TechEarl

setuid, setgid, and the Sticky Bit Explained

What the s and t bits do, why /usr/bin/passwd is setuid and /tmp is sticky, how to set them, and how to audit a system for risky setuid binaries.

Ishan Karunaratne⏱️ 4 min readUpdated
Share thisCopied
What setuid, setgid, and the sticky bit do, why passwd is setuid and /tmp is sticky, and how to set and audit them.

Beyond the nine rwx bits there is a fourth octal digit holding three special bits: setuid, setgid, and the sticky bit. You have seen them in ls -l as an s or t where an x would be:

Terminal showing ls -l of /usr/bin/passwd with rws (setuid) and ls -ld of /tmp with a trailing t (sticky bit).
passwd shows rws: the setuid bit. /tmp ends in t: the sticky bit.

setuid (4): run as the file's owner

A setuid executable runs with the owner's identity, not the caller's. The canonical example is /usr/bin/passwd: it is owned by root and setuid, so an ordinary user running it can update /etc/shadow (which only root can write) for the duration of that command. You will see -rwsr-xr-x; the s replaces the owner's x.

bash
sudo chmod u+s /usr/local/bin/mytool     # or: chmod 4755

setuid on a program you do not fully trust is dangerous: any flaw in it becomes a root exploit. Set it sparingly, and never on a shell or interpreter.

setgid (2): run as the file's group, or inherit it on a directory

setgid does two different things:

  • On an executable, it runs with the file's group.
  • On a directory, new files created inside inherit the directory's group instead of the creator's primary group. This is the key to a shared project folder: everyone's new files stay group-owned by the team.
bash
sudo chmod g+s /srv/project       # or: chmod 2775   (directory: inherit group)

You will see drwxrwsr-x on such a directory; the s is in the group's slot.

Sticky bit (1): only the owner can delete, in a shared directory

On a world-writable directory, the sticky bit means a file can only be deleted or renamed by its owner (or root), even though anyone can create files there. That is why /tmp is drwxrwxrwt: everyone can write, but you cannot delete someone else's temp files.

bash
sudo chmod +t /shared/dropbox     # or: chmod 1777

The fourth digit, all together

In a four-digit octal mode, the leading digit is setuid (4) + setgid (2) + sticky (1):

ModeBitTypical use
4755setuida trusted root helper like passwd
2775setgida shared group directory
1777stickya world-writable scratch dir like /tmp

Audit setuid binaries (a real security task)

Attackers hunt for setuid binaries because each is a potential privilege-escalation path. List them:

bash
sudo find / -perm -4000 -type f 2>/dev/null      # all setuid files
sudo find / -perm -2000 -type f 2>/dev/null      # all setgid files

Compare against a known-good baseline; an unexpected setuid binary (especially one not from a package) is a red flag. The find -perm syntax is covered in find files by owner, group, or permission.

FAQ

See also

Sources

Authoritative references this article was fact-checked against.

TagsLinuxsetuidsetgidsticky bitPermissionsSecurity

Found this useful? Pass it on.

Copied

Ishan Karunaratne

Tech Architect · Software Engineer · AI/DevOps

Tech architect and software engineer with 20+ years building software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Currently Chief Technology Officer at a healthcare tech startup, which is where most of these field notes come from.

More by IshanLinkedIn
Keep reading

Related posts

Linux

How to Exclude a Directory in find (the -prune Pattern Explained)

find -path './node_modules' -prune -o -type f -print skips a directory subtree instead of walking into it. The pattern looks strange because -prune is an action, not a test, and the trailing -print is mandatory once you write an explicit action. The breakdown, the multi-directory form, the slower -not -path alternative, and when each one is the right call.

RegEx

The Regex (*ACCEPT) Control Verb, Explained

What the PCRE (*ACCEPT) backtracking control verb does, how it forces an immediate successful match, how it behaves inside capturing groups, which engines support it, and where it is genuinely useful.