System Administration Guide
Chapter 5, Maintaining system security

The sticky bit and directories

Another important enhancement involves the use of the sticky bit on directories. When the sticky bit is set on a directory, only the owner of a file and the superuser may remove that file from the directory; all other users are denied the right to remove it, regardless of the directory permissions. Unlike the sticky bit on files, the sticky bit on a directory remains in place until the directory owner or the superuser explicitly removes the directory or changes its permissions.

You gain the most security from this feature by placing the sticky bit on all public directories, that is, directories writable by any non-administrator. Train users that the sticky bit, together with the default umask of 077, solves a major problem of less secure systems: between them, the two features prevent other users from altering or replacing any file you have in a public directory. The only information other users can gain from such a file is its name and attributes.

Example 5-2 illustrates the power of such a scheme. The sticky bit is the "t" in the permissions for the directory, the final character of the mode field.

Example 5-2 Sticky bit example

   $ id
   uid=76(slm) gid=11(guru)
   $ ls -al /tmp
   total 64
   drwxrwxrwt   2 bin      bin      1088 Mar 18 21:10 .
   dr-xr-xr-x  19 bin      bin       608 Mar 18 11:50 ..
   -rw-------   1 blf      guru    19456 Mar 18 21:18 Ex16566
   -rw-------   1 blf      guru    10240 Mar 18 21:18 Rx16566
   -rwxr-xr-x   1 slm      guru    19587 Mar 17 19:41 mine
   -rw-------   1 slm      guru      279 Mar 17 19:41 mytemp
   -rw-rw-rw-   1 root     sys        35 Mar 16 12:27 openfile
   -rw-------   1 root     root       32 Mar 10 10:26 protfile
   $ rm /tmp/Ex16566
   rm: /tmp/Ex16566 not removed. Permission denied
   $ rm /tmp/protfile
   rm: /tmp/protfile not removed. Permission denied
   $ cat /tmp/openfile
         Ha! Ha!
   You can't remove me.
   $ rm /tmp/openfile
   rm: /tmp/openfile not removed. Permission denied
   $ rm -f /tmp/openfile
   $ rm /tmp/mine /tmp/mytemp
   $ ls -l /tmp
   drwxrwxrwt   2 bin      bin      1088 Mar 18 21:19 .
   dr-xr-xr-x  19 bin      bin       608 Mar 18 11:50 ..
   -rw-------   1 blf      guru    19456 Mar 18 21:18 Ex16566
   -rw-------   1 blf      guru    10240 Mar 18 21:18 Rx16566
   -rw-rw-rw-   1 root     sys        35 Mar 16 12:27 openfile
   -rw-------   1 root     root       32 Mar 10 10:26 protfile
   $ cp /dev/null /tmp/openfile
   $ cat /tmp/openfile
   $ cp /dev/null /tmp/protfile
   cp: cannot create /tmp/protfile
   $ ls -l /tmp
   drwxrwxrwt   2 bin      bin      1088 Mar 18 21:19 .
   dr-xr-xr-x  19 bin      bin       608 Mar 18 11:50 ..
   -rw-------   1 blf      guru    19456 Mar 18 21:18 Ex16566
   -rw-------   1 blf      guru    10240 Mar 18 21:18 Rx16566
   -rw-rw-rw-   1 root     sys         0 Mar 18 21:19 openfile
   -rw-------   1 root     root       32 Mar 10 10:26 protfile

The only files removed are those owned by user slm (the user in the example). The user slm could not remove any other file, not even the world-writable file /tmp/openfile; note that rm -f did not remove it either, it merely suppressed the error message. However, the mode setting of /tmp/openfile itself allowed slm to destroy the file contents; this is why the umask setting is important in protecting data. Conversely, the mode on /tmp/protfile, together with the sticky bit on /tmp, makes /tmp/protfile impenetrable.

All public directories should have the sticky bit set. These include, but are not limited to:

If you are unsure, it is far better to set the sticky bit on a directory than to leave it off. You can set the sticky bit on a directory with the following command, where directory is the name of the directory:

chmod u+t directory

To remove the bit, replace the "+" with a "-" in the chmod command.
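The guide asks for the sticky bit on every public directory, so the check an administrator wants is a way to find world-writable directories that are still missing it. The following shell script is an added example, not part of the guide or of any vendor's tools: it reads the "t" from the mode field the way Example 5-2 shows it, lists unprotected public directories under a given tree with find, and optionally sets the bit on them. The guide spells the command chmod u+t; this example uses chmod +t, which GNU and BSD chmod accept for the same bit. The function names and the use of ls -ld and find -perm are this example's own choices.

```sh
#!/bin/sh
# Added example: audit a directory tree for public (world-writable)
# directories that lack the sticky bit, and optionally protect them.

# has_sticky DIR -> succeeds if DIR has the sticky bit set.
# The bit shows as "t" (or "T" when others lack search permission)
# in the last character of the mode field printed by ls -ld.
has_sticky() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        d????????[tT]) return 0 ;;
        *)             return 1 ;;
    esac
}

# world_writable DIR -> succeeds if others have write permission on DIR
# (the directory is "public" in the guide's sense).
world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        d???????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# list_unprotected ROOT -> print every directory under ROOT (same
# filesystem only) that is world-writable but has no sticky bit.
# -perm -0002 tests the others-write bit, -perm -1000 the sticky bit.
list_unprotected() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# fix_unprotected ROOT -> set the sticky bit on each directory that
# list_unprotected reports, printing what was changed.
fix_unprotected() {
    list_unprotected "$1" | while IFS= read -r d; do
        chmod +t "$d" && printf 'set sticky bit on %s\n' "$d"
    done
}

# Usage: report only, then fix.
#   list_unprotected /
#   fix_unprotected /
```

Run list_unprotected first and review its output; a directory that is world-writable without good reason is better fixed by tightening its mode than by adding the sticky bit alone.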