|
|
Another important enhancement involves the use of the sticky bit on directories. A directory with the sticky bit set means that only the file owner and the superuser may remove files from that directory. Other users are denied the right to remove files regardless of the directory permissions. Unlike with file sticky bits, the sticky bit on directories remains there until the directory owner or superuser explicitly removes the directory or changes the permissions.
You can gain the most security from this feature by placing the sticky bit on all public directories. These directories are writable by any non-administrator. You should train users that the sticky bit, together with the default umask of 077, solves a big problem for less secure systems. Together, both features prevent other users from altering or replacing any file you have in a public directory. The only information they can gain from the file is its name and attributes.
``Sticky bit example''
illustrates the power of such a scheme. The sticky
bit is the ``t'' in the permissions for the directory.
Sticky bit example
$The only files removed are those owned by user slm (the user in the example). The user slm could not remove any other file, even the accessible file /tmp/openfile. However, the mode setting of the file itself allowed slm to destroy the file contents; this is why the umask setting is important in protecting data. Conversely, the mode on /tmp/protfile, together with the sticky bit on /tmp, makes /tmp/protfile impenetrable.id
uid=76(slm) gid=11(guru) $ls -al /tmp
total 64 drwxrwxrwt 2 bin bin 1088 Mar 18 21:10 . dr-xr-xr-x 19 bin bin 608 Mar 18 11:50 .. -rw------- 1 blf guru 19456 Mar 18 21:18 Ex16566 -rw------- 1 blf guru 10240 Mar 18 21:18 Rx16566 -rwxr-xr-x 1 slm guru 19587 Mar 17 19:41 mine -rw------- 1 slm guru 279 Mar 17 19:41 mytemp -rw-rw-rw- 1 root sys 35 Mar 16 12:27 openfile -rw------- 1 root root 32 Mar 10 10:26 protfile $rm /tmp/Ex16566
rm: /tmp/Ex16566 not removed. Permission denied $rm /tmp/protfile
rm: /tmp/protfile not removed. Permission denied $cat /tmp/openfile
Ha! Ha! You can't remove me. $rm /tmp/openfile
rm: /tmp/openfile not removed. Permission denied $rm -f /tmp/openfile
$rm /tmp/mine /tmp/mytemp
$ls -l /tmp
drwxrwxrwt 2 bin bin 1088 Mar 18 21:19 . dr-xr-xr-x 19 bin bin 608 Mar 18 11:50 .. -rw------- 1 blf guru 19456 Mar 18 21:18 Ex16566 -rw------- 1 blf guru 10240 Mar 18 21:18 Rx16566 -rw-rw-rw- 1 root sys 35 Mar 16 12:27 openfile -rw------- 1 root root 32 Mar 10 10:26 protfile $cp /dev/null /tmp/openfile
$cat /tmp/openfile
$cp /dev/null /tmp/protfile
cp: cannot create /tmp/protfile $ls -l /tmp
drwxrwxrwt 2 bin bin 1088 Mar 18 21:19 . dr-xr-xr-x 19 bin bin 608 Mar 18 11:50 .. -rw------- 1 blf guru 19456 Mar 18 21:18 Ex16566 -rw------- 1 blf guru 10240 Mar 18 21:18 Rx16566 -rw-rw-rw- 1 root sys 0 Mar 18 21:19 openfile -rw------- 1 root root 32 Mar 10 10:26 protfile
All public directories should have the sticky bit set. These include, but are not limited to:
To remove the bit, replace the ``+'' with a ``-'' in the chmod command.