What Is SGID? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
SGID is a special permission in Linux and Unix systems. It makes a program run as if it belongs to the file's group, not your personal group. It also affects directories: new files created in an SGID directory automatically get the same group as the directory. This helps teams share files without manually changing group settings each time.
Commonly Confused With
SUID (Set User ID) changes the effective user ID to the file's owner when executed. SGID changes the effective GROUP ID to the file's group. SUID is about user elevation; SGID is about group elevation. On directories, SUID is rarely used and has no standard meaning, while SGID on directories inherits group ownership.
The passwd command uses SUID to run as root. A database query tool might use SGID to run as the 'dba' group.
The sticky bit (octal 1) on a directory restricts deletion: only the file owner, directory owner, or root can delete files. SGID on a directory controls group inheritance. They can coexist: /tmp often has both the sticky bit and a special ACL, but not SGID.
The /tmp directory has the sticky bit set so users cannot delete each other's temporary files. A shared project directory has SGID set so new files inherit the project group.
A default ACL (setfacl -d) specifies permissions that are automatically applied to new files and subdirectories. SGID only affects group ownership. Default ACLs can set user, group, and mask permissions. They are more flexible than SGID but more complex.
To ensure new files in /shared get both group ownership 'dev_team' and group rw permissions, you can set SGID for group ownership and use a default ACL to set permissions. SGID alone does not set permissions, only group.
Umask is a per-process setting that removes permissions when creating files. SGID does not affect umask. A restrictive umask (e.g., 0077) can cancel the benefit of SGID by stripping group permissions from new files, even though the group ownership is correct.
If Alice's umask is 0027, new files get permissions 640 (rw-r-----). Even with SGID inheriting the group, Bob cannot write to Alice's file. Setting SGID does not fix umask issues.
Must Know for Exams
SGID is a recurring topic in several IT certification exams, particularly those focused on Linux system administration. For the CompTIA Linux+ (XK0-005), SGID is explicitly listed under Exam Objective 2.3: "Given a scenario, manage file permissions and ownership." Candidates must be able to interpret the s and S representations in ls -l output, set SGID using both symbolic and octal modes, and explain what happens when SGID is applied to a file versus a directory. In this exam, you might be asked to identify why an SGID directory is not inheriting group ownership (often because the SGID bit is not set, or the directory's group execute bit is missing, which is shown as a capital S).
For the Red Hat Certified System Administrator (RHCSA) exam, SGID is part of the "Manage basic file permissions" objective. The exam typically requires you to configure SGID on a shared directory for a collaborative team environment. You will need to know how to verify the SGID bit using stat command or ls -l. The RHCSA also often combines SGID with Access Control Lists (ACLs) to implement fine-grained permission policies.
In the LPIC-1 (101-500) exam, SGID appears in Topic 104: "Devices, Linux Filesystems, Filesystem Hierarchy Standard." Exam questions may ask you to identify the octal notation for SGID, explain the effect of SGID on new files in a directory, or troubleshoot a scenario where a user cannot execute an SGID binary because the group owns the file but the binary lacks execute permission for that group.
For general IT certifications like CompTIA Security+ (SY0-601 or SY0-701), SGID appears under domain 3.0 (Implementation) as part of secure system administration. While not as heavily emphasized as SUID, Security+ may ask about the risks of SGID binaries: they can allow lateral privilege escalation if an attacker exploits a vulnerable SGID program to gain group-level access that leads to further compromise. The exam expects you to understand that SGID is a security-critical permission that must be audited regularly.
Even in cloud certifications like AWS Certified SysOps Administrator, SGID knowledge is relevant when managing Amazon Linux or EC2 instances. If a scenario involves a shared EFS directory shared among multiple EC2 instances, setting SGID on the directory ensures that files created by any instance inherit the correct group. This concept also appears in DevOps-focused exams where containerized applications need consistent permissions in persistent volumes.
Simple Meaning
Imagine you work in a shared office with several teams. Your team uses a specific color-coded badge to access certain rooms. Normally, if you enter a room, you can only see files that belong to your own team. But what if your manager wants everyone in the building to be able to read a certain project folder, no matter which team they are from? Instead of asking each person to change their badge color every time, the manager sets up a magical door that automatically gives everyone who walks through the temporary group badge of that room. That is essentially what SGID does for computer files and directories.
In a Linux system, every file and directory has an owner and a group. When you run a program, it normally runs with your personal group permissions. That means if the program needs to access files that only a specific group (like "developers" or "admin") can use, the program might fail unless you are already in that group. SGID changes this. When the SGID permission is set on an executable file, anyone who runs that file runs it with the group identity of the file's owner group, not their own group. This allows ordinary users to perform tasks that require special group privileges, all without giving them permanent membership in that group.
