
One of the least used and most often forgotten features of Linux/Unix filesystems, the sticky bit is a great way to manage regular users' access to a shared directory.
What is a sticky bit?
The sticky bit is a special flag that changes how a particular directory in Unix works. Without this flag, any user with write permission on the directory can remove or rename somebody else's file in it, regardless of the file's own permissions. With the sticky bit set, only the owner of a file (plus the owner of the directory and root) can remove or rename it – other users will get "Permission denied".
IMPORTANT: there's also an even less common scenario of using the sticky bit on files – but I'll explain it in a separate post.
How the sticky bit on a directory looks
Here's a directory I just created as myself on my laptop:
[email protected]:~ $ ls -lad /tmp/try
drwxr-xr-x 2 greys wheel 64 17 Dec 08:33 /tmp/try
I plan on sharing this directory with another user, called unixtutorial. So I'm opening the permissions wide (warning! do this only for shared directories that contain no sensitive data):
[email protected]:~ $ chmod a+rwx /tmp/try
[email protected]:~ $ ls -lad /tmp/try
drwxrwxrwx 2 greys wheel 64 17 Dec 08:33 /tmp/try
Let's set the sticky bit for this /tmp/try directory:
[email protected]:~ $ chmod +t /tmp/try
Here's how it will look (note how the last rwx in the permissions changed to rwt – t is the sticky bit; a capital T in that position would mean the sticky bit is set but "others" have no execute permission on the directory):
[email protected]:~ $ ls -lad /tmp/try
drwxrwxrwt 2 greys wheel 64 17 Dec 08:33 /tmp/try
How the sticky bit works
I'm creating a file in the sticky-bit protected directory /tmp/try and making it readable and writable by any user on my OS:
[email protected]:~ $ touch /tmp/try/file1
[email protected]:~ $ ls -lad /tmp/try/file1
-rw-r--r-- 1 greys wheel 0 17 Dec 08:34 /tmp/try/file1
[email protected]:~ $ chmod 666 /tmp/try/file1
[email protected]:~ $ ls -lad /tmp/try/file1
-rw-rw-rw- 1 greys wheel 0 17 Dec 08:34 /tmp/try/file1
… but if I start another terminal session as user unixtutorial, I can't remove this file, even though the directory is world-writable (and the file itself is mode 666):
[email protected]:~ $ sudo su - unixtutorial
Password:
[email protected]:~ $ cd /tmp/try
[email protected]:/tmp/try $ rm /tmp/try/file1
rm: /tmp/try/file1: Permission denied
[email protected]:/tmp/try $ ls -la /tmp/try/file1
-rw-rw-rw- 1 greys wheel 0 Dec 17 08:34 file1
If, as my original user greys, I remove the sticky bit from /tmp/try:
[email protected]:~ $ chmod -t /tmp/try
[email protected]:~ $ ls -ald /tmp/try
drwxrwxrwx 2 greys wheel 64 17 Dec 08:36 /tmp/try
… I can now remove the file as the other user:
[email protected]:/tmp/try $ rm /tmp/try/file1
[email protected]:/tmp/try $ ls -al /tmp/try/file1
ls: /tmp/try/file1: No such file or directory
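The walkthrough above checks one directory by hand with ls -lad. As an added example that is not part of the original post, here is a small POSIX sh helper that does the defender's version of that check across a whole tree: it lists world-writable directories that lack the sticky bit (the classic hardening audit), tests a single directory's mode string for the t/T flag, and sets the bit where it is missing. It assumes only find, ls and chmod; the function names are my own.

```shell
#!/bin/sh
# Find directories under $1 (default "/") that "others" can write to
# but that have no sticky bit, i.e. where any user can delete or rename
# other users' files. Prints one path per line.
audit_sticky() {
    root="${1:-/}"
    # -perm -0002: others have write; ! -perm -1000: sticky bit absent
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Number of offending directories, as a plain integer (for scripts/tests).
count_unsticky() {
    audit_sticky "$1" | wc -l | tr -d ' '
}

# Succeed (return 0) if the directory's ls -ld mode string ends in
# "t" (sticky + execute for others) or "T" (sticky, no execute for others).
has_sticky() {
    case "$(ls -ld "$1")" in
        d????????[tT]*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Set the sticky bit (the "t" in drwxrwxrwt) on every offending directory.
fix_sticky() {
    audit_sticky "$1" | while IFS= read -r d; do
        chmod +t "$d"
    done
}
```

Run `audit_sticky /` on a host to see the list before deciding whether `fix_sticky /` is appropriate; the page's own /tmp/try with mode 0777 would show up, and the same directory at 1777 would not.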
Sticky Bit Clarifications
- You can't apply the sticky bit to a user or group, as you would with other file access permissions. It works at the file or directory level, not the user or group level.
  This is invalid: chmod u+t
  This is correct: chmod +t
- The sticky bit only restricts regular users – the super user root can still remove any files in sticky-bit protected directories, even those owned by other users.
That's it for today. Hope you have learned something new!