This is the most helpful failure. BusyBox tells you exactly what's wrong.
Setting SUID on any binary is serious. A SUID-root BusyBox is dangerous because any bug in ls, cat, or echo could be exploited to gain root access. This is why BusyBox discourages setting SUID on the main binary. Instead, they recommend:
In the world of embedded Linux, recovery systems, and containerized environments, BusyBox is a ubiquitous Swiss Army knife. It combines tiny versions of hundreds of common UNIX utilities into a single small executable. One of its most essential—and often misunderstood—commands is su (substitute user).
This prevents other applets from inheriting SUID.
In Linux, there are standard permissions: Read, Write, and Execute (r, w, x). However, there is a fourth permission that applies specifically to executable files. When the SUID bit is set on an executable, it tells the Linux kernel: "When this program is run, run it with the permissions of the file's owner, not the user who launched it."
Ensure the correct su is first in your PATH. Typically:
If you are using Alpine, the easiest and safest way is to install the specific "SUID-enabled" version of the BusyBox applets. Run this command as root:
With great power comes great responsibility. Always audit your SUID binaries, restrict access to su to trusted groups, and consider whether sudo or doas might serve your use case more flexibly. But if you need a tiny, functional su on a BusyBox system, set that SUID bit—and test it thoroughly.
In Linux and Unix-like systems, most programs run with the permissions of the user who starts them. However, certain commands—like su or passwd—need to perform actions that only the root user can do (e.g., accessing sensitive system files like /etc/shadow).
Notice the s in the permission string rws. This indicates that the SUID bit is set.
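The same bit can be checked from a script when auditing a system. The following is an added example, not code from the original page or from the BusyBox project: it resolves a su path through its symlinks and reports whether the SUID bit sits on nothing, on the shared multi-call binary (so every applet inherits it), or on a separate binary. The function name classify_su, the output labels, and the rule that a resolved file named busybox* is the multi-call binary are assumptions of this example; readlink -f is assumed to be available (GNU coreutils and BusyBox both provide it).

```shell
#!/bin/sh
# Added example (not from the original page): audit where a `su` path gets
# its SUID bit from. Labels printed by classify_su are this example's own:
#   missing              path does not exist
#   not-suid             no SUID bit on the resolved file; a BusyBox su in
#                        this state is the one that reports "must be suid"
#   suid-multicall uid=N SUID is on a file named busybox*, so every applet
#                        reached through that binary runs with owner N's rights
#   suid-dedicated uid=N SUID is on a separate binary that is not busybox*

classify_su() {
    path=$1
    [ -e "$path" ] || { echo "missing"; return 1; }

    # Applets are normally symlinks to one binary; the permission bits that
    # matter are those of the file the link finally resolves to.
    target=$(readlink -f "$path")

    # test -u is true only when the set-user-ID bit is present.
    if [ ! -u "$target" ]; then
        echo "not-suid"
        return 0
    fi

    # SUID grants the rights of the file's owner, so report the numeric owner:
    # uid=0 means the program runs as root. Field 3 of `ls -ldn` is the uid.
    owner=$(ls -ldn "$target" | awk '{print $3}')

    # Assumption: the multi-call binary is recognised by its file name.
    case $(basename "$target") in
        busybox*) echo "suid-multicall uid=$owner" ;;
        *)        echo "suid-dedicated uid=$owner" ;;
    esac
}

# Stand-alone use: classify each path given on the command line, for example
#   sh audit-su.sh "$(command -v su)"
for p in "$@"; do
    printf '%s: %s\n' "$p" "$(classify_su "$p")"
done
```

A result of suid-multicall with uid=0 is the configuration the page warns about, where a bug in any applet runs with root privileges.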