Understanding the First Digit in 4-Digit Octal UNIX File Permissions (SUID, SGID, Sticky Bit Explained)



In UNIX-like systems, the 4-digit octal permission notation extends the standard 3-digit format by adding a leading digit for special permission flags. For example, 0644 breaks down as:


 0   6   4   4
└┬┘ └┬┘ └┬┘ └┬┘
 │   │   │   └─ Other permissions
 │   │   └───── Group permissions  
 │   └───────── User permissions
 └───────────── Special flags (SUID/SGID/sticky)

The first digit controls three critical security attributes:


4 = SUID (Set User ID)
2 = SGID (Set Group ID)  
1 = Sticky bit

These can be combined additively:


7 = SUID+SGID+sticky (4+2+1)
6 = SUID+SGID (4+2)
5 = SUID+sticky (4+1)
3 = SGID+sticky (2+1)

SUID Example (4755):


chmod 4755 /usr/bin/passwd
# -rwsr-xr-x  - 's' indicates SUID

SGID Example (2750):


chmod 2750 /shared/directory
# drwxr-s---  - 's' indicates SGID

Sticky Bit Example (1777):


chmod 1777 /tmp
# drwxrwxrwt  - 't' indicates sticky bit

The equivalent symbolic notation for special bits:


chmod u+s file  # SUID
chmod g+s dir   # SGID  
chmod +t dir    # Sticky bit

Special permissions require careful use:

  • SUID: The executable runs with its owner's privileges
  • SGID: New files inherit the directory's group
  • Sticky: Only a file's owner can delete it in shared directories

Use find to audit special permissions:


find / -type f -perm -4000  # Find SUID files
find / -perm -2000          # Find SGID files and directories
find / -type d -perm -1000  # Find sticky bit dirs


Unix file permissions are typically represented in octal notation. The standard 3-digit format (644) is well-known:

6 4 4
| | |
u g o (user, group, other)

When you encounter a 4-digit permission like 0644, the first digit serves a special purpose:

0 6 4 4
| | | |
s u g o (special, user, group, other)

The first digit controls three special permission flags:

  • Setuid (4): Allows execution with owner's privileges
  • Setgid (2): An executable runs with the group's privileges; a directory passes its group on to new files
  • Sticky bit (1): Restricts file deletion in shared directories

Here are some common 4-digit permission examples:

# Setuid example (rwsr-xr-x)
# (Linux ignores setuid on interpreted scripts; it takes effect on binary executables)
chmod 4755 executable.sh

# Setgid example (rwxr-sr-x)
chmod 2755 shared_executable

# Sticky bit example (rwxrwxrwt)
chmod 1777 /tmp

The first digit is the sum of the special bits you want to set:

# Setuid + Setgid = 4 + 2 = 6
chmod 6755 file

# All special bits = 4 + 2 + 1 = 7
chmod 7755 file

Use ls -l to see special permissions:

$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 63936 Feb  7  2020 /usr/bin/passwd

The 's' in user permissions indicates setuid is set.
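
The mapping from the octal digits to the string ls -l prints, as an added example that is not part of the original page. It goes slightly beyond the text by also covering the uppercase S and T that ls shows when a special bit is set without the matching execute bit; the function names triplet and mode_to_string are made up for this illustration.

```sh
#!/bin/sh
# Added example: turn a 3- or 4-digit octal mode into the nine-character
# permission string shown by ls -l. Function names are illustrative.

# triplet BITS SPECIAL LOWER UPPER
#   BITS    one octal digit holding r(4) w(2) x(1)
#   SPECIAL non-zero when this triplet's special bit is set
#   LOWER/UPPER letter for the execute slot when SPECIAL is set
triplet() {
    bits=$1 special=$2 lower=$3 upper=$4
    r=-; w=-; x=-
    [ $(( bits & 4 )) -eq 0 ] || r=r
    [ $(( bits & 2 )) -eq 0 ] || w=w
    [ $(( bits & 1 )) -eq 0 ] || x=x
    if [ "$special" -ne 0 ]; then
        # Lowercase: special bit and execute both set.
        # Uppercase: special bit set but execute missing.
        if [ "$x" = x ]; then x=$lower; else x=$upper; fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_string MODE   e.g. 4755 -> rwsr-xr-x
mode_to_string() {
    case $1 in
        ''|*[!0-7]*|?????*)
            echo "invalid octal mode: $1" >&2
            return 1 ;;
    esac
    m=$(( 0$1 ))    # leading 0 makes the shell read the digits as octal
    u=$(triplet $(( (m >> 6) & 7 )) $(( m & 04000 )) s S)   # SUID
    g=$(triplet $(( (m >> 3) & 7 )) $(( m & 02000 )) s S)   # SGID
    o=$(triplet $(( m & 7 ))        $(( m & 01000 )) t T)   # sticky
    printf '%s%s%s\n' "$u" "$g" "$o"
}

# Constructed sample modes: the ones used on this page plus two edge cases
# (4644 and 1770) where the special bit is set without execute.
for mode in 0644 4755 2750 1777 7755 4644 1770; do
    printf '%s -> %s\n' "$mode" "$(mode_to_string "$mode")"
done
```

An uppercase S or T in an audit listing usually points to a mode that was set by mistake, since the special bit has no execute permission to act on.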

Special permissions should be used carefully:

  • Setuid root programs are security risks if not properly coded
  • Sticky bits on non-shared directories serve no purpose
  • Setgid on files should only be used when absolutely necessary

Common mistakes developers make:

  • Using 4-digit permissions when 3-digit would suffice
  • Setting special bits without understanding their implications
  • Forgetting that the first digit can be 0 (no special bits)

When working with 4-digit permissions:

  1. Always consider if you really need special bits
  2. Document why special permissions are being set
  3. Test permissions thoroughly before deployment
  4. Use symbolic notation (u+s) when possible for clarity