Linux & Mac & Bash Command Dictionary

Special Permissions (setuid / setgid / sticky bit)

In addition to the standard read, write, and execute permissions, Linux has three special permission bits: setuid, setgid, and the sticky bit. setuid makes an executable run with the privileges of the file's owner rather than those of the caller; this is how /usr/bin/passwd, which is owned by root, can update /etc/shadow on behalf of an ordinary user. setgid on an executable does the same for the file's group, and setgid on a directory makes files created inside it inherit the directory's group instead of the creator's primary group. The sticky bit, set on world-writable directories such as /tmp, allows only a file's owner, the directory's owner, or root to delete or rename that file, even when the file itself is world-writable.

Syntax

# -----------------------------------------------
#  Setting and checking special permissions
# -----------------------------------------------

# Symbolic notation with chmod:
#   u+s  → setuid  (sets s in the owner's execute bit)
#   g+s  → setgid  (sets s in the group's execute bit)
#   +t   → sticky  (sets t in the others' execute bit)
#   Example: sudo chmod u+s /usr/local/bin/kof_tool
#   Example: sudo chmod g+s /home/kof_team/shared
#   Example: sudo chmod +t /tmp/kof_arena

# Numeric notation with chmod:
#   chmod {special bit}{rwx permissions} {file/directory}
#     The special bit is a fourth octal digit placed in front of the usual three
#     4 → setuid
#     2 → setgid
#     1 → sticky bit
#   Example: sudo chmod 4755 /usr/local/bin/kof_tool   # setuid + rwxr-xr-x
#   Example: sudo chmod 2775 /home/kof_team/shared      # setgid + rwxrwxr-x
#   Example: sudo chmod 1777 /tmp/kof_arena             # sticky + rwxrwxrwx

# Checking permissions (ls -l shows special bits in the output)
#   s in the owner's execute position  → setuid is active
#   s in the group's execute position  → setgid is active
#   t in the others' execute position  → sticky bit is active
#   Lowercase s / t → execute permission set + special bit set
#   Uppercase S / T → execute permission NOT set + special bit set (likely a misconfiguration)
ls -l /usr/bin/passwd
ls -l /tmp
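As an added example (not code from the original page), the following shell function reads the ten-character mode string that ls -ld prints and names the special bits on a path, distinguishing the lowercase s/t case from the uppercase S/T misconfiguration described above. It assumes only POSIX ls, cut and chmod, so it works on Linux and macOS; the function names and the scratch files it creates are my own.

```bash
#!/usr/bin/env bash
# Added example: decode the special bits from the mode string printed by ls -ld.
# Assumes only POSIX ls, cut and chmod; function names and scratch files are my own.

# Print which special bits are set on a path: "setuid", "setgid", "sticky",
# with "(no-exec)" appended when the bit is set but the matching execute bit
# is not (ls shows S or T in that case, which is usually a chmod mistake).
# Prints "none" when no special bit is set.
special_bits() {
    local mode out
    [ -e "$1" ] || { echo "special_bits: no such path: $1" >&2; return 1; }
    mode=$(ls -ld -- "$1" | cut -c1-10)          # e.g. -rwsr-xr-x
    out=""
    case $mode in                                 # 4th char: owner execute slot
        ???s*) out="${out}setuid " ;;
        ???S*) out="${out}setuid(no-exec) " ;;
    esac
    case $mode in                                 # 7th char: group execute slot
        ??????s*) out="${out}setgid " ;;
        ??????S*) out="${out}setgid(no-exec) " ;;
    esac
    case $mode in                                 # 10th char: others execute slot
        ?????????t) out="${out}sticky " ;;
        ?????????T) out="${out}sticky(no-exec) " ;;
    esac
    out=${out% }
    printf '%s\n' "${out:-none}"
}

# Demo in a scratch directory. No root is needed to *set* these bits on files
# you own; the kernel only honours setuid/setgid at exec time, and ignores them
# on filesystems mounted nosuid.
demo_special_bits() {
    local dir p
    dir=$(mktemp -d)
    : > "$dir/tool";     chmod 4755 "$dir/tool"      # -rwsr-xr-x  setuid + exec
    : > "$dir/broken";   chmod 4644 "$dir/broken"    # -rwSr--r--  setuid, no exec
    mkdir "$dir/shared"; chmod 2775 "$dir/shared"    # drwxrwsr-x  setgid directory
    mkdir "$dir/arena";  chmod 1777 "$dir/arena"     # drwxrwxrwt  sticky
    mkdir "$dir/plain";  chmod 755  "$dir/plain"     # drwxr-xr-x  nothing special
    for p in tool broken shared arena plain; do
        printf '%-7s %s\n' "$p" "$(special_bits "$dir/$p")"
    done
    rm -rf -- "$dir"
}

demo_special_bits
```

Because the function only looks at the first ten characters of the ls output, the trailing "+" or "." that ls appends for ACLs and security labels does not affect it.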

Syntax Reference

| Special permission | Command (symbolic) | Command (numeric) | Description |
|---|---|---|---|
| setuid | chmod u+s {file} | chmod 4{xxx} {file} | Runs the file with the file owner's privileges. Used by /usr/bin/passwd to update the password file as root. |
| setgid (file) | chmod g+s {file} | chmod 2{xxx} {file} | Runs the file with the file's group privileges. Useful for commands shared by a group. |
| setgid (directory) | chmod g+s {directory} | chmod 2{xxx} {directory} | Files created inside the directory inherit the directory's group, and new subdirectories inherit the setgid bit as well. Convenient for shared team directories. |
| sticky bit | chmod +t {directory} | chmod 1{xxx} {directory} | Only the file's owner, the directory's owner, and root can delete or rename files inside the directory. Set by default on /tmp. |
| Remove setuid | chmod u-s {file} | | Disables setuid. |
| Remove setgid | chmod g-s {file/directory} | | Disables setgid. Note that GNU chmod does not clear a directory's setuid/setgid bits when given a plain three-digit numeric mode such as 775; use the symbolic form. |
| Remove sticky bit | chmod -t {directory} | | Disables the sticky bit. |
| Search for special permissions | find {path} -perm /4000 | | Finds files with setuid set. Use /2000 for setgid and /1000 for the sticky bit. |

Examples

Check the setuid bit on /usr/bin/passwd
# -----------------------------------------------
#  Check the setuid bit on the passwd command
# -----------------------------------------------

# Display permissions with ls -l
# setuid is active if the owner's execute bit shows s
ls -l /usr/bin/passwd

Run the following command:

$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 59976 Mar 22 06:28 /usr/bin/passwd

The following example demonstrates this:

# -----------------------------------------------
#  Change a password as a regular user (kyo)
# -----------------------------------------------

# Run passwd as user kyo
# setuid allows it to write to /etc/shadow with root privileges
# (regular users cannot edit /etc/shadow directly)
passwd

Run the following command:

$ id
uid=1001(kyo) gid=1001(kyo) groups=1001(kyo)
$ passwd
Current password:
New password:
Retype new password:
passwd: password updated successfully

Set setgid on a directory to create a shared team folder
# -----------------------------------------------
#  Set setgid on a shared team directory
# -----------------------------------------------

# Create the kof_team group
sudo groupadd kof_team

# Add kyo and iori to the group
sudo usermod -aG kof_team kyo
sudo usermod -aG kof_team iori

# Create the shared directory (including its parent) and assign the group
sudo mkdir -p /home/kof_team/shared
sudo chown root:kof_team /home/kof_team/shared

# Set setgid (the group's execute bit becomes s)
sudo chmod 2775 /home/kof_team/shared

# Verify the settings
ls -ld /home/kof_team/shared

Run the following command:

$ ls -ld /home/kof_team/shared
drwxrwsr-x 2 root kof_team 4096 Mar 25 10:00 /home/kof_team/shared

The following example demonstrates this:

# -----------------------------------------------
#  Files created by kyo automatically inherit the group
# -----------------------------------------------

# Create a file in the shared directory as user kyo
# (kyo's new kof_team membership only applies to a new login session or after
#  `newgrp kof_team`; check that `id` lists kof_team before continuing)
touch /home/kof_team/shared/kyo_movelist.txt

# Confirm that the file's group is kof_team
# Without setgid, the file would get kyo's primary group (kyo), and the group
# permissions would not let iori work on it
ls -l /home/kof_team/shared/kyo_movelist.txt

Run the following command:

$ ls -l /home/kof_team/shared/kyo_movelist.txt
-rw-rw-r-- 1 kyo kof_team 0 Mar 25 10:05 /home/kof_team/shared/kyo_movelist.txt

Check the sticky bit on /tmp
# -----------------------------------------------
#  Check the sticky bit on /tmp
# -----------------------------------------------

# The sticky bit is active if the others' execute bit shows t in ls -ld output
ls -ld /tmp

Run the following command:

$ ls -ld /tmp
drwxrwxrwt 18 root root 4096 Mar 25 10:10 /tmp

The following example demonstrates this:

# -----------------------------------------------
#  Verify the deletion restriction enforced by sticky bit
# -----------------------------------------------

# kyo creates a file in /tmp
touch /tmp/kyo_temp.txt
chmod 777 /tmp/kyo_temp.txt

# iori tries to delete that file
# Even though the file itself is world-writable (777), the sticky bit on /tmp
# only lets the file's owner (kyo), the directory's owner (root), or root remove it
rm /tmp/kyo_temp.txt  # run as iori

Run the following command:

$ id
uid=1002(iori) gid=1002(iori) groups=1002(iori)
$ rm /tmp/kyo_temp.txt
rm: cannot remove '/tmp/kyo_temp.txt': Operation not permitted

Search the entire system for files with setuid set
# -----------------------------------------------
#  Search for setuid/setgid files for security auditing
# -----------------------------------------------

# Search for regular files with setuid set under /
# Useful for detecting suspicious setuid files during a security audit
# (-type f skips directories; 2>/dev/null hides noise from /proc and similar)
sudo find / -perm /4000 -type f 2>/dev/null

# Search for files and directories with setgid set
sudo find / -perm /2000 2>/dev/null

# Search for files with either setuid or setgid set in one command
# (-perm /6000 matches if any of the two bits is set; -perm -6000 would require both)
sudo find / -perm /6000 -type f 2>/dev/null

Run the following command:

$ sudo find /usr/bin -perm /4000 -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
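The one-off find above tells you what is setuid today, but for periodic auditing you want to know what changed. As an added example (not code from the original page), the script below records a baseline of setuid/setgid files and, on later runs, prints only entries that appeared, disappeared, or changed mode or owner. It assumes GNU find and stat (Linux); on macOS the stat call would be stat -f '%Sp %Su %Sg %N' instead. The function names are my own.

```bash
#!/usr/bin/env bash
# Added example: baseline comparison for setuid/setgid files.
# Assumes GNU find and stat (Linux). Function names are my own.
export LC_ALL=C   # byte-order sorting so that sort and comm agree on line order

# One "mode owner group path" line per setuid/setgid regular file under $1, sorted.
# -xdev stays on one filesystem (skips /proc, network mounts); 2>/dev/null hides
# "Permission denied" noise when the scan is not run as root.
list_suid() {
    find "$1" -xdev -type f -perm /6000 \
        -exec stat -c '%A %U %G %n' {} + 2>/dev/null | sort
}

# Compare the tree under $1 against the baseline file $2.
# Prints "+ line" for entries that are new (or whose mode/owner changed) and
# "- line" for entries no longer present. Returns 0 when nothing changed and
# 1 otherwise, so a cron job can turn a non-zero exit into an alert.
audit_suid() {
    local root=$1 baseline=$2 current added removed
    [ -r "$baseline" ] || { echo "audit_suid: cannot read baseline $baseline" >&2; return 2; }
    current=$(mktemp)
    list_suid "$root" > "$current"
    added=$(comm -13 "$baseline" "$current")    # lines only in the current scan
    removed=$(comm -23 "$baseline" "$current")  # lines only in the baseline
    rm -f -- "$current"
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/+ /'
    fi
    if [ -n "$removed" ]; then
        printf '%s\n' "$removed" | sed 's/^/- /'
    fi
    if [ -z "$added" ] && [ -z "$removed" ]; then
        return 0
    fi
    return 1
}

# Demo in a scratch tree (constructed here, not a real system): record a
# baseline, then drop in a new setgid file and loosen the mode of an existing
# setuid file to see what the audit reports.
demo_audit() {
    local dir
    dir=$(mktemp -d)
    : > "$dir/passwd-like"; chmod 4755 "$dir/passwd-like"
    list_suid "$dir" > "$dir/baseline.txt"
    echo "--- first run: nothing changed"
    audit_suid "$dir" "$dir/baseline.txt" && echo "ok" || echo "CHANGED"
    : > "$dir/dropped-here"; chmod 2755 "$dir/dropped-here"   # new setgid file
    chmod 4777 "$dir/passwd-like"                               # mode changed
    echo "--- second run: one new file, one changed mode"
    audit_suid "$dir" "$dir/baseline.txt" && echo "ok" || echo "CHANGED"
    rm -rf -- "$dir"
}

demo_audit
```

In practice you would run list_suid / as root once on a freshly installed host, store the baseline somewhere the host cannot modify, and have the periodic job call audit_suid / against it; a changed mode on an existing binary shows up as a "-" line paired with a "+" line for the same path.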

Overview

setuid, setgid, and the sticky bit are special mode bits layered on top of the rwx permissions set with chmod (ownership itself is set with chown). setuid makes a file run with the file owner's privileges rather than the caller's, which is how /usr/bin/passwd lets a regular user safely update a root-only file (/etc/shadow). setgid on a directory propagates the directory's group to newly created files, simplifying the management of shared team directories. The sticky bit protects files in world-writable directories such as /tmp from accidental or intentional deletion by other users. These bits also carry risk: a carelessly granted setuid binary, for example one that runs a shell, executes commands taken from its arguments or environment, or writes to caller-chosen paths, can be abused to run arbitrary code as root. Keep the set of setuid files on a host minimal, mount user-writable filesystems with nosuid where possible, and run find / -perm /4000 periodically, comparing the result with a known-good baseline, to catch unexpected setuid files. For the fundamentals of file permissions, see the chmod / chown page.
