Don Bowne
Occasional Advisor

Sticky bit

A software vendor recently requested that a sticky bit on an NFS exported directory be changed to 2655 from 777. Is this going to open a security hole? The owner of the directory is a power user.
3 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: Sticky bit

Don:

The current permissions are 0777 (rwxrwxrwx) without any setuid, setgid or sticky bit set.

By migrating to 2655 you are setting the SETGID bit on the directory to force files created in that directory to inherit the group id of the parent directory rather than the user who creates them. Based on the contents and the usage of this directory, you can decide how this impacts your security needs.

If the sticky bit were set on the directory, then users could only remove files for which they had explicit write permission.

See the man pages for 'chmod'.

...JRF...
Dan Hetzel
Honored Contributor

Re: Sticky bit

Hi Don,

The permissions you're showing are unrelated to the STICKY BIT.

Here is a short list:
4xxx SETUID
2xxx SETGID
1xxx STICKY BIT

They add up, so 6xxx is SETUID and SETGID.

A filesystem with a STICKY BIT set would prevent a user from deleting a file for which he doesn't have write permission.

A 'man chmod' will tell you that, and a lot more...

Best regards,

Dan
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
John Waller
Esteemed Contributor

Re: Sticky bit

If anything, this is going to close a security hole. At 777 anybody can create/delete stuff in the directory; 2655 removes the write permission for group and other, so only the owner of the directory can create new files. By setting a sticky bit on the group bit I suspect that the directory has been modified to a different group ID from the default group of the owner, e.g. user root and group data rather than group sys.
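The three replies above all turn on the same point: the leading digit of a four-digit chmod mode (4 = SETUID, 2 = SETGID, 1 = STICKY) is separate from the rwx digits, and 2655 sets SETGID, not the sticky bit. As an added example that is not part of the thread and not anyone's posted code, the POSIX shell script below decodes a numeric mode into the string `ls -l` would print and names the special bits, then applies 2655 to a scratch directory and shows what `ls -ld` reports. The function names (`rwx_triplet`, `mode_to_ls`, `special_bits`) are invented for this example.

```shell
#!/bin/sh
# Added example (not from the thread): decode a chmod-style octal mode into
# the permission string that ls -l prints, and name the special bits.
# Function names are invented here; they are not standard utilities.

# rwx_triplet BITS SPECIAL LETTER
#   BITS    0-7 permission value for one class (user, group or other)
#   SPECIAL 1 if the setuid/setgid/sticky bit belonging to that class is set
#   LETTER  's' for setuid/setgid, 't' for sticky
rwx_triplet() {
    bits=$1; special=$2; letter=$3
    r='-'; w='-'; x='-'
    if [ $((bits & 4)) -ne 0 ]; then r='r'; fi
    if [ $((bits & 2)) -ne 0 ]; then w='w'; fi
    if [ $((bits & 1)) -ne 0 ]; then
        x='x'
        # special bit on top of execute: ls shows lower-case s or t
        if [ "$special" -ne 0 ]; then x=$letter; fi
    elif [ "$special" -ne 0 ]; then
        # special bit without execute: ls shows upper-case S or T,
        # which almost always means the mode was set by mistake
        x=$(printf '%s' "$letter" | tr 'st' 'ST')
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_ls MODE [TYPECHAR]
#   MODE is what you would pass to chmod (777, 2655, 1777, 0644 ...).
#   TYPECHAR defaults to 'd' (directory); use '-' for a plain file.
mode_to_ls() {
    mode=$1; tchar=${2:-d}
    n=$((0$mode))                 # leading 0 makes the shell read it as octal
    sp=$(( (n >> 9) & 7 ))        # 4 = setuid, 2 = setgid, 1 = sticky
    u=$(( (n >> 6) & 7 ))
    g=$(( (n >> 3) & 7 ))
    o=$(( n & 7 ))
    printf '%s%s%s%s\n' "$tchar" \
        "$(rwx_triplet "$u" $(( (sp >> 2) & 1 )) s)" \
        "$(rwx_triplet "$g" $(( (sp >> 1) & 1 )) s)" \
        "$(rwx_triplet "$o" $(( sp & 1 )) t)"
}

# special_bits MODE -> comma-separated names of the special bits set, or "none"
special_bits() {
    n=$((0$1))
    sp=$(( (n >> 9) & 7 ))
    out=''
    if [ $((sp & 4)) -ne 0 ]; then out="${out}setuid,"; fi
    if [ $((sp & 2)) -ne 0 ]; then out="${out}setgid,"; fi
    if [ $((sp & 1)) -ne 0 ]; then out="${out}sticky,"; fi
    if [ -z "$out" ]; then out='none,'; fi
    printf '%s\n' "${out%,}"
}

# The two modes from the question, plus a sticky and a setuid example.
for m in 777 2655 1777 4755; do
    printf '%-5s %s  special: %s\n' "$m" "$(mode_to_ls "$m")" "$(special_bits "$m")"
done

# Apply 2655 to a scratch directory (constructed here) and compare with ls.
tmp=$(mktemp -d)
chmod 2655 "$tmp"
printf 'ls -ld reports: %s\n' "$(ls -ld "$tmp" | cut -d' ' -f1)"
rmdir "$tmp"
```

Running it shows 777 as `drwxrwxrwx` with no special bits and 2655 as `drw-r-sr-x` with `setgid` only; the lower-case `s` in the group triplet is how SETGID on a directory appears in `ls -l`, and a sticky directory would instead end in `t` (for example `drwxrwxrwt` for 1777).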