Using the find command to look for files that have setuid and setgid bit set is one way to monitor for changes. However, you can use a file integrity checker, such as Tripwire, AIDE, OSSEC, Samhain, or even your distributions package manager to find files that have in proper permissions or that have been modified from their original state. Let's talk about the final special permission. It's called The Sticky Bit, and it's used on a directory to only allow the files owner, the directories owner, or the root user to rename or delete the file.

Without The Sticky Bit set on a directory, the user could delete another user's file, if the permissions on the directory allowed for it. For example, this would be applicable to a directory that had 777 permissions on it. To tell if a directory has The Sticky Bit set, you can look at its ls output. You will see a "t" in the execute field of the other section of the permissions. You'll usually only find The Sticky Bit set, on the /tmp directory or the /var/tmp directory but you may also encounter it on directories that are being used to share data amongst several or all users on a system.

To set The Sticky Bit on a director use chmod o+t or use one in the special permissions field, followed by the remaining permissions. Typically using The Sticky Bit only makes sense with 777 permissions. So you would typically run chmod 1777, followed by a path to a directory. To remove The Sticky Bit, run chmod o-t, followed by the path to the directory. Again, just like removing the other special permissions, you can subtract the numeric value, in the special permission's field or use a zero to clear all special permissions.

If you see a special permission represented with a capital letter in ls Output, that means the permission that would normally show up in that position is not set. If you see a lowercase "s" or a lowercase "t", then the underlying normal permission is set. Here's an example of a file that has 644 permissions. The user section of the permission zeros -rw-, which is read and write permissions. If we add the setuid bit by running chmod u+s on the file, you'll see a capital "S" in the ls output. This permission really doesn't make any sense because the program is not executable, but in any case if you see this in ls output, you know exactly what the file permission is.

Now, if we add The Execute Bit for the owner by running you chmod u+x the file, then the ls Output shows a lowercase s in the output. Here are a couple of more examples showing special permissions with capital letters. The first example shows that the setgid bit is set but The Execute Bit is not set for the group. The second example shows that The Sticky Bit is set but The Execute Bit is not set for others. Again, these permissions don't make any sense but if you run across them or accidentally set them, you'll know exactly what you're looking at.