Linux Special Permissions: SUID, SGID, and Sticky Bit
Linux normally uses three permission groups:
u = user/owner
g = group
o = others
And three basic permissions:
r = read
w = write
x = execute
Example:
ls -l file.txt
Output:
-rwxr-xr--
But Linux also has special permissions:
SUID = user +s
SGID = group +s
Sticky Bit = others +t
They appear in ls -l output as:
s, S, t, or T
1. SUID — Set User ID
Meaning
SUID means:
When an executable file runs, it runs with the permission of the file owner, not the user who started it.
SUID is mainly useful on executable programs, not normal text files.
Set SUID
chmod u+s filename
Numeric form:
chmod 4755 filename
The 4 means SUID.
Remove SUID
chmod u-s filename
Example: /usr/bin/passwd
The passwd command lets a normal user change their own password.
ls -l /usr/bin/passwd
Possible output:
-rwsr-xr-x 1 root root ... /usr/bin/passwd
Notice:
rws
The s appears in the user execute position.
Normal owner permission would be:
rwx
With SUID, it becomes:
rws
Because /usr/bin/passwd is owned by root, when a normal user runs:
passwd
the program temporarily runs with the file owner’s privilege, which is root, but only for the controlled task of changing the password.
SUID: lowercase s vs uppercase S
This is very important.
Lowercase s
Lowercase s means:
SUID is set AND owner execute permission exists.
Example:
touch demo
chmod 755 demo
chmod u+s demo
ls -l demo
Output:
-rwsr-xr-x 1 user user ... demo
Here:
rws
means:
owner has read + write + execute
SUID is also set
Uppercase S
Uppercase S means:
SUID is set BUT owner execute permission is missing.
Example:
touch demo
chmod 644 demo
chmod u+s demo
ls -l demo
Output:
-rwSr--r-- 1 user user ... demo
Here:
rwS
means:
SUID is set
but owner execute permission is missing
So uppercase S usually means the special permission is set, but it is not useful for execution because x is missing.
2. SGID — Set Group ID
Meaning on files
SGID on an executable file means:
When the file runs, it runs with the permission of the file’s group owner.
Meaning on directories
SGID is especially useful on directories.
On a directory, SGID means:
New files and subdirectories created inside the directory inherit the directory’s group ownership.
This is very useful for shared project folders.
Set SGID
chmod g+s filename_or_directory
Numeric form:
chmod 2755 filename_or_directory
The 2 means SGID.
Remove SGID
chmod g-s filename_or_directory
Example: Shared project directory
Suppose we have a group named developers.
sudo mkdir /project
sudo chgrp developers /project
sudo chmod 2775 /project
Check:
ls -ld /project
Possible output:
drwxrwsr-x 2 root developers ... /project
Notice the group part:
rws
That means:
group has read + write + execute
SGID is set
Now when a user creates a file inside /project, the file inherits the directory’s group:
touch /project/app.txt
ls -l /project/app.txt
Possible output:
-rw-r--r-- 1 alice developers ... app.txt
Even if Alice’s normal primary group is different, the file is created with the developers group because the parent directory has SGID.
SGID: lowercase s vs uppercase S
Lowercase s
Lowercase s means:
SGID is set AND group execute permission exists.
Example:
mkdir shared
chmod 775 shared
chmod g+s shared
ls -ld shared
Output:
drwxrwsr-x 2 user user ... shared
The group permission part is:
rws
This means SGID is set and the group can enter/search the directory.
Uppercase S
Uppercase S means:
SGID is set BUT group execute permission is missing.
Example:
mkdir shared
chmod 764 shared
chmod g+s shared
ls -ld shared
Output:
drwxrwSr-- 2 user user ... shared
The group permission part is:
rwS
This means SGID is set, but group execute is missing.
For a directory, this is usually a problem because group members need x permission to enter or access items inside the directory.
3. Sticky Bit
Meaning
The Sticky Bit is mostly used on directories.
It means:
Users can create files in the directory, but they can delete only their own files.
This is useful for shared writable directories.
Set Sticky Bit
chmod o+t directory
Numeric form:
chmod 1777 directory
The 1 means Sticky Bit.
Remove Sticky Bit
chmod o-t directory
Example: /tmp
The /tmp directory is shared by many users and programs.
ls -ld /tmp
Possible output:
drwxrwxrwt 10 root root ... /tmp
Notice the last character:
t
That means Sticky Bit is set.
The directory is writable by many users, but one user cannot delete another user’s files.
Example: Create a shared temporary directory
sudo mkdir /sharedtmp
sudo chmod 1777 /sharedtmp
ls -ld /sharedtmp
Output:
drwxrwxrwt 2 root root ... /sharedtmp
Now different users can create files inside /sharedtmp, but they cannot delete files owned by other users.
Sticky Bit: lowercase t vs uppercase T
Sticky Bit uses t or T, not s or S.
Lowercase t
Lowercase t means:
Sticky Bit is set AND others execute permission exists.
Example:
mkdir sharedtmp
chmod 777 sharedtmp
chmod o+t sharedtmp
ls -ld sharedtmp
Output:
drwxrwxrwt 2 user user ... sharedtmp
The others permission part is:
rwt
This means:
others have read + write + execute
Sticky Bit is set
Uppercase T
Uppercase T means:
Sticky Bit is set BUT others execute permission is missing.
Example:
mkdir sharedtmp
chmod 776 sharedtmp
chmod o+t sharedtmp
ls -ld sharedtmp
Output:
drwxrwxrwT 2 user user ... sharedtmp
The others permission part is:
rwT
This means Sticky Bit is set, but others do not have execute permission.
For a directory, this usually means others cannot properly enter or access the directory.
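The SUID, SGID and Sticky Bit sections above each show a chmod command and the ls -l string it produces. The script below is an added example, not part of the original post: it builds a throwaway tree with mktemp, applies every form shown above (4755, 4644, 2775, 1777, 1776), reads the mode field back with ls -ld, and finishes with the find -perm audit a defender uses to locate files carrying special bits. The helper names (mode_of, group_of, build_sandbox, audit_special_bits) are this example's own. Everything is created by the current user, so the SUID file runs as that same user; only the permission display and the audit are being demonstrated. Note that the group-inheritance check is only meaningful when the directory's group differs from the creator's primary group, which a single-user sandbox cannot show.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway tree, apply each
# special bit with the chmod forms shown above, and read the result back with
# ls -l and find. Everything is created by the current user, so the SUID file
# runs as that same user; only the mode display is being demonstrated.
set -eu

# The 10-character mode field of ls -l / ls -ld (an ACL "+" or context "." suffix is dropped).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Group owner of a path, taken from the fourth field of ls -ld.
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Create the sandbox tree and print its path. The caller removes it.
build_sandbox() {
    sandbox=$(mktemp -d)

    # SUID on an executable: chmod 4755 -> -rwsr-xr-x (lowercase s)
    printf '#!/bin/sh\necho hello\n' > "$sandbox/prog"
    chmod 4755 "$sandbox/prog"

    # SUID without owner execute: chmod 4644 -> -rwSr--r-- (uppercase S)
    : > "$sandbox/data"
    chmod 4644 "$sandbox/data"

    # SGID on a directory: chmod 2775 -> drwxrwsr-x; files created inside take its group
    mkdir "$sandbox/project"
    chmod 2775 "$sandbox/project"
    : > "$sandbox/project/app.txt"

    # Sticky bit on a world-writable directory: chmod 1777 -> drwxrwxrwt
    mkdir "$sandbox/drop"
    chmod 1777 "$sandbox/drop"

    # Sticky bit without others execute: chmod 1776 -> drwxrwxrwT
    mkdir "$sandbox/drop_noexec"
    chmod 1776 "$sandbox/drop_noexec"

    printf '%s\n' "$sandbox"
}

# Defender's check: list every path under $1 that carries a special bit.
# "find -perm -NNNN" matches when all of the listed bits are set.
audit_special_bits() {
    find "$1" -perm -4000 -exec printf 'SUID   %s\n' {} \;
    find "$1" -perm -2000 -exec printf 'SGID   %s\n' {} \;
    find "$1" -perm -1000 -exec printf 'STICKY %s\n' {} \;
}

# Stand-alone demo: prints each mode string and the audit, then cleans up.
demo() {
    sb=$(build_sandbox)
    for p in prog data project drop drop_noexec; do
        printf '%-12s %s\n' "$p" "$(mode_of "$sb/$p")"
    done
    printf 'app.txt group: %s (directory group: %s)\n' \
        "$(group_of "$sb/project/app.txt")" "$(group_of "$sb/project")"
    audit_special_bits "$sb"
    rm -rf "$sb"
}

demo
```

Run it as any unprivileged user. On a real system the same audit is typically `find / -xdev -type f -perm -4000` (SUID) and `-perm -2000` (SGID); compare the result with a known-good list for the distribution so that a new or unexpected entry stands out.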
Quick Summary of s, S, t, and T
| Symbol | Location in ls -l | Meaning |
|---|---|---|
| s | user execute position | SUID set and user execute exists |
| S | user execute position | SUID set but user execute missing |
| s | group execute position | SGID set and group execute exists |
| S | group execute position | SGID set but group execute missing |
| t | others execute position | Sticky Bit set and others execute exists |
| T | others execute position | Sticky Bit set but others execute missing |
Visual Examples
Normal executable file
-rwxr-xr-x
Owner has execute permission.
SUID with execute
-rwsr-xr-x
SUID is active and owner execute exists.
SUID without execute
-rwSr-xr-x
SUID is set, but owner execute is missing.
Normal group-executable directory
drwxrwxr-x
Group has execute permission.
SGID directory with execute
drwxrwsr-x
SGID is active and group execute exists.
SGID directory without group execute
drwxrwSr-x
SGID is set, but group execute is missing.
Sticky Bit directory with others execute
drwxrwxrwt
Sticky Bit is active and others execute exists.
Sticky Bit directory without others execute
drwxrwxrwT
Sticky Bit is set, but others execute is missing.
Numeric Permission Summary
Special permissions are added before the normal three permission digits.
| Permission | Numeric value | Example |
|---|---|---|
| SUID | 4 | chmod 4755 program |
| SGID | 2 | chmod 2775 shareddir |
| Sticky Bit | 1 | chmod 1777 sharedtmp |
Examples:
chmod 4755 program # SUID + rwxr-xr-x
chmod 2755 directory # SGID + rwxr-xr-x
chmod 1777 directory # Sticky Bit + rwxrwxrwx
You can also combine them:
chmod 6755 program
Here:
6 = 4 + 2
So 6755 means:
SUID + SGID + rwxr-xr-x
Command Summary
Set SUID:
chmod u+s program
Remove SUID:
chmod u-s program
Set SGID:
chmod g+s directory
Remove SGID:
chmod g-s directory
Set Sticky Bit:
chmod o+t directory
Remove Sticky Bit:
chmod o-t directory
Check permissions:
ls -l filename
ls -ld directory
Practical Use Cases
SUID use case
Used when a normal user needs to run a specific program with the file owner’s privileges.
Common example:
ls -l /usr/bin/passwd
Possible output:
-rwsr-xr-x 1 root root ... /usr/bin/passwd
This allows users to change their passwords safely without giving them full root access.
SGID use case
Used for shared team directories.
Example:
sudo mkdir /team
sudo chgrp developers /team
sudo chmod 2775 /team
Result:
drwxrwsr-x root developers /team
Files created inside /team inherit the developers group.
Sticky Bit use case
Used for shared writable directories where users should not delete each other’s files.
Example:
sudo mkdir /publicdrop
sudo chmod 1777 /publicdrop
Result:
drwxrwxrwt root root /publicdrop
Users can create files, but they cannot delete other users’ files.
Final Blog Summary
SUID: Run an executable as the file owner.
SGID: Run an executable as the file group, or make files inherit a directory group.
Sticky Bit: In shared directories, users can delete only their own files.
The lowercase letters mean the related execute permission is present:
s = SUID/SGID + execute
t = Sticky Bit + execute
The uppercase letters mean the special permission is set, but execute is missing:
S = SUID/SGID set, execute missing
T = Sticky Bit set, execute missing
For practical use, lowercase s and t are usually what you expect to see. Uppercase S or T often indicates a permission setup that should be reviewed.
REF: AI Tools/ChatGPT
