by multiple users, each user can delete only the files they created and cannot delete files created by others.

Core Function: Users can only delete files they created in the directory.

Setting Sticky Bit Permission:

# Set sticky bit
chmod +t directory_name     # Symbolic notation
chmod o+t directory_name    # Symbolic notation
chmod 1755 directory_name   # Numeric notation (add 1 before normal permissions)

# Remove sticky bit
chmod -t directory_name
chmod o-t directory_name

Normal directory permissions:     drwxr-xr-x
Sticky bit directory permissions: drwxr-xr-t
                                           └── Other users' execute bit x changes to t
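The "x becomes s" and "x becomes t" notation explained for SUID above and for the sticky bit here, turned into a small decoder. This is an added example, not code from the original article: it converts the mode column printed by ls -l into the numeric form that chmod takes, and also goes beyond the page by handling the upper-case S and T that ls prints when a special bit is set but the matching execute bit is not.

```shell
#!/bin/sh
# Added example, not from the original article: translate the mode column that
# `ls -l` prints (for example -rwsr-xr-x) into the numeric form chmod takes
# (4755). Beyond the page's s and t, it also handles S and T, which ls shows
# when a special bit is set but the corresponding execute bit is not.

mode_to_octal() {
  m=$1
  # Drop the leading file-type character (-, d, l, ...) when present.
  if [ ${#m} -eq 10 ]; then m=$(printf '%s' "$m" | cut -c2-); fi
  if [ ${#m} -ne 9 ]; then return 1; fi
  special=0 digits="" n=1
  while [ $n -le 3 ]; do            # n=1 owner, n=2 group, n=3 others
    start=$(( (n - 1) * 3 + 1 ))
    r=$(printf '%s' "$m" | cut -c"$start")
    w=$(printf '%s' "$m" | cut -c"$((start + 1))")
    x=$(printf '%s' "$m" | cut -c"$((start + 2))")
    v=0
    if [ "$r" = r ]; then v=$((v + 4)); fi
    if [ "$w" = w ]; then v=$((v + 2)); fi
    case $x in
      x) v=$((v + 1)) ;;
      s|S)                          # SUID in owner triple, SGID in group triple
        if [ $n -eq 1 ]; then special=$((special + 4))
        elif [ $n -eq 2 ]; then special=$((special + 2))
        else return 1; fi
        if [ "$x" = s ]; then v=$((v + 1)); fi ;;   # lower case: x is also set
      t|T)                          # sticky bit, only valid in the others triple
        if [ $n -ne 3 ]; then return 1; fi
        special=$((special + 1))
        if [ "$x" = t ]; then v=$((v + 1)); fi ;;
      '-') ;;
      *) return 1 ;;
    esac
    digits="$digits$v"
    n=$((n + 1))
  done
  printf '%s%s\n' "$special" "$digits"
}
```

Calling `mode_to_octal drwxrwsr-t` yields 3775, the same value the SGID-plus-sticky example later on the page passes to chmod.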

Example:

# Create a shared directory and set sticky bit
zc@ytbk2:~$ sudo mkdir -p /share/update
zc@ytbk2:~$ sudo chmod 1777 /share/update/    # Set sticky bit permission

# Verify directory permissions
zc@ytbk2:~$ ls -ld /share/update/
drwxrwxrwt 2 root root 4096 Oct 13 14:51 /share/update/

# Test file operation protection
sudo -u alice touch /share/update/alice1.txt   # User alice creates a file
sudo -u bob touch /share/update/bob1.txt       # User bob creates a file

# User bob attempts to delete alice's file
sudo -u bob rm /share/update/alice1.txt
# Output:
rm: cannot remove '/share/update/alice1.txt': Operation not permitted
# ✅ Sticky bit protection is effective!
Sticky Bit Security Mechanism and Protection Principle

Directory permissions: drwxrwxrwt
├── All users can: create files, rename their own files
├── All users can: read and execute other users' files (if file permissions allow)
└── But can only: delete or rename files they created

Security Advantages

  1. Prevents Accidental Deletion: Users will not accidentally delete important files of others.

  2. Prevents Malicious Deletion: Prevents users from intentionally deleting competitors’ files.

  3. Maintains Directory Cleanliness: Users are responsible for cleaning up their created files.

  4. Supports Collaboration: Allows safe parallel work in shared spaces.

Sticky Bit Combined with Other Permissions

# Fully open temporary directory (similar to /tmp)
chmod 1777 /shared/temp

# Group-shared working directory
chmod 1770 /team/workspace    # Only group members can access
chmod 1775 /team/readonly     # Group members can write, others can only read

# Restricted upload directory
chmod 1755 /uploads           # Everyone can read, but only the owner can delete

Used in Combination with SGID

# Create a directory that inherits group permissions and is protected by the sticky bit
sudo mkdir /team/project
sudo chown :developers /team/project
sudo chmod 3775 /team/project    # SGID(2) + Sticky Bit(1) = 3

# Verify combined permissions
ls -ld /team/project
# Output:
drwxrwsr-t  # SGID(s) + Sticky Bit(t)

Sticky Bit Usage Principles:

  1. Necessary Protection: Set sticky bit on all shared directories writable by multiple users.

  2. Minimize Permissions: Combine with appropriate read/write permission restrictions.

  3. Regular Audits: Monitor the security status of sticky bit directories.

  4. Documentation: Provide usage instructions for sticky bit directories.
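The SGID-plus-sticky team directory from "Used in Combination with SGID" and the "Regular Audits" principle above, as one script. This is an added example, not code from the original article: it creates the 3775 directory, checks that both bits are actually in effect (including that a new subdirectory inherits SGID, as the SGID section describes), and lists directories that anyone can write to but that lack the sticky bit. The paths and the group name are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: build the SGID + sticky bit
# team directory (mode 3775), verify that both bits are in effect and that
# SGID really is inherited, and list world-writable directories without the
# sticky bit. Paths and the group name are assumptions for the demo.

# Create a collaborative directory: group-writable, SGID so new entries inherit
# the group, sticky so only a file's owner (or root) can delete or rename it.
setup_shared_dir() {
  dir=$1; group=${2:-}
  mkdir -p "$dir"
  if [ -n "$group" ]; then chgrp "$group" "$dir"; fi   # needs membership or root
  chmod 3775 "$dir"        # 2 (SGID) + 1 (sticky) = 3, followed by rwxrwxr-x
}

# Return 0 when the directory has SGID and sticky set and a freshly created
# subdirectory inherits SGID; return 1 (with a reason on stderr) otherwise.
verify_shared_dir() {
  dir=$1
  # -perm -2000 = SGID bit present, -perm -1000 = sticky bit present (GNU find)
  if [ -z "$(find "$dir" -maxdepth 0 -type d -perm -2000 -perm -1000)" ]; then
    echo "$dir: SGID or sticky bit missing" >&2
    return 1
  fi
  probe="$dir/.sgid_probe_$$"
  mkdir "$probe"
  inherited=$(find "$probe" -maxdepth 0 -type d -perm -2000)
  rmdir "$probe"
  if [ -z "$inherited" ]; then
    echo "$dir: new subdirectory did not inherit SGID" >&2
    return 1
  fi
  return 0
}

# Print directories under $1 that anyone can write to but that have no sticky
# bit, i.e. places where users could delete each other's files.
find_unprotected_dirs() {
  find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print | sort
}
```

For the page's layout, run `setup_shared_dir /team/project developers && verify_shared_dir /team/project` as root, and schedule `find_unprotected_dirs /` to catch shared directories that lost their sticky bit.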

Remember: The sticky bit is a “safety net” for shared directories, preventing accidental or malicious file deletion!

Conclusion

The special permission mechanisms in Linux provide more granular access control:

  • SUID: Addresses the need for specific programs to temporarily elevate permissions.

  • SGID: Optimizes file collaboration management in multi-user environments.

  • Sticky Bit: Protects file security in shared directories.

Correctly understanding and using these special permissions can provide a more flexible and efficient permission management solution while ensuring system security.