For directories, SGID works differently but just as helpfully. When an SGID bit is set on a directory, any new file or subdirectory created inside it automatically inherits the group of the parent directory, instead of the creator's default group. This is extremely useful in shared project directories where multiple users need to collaborate. Instead of each user having to manually change the group of every file they create, the system does it automatically, ensuring consistent group ownership across the entire project space.
Full Technical Definition
SGID (Set Group ID) is one of three special permission bits in Unix-like operating systems, along with SUID (Set User ID) and the sticky bit. It is represented numerically as octal value 2000 (the '2' in the fourth digit of a four-digit octal permission string like 2755). When displayed via ls -l, SGID on an executable file appears as an 's' in the group execute position (e.g., -rwxr-sr-x). On a directory, it appears as an 's' in the group execute position as well, but if the group execute bit is not set, it shows as a capital 'S', indicating the SGID bit is set but the group execute permission is missing (which is typically considered an invalid or useless state).
SGID works by altering the effective group ID (EGID) of a process. In Linux, each process has several user and group IDs: real UID/GID, effective UID/GID, and saved set-user-ID / saved set-group-ID. The effective group ID is the one used by the kernel to check most group-based access permissions. When a user executes a file with the SGID bit set, the kernel sets the effective group ID of the new process to the group ID of the file's group owner, not the user's primary group. This change happens at the moment of execve() system call. The real group ID remains the user's own group, but the effective group ID now matches the file's group. This allows the process to access resources that are protected by that group, as if the user were a member of that group.
For directories, the SGID bit works differently and is implemented at the filesystem level. When a directory has the SGID bit set, the kernel's file creation routines (part of the Virtual File System, VFS) automatically assign the group ownership of any new file or subdirectory to the group of the parent directory, overriding the current process's effective group ID. This is defined in POSIX standards and is consistently implemented across Linux, BSD, macOS, and other Unix-like systems. The sticky bit on directories (chmod +t) affects deletion permissions, while the SGID on directories affects inheritance of group ownership. These are independent mechanisms that can be combined.
Real-world implementation requires careful attention to security. A set-group-ID executable that is world-executable allows any user on the system to run it with elevated group privileges. This can be a security risk if the program has bugs like buffer overflows or insecure environment handling. Many Linux distributions therefore restrict the use of SGID binaries only to well-audited system programs, such as /usr/bin/write (which uses SGID to allow users to send messages to each other's terminals) or /usr/bin/crontab (which uses SGID to access the cron spool directory owned by group crontab). System administrators set SGID using the chmod command: chmod g+s filename sets SGID, and chmod g-s removes it. Numerically, chmod 2755 sets SGID with rwx permissions for owner and group, and read/execute for others.
Real-Life Example
Think about a public library that has a special "staff only" room with reference books that must not be taken out. The room is locked with a magnetic badge system. Normally, only employees with a staff badge can enter. One day, the library wants to allow volunteers from a local college to help organize the reference section, but only on weekends. They don't want to give the volunteers permanent staff badges because that would let them enter any time. Instead, the library sets up a temporary pass that can be used on Saturday mornings. When a volunteer scans in, they get temporary access, exactly like a staff member, only for that day.
SGID works similarly. In a Linux system, there might be a database management program that needs to read a configuration file owned by the group "dba" (database administrators). Normal users on the system don't belong to the dba group. However, the administrator can set the SGID bit on the database client program. Now, when any user runs that program, it temporarily runs as if it belonged to the dba group. The program can access the configuration file, perform its task, and then exit. The user's normal account never gains permanent group membership. This is exactly like the volunteer getting a temporary badge that works only for that specific purpose.
For the directory version, imagine a shared art studio where multiple artists leave their works. If there is a rule that every new painting must be tagged with the studio's official group name instead of the artist's personal tag, the director can set up the room so that any new artwork created inside automatically gets the studio's tag. This is exactly what SGID on a directory does for files and subdirectories. It keeps group ownership consistent, preventing confusion like "which team owns this file?" when many people are collaborating.
Why This Term Matters
SGID matters because it is a fundamental security mechanism that enables principle of least privilege in multiuser systems. Instead of adding a user to a privileged group permanently (which grants that user all permissions associated with the group at all times), SGID allows temporary elevation of group privileges only when a specific program is executed. This reduces the attack surface and limits the potential damage from a compromised user account.
