Sticky Bit, SUID and SGID in Linux with Examples

stickybit with examples

In this article, we explain special permissions that work on files and directories named as Sticky bit, SUID and SGID.

The sticky bit works on directories only. If a user wants to create or delete a file/directory in some directory, he needs write permission on that directory. The write permission on a directory gives a user the privilege to create a file as well as the privilege to remove it.

The /tmp directory is the directory for temporary files/directories. This directory has all the rights on all the three levels because all the users need to create/delete their temporary files. But as the users have write permission on this directory, they can delete any file in this directory. The permissions of that file do not have any effect on deletion.

But with sticky bit set on a directory, anyone can create a file/directory in it, but can delete his own files only. Files owned by other users cannot be deleted.

Sticky bit - How to view and set

You could notice t tag added to /tmp directory and it means bit is set for this directory.

$ ls -ld /tmp/
drwxrwxrwt 4 root root 4096 Aug 19 02:29 /tmp/

In Linux sticky bit can be set with chmod command. You can use +t tag to add and -t tag to delete sticky bit.

$ chmod o-t dir1
$ ls -l
total 8
drwxr-xr-x 2 root root 4096 Aug 19 03:08 dir1
$ chmod o+t dir1
$ ls -l
total 8
drwxr-xr-t 2 root root 4096 Aug 19 03:08 dir1


$ chmod 1777 dir1/
$ ls -l
total 8
drwxrwxrwt 2 root root 4096 Aug 19 03:08 dir1

Note: In Unix flavored OS, sticky bit has a different purpose but we are not discussing it here.

What is SUID Bit and How to set it

When an executable file runs, it runs under the ownership of the user who has executed it. It means that when student user runs ls command, then the corresponding process will run under the ownership of student. The SUID bit, also known as Set User ID bit, overwrites this behavior. If SUID bit is set on a program, then that program will run as the owner of that file, irrespective of who is executing it.

The passwd command in Linux has SUID bit set.

$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 23420 Aug 3 2010 /usr/bin/passwd

This can be seen in the third field of permissions. The 's' in place of 'x' indicates that SUID bit is set. With SUID bit set, when a normal user (say student) runs the passwd command, the command runs with the ownership of 'root', and not as student, because root is the owner of this file. This behavior is required because the passwords are stored in the /etc/shadow file, which has no permission on group or other level.

$ ls -l /etc/shadow
-r-------- 1 root root 1027 Jul 13 21:56 /etc/shadow

You need to understand that all users cannot be given read or write permission on this file for security reasons; otherwise, they will read/change the passwords of other users. So this causes a problem that if the users don't have permission on this file, then how will they change their own passwords? So SUID bit solves the problem. The passwd command has SUID bit set, so when normal users execute this command, they run it with the ownership of root, i.e. the owner of passwd command.

How to Set and unset SUID bit

This is to be noted that SUID bit works on files only. To set the SUID bit on a file, use the chmod command as follows

$ ls -l
total 8
-rwxr--r-- 1 root root 104 Aug 19 01:26
$ chmod u+s
$ ls -l
total 8
-rwsr--r-- 1 root root 104 Aug 19 01:26

The numeric method for changing permissions can also be used. Suppose if the normal permissions for a file are 744, then with SUID bit set, these will become 4744. SUID bit has value 4.

$ ls -l
total 8
-rwxr--r-- 1 root root 104 Aug 19 01:26
$ chmod 4744
$ ls -l
total 8
-rwsr--r-- 1 root root 104 Aug 19 01:26

How SGID Bit work on file and directory

Unlike SUID bit, SGID bit works on both files and directories, but it has a different meaning in both cases.

On files:

For file, it has similar meaning as the SUID bit, i.e. when any user executes a file with SGID bit set on it, it will always be executed with the group ownership of that file, irrespective of who is running it. For example, the file /sbin/netreport has SGID bit set, which can be seen in the 's' instead of 'x' in group permissions.

$ ls -l /sbin/netreport
-rwxr-sr-x 1 root root 6020 Oct 13 2010 /sbin/netreport

This file has group ownership of root group. So when a user (say student) executes it, then the corresponding process will not have group ownership of student, but that of root group.

On directories:

Now let’s talk about SGID on directories. SGID on directories is used for creating collaborative directories. To understand SGID bit on directories, consider the following scenario:

Suppose three users jack, jones and jenny are working together on some project. All of them belong to a group named javaproject. For the course of the project, they need to share all the files related to the project. All of them must be able to see each other's file. This can be done simply by providing read permission on group level. Further, suppose that the directory used for the project is "/javaproject".

Here, a problem arises that when a file is created, it belongs to the primary group of the user who created the file. So, when different users create their files in this directory, those files will not have group ownership of javaproject group.

What we do for our problem is that we set the group of /javaproject directory to be javaproject group, and set the SGID bit set on it. When SGID bit is set on a directory, all the files and directory created within it has the group ownership of the group associated with that directory. It means that after setting SGID bit on /javaproject directory, all the files and directories being created in this directory will have the group ownership of "javaproject" group. Moreover, this behavior is recursive, i.e. the directories created in this directory will have SGID bit set as well. The permissions for the new directory will also be same as that of /javaproject directory.

The SGID bit can be set with chmod command as follows:

$ ls -ld /javaproject
drwxrwxr-x 2 root javaproject 4096 Aug 19 02:33 /javaproject
$ chmod g+s /javaproject
$ ls -ld /javaproject
drwxrwsr-x 2 root javaproject 4096 Aug 19 02:33 /javaproject

Now when jones user creates a file in this directory, it is created under the group ownership of javaproject group.

$ touch /javaproject/jones1.txt
$ mkdir /javaproject/jones1dir
$ ls -l /javaproject/
total 12
drwxrwsr-x 2 jones javaproject 4096 Aug 19 02:38 jones1dir
-rw-rw-r-- 1 jones javaproject 0 Aug 19 02:37 jones1.txt

The numeric value corresponding to SGID bit is 2. So to add SGID bit numerically, use the following command:

$ ls -ld /shared/
drwxrwxr-x 2 root adm 4096 Aug 19 02:47 /shared/
$ chmod 2775 /shared/
$ ls -ld /shared/
drwxrwsr-x 2 root adm 4096 Aug 19 02:47 /shared/

Thanks for reading this article and refer sticky bit wiki page as well.

Read Also:

12 Comments... add one

  1. Examples: StickyBit , SUID & GUID Bits Differentiate In Linux

    The title is wrongly put as GUID. It should be SGID instead.

    GUID - Globally Unique Identifier

  2. [root@r7prd1 tmp]# ll /usr/sbin/fdisk
    -rwxr-sr-x. 1 root root 182472 Aug 21 2015 /usr/sbin/fdisk

    [user1@r7prd1 test_dir]$ fdisk -c /dev/sda
    fdisk: cannot open /dev/sda: Permission denied

    why i am getting permissions denied for a normal user even though sgid is set on fdisk ?
    fdisk must be running as root right ?

  3. Brother, excellent article about the special permissions of this type. Now I have a better understanding about the theme.


Leave a Comment