Why use sticky bit?

"The sticky bit applies only to directories, and is typically used on publicly-writeable directories. Within a directory upon which the sticky bit is applied, users are prevented from deleting or renaming any files that they do not personally own."

Does this mean if I run the following:

# only allow other users to read files in /directory
sudo chmod o-w -R /directory
sudo chmod o-x -R /directory
sudo chmod o+r -R /directory

users can still delete or rename any file that does not belong to them?


Solution 1:

The sticky bit is useful on directories that are world-writable, such as /tmp. In these directories, anyone can create a file, so the directory needs to be world-writable. But that would mean anyone could delete a file, too, even if it didn't belong to them, since deleting a file is controlled by the write permission on the directory. When a directory has the sticky bit, only the owner of a file has the permission to delete it.

In a directory with permissions rwx------ or rwxr-xr-x, only the owner of the directory can create or delete a file. If there are any files that belong to a different user (moved there by root, or created when the directory had more open permissions), it's still the owner of the directory who has permissions to delete them, not the owner of the file.

In a directory with permissions rwxrwx---, all members of the group can create and delete files. Any member of the group can delete any file even if it belongs to a different user. If the permissions are rwxrwx--T instead (capital T is like t, but t means that the x bit is set and T means that the x bit is clear), then any member of the group can create a file, and members of the group can delete files but only their own files.

You can use the following command to see which directories have the sticky bit on your system:

find / /run /run/lock /run/shm -xdev -path /usr -prune -o -perm -o+t -ls 2>/dev/null

You'll find some directories like /tmp which are open to everyone, and some directories like /var/spool/cron/crontabs which are reserved for a system program that runs as its own group (setgid), where the sticky bit ensures that the program can only delete files on behalf of the user who owns them (what ensures that the program can only create files on behalf of the user who owns them is that the program is running as that user, not as root, so cannot create files belonging to other users).
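The following is an added example, not code from the question or the answer above. It models the unlink/rename check the answer describes for a classic Unix filesystem (write plus search permission on the directory, then the sticky-bit ownership test) so that the three cases rwx------, rwxrwx--- and rwxrwx--T can be tried without root or extra accounts. The function names, the uid/gid values and the sample directories are constructed for illustration; the model ignores ACLs, capabilities such as CAP_FOWNER, and Linux's fs.protected_* sysctls, which can deny operations this model allows.

```python
import stat

# Constructed model of the Unix rule for deleting or renaming a directory
# entry. uids/gids below are made up; uid 0 stands in for root.


def mode_string(mode: int) -> str:
    """Render a permission bitmask the way ls -l does, e.g. 'rwxrwx--T'.

    In the 'other' execute slot, 't' means sticky bit set and x set,
    'T' means sticky bit set but x clear, as the answer explains.
    """
    bits = [
        (stat.S_IRUSR, "r"), (stat.S_IWUSR, "w"), (stat.S_IXUSR, "x"),
        (stat.S_IRGRP, "r"), (stat.S_IWGRP, "w"), (stat.S_IXGRP, "x"),
        (stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x"),
    ]
    out = [ch if mode & bit else "-" for bit, ch in bits]
    if mode & stat.S_ISVTX:
        out[8] = "t" if mode & stat.S_IXOTH else "T"
    return "".join(out)


def has_write_and_search(dir_mode, dir_uid, dir_gid, uid, gids):
    """Can this user add or remove entries in the directory at all?

    Only one permission class applies: owner if the uid matches, else
    group if any of the user's groups matches, else other.
    """
    if uid == dir_uid:
        w, x = stat.S_IWUSR, stat.S_IXUSR
    elif dir_gid in gids:
        w, x = stat.S_IWGRP, stat.S_IXGRP
    else:
        w, x = stat.S_IWOTH, stat.S_IXOTH
    return bool(dir_mode & w) and bool(dir_mode & x)


def can_unlink(dir_mode, dir_uid, dir_gid, file_uid, uid, gids=()):
    """Model of the unlink/rename permission check.

    root is never restricted. Anyone else needs write+search on the
    directory; if the sticky bit is set they must additionally own the
    file or the directory itself.
    """
    if uid == 0:
        return True
    if not has_write_and_search(dir_mode, dir_uid, dir_gid, uid, gids):
        return False
    if dir_mode & stat.S_ISVTX:
        return uid == file_uid or uid == dir_uid
    return True


def demo():
    """Walk through the answer's three directory layouts plus /tmp."""
    alice, bob, carol, staff = 1000, 1001, 1002, 100  # constructed ids
    cases = [
        # (label, dir_mode, dir_uid, dir_gid, file_uid, actor, actor_gids)
        ("rwx------: bob deletes his own file in alice's dir",
         0o700, alice, alice, bob, bob, ()),
        ("rwx------: alice deletes bob's file in her dir",
         0o700, alice, alice, bob, alice, ()),
        ("rwxrwx---: carol (group) deletes bob's file",
         0o770, alice, staff, bob, carol, (staff,)),
        ("rwxrwx--T: carol (group) deletes bob's file",
         0o1770, alice, staff, bob, carol, (staff,)),
        ("rwxrwx--T: carol (group) deletes her own file",
         0o1770, alice, staff, carol, carol, (staff,)),
        ("rwxrwxrwt (/tmp): carol deletes bob's file",
         0o1777, 0, 0, bob, carol, ()),
        ("rwxrwxrwt (/tmp): root deletes bob's file",
         0o1777, 0, 0, bob, 0, ()),
    ]
    results = {}
    for label, mode, duid, dgid, fuid, actor, gids in cases:
        allowed = can_unlink(mode, duid, dgid, fuid, actor, gids)
        results[label] = allowed
        print(f"{mode_string(mode)}  {label}: {'allowed' if allowed else 'denied'}")
    return results


if __name__ == "__main__":
    demo()
```

The only difference between the rwxrwx--- and rwxrwx--T rows is the sticky bit, which is exactly the distinction the answer makes: group members keep the right to create files, but lose the right to remove each other's.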