In practical IT environments, SGID is used extensively for system utilities. For example, the passwd command traditionally uses SUID rather than SGID, but many system monitoring tools use SGID to read log files that belong to groups like "adm" or "syslog". The mail spool (often /var/mail) uses SGID directories so that all incoming mail files belong to the mail group, and the mail delivery agent can write them regardless of the recipient's primary group. The 'locate' command uses a database owned by group 'mlocate' and uses SGID to allow users to query it without full read access.
From a system administration perspective, understanding SGID is critical when securing shared directories. Without SGID, files created by different users in a shared project folder would belong to each user's default group. If the project requires a specific group (like "group-project-alpha"), each user would need to change the group manually using chgrp, or the admin would need to set up a cron job to fix permissions. SGID automates this, enforcing group inheritance and reducing human error.
However, misusing SGID can be dangerous. An SGID binary that is poorly written can allow users to write to files they should not, or worse, overwrite system files. Therefore, security audits often scan for SGID binaries that are world-writable or owned by non-root users. The find command is commonly used: find / -perm -2000 -type f lists all SGID files. In exam contexts, knowing how to identify, set, and remove SGID bits is a standard objective for Linux+ and LPIC certifications.
How It Appears in Exam Questions
Exam questions about SGID generally fall into three categories: interpretation, configuration, and troubleshooting. In interpretation questions, you are given an ls -l output or a stat output and asked to identify whether the SGID bit is set. For example: "Given the output -rwxr-sr-x, which special permission is applied?" The answer is SGID, because the group execute position shows an 's' instead of an 'x'. A trap often involves the capital 'S' (e.g., -rwxr-Sr-x), which means SGID is set but the group execute bit is not, making the SGID effectively useless.
Configuration questions present a scenario: "A team of developers needs to share a directory so that all new files are automatically owned by the 'developers' group." The correct solution is to set the SGID bit on the directory using chmod g+s /shared/dev or chmod 2770 /shared/dev. Questions may also ask for the numeric mode: "Which octal permission value sets SGID on a directory with rwx for owner and group, and no access for others?" The answer is 2770 (SGID bit 2000 + rwx for owner 700 + rwx for group 070 = 2770).
Troubleshooting questions describe a problem: "You set SGID on /data/project, but new files created by user alice still show alice as the group owner instead of the project group." The potential causes are: 1) The SGID bit was not set correctly (check with stat -c '%a' /data/project, should show a 2 in the thousands place). 2) The directory is on a filesystem that does not support SGID (rare, but possible with some network mounts). 3) The user's umask is stripping group write, but that does not affect group ownership-only the SGID bit controls that. A more subtle trap: if the SGID bit is set but the group execute permission is missing (capital S), the SGID effect on group inheritance still works on directories because the kernel only checks the SGID bit, not the execute bit, for group inheritance. However, users who lack execute permission on the directory cannot enter it or create files there, so the issue becomes one of accessibility, not SGID functionality.
Practise SGID Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a junior system administrator at a small marketing agency. The company has three departments: Design, Content, and Sales. Each department has its own directory under /shared. The Design team often works on collaborative projects and needs everyone to have write access to the same files. The problem is that when Alice (from Design) creates a file, it belongs to the group 'alice' (her default group), but when Bob (also from Design) creates a file, it belongs to 'bob'. Then Carol, the manager, cannot easily manage permissions because the group ownership is inconsistent.
You decide to use SGID. You set the group ownership of /shared/design to 'design_team' and ensure Alice, Bob, and Carol are all members of 'design_team'. Then you run chmod g+s /shared/design. Now, when Alice creates a new file using touch /shared/design/project_plan.txt, the file automatically inherits the group 'design_team' instead of 'alice'. Bob can also edit the file because he is a member of 'design_team'. Carol, as manager, can administer the directory without needing to run chgrp manually. This saves time and prevents errors.
However, after a few weeks, you receive a complaint: Carol cannot delete a file that Alice created, even though Carol is in the same group. Why? Because the file's permissions might not allow group write. SGID only affects group inheritance, not permission bits. Carol, as a member of 'design_team', can read and write (if group write is set), but unless Alice's umask allows group write, the file may be created with only read permission for group. To fully solve the problem, you also need to set a default ACL or ensure the umask is 0002 (group write). This scenario teaches that SGID works best alongside other permission mechanisms.
Common Mistakes
Assuming SGID on a file gives the user full root privileges.
SGID only elevates group privileges to the file's group owner, not to root (unless the file's group is root). It does not affect user ID elevation. SUID is used for user ID elevation.
Remember that SGID changes the effective GROUP ID, not the user ID. For root-level escalation, look for SUID, not SGID.
Confusing the SGID bit on a file with the sticky bit.
