Loading...

VONDS ©

Lab 21: Understand and Use Sticky Bit

Lab Index

Create a world-writable shared directory and apply the sticky bit so users can write freely but cannot delete files they do not own. Validate correct permissions by inspecting the directory mode and interpreting the sticky-bit indicator.

core security troubleshooting

Scenario

Your team needs a shared drop directory where multiple users can write files during a handoff workflow. The directory must be world-writable to avoid permission friction, but you must prevent users from deleting or renaming files they do not own. This is the exact problem the sticky bit solves (for directories like /tmp).

Operator context

If a shared directory is writable by many users without the sticky bit, anyone can delete anyone else’s files. Sticky bit makes the directory safe for “shared write” use cases.

Objective

  • Create a shared directory at /tmp/shared.
  • Make the directory world-writable.
  • Apply the sticky bit to restrict deletion/renames to file owners (and root).
  • Verify the sticky bit is set by inspecting directory permissions.

What You’ll Practice

  • Creating directories with mkdir -p.
  • Permission changes with chmod using both symbolic and octal modes.
  • Sticky bit behavior on directories and why it matters for shared-write locations.
  • Permission verification with ls -ld and interpreting the t indicator.

Walkthrough

Step 1 : Create the shared directory.
Command 
mkdir -p /tmp/shared

-p ensures the directory is created without errors if it already exists. Using /tmp keeps the scenario aligned with real-world sticky-bit use (like /tmp itself). 

# Directory exists:
ls -ld /tmp/shared
Step 2 : Make the directory world-writable.
Command 
chmod 777 /tmp/shared
# OR
chmod a+rwx /tmp/shared

World-writable permissions enable shared writes. On their own, this is unsafe because it allows arbitrary deletion. The sticky bit is the safety control that makes this pattern acceptable. 

# Expect rwx for user/group/other:
ls -ld /tmp/shared
Step 3 : Add the sticky bit to restrict deletion.
Command 
chmod +t /tmp/shared
# OR
chmod 1777 /tmp/shared

Sticky bit on a directory means files can only be deleted or renamed by the file owner, the directory owner, or root. This is why /tmp is typically 1777. 

# Confirm sticky bit (t) is present:
ls -ld /tmp/shared
Step 4 : Verify the sticky bit is set and interpret the output.
Command 
ls -ld /tmp/shared

The sticky bit appears as a t in the “other execute” position for directories (for example drwxrwxrwt). That single character is your fast confirmation that the directory is safe for shared write use. 

drwxrwxrwt 2 root root 4096 Jul 18 15:04 /tmp/shared
Step 5 : Understand what the sticky bit prevents.
Notes 
# With sticky bit set:
# - Users can create files in /tmp/shared
# - Users cannot delete/rename files they do not own

# Without sticky bit:
# - Any user with write permission on the directory can delete others' files

This is the key mental model. Sticky bit does not block reading or writing into files by itself. It controls deletion and rename operations at the directory level for shared-write directories.

Reference

  • mkdir -p : Creates directories and does not error if the target already exists.
  • chmod 777 <dir> : Makes a directory world-writable (shared-write).
  • chmod +t <dir> : Sets the sticky bit on a directory.
    • Sticky bit meaning: only the file owner, directory owner, or root can delete/rename entries in that directory.
  • chmod 1777 <dir> : Octal form for world-writable + sticky bit (common for /tmp-style dirs).
  • ls -ld <dir> : Shows directory permissions; sticky bit appears as t (for example drwxrwxrwt).