SUID (Set User ID) and SGID (Set Group ID) are special file permission bits. When set on an executable, the program runs with the file owner's privileges instead of the caller's. This is how passwd can modify /etc/shadow (owned by root) even when run by a normal user. It's also how many privilege escalation attacks work.
How SUID Works
# passwd is SUID root:
ls -la /usr/bin/passwd
# -rwsr-xr-x 1 root root /usr/bin/passwd
#    ^
#    s = SUID bit set (in the owner's execute position)
# Normal user can change their own password:
# 1. User runs /usr/bin/passwd
# 2. Kernel sees SUID bit + owner is root
# 3. Process gets euid=0 (root effective UID)
# 4. passwd can now open /etc/shadow (root-owned, mode 640)
# 5. Updates only the calling user's entry (passwd enforces this)
# Without SUID: passwd would run as uid=1000, can't open /etc/shadow
# SGID works the same but for groups:
ls -la /usr/bin/write
# -rwxr-sr-x 1 root tty /usr/bin/write
#       ^
#       s = SGID bit set (runs with group 'tty')
Common SUID Binaries and Why They Need It
Binary             SUID as               Why needed
-----------------  --------------------  -----------------------------------------
/usr/bin/passwd    root                  Write /etc/shadow (root-only)
/usr/bin/sudo      root                  Gain root to run authorized commands
/usr/bin/ping      root (or capability)  Create raw ICMP sockets (CAP_NET_RAW)
/usr/bin/su        root                  Switch users, read /etc/shadow
/usr/bin/newgrp    root                  Change group, read /etc/gshadow
/usr/bin/chsh      root                  Write /etc/passwd (change shell)
/usr/bin/chfn      root                  Write /etc/passwd (change GECOS)
/usr/bin/mount     root (historically)   Mount filesystems (now uses capabilities)
Auditing SUID/SGID Files
# Find all SUID files on the system:
find / -perm -4000 -type f 2>/dev/null
# -perm -4000 = SUID bit set
# Common output: /usr/bin/passwd, /usr/bin/sudo, etc.
# Find all SGID files:
find / -perm -2000 -type f 2>/dev/null
# Find both SUID and SGID:
find / -perm /6000 -type f 2>/dev/null
# Security audit — compare against known good list:
find / -perm /6000 -type f 2>/dev/null | sort > /tmp/current_suid.txt
diff /tmp/baseline_suid.txt /tmp/current_suid.txt
# Any additions are suspicious — possible rootkit or misconfiguration
# Remove SUID bit (when not needed):
chmod u-s /usr/bin/at # at command rarely needs SUID
chmod g-s /usr/bin/write # write command
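The baseline comparison above only records paths, so a known SUID binary whose owner changed, or an existing program that quietly gained a set-id bit, would slip through. The following script is an added example (not from the original page) that records mode, owner and group with each path and reports any difference; it assumes GNU find (for -printf and -perm /MODE) and POSIX sort/comm/sed, and the files it scans are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: SUID/SGID baseline audit that keys on "mode owner group path"
# rather than path alone. Assumes GNU find and POSIX sort/comm/sed.

# snapshot_setid ROOT OUTFILE: record every SUID/SGID regular file under ROOT,
# one "mode owner group path" line each, sorted so the files can be compared.
snapshot_setid() {
    find "$1" -xdev -type f -perm /6000 -printf '%m %u %g %p\n' 2>/dev/null \
        | sort > "$2"
}

# compare_setid BASELINE CURRENT: print "+ " for entries only in CURRENT and
# "- " for entries only in BASELINE. Returns 0 when the two match, 1 otherwise.
# A changed owner or mode shows up as one "- " line plus one "+ " line.
compare_setid() {
    added=$(comm -13 "$1" "$2")
    removed=$(comm -23 "$1" "$2")
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added" ] && [ -z "$removed" ]
}

# Demo on a constructed tree (in real use, run snapshot_setid on / from a cron
# job and keep the baseline somewhere the scanned users cannot write).
demo=$(mktemp -d)
mkdir -p "$demo/bin"
printf '#!/bin/sh\n' > "$demo/bin/passwd"; chmod 4755 "$demo/bin/passwd"  # SUID
printf '#!/bin/sh\n' > "$demo/bin/helper"; chmod 0755 "$demo/bin/helper"  # plain
snapshot_setid "$demo/bin" "$demo/baseline.txt"
chmod 2755 "$demo/bin/helper"          # simulate a binary gaining SGID later
snapshot_setid "$demo/bin" "$demo/current.txt"
if compare_setid "$demo/baseline.txt" "$demo/current.txt"; then
    echo "no set-id changes"
else
    echo "set-id changes detected (review the lines above)"
fi
rm -rf "$demo"
```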
Privilege Escalation via SUID
How do attackers use SUID files to escalate privileges?
If any SUID-root binary has a vulnerability (buffer overflow, command injection, insecure file handling), an attacker can exploit it to execute arbitrary code as root. Classic examples: a SUID binary that calls system() without sanitizing input, or one that opens a file specified by an environment variable (attacker sets the variable to /etc/passwd). This is why pentesters always look for unusual SUID files first.
# Common SUID-based privilege escalation patterns:
# 1. Misconfigured SUID binary (GTFOBins)
# If find has SUID: find . -exec /bin/sh -p \; (runs sh as root)
# If vim has SUID: vim -c ':!id' (root shell)
# If python has SUID: python -c 'import os; os.setuid(0); os.system("/bin/sh")'
# 2. PATH injection
# SUID binary calls system("ls") without full path
# Attacker creates malicious /tmp/ls, sets PATH=/tmp:...
# SUID binary runs attacker's ls as root
# 3. Shared library injection
# SUID binary loads .so file from user-writable path
# Attacker replaces .so with malicious one
# Defense:
# - Use capabilities instead of SUID where possible
# - Audit SUID files regularly (cronjob comparing against baseline)
# - Never set SUID on shell interpreters, text editors, or compilers
The Sticky Bit
The sticky bit on a directory prevents users from deleting files they don't own, even if they have write permission to the directory. Classic example: /tmp — everyone can write there, but you can't delete other users' files.
ls -ld /tmp
# drwxrwxrwt 1 root root /tmp
#          ^
#          t = sticky bit (only a file's owner, the directory owner, or root can delete or rename it)
# Users can write to /tmp:
touch /tmp/myfile # works
# Users cannot delete others' files:
rm /tmp/otheruser_file # rm: cannot remove '/tmp/otheruser_file': Operation not permitted
# Set sticky bit:
chmod +t /shared/directory
# Octal: 1000 = sticky, 2000 = SGID, 4000 = SUID
# chmod 1777 /tmp = rwxrwxrwt (sticky + all permissions)