What is Sticky Bit?
The Sticky Bit is mainly set on folders to prevent users from deleting a folder's contents even when they have write permission on that folder. If the Sticky Bit is enabled on a folder, the files in it can be deleted only by the user who created them (the owner) and by the root user; no one else can delete other users' data in that folder. This is a security measure that protects critical folders and their content (sub-folders and files) from deletion even where other users have full permissions.
Learn Sticky Bit with examples:
Example: Create a project (a folder) where people can drop files for sharing, but must not be able to delete files created by other users.
How can I setup Sticky Bit for a Folder?
Sticky Bit can be set in two ways:
- Symbolic way (t represents the sticky bit)
- Numerical/octal way (1 represents the sticky bit)
Use chmod command to set Sticky Bit on Folder: /opt/dump/
Symbolic way:
chmod o+t /opt/dump/
or
chmod +t /opt/dump/
In the commands above we set the Sticky Bit (+t) on the folder /opt/dump using chmod; o+t sets it explicitly in the "others" field, and a bare +t has the same effect.
Numerical way:
chmod 1757 /opt/dump/
Here in 1757, the leading 1 sets the Sticky Bit, 7 gives full permissions to the owner, 5 gives read and execute permissions to the group, and the final 7 gives full permissions to others.
How to check whether a folder has the Sticky Bit set?
Use ls -l (or ls -ld on the folder itself) and look at the others' permission field: the x is replaced by t when the sticky bit is set and others have execute permission, or by T when the sticky bit is set but others lack execute permission.
For example: /opt/dump/ listing before and after the Sticky Bit is set
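The listing below is an added example, not part of the original post: it sets the sticky bit on a scratch directory created with mktemp (so it needs no root and never touches /opt/dump), shows the ls -ld mode field before and after, and also produces the capital T case for a directory whose others' execute bit is cleared. The helper names sticky_flag, is_sticky and make_dropbox are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): set the sticky bit on a scratch
# "drop box" directory and check how ls -ld reports it. A mktemp directory is
# used instead of /opt/dump so the script needs no root and changes nothing
# else on the system.
set -eu

# sticky_flag DIR: print the 10th character of the ls -ld mode field.
#   t      = sticky bit set and others have execute
#   T      = sticky bit set but others lack execute
#   x or - = sticky bit not set
sticky_flag() {
    ls -ld "$1" | cut -c10
}

# is_sticky DIR: exit 0 if the sticky bit is set (either t or T), else 1.
is_sticky() {
    case "$(sticky_flag "$1")" in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

# make_dropbox DIR: world-writable shared directory with the sticky bit, i.e.
# the numeric form 1777 (1 = sticky, 7/7/7 = rwx for owner/group/others).
make_dropbox() {
    chmod 1777 "$1"
}

# Demo on a constructed scratch directory; removed again on exit.
dropbox=$(mktemp -d)
trap 'rm -rf "$dropbox"' EXIT

chmod 777 "$dropbox"
printf 'before: %s  (flag %s)\n' "$(ls -ld "$dropbox" | cut -c1-10)" "$(sticky_flag "$dropbox")"

make_dropbox "$dropbox"
printf 'after:  %s  (flag %s)\n' "$(ls -ld "$dropbox" | cut -c1-10)" "$(sticky_flag "$dropbox")"

# Symbolic form: clear the bit, then set it again with o+t to show it is the same bit.
chmod o-t "$dropbox"
chmod o+t "$dropbox"
is_sticky "$dropbox" && echo "sticky bit confirmed after chmod o+t"

# Capital T: sticky bit set, but others cannot search the directory.
chmod o-x "$dropbox"
printf 'no o+x: %s  (flag %s)\n' "$(ls -ld "$dropbox" | cut -c1-10)" "$(sticky_flag "$dropbox")"
```

On a real shared directory the check to script is is_sticky: a drop box that is world-writable (777) without the sticky bit lets any user remove everyone else's files, so an audit should flag mode 777 directories where the flag is x rather than t.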
The chattr command sets file attributes that stop accidental deletion of files and folders. You cannot delete a file secured with a chattr attribute even if you have full permissions on it. This is very useful for system files such as shadow and passwd, which contain all user information and passwords.
The syntax of the chattr command is
#chattr [operator] [switch] [file name]
The operator ‘+’ causes the selected attributes to be added to the existing attributes of the files; ‘-’ causes them to be removed; and ‘=’ causes them to be the only attributes that the files have.
-R
Recursively change attributes of directories and their contents. Symbolic links encountered during recursive directory traversals are ignored.
-a
A file with the 'a' attribute set can only be opened in append mode for writing. Only the superuser can set or clear this attribute.
-i
A file with the ‘i’ attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser can set or clear this attribute.
Let's take a simple example.
As the root user, create a file, give it full permissions with chmod and verify the result:
#cat > test
This test file
#chmod 777 test
#ls -l
Now secure this file with the +i option:
#chattr +i test
Now you can only read this file. All other actions except read are denied, including append, edit, rename and delete. The chattr protection can be removed with the -i option.
Create a new file again. This time we will secure it with the +a option:
#chattr +a test
With the a option you can read and append to this file, but all other restrictions remain as before. The main difference between the a and i switches is that with i you cannot append to the file, while with a you can.
To secure an entire directory use the -R switch. A directory secured with the -R option can be reset only with the -R switch.
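The script below is an added example and not part of the original post. Setting i or a with chattr needs root and an ext2/3/4 filesystem, so instead of running chattr it audits lsattr output for the two attributes discussed above: it confirms that files you expect to be immutable (here shadow and passwd) still carry i, and lists every file that carries i or a so unexpected protections stand out. The attribute strings are a constructed sample in the lsattr output format; on a real host, replace SAMPLE with the output of lsattr run on the files you care about. The function names attrs_of, list_protected and expect_immutable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit lsattr output for the
# i (immutable) and a (append-only) attributes without needing root or chattr.
set -eu

# Constructed sample in lsattr's format: attribute field, space, path.
# On a real host use:  SAMPLE=$(lsattr /etc/passwd /etc/shadow /var/log/*)
SAMPLE='----i---------e------- /etc/passwd
----i---------e------- /etc/shadow
-----a--------e------- /var/log/audit/audit.log
--------------e------- /etc/hosts
----ia--------e------- /tmp/odd'

# attrs_of ATTRFIELD: print "immutable", "append-only", both (comma separated)
# or "none". Only lowercase i and a are checked; other lsattr letters (A, I, e,
# ...) are unrelated attributes.
attrs_of() {
    field=$1
    out=""
    case $field in *i*) out="immutable" ;; esac
    case $field in *a*) out="${out:+$out,}append-only" ;; esac
    printf '%s\n' "${out:-none}"
}

# list_protected: print "PATH ATTRS" for every sample line carrying i or a.
list_protected() {
    printf '%s\n' "$SAMPLE" | while read -r field path; do
        case $field in
            *i*|*a*) printf '%s %s\n' "$path" "$(attrs_of "$field")" ;;
        esac
    done
}

# expect_immutable PATH: exit 0 if PATH is present in SAMPLE with the i
# attribute, else 1. Use it to assert that critical files are still protected.
expect_immutable() {
    printf '%s\n' "$SAMPLE" |
        awk -v p="$1" '$2 == p && index($1, "i") { found = 1 } END { exit !found }'
}

echo "Files carrying i or a:"
list_protected

for f in /etc/passwd /etc/shadow; do
    if expect_immutable "$f"; then
        echo "OK: $f is immutable"
    else
        echo "WARNING: $f is not immutable"
    fi
done
```

Running the audit periodically catches two failure modes the post only hints at: a protection that was silently removed with -i during maintenance and never restored, and an i or a attribute on a file where nobody meant to set one, which is worth investigating because it also blocks legitimate cleanup.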