Special Modes - Part II
Start course
1h 13m

This course covers the security features that you can use in order to secure your files and directories on Linux. We look at permissions, data sharing, special modes, file attributes, ACLs, and rootkits. You will also have the chance to follow along with guided demonstrations which will give you a practical understanding of the concepts covered.

Learning Objectives

  • Learn how Linux file and directory permissions work and how to apply the proper permissions to files and directories
  • Learn how to share data securely with groups and multiple users on a Linux system
  • Understand how special modes add extra security to file systems
  • Learn how to make files unchangeable even by the root user and how to secure the log files on a Linux system by making them append-only
  • Learn how to secure files and directories using ACLs
  • Learn about rootkits and how to discover and remove them

Intended Audience

This course is intended for anyone who wants to understand how to secure their Linux systems.


To get the most out of this course, you should already have a good working knowledge of Linux. If you want to brush up on your Linux skills, consider taking our Learn Linux in 5 Days learning path first.


Using the find command to look for files that have setuid and setgid bit set is one way to monitor for changes. However, you can use a file integrity checker such as Tripwire, AIDE, OSSEC, Samhain, or even your distribution's package manager to find files that have improper permissions or that have been modified from their original state. Let's talk about the final special permission, it's called the sticky bit, and it's used on a directory to only allow the file's owner, the directory's owner, or the root user to rename or delete the file. Without the sticky bit set on a directory, the user could delete another user's file if the permissions on the directory allowed for it. For example, this would be applicable to a directory that had 777 permissions on it. To tell if a directory has the sticky bit set, you can look at its ls output. You will see a T in the execute field of the other section of the permissions. You'll usually only find the sticky bit set on the /tmp directory or the /var tmp directory, but you may also encounter it on directories that are being used to share data amongst several or all users on a system. To set the sticky bit on a directory, use chmod o+t, or use 1 in the special permissions field followed by the remaining permissions. Typically, using the sticky bit only makes sense with 777 permissions, so you would typically run chmod 1777 followed by a path to a directory. To remove the sticky bit, run chmod o-t followed by the path to the directory. Again, just like removing the other special permissions, you can subtract the numeric value in the special permissions field or use a zero to clear all special permissions. If you see a special permission represented with a capital letter in ls output, that means the permission that would normally show up in that position is not set. If you see a lowercase s or a lowercase t, then the underlying normal permission is set. Here's an example of a file that has 644 permissions. The user section of the permission shows rw, which is read and write permissions. If we add the setuid bit by running chmod u+s on the file, you'll see a capital S in the ls output. This permission really doesn't make any sense, because the program is not executable. But, in any case, if you see this in ls output, you know exactly what the file permission is. Now, if we add the execute bit for the owner by running chmod u+x on the file, then the ls output shows a lowercase s in the output. Here are a couple of more examples showing special permissions with capital letters. The first example shows that the setgid bit is set, but the execute bit is not set for the group. The second example shows that the sticky bit is set, but the execute bit is not set for others. Again, these permissions don't make any sense, but if you run across them or accidentally set them, you'll know exactly what you're looking at.

About the Author
Learning Paths

Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.