In Linux, if you have write permission on a directory, you can create and delete files in that directory.
Now we want a directory where every user can create files, but no user can delete another user's files.
A special permission is used for this: the sticky bit.
There are three special permissions in Linux, namely:
SetUID = 4: set on the owner position
SetGID = 2: set on the owning-group position
Sticky bit = 1: set on the others position (shown as t or T)
First, the role of the sticky bit (sbit) permission
If a user has write permission on a directory, they can delete the files and subdirectories in it, even when they are not the owner of those files and have no read or write permission on them. Once the sticky bit is set on the directory (it appears in the execute position of the others field as t), other users can no longer delete files and directories in it that do not belong to them. Subdirectories created under such a directory do not inherit the sticky bit; it has to be set on each directory where it is wanted.
Without the sticky bit, an ordinary user who has w permission on the directory can delete every file in it, including files created by other users. Once the sticky bit is set, root can still delete any file, but an ordinary user, even with w permission, can delete only their own files and not files created by other users.
The sticky bit on regular files is ignored by the Linux kernel.
A sticky bit on a directory means that the files in that directory can be deleted only by their owner and by root.
/tmp is commonly used to store temporary files and is writable by all users. We do not want other users to casually delete someone else's files, so /tmp carries the sticky bit; its role is to let each user delete only their own files.
- $ ls -ld /tmp
- drwxrwxrwt root root ...
So where did the original execute flag x go? The rule is: if x is set on that position, the special flag (suid, sgid, sticky) is shown as a lowercase letter (s, s, t); if x is not set, it is shown in uppercase (S, S, T).
For example:
The /tmp directory has permissions of 777, which means that any user has full permission on the files in this directory, including creating and deleting them.
But then a problem arises. Say user A creates a file in this directory, has not finished editing it, and goes home, planning to continue later. User B comes along, sees the file A created, does not know what it is for, and deletes it. That amounts to management chaos: every user can delete every other user's files.
The solution is to add the sbit permission on the others position of the /tmp directory. By the rule described above, any ordinary user other than root can then delete only their own files in this directory and not other users' files, so the chaos does not occur.
This is the role of the sticky bit (sbit) permission.
In fact, we do not need to set the sbit permission on /tmp ourselves; it has this permission by default.
Look at the listing above: the others field is rwt, that is, rwx with a t on top. This t is the sticky bit (sbit) permission.
Second, setting and removing the sbit
Setting the sticky bit is not as dangerous as setting suid or sgid.
Whenever we need one, we can create a new directory with 1777 permissions as a directory shared by multiple users; this is also very convenient.
1. Set the sticky bit
A. chmod 1777 <directory>
B. chmod o+t <directory>
2. Remove the sticky bit
A. chmod 777 <directory>
B. chmod o-t <directory>
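Putting the above together, here is an added example (not from the original post): it creates a shared directory with chmod 1777, reads back the t/T display discussed earlier, and audits a tree for world-writable directories that are missing the sticky bit. The function names and the scratch directories it builds are my own; it assumes Linux with GNU coreutils (stat -c, find -perm).

```shell
#!/bin/sh
# Added example (not from the original post): exercise the sticky bit on
# scratch directories created with mktemp, then audit a tree for shared
# directories that lack it. Assumes Linux with GNU coreutils.

# Create a multi-user shared directory as the post describes (mode 1777)
# and print its path. With the sticky bit set, a file can still be removed
# by its owner, by the owner of the directory, and by root.
make_shared_dir() {
    dir=$(mktemp -d)
    chmod 1777 "$dir"
    printf '%s\n' "$dir"
}

# Octal mode including the special bits, e.g. 1777 (GNU stat).
octal_mode() {
    stat -c %a "$1"
}

# The "others" triplet from ls -ld (columns 8-10 of drwxrwxrwt).
# Lowercase t: others-execute and sticky are both set.
# Uppercase T: sticky is set but others-execute is not.
others_triplet() {
    ls -ld "$1" | cut -c8-10
}

# Audit: world-writable directories under $1 that lack the sticky bit.
# In these, anyone with write access can delete anyone else's files,
# which is exactly the /tmp problem described above.
find_unprotected_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Constructed tree: one properly protected shared directory and one that
# is merely 777; show which one the audit flags.
demo() {
    root=$(mktemp -d)
    mkdir "$root/shared_ok" "$root/shared_bad"
    chmod 1777 "$root/shared_ok"
    chmod 777 "$root/shared_bad"
    echo "shared_ok : $(octal_mode "$root/shared_ok") ($(others_triplet "$root/shared_ok"))"
    echo "shared_bad: $(octal_mode "$root/shared_bad") ($(others_triplet "$root/shared_bad"))"
    echo "world-writable directories without the sticky bit:"
    find_unprotected_dirs "$root"
    rm -rf "$root"
}

demo
```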
Linux sticky bit