Recipe 7.2 Securing a Shared Directory

7.2.1 Problem

You want a directory in which anybody can create files, but only the file owners can delete or rename them. (For example, /tmp, or an ftp upload directory.)

7.2.2 Solution

Set the sticky bit on a world-writable directory:

$ chmod 1777 dirname

7.2.3 Discussion

Normally, anyone can delete or rename files in a world-writable directory, mode 0777, because unlinking and renaming are controlled by the directory's permissions, not the file's. The sticky bit changes this: only the file owner, the directory owner, and the superuser may delete or rename files in the directory.[1] Note that the sticky bit protects the directory entries, not the file contents: if a file inside the directory is itself world-writable, other users can still modify it, so the files' own modes still matter.

[1] Directories with the sticky bit set are often called, somewhat inaccurately, "append-only" directories.
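The recipe fixes one directory by hand; a practitioner usually also wants to find every world-writable directory that is missing the sticky bit, since each of them lets any user delete or rename everyone else's files. The following script is an added example, not from the book: it uses find's -perm tests (POSIX octal masks) to list such directories, to check that a given directory meets the recipe's goal, and to repair one with chmod +t. The demo at the bottom builds two directories under a temporary path; these paths and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not part of the original recipe): audit and repair
# world-writable directories that lack the sticky bit.

# Print every directory under $1 that is world-writable (other-write bit
# 0002 set) but not sticky (bit 1000 clear). "-perm -MODE" matches when
# all bits in MODE are set, so "! -perm -1000" selects non-sticky dirs.
find_unsticky_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000
}

# Return 0 (true) if $1 is a directory that is both world-writable and
# sticky, i.e. exactly the state "chmod 1777" produces. "-prune" stops
# find from descending, so only $1 itself is tested.
is_shared_dir_secured() {
    [ -d "$1" ] || return 1
    find "$1" -prune -type d -perm -0002 -perm -1000 | grep -q .
}

# Repair one directory: keep its existing mode bits and add the sticky bit.
make_sticky() {
    chmod +t "$1"
}

# Demo with constructed directories (hypothetical names): "upload" is
# left at 0777, the classic mistake; "tmp" is set to 1777 per the recipe.
demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/upload" "$base/tmp"
    chmod 0777 "$base/upload"
    chmod 1777 "$base/tmp"

    echo "Before repair, world-writable dirs without sticky bit:"
    find_unsticky_world_writable "$base"      # prints $base/upload only

    make_sticky "$base/upload"
    echo "After repair:"
    ls -ld "$base/upload" "$base/tmp"         # both now show drwxrwxrwt

    rm -rf "$base"
}

# Run the demo only when executed directly, not when sourced for the functions.
[ "${0##*/}" = "sticky_audit.sh" ] && demo
```

On a live system, run the audit as `find_unsticky_world_writable /` with `-xdev` added to stay on one filesystem; on most systems the expected result is empty, because /tmp and /var/tmp ship as 1777.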

The sticky bit has a completely different meaning for files, particularly executable files. Historically it told the kernel to keep the program's text in swap space after the process exited, so that the next invocation would start faster. This was useful when RAM was scarce; modern kernels such as Linux simply ignore the sticky bit on regular files. This has nothing to do with our recipe, just a note of historical interest.

7.2.4 See Also
