topic Re: Sticky bit in Operating System - HP-UX

Sticky bit

Don Bowne — Wed, 13 Dec 2000 20:32:16 GMT

A software vendor reciently requested a sticky bit on an nfs exported directory be changed to 2655 from 777 . Is this going to open a security hole? . The oner of the directory is a power user.

Re: Sticky bit

James R. Ferguson — Wed, 13 Dec 2000 21:50:15 GMT

Don:

The current permissions are 0777 (rwxrwxrwx) without any setuid, setgid or sticky bit set.

By migrating to 2655 you are setting the SETGID bit on the directory to force files created in that directory to inherit the group id of the parent directory rather than the user who creates them. Based on the contents and the usage of this directory, you can decide how this impacts your security needs.

If the sticky bit were set on the directory, then users could only remove files for which they had explicit write permission.

See the man pages for 'chmod'.

...JRF...

Re: Sticky bit

Dan Hetzel — Thu, 14 Dec 2000 06:00:56 GMT

Hi Don,

The permissions you're showing are unrelated to the STICKY BIT.

Here is a short list:
4xxx SETUID
2xxx SETGID
1xxx STICKY BIT

They add-up, so 6xxx is SETUID and SETGID

A filesystem with a STICKY BIT set, would prevent a user to delete a file for which he doesn't have write permission.

A 'man chmod' will tell you that, and a lot more...

Best regards,

Dan

Re: Sticky bit

John Waller — Thu, 14 Dec 2000 08:38:24 GMT

If anything this is going to close a security hole. at 777 anybody can create delete stuff in the directory 2655 removes the write permission for group and other so only the owner of the directory can create new files. By setting a sticky bit on the group bit I suspect that the directory has been modified to a different group ID from the default group of the owner , eg User root and group data rather than group sys.