Sticky bit vs setgid for facilitating shared write access

filespermissions

Say two people with different primary unix GIDs share and need to frequently edit the same file. The users are not members of each others' primary unix GIDs, but they are both members of a common second group.

The accepted answer (and other posted answers) to this question suggest setting the sticky bit on the file's parent directory so that such a file does not get the user's primary group ID whenever one of the users modifies the file (i.e. they claim it removes the need to call newgrp in every login session whenever one of the users wants to edit the shared file)

However I thought that something like this could only be done with with the setgid bit.

From Wikipedia:

Setting the setgid permission on a directory (chmod g+s) causes new
files and subdirectories created within it to inherit its group ID,
rather than the primary group ID of the user who created the file (the
owner ID is never affected, only the group ID).

Why would the sticky bit help with this?

Best Answer

You're right, it's the setgid bit that has this effect. The sticky bit has an effect on a directory too, but it's unrelated: it means that only the owner of a file can delete it, as opposed to anyone with write permission on the directory (think /tmp).

Related Solutions

Ubuntu – When does chmod fail

Only the owner of the file, or the root user, may change a file's permissions. The current permissions on the file or on its parent directory are irrelevant¹. This is specified in POSIX:

The application shall ensure that the effective user ID of the process matches the owner of the file or the process has appropriate privileges in order to do this.

On most unices, “appropriate privileges” means running as root. If these conditions are not met, chmod usually fails with EPERM, though other behaviors such as aborting the program due to a security violation are permitted.

In addition, some unix variants have system-specific ways of authorizing or forbidding chmod. For example, Linux has a capability (CAP_FOWNER) that allows processes to change a file's permissions and other metadata regardless of its owner.

There are other reasons chmod might fail even though the file exists, is accessible and has the appropriate owner. Common ones include a read-only filesystem or a filesystem that does not support permissions such as FAT. Less common ones include system-specific restrictions such as the immutable attribute on Linux's ext2 filesystem and successors.

¹ _{Except insofar as he process running chmod must be able to access the file, so it must have execute permission on the directory containing the file and any other directory that it traverses to do so.}

Linux – How to Make a File Not Modifiable

You can set the "immutable" attribute with most filesystems in Linux.

chattr +i foo/bar

To remove the immutable attribute, you use - instead of +:

chattr -i foo/bar

To see the current attributes for a file, you can use lsattr:

lsattr foo/bar

The chattr(1) manpage provides a description of all the available attributes. Here is the description for i:

   A  file with the `i' attribute cannot be modified: it cannot be deleted
   or renamed, no link can be created to this file  and  no  data  can  be
   written  to  the  file.  Only the superuser or a process possessing the
   CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

Best Answer

Related Solutions

Ubuntu – When does chmod fail

Linux – How to Make a File Not Modifiable

Related Question