Sticky Bit – How to Set Sticky Bit by Default for New Directories via ACL


I want to set up a directory where all new files and directories have a certain access mask and also the directories have the sticky bit set (the t one, which restricts deletion of files inside those directories).

For the first part, my understanding is that I need to set the default ACL for the parent directory. However, new directories do not inherit the t bit from the parent. Hence, non-owners can delete files in the subdirectories. Can I fix that?

Best Answer

This is a configuration that allows members of a group, acltest, to create and modify group files while disallowing the deletion and renaming of files except by their owner; "others" get nothing. Using the username lev and assuming a umask of 022:

groupadd acltest
usermod -a -G acltest lev

Log out of the root account and the lev account. Log in and become root or use sudo:

mkdir /tmp/acltest
chown root:acltest /tmp/acltest
chmod 0770 /tmp/acltest
chmod g+s /tmp/acltest
chmod +t /tmp/acltest

setfacl -d -m g:acltest:rwx /tmp/acltest
setfacl -m g:acltest:rwx /tmp/acltest

ACL cannot set the sticky bit, and the sticky bit is not copied to subdirectories. But, you might use inotify or similar software to detect changes in the file system, such as new directories, and then react accordingly.

For example, in Debian:

apt-get install inotify-tools

Then make a script for inotify, like /usr/local/sbin/set_sticky.sh.

#!/usr/bin/env bash
# Watch the tree recursively; for each create event inotifywait prints one line
# of the form "<watched dir>/ <EVENT,LIST> <name>".
inotifywait -m -r -e create /tmp/acltest |
while read -r path event file; do
    case "$event" in
        *ISDIR*)
            # Quote the path so names containing spaces or glob characters are handled.
            chmod +t "$path$file"
            ;;
    esac
done

Give it execute permission for root: chmod 0700 /usr/local/sbin/set_sticky.sh. Then run it at boot time from, say, /etc/rc.local or whichever RC file is appropriate:

/usr/local/sbin/set_sticky.sh &

Of course, in this example, /tmp/acltest should disappear on reboot. Otherwise, this should work like a charm.
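As an added example (not part of the original answer), here is a periodic sweep that finds directories under a shared tree which lack the sticky bit and sets it. It complements the inotify watcher, which cannot see directories created while it is not running (for instance before it starts at boot). It assumes a find(1) that supports "-perm -1000" (GNU and BSD both do); the tree path is passed as an argument, and the demonstration builds its own temporary tree.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer: sweep a shared tree for
# directories missing the sticky bit (mode bit 1000, shown as "t") and set it.
# Assumes find(1) supports "-perm -1000"; the tree path is a function argument.

# Print, one per line, every directory under $1 whose mode lacks the sticky bit.
missing_sticky_dirs() {
    find "$1" -type d ! -perm -1000
}

# Count such directories (wc output trimmed so it is portable across wc variants).
count_missing_sticky() {
    missing_sticky_dirs "$1" | wc -l | tr -d '[:space:]'
}

# Set the sticky bit on every directory under $1 that lacks it.
fix_sticky_dirs() {
    find "$1" -type d ! -perm -1000 -exec chmod +t {} +
}

# Self-contained demonstration on a constructed temporary tree: the parent gets
# the sticky bit, but directories created beneath it do not inherit it, so the
# sweep finds three and fixes all of them.
demo() {
    local root before after
    root=$(mktemp -d)
    chmod +t "$root"
    mkdir -p "$root/a/b" "$root/c"       # three new dirs, none with t set
    before=$(count_missing_sticky "$root")
    fix_sticky_dirs "$root"
    after=$(count_missing_sticky "$root")
    rm -rf "$root"
    echo "$before $after"                # prints "3 0"
}

demo
```

Run fix_sticky_dirs on the shared tree from cron (as root, or as the tree's owner) alongside the inotify watcher, so that any directory the watcher missed still ends up with the sticky bit.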
