Determining User Access on a Linux Filesystem with „Classic Permissions“

Restricted Delegation

There are three „special mode bits“ that can be set on a file:

  • „Set User ID“ has the value 4.
  • „Set Group ID“ has the value 2.
  • „Restricted Delegation/Sticky“ has the value 1.

These mode bits are normally not set, and if unset they are usually omitted when denoting the mode of a file in octal. If they are set, they precede the permission bits. For example, the mode of a set-user-ID file with all permissions for the owner, read- and execute-permission for the owner group and no permissions for everyone else would in octal be denoted „4750“.

„Set User/Group ID“, if set on an executable file, affects processes run from that file; „Set Group ID“, if set on a directory, affects permissions of newly created resources in that directory. Apart from that, those two mode bits do not directly influence the access an existing user has to a specific existing file.

The special mode bit with value „1“ is called „sticky bit“ if set on files and „restricted delegation flag“ if set on directories (see footnote [1]). Setting the sticky bit on a non-directory has no impact on the accessibility of that file.

Without the restricted delegation flag set, if a directory has write permission for others, a user without ownership or group-ownership of the directory is not only able to add new entries but can also modify existing entries of the directory. To modify an entry includes changing the mode of the entry, for example assigning read permission.

With the restricted delegation flag set on a directory, users cannot modify entries in that directory if they are neither owner nor member of the owning group of those entries.

The restricted delegation flag was specifically created for the use case of a directory „/tmp“, where many users of a system should have the ability to create entries but should not be able to modify entries they are not the owner of.
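To find the configuration described above on a real system, the following added example (not part of the original page) walks a directory tree and reports directories that are writable by others while the special mode bit with value 1 is unset, along with regular files that carry the set-user-ID or set-group-ID bit. The function names and the sample tree built in demo() are constructed for illustration.

```python
import os
import stat
import tempfile

def special_bits(mode):
    """Names of the special mode bits (octal values 4, 2, 1) set in mode."""
    table = ((stat.S_ISUID, "set-user-ID"), (stat.S_ISGID, "set-group-ID"),
             (stat.S_ISVTX, "sticky"))
    return [name for mask, name in table if mode & mask]

def octal(mode):
    """Octal notation; the leading special digit appears only when non-zero."""
    return format(stat.S_IMODE(mode), "03o")

def audit(root):
    """Return sorted (relative path, octal mode, finding) tuples under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the entry itself, not a symlink target
            bits = special_bits(st.st_mode)
            rel = os.path.relpath(path, root)
            if stat.S_ISDIR(st.st_mode):
                if st.st_mode & stat.S_IWOTH and "sticky" not in bits:
                    findings.append((rel, octal(st.st_mode),
                                     "writable by others, special bit 1 not set"))
            elif stat.S_ISREG(st.st_mode):
                ids = [b for b in bits if b != "sticky"]
                if ids:
                    findings.append((rel, octal(st.st_mode), "+".join(ids) + " file"))
    return sorted(findings)

def demo():
    """Build a constructed sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("shared", 0o777), ("tmp", 0o1777), ("private", 0o755)):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)  # chmod is not affected by the umask
        tool = os.path.join(root, "tool")
        open(tool, "w").close()
        os.chmod(tool, 0o4750)  # the set-user-ID example mode from the text
        return audit(root)

if __name__ == "__main__":
    for rel, mode, finding in demo():
        print(f"{mode:>4}  {rel}: {finding}")
```

In the sample tree only „shared“ (mode 777) and „tool“ (mode 4750) are reported; „tmp“ (mode 1777) and „private“ (mode 755) are not.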

To test this, create a directory /tmp/sticky, where user „user1“ is the owner and group „user1“ is the owning group. Give permission to read, write and execute to user, group and everyone else. Assign the restricted delegation flag using chmod +t.

mkdir /tmp/sticky
chown user1:user1 /tmp/sticky
chmod 777 /tmp/sticky
chmod +t /tmp/sticky

Note that user „user2“ is a member of the owning group „user1“, while user „user3“ is not. Try writing to the directory using each of the three users:

sudo -u user1 touch /tmp/sticky/user1
sudo -u user2 touch /tmp/sticky/user2
sudo -u user3 touch /tmp/sticky/user3

The first and second commands succeed: the owner and a member of the owning group can add entries to the directory. The last command fails, because „user3“ is neither the owner nor a member of the owning group.

Footnotes

[1] The documentation of „GNU coreutils“ claims that the permission assigned by chmod +t ... is called „restricted delegation flag“ if applied to directories and „sticky bit“ if applied to files. Other sources refer to it as „sticky bit“ in either case.