Sticky bit

I recently had an interview in which I got asked about the sticky bit. Honestly, I can’t remember what this is. Of course I know it has something to do with access rights on a Linux filesystem, and I remember having checked Wikipedia or man at least 10 times about it, but it just doesn’t stick in my head. So I’ll try to dig a little into its behaviour to make it stay up there!

How to set it

chmod +t somefile-or-dir
chmod 1xxx somefile-or-dir

Let’s play
I created 2 directories and 2 files, one with sticky bit set and one without for each type:

drwxrwxr-x  2 amandine amgrp 4,0K 2012-05-04 16:20 dirWithoutStickyBit
drwxrwxr-t  2 amandine amgrp 4,0K 2012-05-04 16:20 dirWithStickyBit
-rw-rw-r-T  1 amandine amgrp    0 2012-05-04 16:20 fileWithStickyBit
-rw-rw-r--  1 amandine amgrp    0 2012-05-04 16:20 fileWithoutStickyBit

First I noticed that the sticky bit on the directory is shown as “t” in place of the last x, and as “T” for the file. Maybe it’s because the file isn’t world executable? Let’s verify that:

amandine$ chmod +x fileWithStickyBit
amandine$ ls -lah
drwxrwxr-x  2 amandine amgrp 4,0K 2012-05-04 16:20 dirWithoutStickyBit
drwxrwxr-t  2 amandine amgrp 4,0K 2012-05-04 16:20 dirWithStickyBit
-rwxrwxr-t  1 amandine amgrp    0 2012-05-04 16:20 fileWithStickyBit
-rw-rw-r-x  1 amandine amgrp    0 2012-05-04 16:20 fileWithoutStickyBit

Ok, so “T” means sticky bit on but world executable off, “t” means both on.
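To pin down the “t” versus “T” rendering, here is an added Python example (not code from the original post) that recreates the four entries above in a scratch directory, sets the sticky bit with os.chmod the way chmod +t does, and renders the mode column the way ls -l does. The file and directory names are the post’s; the helper names set_sticky, has_sticky, render_mode and demo are my own.

```python
import os
import stat
import tempfile


def set_sticky(path):
    """Turn on the sticky bit (S_ISVTX, the leading '1' in 'chmod 1xxx')
    without touching the other permission bits, like 'chmod +t'."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode | stat.S_ISVTX)


def has_sticky(path):
    """True when the entry has the sticky bit / restricted deletion flag."""
    return bool(os.stat(path).st_mode & stat.S_ISVTX)


def _triplet(st_mode, r, w, x, special, on, off):
    """One rwx group; a special bit (setuid, setgid or sticky) is drawn in
    the execute slot: upper case when the execute bit itself is off."""
    s = "r" if st_mode & r else "-"
    s += "w" if st_mode & w else "-"
    if st_mode & special:
        s += on if st_mode & x else off
    else:
        s += "x" if st_mode & x else "-"
    return s


def render_mode(st_mode):
    """Render the 10-character mode column as ls -l does for regular files
    and directories (other file types are shown as '-' here)."""
    kind = "d" if stat.S_ISDIR(st_mode) else "-"
    return (kind
            + _triplet(st_mode, stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s", "S")
            + _triplet(st_mode, stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s", "S")
            + _triplet(st_mode, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t", "T"))


def demo():
    """Recreate the post's four entries in a temporary directory and return
    their ls-style mode strings, plus the file after 'chmod +x'."""
    result = {}
    with tempfile.TemporaryDirectory() as root:
        d_plain = os.path.join(root, "dirWithoutStickyBit")
        d_sticky = os.path.join(root, "dirWithStickyBit")
        f_plain = os.path.join(root, "fileWithoutStickyBit")
        f_sticky = os.path.join(root, "fileWithStickyBit")
        for d in (d_plain, d_sticky):
            os.mkdir(d)
            os.chmod(d, 0o775)            # drwxrwxr-x, independent of umask
        for f in (f_plain, f_sticky):
            open(f, "w").close()
            os.chmod(f, 0o664)            # -rw-rw-r--
        set_sticky(d_sticky)              # chmod +t dirWithStickyBit
        set_sticky(f_sticky)              # chmod +t fileWithStickyBit
        for p in (d_plain, d_sticky, f_plain, f_sticky):
            result[os.path.basename(p)] = render_mode(os.stat(p).st_mode)
        # chmod +x fileWithStickyBit: world execute comes on, so T becomes t
        os.chmod(f_sticky, 0o775 | stat.S_ISVTX)
        result["fileWithStickyBit +x"] = render_mode(os.stat(f_sticky).st_mode)
        assert has_sticky(d_sticky) and has_sticky(f_sticky)
    return result


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{mode}  {name}")
```

render_mode can be cross-checked against the standard library’s stat.filemode, which applies the same rule; the point to take away is that the letter case only tells you whether the underlying execute bit is set, not anything about what the sticky bit does.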

The user “amandine” owns everything, and both users “amandine” and “test” belong to “amgrp”. Of course “amandine” can delete, rename and edit everything. What about user “test”?

test$ mv dirWithoutStickyBit dirWithoutStickyBit2
test$ mv dirWithStickyBit dirWithStickyBit2
test$ mv fileWithoutStickyBit fileWithoutStickyBit2
test$ mv fileWithStickyBit fileWithStickyBit2
test$ echo test > fileWithoutStickyBit2
test$ echo test > fileWithStickyBit2
test$ touch dirWithoutStickyBit2/file1
test$ touch dirWithStickyBit2/file1

Ok. Nothing different, “test” can do everything too. Did I miss the point? Let’s play more.

amandine$ touch dirWithoutStickyBit2/file2
amandine$ touch dirWithStickyBit2/file2
amandine$ ls -lah *
-rwxrwxr-x 1 amandine amgrp    5 2012-05-04 16:38 fileWithoutStickyBit2
-rwxrwxr-t 1 amandine amgrp    5 2012-05-04 16:38 fileWithStickyBit2

dirWithoutStickyBit2:
drwxrwxr-x 2 amandine amgrp    4,0K 2012-05-04 16:44 .
drwxrwxrwx 4 amandine amandine 4,0K 2012-05-04 16:38 ..
-rw-r--r-- 1 test     test        0 2012-05-04 16:43 file1
-rw-r--r-- 1 amandine amandine    0 2012-05-04 16:44 file2

dirWithStickyBit2:
drwxrwxr-t 2 amandine amgrp    4,0K 2012-05-04 16:44 .
drwxrwxrwx 4 amandine amandine 4,0K 2012-05-04 16:38 ..
-rw-r--r-- 1 test     test        0 2012-05-04 16:43 file1
-rw-r--r-- 1 amandine amandine    0 2012-05-04 16:44 file2

amandine$ rm dirWithoutStickyBit2/file1
rm: remove write-protected regular empty file 'dirWithoutStickyBit2/file1'? y
amandine$ rm dirWithStickyBit2/file1
rm: remove write-protected regular empty file 'dirWithStickyBit2/file1'? y

Now with user “test”:

test$ rm dirWithoutStickyBit2/file2
rm: remove write-protected regular empty file 'dirWithoutStickyBit2/file2'? y
test$ rm dirWithStickyBit2/file2
rm: remove write-protected regular empty file 'dirWithStickyBit2/file2'? y
rm: cannot remove 'dirWithStickyBit2/file2': Permission denied

Ha! Here’s one difference! I can’t delete another user’s file in a directory with the sticky bit set.

What about editing:

amandine$ ls -lah *
-rwxrwxr-x 1 amandine amgrp    5 2012-05-04 16:38 fileWithoutStickyBit2
-rwxrwxr-t 1 amandine amgrp    5 2012-05-04 16:38 fileWithStickyBit2

dirWithoutStickyBit2:
total 12K
drwxrwxr-x 2 amandine amgrp    4,0K 2012-05-04 16:56 .
drwxrwxrwx 4 amandine amandine 4,0K 2012-05-04 16:38 ..
-rw-rw-r-- 1 amandine amgrp       9 2012-05-04 16:56 file3

dirWithStickyBit2:
total 12K
drwxrwxr-t 2 amandine amgrp    4,0K 2012-05-04 16:56 .
drwxrwxrwx 4 amandine amandine 4,0K 2012-05-04 16:38 ..
-rw-rw-r-- 1 amandine amgrp       9 2012-05-04 16:56 file3
amandine$ cat dirWithoutStickyBit2/file3
that's amandine's file
amandine$ cat dirWithStickyBit2/file3
that's amandine's file

test$ echo "no, that's test's file" > dirWithoutStickyBit2/file3
test$ echo "no, that's test's file" > dirWithStickyBit2/file3
test$ cat dirWithoutStickyBit2/file3
no, that's test's file
test$ cat dirWithStickyBit2/file3
no, that's test's file

“test” can still edit both files.

test$ mv dirWithoutStickyBit2/file3 dirWithoutStickyBit2/file4
test$ mv dirWithStickyBit2/file3 dirWithStickyBit2/file4
mv: cannot move 'dirWithStickyBit2/file3' to 'dirWithStickyBit2/file4': Operation not permitted

but he can’t rename or delete them in the sticky bit directory.

Ok for sticky bit on directories, but what’s the point of having a sticky bit switched on for a single file?

$ man chmod
[...]
RESTRICTED DELETION FLAG OR STICKY BIT
The restricted deletion flag or sticky bit is a single bit, whose
interpretation depends on the file type.  For directories, it prevents
unprivileged users from removing or renaming a file in the directory
unless they own the file or the directory; this is called the restricted
deletion flag for the directory, and is commonly found on world-
writable directories like /tmp.  For regular files on some older
systems, the bit saves the program's text image on the swap device
so it will load more quickly when run; this is called the sticky bit.
[...]

Ok, and on newer systems? It seems it’s just not used anymore on most systems.
From Wikipedia:
Linux : […] the Linux kernel ignores the sticky bit on files. […]
*BSD : […]The sticky bit can still be set on files, but without any effect.[…]
Mac OS X : […]the sticky bit has no effect on executable files[…]

except on Solaris : […] Solaris (as of Solaris 2.5) defines special behavior when the sticky bit is set on non-executable files: those files, when accessed, will not be cached by the kernel. This is usually set on swap files to prevent access on the file from flushing more important data from the system cache. […]

Summary
The sticky bit on a directory allows users to create and modify their own files in it, and to edit others’ files if the classic rights allow it, but not to delete or rename others’ files even when the classic rights would normally allow it. The typical use of the sticky bit is /tmp.
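The deletion rule from this summary and from the man chmod excerpt, written out as an added Python model (not code from the original post, and not the kernel’s own code): a process may remove or rename an entry when it has write and search permission on the directory, and, if the directory carries the restricted deletion flag, additionally owns either the file or the directory. The uids, gids, the Entry class and the helper names are constructed for this example; replay() walks through the post’s scenarios with users amandine and test.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """Owner, group and permission bits (incl. S_ISVTX) of a file or directory."""
    uid: int
    gid: int
    mode: int          # e.g. 0o1775 for drwxrwxr-t


def _has_perm(entry, uid, groups, r=False, w=False, x=False):
    """Classic rwx check: pick the owner, group or other triplet."""
    if uid == entry.uid:
        shift = 6
    elif entry.gid in groups:
        shift = 3
    else:
        shift = 0
    want = (4 if r else 0) | (2 if w else 0) | (1 if x else 0)
    return (entry.mode >> shift) & want == want


def may_write(target, uid, groups):
    """Editing a file only depends on the file's own bits, never on the
    sticky bit of the directory it sits in."""
    return _has_perm(target, uid, groups, w=True)


def may_remove(directory, victim, uid, groups, privileged=False):
    """Can (uid, groups) unlink or rename 'victim' inside 'directory'?
    Step 1: write + search permission on the directory.
    Step 2: restricted deletion flag: with S_ISVTX on the directory the
            caller must also own the victim or the directory.
    A privileged process (root, CAP_FOWNER/CAP_DAC_OVERRIDE on Linux)
    bypasses both steps. The victim's own mode bits play no role."""
    if privileged:
        return True
    if not _has_perm(directory, uid, groups, w=True, x=True):
        return False
    if directory.mode & stat.S_ISVTX:
        return uid == victim.uid or uid == directory.uid
    return True


# constructed ids for the post's two users and three groups
AMANDINE, TEST = 1000, 1001
GRP_AMANDINE, GRP_TEST, AMGRP = 1000, 1001, 2000
GROUPS = {AMANDINE: {GRP_AMANDINE, AMGRP}, TEST: {GRP_TEST, AMGRP}}


def replay():
    """The post's experiments: amandine owns both directories, test created
    file1, amandine created file2 (644) and file3 (664, group amgrp)."""
    dir_plain = Entry(AMANDINE, AMGRP, 0o775)                 # drwxrwxr-x
    dir_sticky = Entry(AMANDINE, AMGRP, 0o775 | stat.S_ISVTX)  # drwxrwxr-t
    file1 = Entry(TEST, GRP_TEST, 0o644)
    file2 = Entry(AMANDINE, GRP_AMANDINE, 0o644)
    file3 = Entry(AMANDINE, AMGRP, 0o664)
    return {
        "amandine rm plain/file1": may_remove(dir_plain, file1, AMANDINE, GROUPS[AMANDINE]),
        "amandine rm sticky/file1": may_remove(dir_sticky, file1, AMANDINE, GROUPS[AMANDINE]),
        "test rm plain/file2": may_remove(dir_plain, file2, TEST, GROUPS[TEST]),
        "test rm sticky/file2": may_remove(dir_sticky, file2, TEST, GROUPS[TEST]),
        "test rm sticky/file1 (own file)": may_remove(dir_sticky, file1, TEST, GROUPS[TEST]),
        "test edit sticky/file3": may_write(file3, TEST, GROUPS[TEST]),
        "test mv sticky/file3": may_remove(dir_sticky, file3, TEST, GROUPS[TEST]),
        "root rm sticky/file2": may_remove(dir_sticky, file2, 0, set(), privileged=True),
    }


if __name__ == "__main__":
    for case, allowed in replay().items():
        print(f"{'ok    ' if allowed else 'denied'}  {case}")
```

The split between may_write and may_remove is the whole lesson: writing to file3 is decided by file3’s own group-write bit, whereas deleting or renaming it is decided by the directory, which is why test can overwrite file3 yet gets “Operation not permitted” on mv. The model deliberately leaves out ACLs, the immutable attribute and the newer Linux fs.protected_regular / fs.protected_symlinks sysctls, which add further restrictions on world-writable sticky directories such as /tmp.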

That wasn’t so hard to learn after all! 😉
