Description
If you pass the suid/sgid bits to `mkdirat`, POSIX systems ignore those bits (Linux does honour the sticky bit but other operating systems don't). This is expected behaviour documented in the Linux man pages. Go's `os.Mkdir` only guarantees that the sticky bit is set and silently ignores the suid and sgid bits.
My philosophy was that we don't want to ignore bits users requested. However, it seems that with runc some users set nonsense bits and don't care about the results. In runc, we can fix this by masking those bits explicitly -- but should we change our behaviour to give a more useful error if you pass those bits?
I noticed this while working on tests, but decided to not do any special handling until someone found a real example of it. Reported as an actual issue by @lifubang in opencontainers/runc#4393 (comment).