Configure setgid directories for shared work, create a controlled setuid helper, and lock down a world-writable drop zone using the sticky bit. Verify each special permission in real output so you can spot misconfigurations quickly.
You are preparing a multi-user development server. The dev team needs a shared workspace that preserves group ownership, a controlled helper that runs with root privileges, and a world-writable staging directory where users cannot delete each other’s files.
Special permission bits change how access control behaves at runtime. Set them intentionally and validate state using permission strings and ownership.
Special bits appear in ls output as s (setuid in the owner execute slot, setgid in the group execute slot) or t (sticky in the others execute slot), and map cleanly to the leading octal digit (4, 2, 1).
Ensure the devs group exists.
sudo groupadd -f devs
The -f flag keeps the command repeatable by avoiding an error when the group already exists.
Create /opt/devshare.
sudo mkdir -p /opt/devshare
This directory is the shared workspace. Next, assign group ownership and apply setgid so new files inherit the group.
Set the group to devs.
sudo chgrp devs /opt/devshare
Group ownership is the baseline. setgid controls which group is applied to files created inside the directory.
sudo chmod 2775 /opt/devshare
The leading 2 sets setgid on the directory. The 775 grants full access to owner and group, with read and execute for others. On shared servers, align this with your umask and group policy.
ls -ld /opt/devshare
drwxrwsr-x 2 root devs 4096 Jul 19 00:00 /opt/devshare
The group execute slot shows s when setgid is set and group execute is enabled (the rws in the middle).
setuid is a privilege escalation mechanism. In production, do not set this on scripts or untrusted binaries. This lab uses /bin/true as a harmless stand-in.
sudo install -o root -g root -m 4755 /bin/true /usr/local/bin/helper
install copies the file and sets owner, group, and mode in one operation. 4755 applies setuid (4) plus the standard 755 executable permissions.
ls -l /usr/local/bin/helper
-rwsr-xr-x 1 root root 0 Jul 19 00:00 /usr/local/bin/helper
The owner execute slot shows s when setuid is set and owner execute is enabled (the rws at the front).
sudo mkdir -p /tmp/shared && sudo chmod 1777 /tmp/shared
This mirrors the standard /tmp pattern. The directory is writable by everyone, but the sticky bit prevents users from deleting files they do not own.
ls -ld /tmp/shared
drwxrwxrwt 2 root root 4096 Jul 19 00:00 /tmp/shared
The last execute slot shows t when the sticky bit is set and others execute is enabled (the rwt at the end).
If ls -ld shows drwxrwxr-x instead of drwxrwsr-x, setgid is not set. Re-apply chmod 2775 and confirm group ownership is devs.
Uppercase S indicates the special bit is set but the execute bit is not. Confirm the mode is 4755 and that the target is an executable binary.
Uppercase T indicates sticky is set but others execute is missing. Sticky protection requires the directory to be searchable, so set the mode to 1777.
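The verification steps above (read the ls permission string, check for s or t in the right slot, watch for uppercase S or T) can be scripted so a misconfigured workspace or drop zone is caught automatically. The script below is an added example for this lab, not code from the original page: it decodes an ls-style mode string into the 4-digit octal form used by chmod, reports the failure states described in the troubleshooting notes, and compares a live path against the mode you intended. All function and variable names are the example's own; audit_path assumes GNU coreutils stat (the -c %A format), everything else needs only POSIX sh.

```shell
#!/bin/sh
# Added example, not part of the original lab: decode an ls-style mode string
# into the 4-digit octal form used by chmod, and flag the misconfigurations the
# troubleshooting notes describe (uppercase S/T, world-writable directory
# without sticky, mode not matching what the lab intended). All names here are
# this example's own; audit_path assumes GNU coreutils stat (-c %A), the rest
# needs only POSIX sh.

# char_at STRING N -> the Nth character of STRING (1-based)
char_at() {
    printf '%s\n' "$1" | cut -c"$2"
}

# triad STRING START -> "<rwx value> <special flag>" for the three characters
# beginning at START. The execute slot may hold s/S (setuid, setgid) or t/T
# (sticky); lowercase means execute is also set, uppercase means it is not.
triad() {
    v=0 sp=0
    [ "$(char_at "$1" "$2")" = r ] && v=$((v + 4))
    [ "$(char_at "$1" $(($2 + 1)))" = w ] && v=$((v + 2))
    case "$(char_at "$1" $(($2 + 2)))" in
        x)   v=$((v + 1)) ;;
        s|t) v=$((v + 1)); sp=1 ;;
        S|T) sp=1 ;;
    esac
    printf '%d %d\n' "$v" "$sp"
}

# perm_to_octal MODE_STRING -> 4-digit octal, e.g. drwxrwsr-x -> 2775
perm_to_octal() {
    # after set --: $1 mode, $2/$3 owner value+setuid, $4/$5 group value+setgid,
    # $6/$7 other value+sticky; the special digit is 4*setuid + 2*setgid + sticky
    set -- "$1" $(triad "$1" 2) $(triad "$1" 5) $(triad "$1" 8)
    printf '%d%d%d%d\n' $(($3 * 4 + $5 * 2 + $7)) "$2" "$4" "$6"
}

# diagnose_mode MODE_STRING -> "ok" or a space-separated list of findings
diagnose_mode() {
    m=$1 f=""
    case "$(char_at "$m" 4)" in S) f="${f:+$f }setuid-without-owner-exec" ;; esac
    case "$(char_at "$m" 7)" in S) f="${f:+$f }setgid-without-group-exec" ;; esac
    case "$(char_at "$m" 10)" in T) f="${f:+$f }sticky-without-other-exec" ;; esac
    # a world-writable directory with no sticky bit lets any user delete
    # anyone's files: the drop-zone failure the lab guards against
    if [ "$(char_at "$m" 1)" = d ] && [ "$(char_at "$m" 9)" = w ]; then
        case "$(char_at "$m" 10)" in
            t|T) ;;   # sticky present (an uppercase T was already reported above)
            *) f="${f:+$f }world-writable-dir-without-sticky" ;;
        esac
    fi
    printf '%s\n' "${f:-ok}"
}

# expect_mode MODE_STRING OCTAL -> 0 if the string decodes to OCTAL, else 1,
# printing the actual mode and any findings so the mismatch is explained
expect_mode() {
    actual=$(perm_to_octal "$1")
    if [ "$actual" = "$2" ]; then
        printf 'ok: %s is %s\n' "$1" "$2"
        return 0
    fi
    printf 'MISMATCH: %s decodes to %s, expected %s (%s)\n' \
        "$1" "$actual" "$2" "$(diagnose_mode "$1")"
    return 1
}

# audit_path PATH OCTAL -> read the live mode with GNU stat and check it
audit_path() {
    mode=$(stat -c %A "$1" 2>/dev/null) || { printf 'cannot stat %s\n' "$1"; return 2; }
    expect_mode "$mode" "$2"
}

# Constructed mode strings: the lab's expected ls output followed by the
# broken states from the troubleshooting notes.
for pair in "drwxrwsr-x 2775" "-rwsr-xr-x 4755" "drwxrwxrwt 1777" \
            "drwxrwxr-x 2775" "-rwSr-xr-x 4755" "drwxrwxrwT 1777" "drwxrwxrwx 1777"; do
    set -- $pair
    expect_mode "$1" "$2" || true
done

# Live check of the system temp directory, which normally carries 1777.
audit_path /tmp 1777 || true
```

Run it as-is to see the decoded modes for the constructed strings, then replace the final audit_path call with the lab paths (for example audit_path /opt/devshare 2775 and audit_path /tmp/shared 1777) once they exist. A non-zero return from expect_mode or audit_path is the signal to re-apply the chmod from the relevant step.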
Many environments restrict setuid usage and auditing will flag unexpected setuid binaries. Treat this as a controlled lab artifact and remove it when finished.
Remove the lab artifacts so the system returns to a clean state. This prevents leftover special bits from becoming accidental policy.
sudo rm -f /usr/local/bin/helper
sudo rmdir /opt/devshare 2>/dev/null || true
sudo rmdir /tmp/shared 2>/dev/null || true
The helper binary is gone, and the directories no longer exist (or are empty and removed). No special bits remain on shared paths you did not intend to keep.
groupadd -f <group>: Creates a group if it does not exist.
    -f: Do not fail if the group already exists.
mkdir -p <dir>: Creates a directory path (including parents).
    -p: Create parent directories as needed.
chgrp <group> <path>: Changes the group owner of a file or directory.
chmod 2775 <dir>: Sets setgid on a directory so new files inherit the directory group.
    2: setgid bit (directory group inheritance).
chmod 1777 <dir>: Creates a world-writable directory protected by the sticky bit.
    1: sticky bit (restricts deletion in a shared directory).
install -o root -g root -m 4755 <src> <dst>: Installs a file with specified ownership and mode in one command.
    -o: Sets owner.
    -g: Sets group.
    -m: Sets permissions mode.
    4755: setuid (4) plus standard executable permissions.
ls -ld <dir>: Shows directory permissions, including special bits. Look for s in the group execute position (example: drwxrwsr-x) and t in the others execute position (example: drwxrwxrwt).
ls -l <file>: Shows file permissions, including setuid on executables. Look for s in the owner execute position (example: -rwsr-xr-x).
rm -f <path>: Removes a file without prompting.
    -f: Ignore missing files and never prompt.
rmdir <dir>: Removes an empty directory.