Understanding Sticky Bit, ACLs, and Special Permissions in Linux
Introduction
When working with files and directories in Linux, you may come across special permissions like the sticky bit, ACLs (Access Control Lists), setuid, and setgid. These permissions allow for more control over file access beyond the standard read (r), write (w), and execute (x) permissions.
In this blog, we will break down these concepts in a simple and easy-to-understand manner, with practical examples that beginners can follow.
The Sticky Bit
What is it?
The sticky bit is a special permission applied to directories that prevents users from deleting files owned by others within that directory. If a directory has the sticky bit set, only the file's owner (or root) can delete it, even if other users have write access to the directory.
Why is it useful?
Imagine a shared workspace where multiple people store files. Without the sticky bit, anyone with write access to the directory could delete anyone else's files. The sticky bit ensures that only the owner of a file can remove it, preventing accidental or intentional deletion by others.
How to set the sticky bit
chmod +t /path/to/directory
Example:
chmod +t /tmp # Commonly used for the /tmp directory
To check if the sticky bit is set, use:
ls -ld /tmp
Example output:
drwxrwxrwt 10 root root 4096 Feb 27 12:00 /tmp
The t at the end (rwt) indicates that the sticky bit is active.
Access Control Lists (ACLs): setfacl and getfacl
What are ACLs?
Standard Linux file permissions (rwx) are simple but sometimes limiting. ACLs allow you to define more specific permissions for users and groups beyond the traditional owner-group-others model.
Checking ACLs with getfacl
To see ACL permissions on a file or directory:
getfacl myfile.txt
Example output:
# file: myfile.txt
# owner: user1
# group: group1
user::rw-
user:user2:r--
group::r--
mask::r--
other::---
Here, user2 has read-only (r--) access even though the standard file permissions don't show it.
Setting ACLs with setfacl
Give a specific user extra permissions:
setfacl -m u:user2:rw myfile.txt # Give user2 read and write access
Give a group extra permissions:
setfacl -m g:group1:r myfile.txt # Give group1 read access
Remove ACL permissions:
setfacl -x u:user2 myfile.txt
To remove all ACLs:
setfacl -b myfile.txt
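The getfacl output above contains a mask:: line, and that line decides what named users, named groups and the owning group can actually do: their effective rights are the entry's permissions ANDed with the mask (the owner's user:: entry and other:: are not affected). The script below is an added example, not part of the article; it reads getfacl-style output (a constructed sample modelled on the article's, with user2 raised to rw- and a named group added while the mask stays r--) and prints the effective rights next to each masked entry, so you can see why a generous entry can still yield read-only access.

```sh
#!/bin/sh
# Added example (not from the article): read getfacl output and show the
# effective rights each entry grants once the ACL mask is applied.
# Named users, named groups and the owning group (group::) are limited by
# mask::; the owner (user::) and other:: are not.

# Constructed sample, modelled on the article's getfacl output, with user2
# given rw- and a named group added while the mask remains r--.
ACL_SAMPLE='# file: myfile.txt
# owner: user1
# group: group1
user::rw-
user:user2:rw-
group::r--
group:group1:rwx
mask::r--
other::---'

# effective_perm ENTRY_PERM MASK -> prints ENTRY_PERM AND MASK, position by
# position (r, w, x), e.g. effective_perm rw- r-- prints r--
effective_perm() {
  perm=$1; mask=$2; out=""; i=1
  while [ "$i" -le 3 ]; do
    p=$(printf '%s\n' "$perm" | cut -c"$i")
    m=$(printf '%s\n' "$mask" | cut -c"$i")
    if [ "$p" != "-" ] && [ "$p" = "$m" ]; then
      out="$out$p"
    else
      out="$out-"
    fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# acl_report < getfacl-output -> every entry, with "#effective:" appended
# (tab separated) to the entries that the mask limits
acl_report() {
  acl=$(cat)
  mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\)$/\1/p')
  [ -n "$mask" ] || mask=rwx          # no mask line means no restriction
  printf '%s\n' "$acl" | while IFS= read -r line; do
    case "$line" in
      '#'*|'')
        continue ;;                   # comment header or blank line
      user::*|other::*|mask::*)
        printf '%s\n' "$line" ;;      # not limited by the mask
      *)
        perm=${line##*:}              # permission field after the last colon
        printf '%s\t#effective:%s\n' "$line" "$(effective_perm "$perm" "$mask")" ;;
    esac
  done
}

# Usage: pipe real output in with `getfacl myfile.txt | acl_report`; here the
# constructed sample is used so the script runs without ACL support.
printf '%s\n' "$ACL_SAMPLE" | acl_report
```

With this sample, user:user2:rw- and group:group1:rwx both collapse to an effective r-- because the mask is r--. In practice setfacl recalculates the mask when you modify an entry, so the article's setfacl -m u:user2:rw command would widen the mask to rw-; a mask that is narrower than you expect is the usual reason an ACL "does not work", and getfacl flags it with its own #effective: annotation.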
Setuid and Setgid Permissions
What is setuid?
The setuid (Set User ID) bit allows a program to run with the file owner's permissions instead of the user's own permissions.
Why is it important?
Some system utilities, like passwd (used for changing passwords), require elevated privileges but need to be run by normal users. The setuid bit allows these programs to execute as the file owner (usually root), ensuring they function correctly.
How to set setuid
chmod u+s myprogram
To check if setuid is set:
ls -l myprogram
Example output:
-rwsr-xr-x 1 root root 12345 Feb 27 12:00 myprogram
The s in rws means setuid is active.
Example use case
To see how setuid is used in real-world applications, check the passwd command:
ls -l /usr/bin/passwd
Example output:
-rwsr-xr-x 1 root root 65536 Feb 27 12:00 /usr/bin/passwd
This means the passwd command runs as root, even when executed by a normal user.
What is setgid?
The setgid (Set Group ID) bit ensures that any new files created inside a directory inherit the directory's group instead of the user's default group.
Why is it useful?
In a shared project folder, setgid ensures that all new files belong to the correct group, simplifying collaboration.
How to set setgid
chmod g+s /shared_folder
Check if it's set:
ls -ld /shared_folder
Example output:
drwxrwsr-x 10 user1 devgroup 4096 Feb 27 12:00 /shared_folder
The s in the group triad (rws) means setgid is active.
Summary
| Feature | Purpose | Example Command |
| --- | --- | --- |
| Sticky Bit | Prevents users from deleting others' files | chmod +t dir |
| setfacl | Grants fine-grained file permissions | setfacl -m u:user:rw file |
| getfacl | Displays ACL permissions | getfacl file |
| setuid | Runs a program as the file owner | chmod u+s file |
| setgid | Files in a directory inherit its group | chmod g+s dir |
Understanding these permissions can help improve security and collaboration when managing files in Linux.