In 2022, an attacker found a world-writable systemd service file and modified it to spawn a reverse shell on the next reboot. The root cause: a developer ran chmod -R 777 /etc/systemd/system because of a 'permission denied' error. POSIX permissions, SUID, SGID, and sticky bits form the bedrock of Linux/macOS security. Misconfiguring them opens direct privilege escalation paths. This lesson gives you the depth to never make that mistake.
Every file and directory has an owner, a group, and permissions in three triads (owner, group, other). The execute bit on a directory allows traversal (entering it and reaching the entries inside), while on a file it allows execution. The sticky bit on a directory (e.g., /tmp) prevents users from deleting files they don't own. Understanding these subtleties is key: a directory with mode 777 allows anyone to delete any file within it, unless the sticky bit is set (1777).
The leading '1' is the sticky bit. The stat command confirms the octal representation.
A file with SUID (chmod u+s) executes with the permissions of the file owner. If that owner is root, the program runs as root regardless of who executed it. This is a deliberate privilege escalation mechanism, but when misused it is an attacker's dream. The classic passwd command is SUID root. Finding SUID binaries (find / -perm -4000 -type f 2>/dev/null) is the first step in auditing. SGID on directories forces new files to inherit the directory's group, which is critical for shared project folders.
```bash
# Find all SUID files on the system and list their permissions
find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/null
# Example output:
# -rwsr-xr-x 1 root root 59704 Mar 5 2023 /usr/bin/passwd
```

💡 A SUID root shell script is catastrophic; many shells ignore SUID for security reasons, but compiled binaries do not. Always audit SUID binaries and remove unnecessary ones.
| Special Bit | Symbolic | Octal Prefix | Effect on Directories |
|---|---|---|---|
| SUID | u+s | 4 | No effect on directories |
| SGID | g+s | 2 | New files inherit group; new subdirs also get SGID |
| Sticky | +t | 1 | Only owner (or root) can delete files |
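The audit workflow from the SUID paragraph and the sticky-bit point above, as an added example that is not part of the original lesson: a Python scanner that reports SUID/SGID files (flagging interpreted scripts separately, since the kernel does not honour the bit on them), world-writable regular files like the systemd unit in the opening story, and world-writable directories that lack the sticky bit. The rule set, the `classify`/`audit`/`Finding` names and the default `/etc` starting path are my own choices, not something the lesson or any tool defines; run it as root over `/` for a full audit, as the `find` command above does.

```python
"""Audit a directory tree for the risky permission patterns discussed above.

Added example, not part of the original lesson. It flags:
  * SUID / SGID regular files, and separately SUID/SGID interpreted scripts
    (the kernel ignores the bit on scripts, so it only signals a misconfig),
  * world-writable regular files (the systemd unit file case),
  * world-writable directories without the sticky bit.
"""
import os
import stat
from typing import Iterator, List, NamedTuple


class Finding(NamedTuple):
    path: str
    mode: int          # full st_mode as returned by lstat
    issue: str


def classify(path: str, mode: int, head: bytes = b"") -> List[str]:
    """Pure rule set over a path, an st_mode and the file's first bytes.

    `head` is only consulted for SUID/SGID regular files, to spot scripts.
    Returns the list of issues (possibly empty) so the rules can be tested
    without touching a real filesystem.  Symlinks and special files are skipped.
    """
    issues = []
    perm = stat.S_IMODE(mode)                 # strip the file-type bits
    world_w = bool(perm & stat.S_IWOTH)       # 'other' write bit (octal 002)
    if stat.S_ISDIR(mode):
        if world_w and not (perm & stat.S_ISVTX):   # S_ISVTX is the sticky bit
            issues.append("world-writable directory without sticky bit")
    elif stat.S_ISREG(mode):
        if perm & stat.S_ISUID:
            issues.append("SUID")
        if perm & stat.S_ISGID:
            issues.append("SGID")
        if perm & (stat.S_ISUID | stat.S_ISGID) and head.startswith(b"#!"):
            issues.append("SUID/SGID on interpreted script (bit is ignored; remove it)")
        if world_w:
            issues.append("world-writable file")
    return issues


def audit(root: str) -> Iterator[Finding]:
    """Walk `root` with lstat (never following symlinks) and yield findings."""
    def check(path: str) -> Iterator[Finding]:
        try:
            st = os.lstat(path)
        except OSError:
            return
        head = b""
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            try:
                with open(path, "rb") as fh:
                    head = fh.read(2)          # enough to recognise a shebang
            except OSError:
                pass
        for issue in classify(path, st.st_mode, head):
            yield Finding(path, st.st_mode, issue)

    yield from check(root)                     # os.walk never yields the root itself
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield from check(os.path.join(dirpath, name))


def format_finding(f: Finding) -> str:
    """One ls-style line per finding, e.g. '-rwsr-xr-x 0o4755 /usr/bin/passwd: SUID'."""
    return f"{stat.filemode(f.mode)} {oct(stat.S_IMODE(f.mode))} {f.path}: {f.issue}"


if __name__ == "__main__":
    import sys
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else "/etc"):
        print(format_finding(finding))
```

Because `classify` is pure, the same rules can be applied to a stored `stat` inventory (for example a baseline captured before a deployment) and diffed against a fresh scan, which is how a "someone ran chmod -R 777" change is caught before the next reboot rather than after.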
The umask value masks out (clears) bits from the default creation modes for files (666) and directories (777). A umask of 027 therefore yields 640 (rw-r-----) for files and 750 (rwxr-x---) for directories. The system-wide umask is set in /etc/login.defs and /etc/profile. Setting a restrictive umask (027 or 077) prevents accidental world-readable file creation, a common hardening step in CIS benchmarks.
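The umask rule worked through in code, as an added example that is not from the original lesson: `effective_mode` is the bitwise rule (default mode with the umask bits cleared), `describe` renders the 027 case quoted above, and `create_with_umask` actually creates a file and a directory under a chosen umask and reads the granted modes back with stat, so the rule can be checked against the kernel rather than taken on faith. The function names and the temporary-directory layout are my own; the 666/777 defaults are the ones the paragraph states.

```python
"""Show how umask shapes the mode of newly created files and directories.

Added example, not part of the original lesson.  umask is a bitmask, not an
arithmetic subtraction: each bit set in the umask is removed from the mode the
program requests (666 for files via open/creat, 777 for directories via mkdir).
"""
import os
import stat
import tempfile
from typing import Tuple

FILE_DEFAULT = 0o666   # what open()/creat() request for ordinary files
DIR_DEFAULT = 0o777    # what mkdir() requests


def effective_mode(requested: int, umask: int) -> int:
    """Mode the kernel grants: requested & ~umask (bits present in umask are cleared)."""
    return requested & ~umask & 0o7777


def rwx(mode: int) -> str:
    """Render a permission mode as rwx text, e.g. 0o640 -> 'rw-r-----'."""
    return stat.filemode(stat.S_IFREG | mode)[1:]   # force 'regular file' for the type column


def describe(umask: int) -> str:
    """Text such as 'umask 027: files=640 (rw-r-----) dirs=750 (rwxr-x---)'."""
    f = effective_mode(FILE_DEFAULT, umask)
    d = effective_mode(DIR_DEFAULT, umask)
    return f"umask {umask:03o}: files={f:03o} ({rwx(f)}) dirs={d:03o} ({rwx(d)})"


def create_with_umask(umask: int) -> Tuple[int, int]:
    """Create one file and one directory under `umask`; return the modes stat reports.

    os.umask() is process-global, so the previous value is restored afterwards.
    """
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            fpath = os.path.join(tmp, "f")
            dpath = os.path.join(tmp, "d")
            fd = os.open(fpath, os.O_CREAT | os.O_WRONLY, FILE_DEFAULT)
            os.close(fd)
            os.mkdir(dpath, DIR_DEFAULT)
            return (stat.S_IMODE(os.stat(fpath).st_mode),
                    stat.S_IMODE(os.stat(dpath).st_mode))
    finally:
        os.umask(old)


if __name__ == "__main__":
    # Compare the computed rule with what the kernel actually granted.
    for m in (0o022, 0o027, 0o077):
        observed = tuple(f"{x:03o}" for x in create_with_umask(m))
        print(describe(m), "| observed:", observed)
```

Note that umask only ever removes bits; it cannot add execute permission to a file, which is why files created under umask 022 come out as 644 rather than 755 even though directories come out as 755.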
⚠️ Finding a SUID binary that allows arbitrary code execution (like vim.basic with SUID root) is a known privilege escalation vector. If users genuinely need that binary's elevated function, consider granting it via sudo instead and removing the SUID bit.