Before we talk about what is a Sticky bit let’s start by explaining why do we need it. For example we have a directory /var/share somewhere on the filesystem with a full access for all permission groups that is owner, group and any, thus all permission bits are set to “on” drwxrwxrwx:
# ls -ld /var/share/ drwxrwxrwx. 2 root root 4096 Mar 5 11:02 /var/share/
From the above, we can see that any user have read, write and execute permissions to the /var/share directory. Next, in our scenario we have two users named user1 and user2. Since everybody now have an access to /var/share directory, our user1 can navigate to this directory and simply create any arbitrary file:
user1@localhost ~]$ cd /var/share/ [user1@localhost share]$ touch file1 [user1@localhost share]$ ls -l file1 -rw-rw-r--. 1 user1 user1 0 Mar 5 11:08 file1 [user1@localhost share]$
The file1 was created with a permission bit set by user’s umask value and the user and group ownership is set to its creator that is user1. So far we have no issues and all works perfectly as intended. Later, our user2 navigates to the /var/share directory and decides to rename or delete file1 to file2:
[user2@localhost share]$ cd /var/share/ [user2@localhost share]$ ls -l total 0 -rw-rw-r--. 1 user1 user1 0 Mar 5 11:20 file1 [user2@localhost share]$ mv file1 file2 [user2@localhost share]$ ls -l total 0 -rw-rw-r--. 1 user1 user1 0 Mar 5 11:20 file2 [user2@localhost share]$ rm file2 rm: remove write-protected regular empty file ‘file2’? y [user2@localhost share]$ ls [user2@localhost share]$
What happened in the above example is that our user2 navigated to /var/share directory, listed all files and found file1. With a use of mv command the user renamed the file1 to file2. The file was renamed while the file’s owner and group were unchanged. After that user2 simply decided to remove the file using rm command.
At this stage we are in a need for some mechanism to prevent users who do not own the directory or the actual file within the directory from renaming or removing other user’s files. This mechanism is called “Sticky Bit”. Sticky bit only allows root, directory owner and file owner to rename and delete files. Use chmod command to set a sticky bit on a directory:
[root@localhost ~]# chmod +t /var/share/ [root@localhost ~]# ls -ld /var/share/ drwxrwxrwt. 2 root root 4096 Mar 5 11:21 /var/share/
The last executable permission bit for all users is now set to t which means that a sticky bit is now in place and only root, file or directory owners can rename and delete files. Let’s replicate the above scenario and let user1 to create a new file1 file:
[user1@localhost share]$ ls [user1@localhost share]$ touch file1 [user1@localhost share]$ ls -l total 0 -rw-rw-r--. 1 user1 user1 0 Mar 5 11:34 file1 [user1@localhost share]$
file1 is now created and since the sticky bit is now in place the user2 will now be prevented from renaming or deleting file which does not belong to him/her:
[user2@localhost share]$ ls -l total 0 -rw-rw-r--. 1 user1 user1 0 Mar 5 11:34 file1 [user2@localhost share]$ mv file1 file2 mv: cannot move ‘file1’ to ‘file2’: Operation not permitted [user2@localhost share]$ rm file1 rm: remove write-protected regular empty file ‘file1’? y rm: cannot remove ‘file1’: Operation not permitted [user2@localhost share]$ ls -l total 0 -rw-rw-r--. 1 user1 user1 0 Mar 5 11:34 file1 [user2@localhost share]$
From the above example we can see that user2 was unable to rename or delete a file because it is owned by other user, while this behavior is enforced by the Sticky bit mechanism. The best example of sticky bit usage is /tmp/ directory.
# ls -ld /tmp/ drwxrwxrwt. 18 root root 480 Mar 5 11:42 /tmp/
Any user has access to /tmp/, however, to prevent other users from renaming or deleting files owned by different users the sticky bit is set to this directory by default. Just for a completeness, note that you can remove a sticky bit from a directory by already mentioned chmod command:
[root@localhost ~]# ls -ld /var/share/ drwxrwxrwt. 2 root root 4096 Mar 5 11:38 /var/share/ [root@localhost ~]# chmod -t /var/share/ [root@localhost ~]# ls -ld /var/share/ drwxrwxrwx. 2 root root 4096 Mar 5 11:38 /var/share/ [root@localhost ~]#