Sticky Bits, SUID, SUID

1. The Sticky Bit (The “Safety Lock” for Shared Folders)

Definition: A special permission flag set on a directory that restricts file deletion. Only the file owner, directory owner, or root user can delete or rename files within that directory, even if other users have write permissions to it.

Purpose: Used for shared directories (like /tmp) to prevent users from deleting each other’s files.

How to Identify:

Long Listing: Shown as ‘t’ (if execute permission is present) or ‘T’ (if execute permission is absent) at the end of directory permissions (e.g., drwxrwxrwt).

Commands & Examples:

Set Sticky Bit (Symbolic Method):
- Command: chmod +t
- Example: chmod +t /home/shared_folder
Set Sticky Bit (Numeric Method - 1000):
- Command: chmod 1777 (1 sets the sticky bit, 777 sets read/write/execute for all)
- Example: chmod 1777 /home/shared_folder
Remove Sticky Bit:
- Command: chmod -t
- Example: chmod -t /home/shared_folder

2. SUID (Set-User ID)

Usually, when you run a program, it runs with your permissions. SUID tells the system: “Run this program with the permissions of the file owner, not the person clicking it.”

Why it exists: The passwd command is the best example. To change your password, you must edit a system file that only root can touch. SUID allows the passwd program to act as root temporarily so you can update your password.
Visual Check: Appears as an s in the owner’s execute spot (e.g., rwsr-xr-x).
How to set it: chmod 4555 file_name (The 4 is the SUID bit).

3. SGID (Set-Group ID)

This is mostly used for Shared Folders in a team.

On a File: The file runs with the permissions of the file’s group.
On a Folder (Most Common): Any new file created inside this folder will automatically “inherit” the group of the parent folder, rather than the primary group of the user who created it.
Daily Life Use: Useful for a “Dev” folder where every file created by different developers must belong to the developers group so everyone can edit them.
Visual Check: Appears as an s in the group’s execute spot (e.g., drwxrwsr-x).
How to set it: chmod 2555 folder_name (The 2 is the SGID bit).

4. Attributes: `chattr` and `lsattr`

Permissions ($rwx$) are the “soft” rules. Attributes are the “hard” rules enforced by the filesystem itself. Even root is stopped by some of these until they are turned off.

lsattr: Use this to see attributes (standard ls -l won’t show them).
chattr: Use this to change them.

Attribute	Flag	What exactly is it?	Use Case
Immutable	`+i`	The file cannot be deleted, renamed, written to, or linked. Even by root!	Protecting critical config files like `/etc/resolv.conf`.
Append Only	`+a`	You can add new text to the end, but you can’t delete or change existing text.	Perfect for Log Files so a hacker can’t erase their tracks.
No Access Time	`+A`	The system won’t record the time you “read” the file.	Improves performance on busy databases or web servers.
Secure Deletion	`+s`	When deleted, the data is physically wiped (zeroed out) on the disk.	For highly sensitive secret files.

Command Examples:

Make a file un-deletable: sudo chattr +i sensitive_file.txt
Unlock that file: sudo chattr -i sensitive_file.txt
View the locks: lsattr sensitive_file.txt

Summary Table for Quick Reference

Special Bit	Numerical	Symbol	Key Benefit
Sticky Bit	1	`t`	Only file owners can delete their files in shared folders.
SGID	2	`s` (group)	New files inherit the folder’s group (Great for teams).
SUID	4	`s` (owner)	Run a file with the owner’s (usually root) power.

Summary

In a multi-user Linux environment, standard rwx permissions often aren’t enough. These special bits and attributes handle the “logic” of shared access and security.

1. Special Permissions (SUID, SGID, Sticky)

These modify how the kernel handles process execution and file deletion.

Bit	Full Name	Logic	Practical Example
SUID	Set User ID	Runs the file with the permissions of the owner, not the user executing it.	The `passwd` command. A normal user can’t write to `/etc/shadow`, but `passwd` has SUID, so it runs as `root` to update your password.
SGID	Set Group ID	Files: Runs as the group. Folders: New files inherit the parent folder’s group.	A shared `/projects` folder. Set SGID so every file created by User A is instantly accessible by everyone in the “developers” group.
Sticky	Sticky Bit	Only the owner (or root) can delete or rename a file within that folder.	The `/tmp` directory. Prevents User A from deleting User B’s temporary files, even though the folder is world-writable.

Quick Syntax:

SUID: chmod u+s file (Appears as s in user execution bit: rws------)
SGID: chmod g+s dir/ (Appears as s in group execution bit: rwxrws---)
Sticky: chmod +t dir/ (Appears as t at the end: rwxrwxrwt)

2. File Attributes (`chattr` & `lsattr`)

Standard permissions (chmod) are “Policy.” Attributes are “System Integrity.” They sit deeper in the filesystem (ext4/xfs) and can stop even root from making mistakes.

`chattr` (Change Attribute)

Immutable (+i): The file cannot be deleted, renamed, written to, or linked. Even by root.
- Scenario: Protect /etc/resolv.conf so a DHCP script doesn’t overwrite your custom DNS.
- Command: chattr +i /etc/resolv.conf
Append Only (+a): Data can be added to the end, but existing data cannot be modified or deleted.
- Scenario: Secure a log file (/var/log/secure) so a hacker can’t “erase their tracks” after a breach.
- Command: chattr +a /var/log/audit.log

`lsattr` (List Attribute)

Standard ls -l won’t show these. You must use lsattr to see if a file is locked at the filesystem level.

lsattr /etc/shadow ----i--------- /etc/shadow # The 'i' means it's immutable.

3. The “Gotcha” Patterns

Capital S or T: If you see rwS instead of rws, it means the execution bit (x) was not set. The special bit is active, but the file/folder isn’t executable, which usually breaks the logic.
Root vs Immutable: If you are root and get Operation not permitted while trying to rm -f a file, it’s almost certainly the +i attribute. Use lsattr to confirm.

Should we look at how to audit these permissions across your whole system using a Bash script to find “hidden” security holes?