Protecting Directories with Sticky Bit

sticky bit on /tmp/try directory

One of the least used and most often forgotten features of Linux/Unix filesystems, the sticky bit is a great way to manage regular users' access to a shared directory.



What is a sticky bit?

The sticky bit is a special flag that changes how a particular directory in Unix behaves. Without this flag, any user with enough permissions on the directory can remove or rename somebody else’s file in it. With the sticky bit set, only the original owner of a file can remove or rename it; other users get permission denied.

IMPORTANT: there’s also an even less common scenario, using the sticky bit on files, which I’ll explain in a separate post.

How sticky bit for a directory looks

Here’s a directory I just created as myself on my laptop:

greys@maverick:~ $ ls -lad /tmp/try
drwxr-xr-x  2 greys  wheel  64 17 Dec 08:33 /tmp/try

I plan on sharing this directory with another user, called unixtutorial. So I’m opening permissions wide (warning! do this only for shared directories that contain no sensitive data):

greys@maverick:~ $ chmod a+rwx /tmp/try
greys@maverick:~ $ ls -lad /tmp/try
drwxrwxrwx  2 greys  wheel  64 17 Dec 08:33 /tmp/try

Let’s set the sticky bit for this /tmp/try directory:

greys@maverick:~ $ chmod +t /tmp/try

Here’s how it looks now (note how the last rwx in the permissions changed to rwt; the t is the sticky bit). A capital T in that position means the sticky bit is set but the execute bit for others is not:

greys@maverick:~ $ ls -lad /tmp/try
drwxrwxrwt  2 greys  wheel  64 17 Dec 08:33 /tmp/try

How sticky bit works

I’m creating a file in the sticky-bit protected directory /tmp/try that any user on my OS can access for read and write:

greys@maverick:~ $ touch /tmp/try/file1
greys@maverick:~ $ ls -lad /tmp/try/file1
-rw-r--r--  1 greys  wheel  0 17 Dec 08:34 /tmp/try/file1
greys@maverick:~ $ chmod 666 /tmp/try/file1
greys@maverick:~ $ ls -lad /tmp/try/file1
-rw-rw-rw-  1 greys  wheel  0 17 Dec 08:34 /tmp/try/file1

… but if I start another terminal session as user unixtutorial, I can’t remove this file, even though its rw- permissions should allow it:

unixtutorial@maverick:~ $ sudo su - unixtutorial
Password:
unixtutorial@maverick:~ $ cd /tmp/try
unixtutorial@maverick:/tmp/try $ rm /tmp/try/file1
rm: /tmp/try/file1: Permission denied
unixtutorial@maverick:/tmp/try $ ls -la /tmp/try/file1
-rw-rw-rw-   1 greys  wheel    0 Dec 17 08:34 file1

If, as my original user greys, I remove the sticky bit from /tmp/try:

greys@maverick:~ $ chmod -t /tmp/try
greys@maverick:~ $ ls -ald /tmp/try
drwxrwxrwx  2 greys  wheel  64 17 Dec 08:36 /tmp/try

… I can now remove the file as another user:

unixtutorial@maverick:/tmp/try $ rm /tmp/try/file1
unixtutorial@maverick:/tmp/try $ ls -al /tmp/try/file1
ls: /tmp/try/file1: No such file or directory
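The demonstration above shows why a world-writable directory without the sticky bit is a problem: any user can delete or rename everybody else’s files in it. Here is an added audit script (my own example, not part of the original post) that finds such directories under a given path; the directory names it creates for the demo are constructed:

```shell
#!/bin/sh
# Added example: audit a directory tree for world-writable directories that
# lack the sticky bit, i.e. shared directories where any user could remove
# or rename other users' files (the /tmp/try situation once chmod -t is run).

# Print every directory under $1 that is world-writable (o+w) but has no
# sticky bit. find's -perm -MODE matches when all bits of MODE are set;
# -xdev keeps the scan on one filesystem, like a /tmp or /var/tmp audit would.
find_unprotected_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Succeed (exit 0) only if $1 is a directory that is both world-writable and
# sticky-bit protected: mode bits 1002 = sticky (1000) + others-write (0002).
is_sticky_shared_dir() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -1002 2>/dev/null)" ]
}

# Demo on a constructed layout in a temporary directory (not real system paths).
demo() {
    base=$(mktemp -d)
    mkdir "$base/shared_ok" "$base/shared_bad" "$base/private"
    chmod 1777 "$base/shared_ok"    # world-writable, sticky bit set: fine
    chmod 0777 "$base/shared_bad"   # world-writable, no sticky bit: flagged
    chmod 0755 "$base/private"      # not world-writable: ignored
    echo "Unprotected shared directories under $base:"
    find_unprotected_dirs "$base"   # prints only .../shared_bad
    rm -rf "$base"
}
```

Run `demo` to see the constructed case, or call find_unprotected_dirs on a real path such as / to list directories that should probably get chmod +t.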

Sticky Bit Clarifications

  1. You can’t apply the sticky bit to a user or group class as you would with other permission bits. It works at the file or directory level, not at the user or group level.

    This is invalid: chmod u+t

    This is correct: chmod +t

  2. The sticky bit only restricts regular users: the superuser root can still remove any file in a sticky-bit protected directory, even files owned by other users.

That’s it for today. Hope you have learned something new!
