Since its inception, Linux has been designed as a multi-user system. With many users and groups on a working system, it is common to encounter directories shared between users of the same group, and problems arise from the sharing of files in those directories. In this article, we will discuss how you can use the sticky bit to fine-tune file access permissions on shared directories.
For illustration purposes, we have a system with three users – john1, john2 and john3 – all of whom are members of the common group “johns”.
Let’s say “john1” creates a new directory called “shared-dir”, meant to be shared among all users of the “johns” group.
Using the ls command, we can view the permissions of “shared-dir”, which can be interpreted in the following table:
Only “john1” can read the directory’s contents and write to it. Since we are working with a shared directory, we want all users of the group to be able to write to “shared-dir”.
For this, we will modify the permissions using the chmod command. We will add the “write” permission for the “johns” group as shown below.
The updated permissions for “shared-dir” can be viewed as shown below. The portion underlined in yellow shows that the “johns” group has been given “write” permission.
Adding files to the Shared Directory
Now “john1” adds two files (j1_file1.txt and j1_file2.txt) to “shared-dir”.
For easy understanding, the first two characters of each file name identify the user who created it.
Likewise, “john2” is also able to “write” to the directory “shared-dir”.
There are now four files in “shared-dir”.
Is there a problem with the current setup?
The file “j1_file1.txt” was created by “john1”, making “john1” the file owner. Now “john2” logs in and attempts to delete this file, and he is able to do so.
“john1” was the file owner, but “john2” was able to delete the file because the “write” permission on the directory was given to all members of the “johns” group, and deleting a file is a write to the directory that contains it, not to the file itself.
This scenario is not ideal. We want all the users to be able to write to the directory, but only the file owner should be able to delete a file. How can this be achieved?
Introducing Sticky Bit
The sticky bit is a special permission that can be set on a directory which has the “write” permission set for the group that has access to it. This bit ensures that all members of the group can still write to the directory, but only the owner of a file (plus the directory’s owner and root) can delete or rename that file.
The chmod command with the +t flag can be used to set the sticky bit on a directory.
The updated permission can be seen below.
Now if “john2” attempts to delete the file “j1_file2.txt” that was created by “john1”, the operation is not permitted.
If you remove the “execute” permission for “others”, as shown below, the presence of the sticky bit on the directory is represented by an upper-case “T” instead of a lower-case “t” in the “others” portion of the permission string. The behaviour of the sticky bit on the directory remains the same.
Variant of “chmod” command
The numerical form of the chmod command, chmod nxyz, can also be used to set the sticky bit on a directory, where:
- n = 1 selects the sticky bit. Other values of “n” select the other special permissions (setuid and setgid).
- x : permissions given to the file owner
- y : permissions given to the group with access to the file
- z : permissions given to others
To set sticky bit on “shared-dir”, use the following command:
which produces the same result as using +t on the existing default permissions.
The sticky bit is meaningful only for directories; on modern Linux it has no effect on regular files, so it would not make sense to set it there.
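As an added example (this is not code from the original article), the following POSIX shell script applies both forms of the command discussed above to a scratch directory, shows how the “t” and “T” display rule works, and adds the check a defender would want on a real system: a find expression that lists directories writable by group or others that carry no sticky bit, i.e. shared directories where any writer can delete anyone else’s files. The scratch directory, the 775 and 1770 modes and the function names are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes the ls, chmod,
# find and mktemp found on a normal Linux system; every path used here is a
# scratch directory created by the script itself.
set -u

# First ten characters of "ls -ld": file type plus the three rwx triplets.
# A sticky directory shows "t" (others also have execute) or "T" (they do not)
# in the last position.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Symbolic form used in the article: add the sticky bit, leave the rest alone.
set_sticky_symbolic() {
    chmod +t "$1"
}

# Numeric form: n=1 selects the sticky bit, followed by owner/group/others.
# 1770 = sticky, rwx for owner, rwx for group, nothing for others.
set_sticky_numeric() {
    chmod 1770 "$1"
}

# Audit check: directories under ROOT that group (0020) or others (0002) may
# write to but that lack the sticky bit (-perm -1000 tests that single bit).
# Each hit is a shared directory where any writer can delete anyone's files.
audit_missing_sticky() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) ! -perm -1000
}

demo_sticky_bit() {
    scratch=$(mktemp -d)
    shared="$scratch/shared-dir"
    mkdir "$shared"
    chmod 775 "$shared"      # group-writable shared directory, no sticky bit
    echo "group-writable, no sticky bit : $(perm_string "$shared")"
    echo "shared directories without sticky bit under $scratch:"
    audit_missing_sticky "$scratch"
    set_sticky_symbolic "$shared"
    echo "after chmod +t                 : $(perm_string "$shared")"   # drwxrwxr-t
    chmod o-x "$shared"
    echo "after chmod o-x                : $(perm_string "$shared")"   # drwxrwxr-T
    set_sticky_numeric "$shared"
    echo "after chmod 1770               : $(perm_string "$shared")"   # drwxrwx--T
    echo "audit after fixing (expect no output):"
    audit_missing_sticky "$scratch"
    rm -rf "$scratch"
}

demo_sticky_bit
```

Running audit_missing_sticky against a real root such as /home or /srv is a quick way to find shared directories that were opened up for group writing without the sticky bit; /tmp and /var/tmp should never appear in its output.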