The sticky bit (octal 1000) on a directory restricts deletion to file owners. SGID (octal 2000) on a directory inherits group ownership. They serve completely different purposes.
Use the mnemonic: 'SGID = Share Group ID' (inherits group); 'Sticky = Sticky delete' (only owner can delete).
Thinking that SGID on a directory also sets the SGID on new files created inside it.
SGID on a directory causes new files to inherit the directory's GROUP, but it does not automatically set the SGID bit on those new files. The SGID bit on files is only set by explicit chmod or by a default ACL.
Test this: create a file in an SGID directory, then run ls -l. You will see the file's group matches the directory, but the file's own permissions will not show an 's' in the group execute position unless you specifically set it.
Believing that removing execute permission on a directory cancels the SGID effect on group inheritance.
The SGID bit on directories affects group inheritance at the filesystem level regardless of the execute bit. If execute is missing (capital S), users cannot enter the directory, but if they could (e.g., via ACL), new files would still inherit the group.
Understand that SGID group inheritance and directory execute are independent. The capital S warning is about usability, not about inheritance functionality.
Using chmod 777 on an SGID directory thinking it sets SGID.
777 sets full permissions for everyone but does not include the SGID bit. To set SGID, you need a four-digit octal number like 2777, or use symbolic mode g+s.
Always use chmod g+s for symbolic mode, or prepend a 2 (octal) for numeric mode. Verify with ls -l: look for 's' in group execute position.
Exam Trap — Don't Get Fooled
{"trap":"An exam question shows the output -rwxr-Sr-x and asks whether the file has SGID set and why the S is capital.","why_learners_choose_it":"Many learners believe that a capital S means SGID is not set, or that it means SUID is set instead. They may also think the S is a typo or indicates a broken system."
,"how_to_avoid_it":"Learn that a capital S in the group execute position means the SGID bit IS set (the 's' is lowercase when execute is present, capital when execute is missing). The difference is only about the execute bit. SGID is functional even if execute is missing on a directory (for group inheritance), but on a file, a capital S means the file has SGID but group execute is off, which typically makes the SGID ineffective because the file cannot be executed by the group.
For directories, capital S still works for group inheritance but prevents group members from listing or entering the directory. Always check the third character of the group permission field."
Step-by-Step Breakdown
Check current permissions
Before setting SGID, you must know the current permissions of the target file or directory. Use ls -ld or stat. For a directory, check if the group execute bit is set-without it, SGID may be usable but others cannot access the directory. For an executable file, ensure group execute permission is present so the SGID bit becomes active.
Choose appropriate group ownership
The group that will own the file or directory must exist and should contain the users who need elevated privileges. Use chgrp to change the group if needed. For a shared project directory, set the group to a team group. For an executable, set the group to the privileged group that should run the program.
Set the SGID bit using chmod
Use chmod g+s target to set SGID symbolically. Alternatively, use octal mode: chmod 2[permissions] target. The leading 2 adds the SGID bit. For example, chmod 2755 sets SGID with rwxr-xr-x. Always verify with ls -l: the group execute position should show 's' (lowercase) or 'S' (capital if execute missing).
Test the SGID behavior
For a directory, create a new file inside it and check its group ownership using ls -l. It should match the directory's group. For an executable, log in as a user who does not belong to the file's group but has execute permission. Run the executable and check the effective group ID using the id command while the program is running. This confirms the SGID is working.
Secure the SGID environment
Ensure that the SGID binary is not exploitable: it should be owned by a trusted user (often root) and not writable by others. Restrict write access to the binary itself. Regularly audit SGID files using find / -perm -2000 to detect unauthorized changes. For directories, combine SGID with a default ACL or appropriate umask to ensure new files have the correct permissions, not just the correct group.
Practical Mini-Lesson
In real-world system administration, SGID is a double-edged sword. It is incredibly useful for shared directories and system utilities, but it requires careful implementation. Let's walk through a practical scenario: setting up a shared directory for a team of developers working on a project called 'ProjectX'.
First, create the group: groupadd projectx_dev. Then add all developers to this group: usermod -aG projectx_dev alice, bob, carol. Next, create the shared directory: mkdir /srv/projectx. Change the group: chgrp projectx_dev /srv/projectx. Set permissions so that owner and group can do anything: chmod 2770 /srv/projectx. The 2 sets SGID. Now, when alice creates a file inside, it inherits group projectx_dev. But what about permissions? Alice's umask might be 0022, which gives new files 644 permissions. That means group members can read but not write. Carol, the manager, needs to edit files. You must either adjust Alices umask to 0002 or set a default ACL: setfacl -d -m g::rwx /srv/projectx. This makes new files group-writable.
