In general, a user who has write (w) and execute (x) permission on a directory can delete any file in that directory, regardless of the permissions set on the file itself, because deleting a file modifies the directory entry, not the file.
For example, let's do the following:
```
# Create the /test directory (as root) and give it 777 permissions.
root# mkdir /test
root# chmod 777 /test
# As root, create the file file1 in /test and view its default permissions.
root# touch /test/file1
root# ll /test/file1
-rw-r--r--. 1 root root 0 Dec  2 20:32 /test/file1
# Log in as the ordinary user natasha; she can delete /test/file1.
natasha$ rm /test/file1
rm: remove write-protected regular empty file '/test/file1'? y
```
The operation above shows that although natasha has only "r--" permission on the file /test/file1 itself, she has "rwx" permission on the /test directory, so she can still delete /test/file1. rm only asks for confirmation because the file is not writable by her; the deletion itself succeeds.
A typical example on a Linux system is the "/tmp" and "/var/tmp" directories. These are the system's temporary directories, and every user and every program must be able to create, delete and move files and subdirectories in them, so they are writable by everyone (rwx for owner, group and others). Imagine, however, what would happen if this also let any ordinary user delete the temporary files that a running system service depends on.
The sticky bit exists for exactly this situation. When a directory has the sticky bit set, a user who has write permission on the directory still cannot delete (or rename) entries in it that belong to other users: only the file's owner, the directory's owner and root (more precisely, a process with the CAP_FOWNER capability) may delete or rename such an entry. Note that the sticky bit says nothing about reading or writing the file's contents; that is still governed by the file's own permissions. With the sticky bit set, the directory keeps a balance: every user may create and delete their own data in it, but nobody may arbitrarily delete other users' data.
Note that on Linux the sticky bit only has an effect on directories; on a regular file the kernel ignores it (historically it meant "keep the program text in swap", which is where the name comes from).
When you view a directory that has the sticky bit set with the ls command, the "x" in the "other" permission triplet is shown as "t". A lowercase "t" means others also have execute (search) permission on the directory; an uppercase "T" means the sticky bit is set but others lack execute permission, which is almost always a misconfiguration.
For example, look at the permissions of the /tmp and /var/tmp directories themselves and confirm the "t" flag:
```
root# ll -d /tmp
drwxrwxrwt. root root 4096 Dec  2 17:16 /tmp
root# ll -d /var/tmp
drwxrwxrwt. 3 root root 4096 Dec  2 09:46 /var/tmp
```
The sticky bit is set in the "other" permission class, so with the chmod command the symbolic modes "o+t" and "o-t" add and remove it respectively. In octal notation it is the leading digit 1, so "chmod 1777" produces rwxrwxrwt.
For example, set the sticky bit on the /test directory:
```
root# chmod o+t /test
root# ll -d /test
drwxrwxrwt. 2 root root 4096 Dec  2 20:39 /test
```
Now (after root has recreated /test/file1) the ordinary user natasha can no longer delete the file, because it belongs to root:
```
natasha$ rm /test/file1
rm: remove write-protected regular empty file '/test/file1'? y
rm: cannot remove '/test/file1': Operation not permitted
```
The sticky bit is widely used in production environments: whenever you need to give users a shared, open directory without the administrative confusion of one user deleting another's files, set the sticky bit on that directory. Conversely, a world-writable directory without the sticky bit is worth flagging in a permissions audit.
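The following script is an added example and not part of the original post. It walks through the chmod forms discussed above (o+t, o-t and the octal 1777) in a scratch directory, shows how to test a directory for the sticky bit from a script, and adds the audit check a practitioner would want: listing world-writable directories that lack the sticky bit. It only inspects modes, so it runs as any user; it assumes a POSIX find that supports -prune and -perm -MODE (GNU and BSD both do).

```shell
#!/bin/sh
# Added example, not from the original post: set, clear, check and audit the
# sticky bit on directories. Only inspects modes, so it runs as any user; it
# assumes POSIX find with -prune and -perm -MODE (GNU and BSD both have them).
set -eu

# Print "sticky" if DIR has the sticky bit (octal 01000), otherwise "plain".
sticky_state() {
    # -prune keeps find from descending, so only DIR itself is tested.
    if [ -n "$(find "$1" -prune -perm -1000 2>/dev/null)" ]; then
        echo sticky
    else
        echo plain
    fi
}

# List world-writable directories under ROOT that lack the sticky bit, one per
# line: in each of these, any user can delete any other user's files.
audit_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Walk through the chmod forms from the post in a scratch tree.
demo() {
    work=$(mktemp -d)
    mkdir "$work/shared" "$work/open"
    chmod 777 "$work/shared" "$work/open"   # both start out like an unprotected /tmp
    chmod o+t "$work/shared"                # symbolic form: add the sticky bit
    chmod 1777 "$work/open"                 # octal form: the leading 1 is the sticky bit
    chmod o-t "$work/open"                  # symbolic form: remove it again
    printf 'shared: %s\n' "$(sticky_state "$work/shared")"   # sticky
    printf 'open:   %s\n' "$(sticky_state "$work/open")"     # plain
    echo 'world-writable directories without the sticky bit:'
    audit_world_writable "$work"            # prints only .../open
    rm -rf "$work"
}

demo
```

To audit a real system, call audit_world_writable on / (add -xdev to the find if you want to stay on one filesystem); on a healthy machine the output should be empty, since /tmp, /var/tmp and similar shared directories all carry the sticky bit.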
This article is from the blog "A Pot of Turbid Wine"; please contact the author before reproducing it.
Network Security Series 41: Setting sticky bit (SBIT) permissions in Linux