Now consider a security audit. A team lead notices there is an executable file /usr/local/bin/projectx_tool that has SGID set. The tool reads a sensitive configuration file owned by group projectx_dev. The binary is owned by root and has permissions 2755 (rwxr-sr-x). Any user can run it and read the config. But what if an attacker gains access to a low-privilege user account? They can run projectx_tool to read the config. If the tool has a vulnerability that allows executing arbitrary commands with the group's privileges, the attacker might access other files owned by projectx_dev. This is a real risk. To mitigate, only install SGID binaries from trusted sources, keep them updated, and use access controls (like SELinux or AppArmor) to further restrict what the SGID process can do.
Another common pitfall: using SGID with NFS or other network filesystems. NFS may not support SGID inheritance across servers unless the filesystem is mounted with appropriate options (like no_suid or nosuid, which can disable SGID). Always test SGID behavior on network shares before relying on it. Similarly, containerized environments (Docker, Podman) often disable set-user-ID and set-group-ID bits for security. In such cases, SGID may be silently ignored. The professional know to check /proc/mounts for the 'nosuid' mount option.
Finally, documenting SGID usage is important. If you set SGID on a directory, note it in the system's configuration management (Ansible, Puppet, Salt) so that future administrators know not to remove it accidentally. A simple comment in a README file or in the Puppet manifest can prevent a production outage when someone runs chmod g-s on a critical shared directory.
Memory Tip
Think of SGID as 'Same Group ID' for directories: New files get the Same Group as the directory. For executables, think 'Switch Group ID': the process temporarily switches to the file's group.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)XK0-005XK0-006(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Frequently Asked Questions
What does SGID stand for?
SGID stands for Set Group ID. It is a special permission bit in Unix-like systems that controls group privilege elevation for executables and group ownership inheritance for directories.
How do I set SGID on a directory?
Use the command chmod g+s /path/to/directory or numerically chmod 2770 /path/to/directory. The 2 before the three-digit permission adds the SGID bit.
Does SGID work on Windows?
No, SGID is specific to Unix-like operating systems (Linux, macOS, BSD). Windows uses a different permission model based on Access Control Lists (ACLs). However, Windows Server has a 'Set-Group' concept in some contexts, but it is not the same.
Can SGID be set on a symbolic link?
No, SGID and other permission bits are meaningless on symbolic links. The permissions of a symlink are always lrwxrwxrwx, and the actual file is what matters. Setting SGID on a symlink affects the target file, not the symlink itself.
What is the difference between SGID and the sticky bit?
SGID (octal 2000) controls group ownership inheritance on directories and group elevation on executables. The sticky bit (octal 1000) on directories restricts file deletion to the file owner, directory owner, or root. They are independent and can be combined.
Why does my SGID directory show a capital S instead of s?
A capital S in the group execute position means the SGID bit is set but the group execute permission is off. For directories, this means group members cannot enter the directory (no execute), but new files still inherit the group. For files, it means the file cannot be executed by the group, which usually makes the SGID useless for executables.
Is SGID a security risk?
Yes, especially on executables. An SGID binary allows any user with execute permission to run it with the group's privileges. If the binary has vulnerabilities, it can be exploited for group privilege escalation. Regular auditing with find / -perm -2000 is recommended.
Summary
SGID, or Set Group ID, is a Unix/Linux special permission that serves two primary functions: it allows an executable file to run with the group privileges of the file's owner group, and it causes new files created within a directory to inherit the directory's group ownership. Understanding SGID is essential for IT professionals because it is a core mechanism for managing group access in multiuser environments, enabling the principle of least privilege while still granting necessary access.
In certification exams like CompTIA Linux+, RHCSA, LPIC-1, and Security+, SGID appears in questions about permission interpretation (the s versus S in ls -l output), configuration (chmod g+s, octal 2xxx), and troubleshooting (why group inheritance fails). A solid grasp of SGID helps you differentiate it from SUID and the sticky bit, and reduces mistakes in exam scenarios involving shared directories or privileged executables.
Remember that SGID is not a silver bullet. It works best when combined with appropriate umask settings, default ACLs, and regular auditing. Misconfigured SGID can lead to security holes or usability problems. As a sysadmin, you should know how to find all SGID files on a system, understand the implications of each one, and remove or secure those that are unnecessary.
The key exam takeaways: SGID on directories = group inheritance for new files; SGID on files = temporary group elevation for execution. Recognize the capital S trap, know the octal value 2000, and be able to explain the difference between SGID and other special permissions. With this knowledge, you will be prepared for any SGID-related question.