Linux Basics: Using the Sticky Bit

Published: 2019-12-10 07:15:49

The Sticky Bit is a special permission bit on Linux and Unix systems that can be set on a file or a directory. When it is set on a directory, the entries inside that directory can be moved, deleted or renamed only by the entry's owner, the directory's owner, or root, no matter how permissive the directory's or the file's ordinary permissions are.

Origin of the Sticky Bit

The Sticky Bit is not a new idea: it was introduced into Unix as early as 1974, but for a different purpose, namely reducing the delay each time a program was started. A program has to be loaded into memory before it can run, and that takes time. With the Sticky Bit set on an executable, the operating system kept the program's text segment in swap space after it exited, so that subsequent runs could be loaded from swap rather than from the filesystem, cutting the delay for frequently used programs. Today the Sticky Bit is used mainly to control whether other users may delete or rename files that the owner created in a shared directory.

Implementations on different operating systems

On Linux, the system used for the examples in this article, the Sticky Bit on a regular file is ignored: the kernel acts on it only for directories. Other operating systems behave differently; the original article showed a table here (an image, not reproduced in this copy) of how several systems implement the Sticky Bit.

Usage example

On Linux, the /tmp directory normally has this bit set in the Others slot by default (the trailing t in drwxrwxrwt):

[root@liumiaocn ~]# uname -a
Linux liumiaocn 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@liumiaocn ~]# cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 
[root@liumiaocn ~]# ls -ld /tmp
drwxrwxrwt. 14 root root 4096 Dec  8 23:01 /tmp
[root@liumiaocn ~]#
Setting and unsetting
  • Preparation: create three directories to set the Sticky Bit on
[root@liumiaocn ~]# ls -ld /root
dr-xr-x---. 12 root root 4096 Dec  9 02:10 /root
[root@liumiaocn ~]# mkdir stickybit
[root@liumiaocn ~]# cd stickybit/
[root@liumiaocn stickybit]# mkdir dir_stickybit1 dir_stickybit2 dir_stickybit3
[root@liumiaocn stickybit]# ls -l
total 0
drwxr-xr-x. 2 root root 6 Dec  9 02:14 dir_stickybit1
drwxr-xr-x. 2 root root 6 Dec  9 02:14 dir_stickybit2
drwxr-xr-x. 2 root root 6 Dec  9 02:14 dir_stickybit3
[root@liumiaocn stickybit]#
  • Setting

Set: chmod +t <directory or file>

or

Set: chmod o+t <directory or file>

or

Set: chmod a+t <directory or file>

Whichever form is used, the Sticky Bit always lands in the Others slot (there is only one such bit per file), and ls displays it in place of the x (execute) flag of that slot. For example:

[root@liumiaocn stickybit]# chmod o+t dir_stickybit1
[root@liumiaocn stickybit]# ls -ld dir_stickybit1
drwxr-xr-t. 2 root root 6 Dec  9 02:14 dir_stickybit1
[root@liumiaocn stickybit]#
  • Unsetting

Unset: chmod -t <directory or file>

or

Unset: chmod o-t <directory or file>

or

Unset: chmod a-t <directory or file>

Example:

[root@liumiaocn stickybit]# ls -ld dir_stickybit2
drwxr-xr-t. 2 root root 6 Dec  9 02:14 dir_stickybit2
[root@liumiaocn stickybit]# chmod -t dir_stickybit2
[root@liumiaocn stickybit]# ls -ld dir_stickybit2
drwxr-xr-x. 2 root root 6 Dec  9 02:14 dir_stickybit2
[root@liumiaocn stickybit]#
The special T

Normally the Sticky Bit is displayed as t. If the Others slot has no x permission when the Sticky Bit is added, Linux displays T instead, meaning the bit is set but Others lacks execute permission on this file or directory.

[root@liumiaocn stickybit]# chmod 744 dir_stickybit3
[root@liumiaocn stickybit]# ls -ld dir_stickybit3
drwxr--r--. 2 root root 6 Dec  9 02:14 dir_stickybit3
[root@liumiaocn stickybit]# chmod +t dir_stickybit3
[root@liumiaocn stickybit]# ls -ld dir_stickybit3
drwxr--r-T. 2 root root 6 Dec  9 02:14 dir_stickybit3
[root@liumiaocn stickybit]#

Files behave the same way: restore the x permission and the T immediately becomes t. The t merely takes the place of x in the listing; it does not mean x has been removed, so the letter case also tells you whether x is present. And since a directory without x cannot even be entered with cd, which is a restriction in its own right, the uppercase T is there to flag it.
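As an added example (not code from the original post), the following POSIX shell script ties together the /tmp listing, the set/unset commands and the t/T display above: it sets the bit in symbolic form (chmod +t) and in octal form (a leading 1, as in chmod 1777, which is how /tmp's drwxrwxrwt mode is written), reads the t/T/x character back, and runs the check a practitioner actually wants on a host: finding world-writable directories that lack the sticky bit, where any user can delete or rename anyone else's files. The directory names, modes and the temporary tree are constructed for the demo; it needs only mkdir, chmod, ls, find and mktemp and runs without root.

```sh
#!/bin/sh
# Added example, not code from the original post. Sets the sticky bit in
# symbolic and octal form, reads the t/T character back, and audits a tree
# for world-writable directories that lack the bit. Directory names and
# modes are constructed for the demo; runs unprivileged with POSIX tools.
set -eu

# Character in the others-execute slot of `ls -ld`:
#   "t" = sticky bit with x, "T" = sticky bit without x, "x" or "-" = no sticky bit.
sticky_char() {
    ls -ld "$1" | cut -c10
}

# Directories any user can write to (others have w) but which lack the sticky
# bit. In such a directory any user may delete or rename anyone else's files,
# which is why /tmp is 1777 rather than 777. Prints one path per line.
audit_unsticky_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# Build a scratch tree under $1 with the cases discussed on the page.
build_demo_tree() {
    mkdir -p "$1/shared_ok" "$1/shared_bad" "$1/private" "$1/no_search"
    chmod 1777 "$1/shared_ok"    # octal: the leading 1 is the sticky bit (same as chmod 777; chmod +t)
    chmod 0777 "$1/shared_bad"   # world-writable, no sticky bit: the finding the audit reports
    chmod 0755 "$1/private"      # not world-writable: not a finding
    chmod 1776 "$1/no_search"    # sticky bit set, others lack x: shown as T, still not a finding
}

demo() {
    root=$(mktemp -d)
    build_demo_tree "$root"
    for d in shared_ok shared_bad private no_search; do
        printf '%-11s %s  sticky=%s\n' "$d" "$(ls -ld "$root/$d" | cut -c1-10)" "$(sticky_char "$root/$d")"
    done
    echo "world-writable directories without the sticky bit:"
    audit_unsticky_world_writable "$root"
    chmod -t "$root/shared_ok"   # symbolic removal; chmod 0777 would do the same
    echo "shared_ok after chmod -t: sticky=$(sticky_char "$root/shared_ok")"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh sticky_demo.sh --demo` to see the four modes and the single finding (shared_bad). Pointing audit_unsticky_world_writable at / (with -xdev added to find if you want to stay on one filesystem) is the same test the CIS Linux benchmarks prescribe; any path it prints is a directory where one user can remove another user's files.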

Verifying the behaviour

Preparation

To verify the permissions, add two users and set up two test directories, one with the Sticky Bit and one without.

[root@liumiaocn stickybit]# useradd liumiao
[root@liumiaocn stickybit]# useradd michael
[root@liumiaocn stickybit]# id liumiao
uid=1002(liumiao) gid=1002(liumiao) groups=1002(liumiao)
[root@liumiaocn stickybit]# id michael
uid=1003(michael) gid=1003(michael) groups=1003(michael)
[root@liumiaocn stickybit]#
[root@liumiaocn stickybit]# chmod 777 dir_stickybit1
[root@liumiaocn stickybit]# chmod +t dir_stickybit1
[root@liumiaocn stickybit]# chmod 777 dir_stickybit2
[root@liumiaocn stickybit]# chown liumiao:liumiao dir_stickybit[1-2]
[root@liumiaocn stickybit]# ls -ld dir_stickybit[1-2]
drwxrwxrwt. 2 liumiao liumiao 6 Dec  9 02:14 dir_stickybit1
drwxrwxrwx. 2 liumiao liumiao 6 Dec  9 02:14 dir_stickybit2
[root@liumiaocn stickybit]#

Then, as liumiao, create files in both directories, each with mode 777:

[liumiao@liumiaocn stickybit]$ ls -ld dir_stickybit[1-2]
drwxrwxrwt. 2 liumiao liumiao 34 Dec  9 03:13 dir_stickybit1
drwxrwxrwx. 2 liumiao liumiao 34 Dec  9 03:15 dir_stickybit2
[liumiao@liumiaocn stickybit]$ ls -l dir_stickybit[1-2]
dir_stickybit1:
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file11
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file12

dir_stickybit2:
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file21
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file22
[liumiao@liumiaocn stickybit]$

Because the directories were created under /root, the newly added users could not reach them. For this test only, the following permissions were added temporarily. Note what they do: o+x on /root lets every user traverse root's home directory, and o+w on /root/stickybit (which has no sticky bit of its own) lets every user delete or rename the test directories. Do not do this on a real system; revert both changes as soon as the test is over, or run the test in a scratch directory under /tmp instead.

[root@liumiaocn stickybit]# chmod o+x /root
[root@liumiaocn stickybit]# chmod o+w /root/stickybit/
[root@liumiaocn stickybit]# ls -ld /root/stickybit/
drwxr-xrwx. 5 root root 88 Dec  9 02:47 /root/stickybit/
[root@liumiaocn stickybit]#
A 777 directory without the sticky bit

In an ordinary directory without the sticky bit, mode 777 gives Others write permission on the directory, so any user can rename (mv) or delete its entries, whether or not they own the files:

[michael@liumiaocn stickybit]$ ls -ld dir_stickybit2
drwxrwxrwx. 2 liumiao liumiao 34 Dec  9 03:15 dir_stickybit2
[michael@liumiaocn stickybit]$ cd dir_stickybit2
[michael@liumiaocn dir_stickybit2]$ ls -l
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file21
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file22
[michael@liumiaocn dir_stickybit2]$ id
uid=1003(michael) gid=1003(michael) groups=1003(michael) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[michael@liumiaocn dir_stickybit2]$ mv file21 file211
[michael@liumiaocn dir_stickybit2]$ ls -l
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file211
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file22
[michael@liumiaocn dir_stickybit2]$

The owner, of course, has no trouble either:

[liumiao@liumiaocn stickybit]$ id
uid=1002(liumiao) gid=1002(liumiao) groups=1002(liumiao) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[liumiao@liumiaocn stickybit]$ ls -ld dir_stickybit2
drwxrwxrwx. 2 liumiao liumiao 35 Dec  9 03:18 dir_stickybit2
[liumiao@liumiaocn stickybit]$ cd dir_stickybit2
[liumiao@liumiaocn dir_stickybit2]$ ls -l
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file211
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file22
[liumiao@liumiaocn dir_stickybit2]$ mv file211 file21
[liumiao@liumiaocn dir_stickybit2]$ ls -l
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file21
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file22
[liumiao@liumiaocn dir_stickybit2]$
A directory with the Sticky Bit

In a directory with the Sticky Bit set, a user who is neither the file's owner nor the directory's owner cannot delete or rename files in it, even though the files are mode 777 and the directory grants Others write access. Note the error text: Operation not permitted (EPERM) rather than Permission denied. The ordinary permission check on the directory succeeded; it is the sticky restriction that refused the rename:

[michael@liumiaocn stickybit]$ ls -ld dir_stickybit1
drwxrwxrwt. 2 liumiao liumiao 34 Dec  9 03:13 dir_stickybit1
[michael@liumiaocn stickybit]$ cd dir_stickybit1
[michael@liumiaocn dir_stickybit1]$ ls -l
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file11
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file12
[michael@liumiaocn dir_stickybit1]$ mv file11 file111
mv: cannot move ‘file11’ to ‘file111’: Operation not permitted
[michael@liumiaocn dir_stickybit1]$ id
uid=1003(michael) gid=1003(michael) groups=1003(michael) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[michael@liumiaocn dir_stickybit1]$

The owner, on the other hand, is unrestricted:

[liumiao@liumiaocn stickybit]$ ls -ld dir_stickybit1
drwxrwxrwt. 2 liumiao liumiao 34 Dec  9 03:13 dir_stickybit1
[liumiao@liumiaocn stickybit]$ cd dir_stickybit1
[liumiao@liumiaocn dir_stickybit1]$ id
uid=1002(liumiao) gid=1002(liumiao) groups=1002(liumiao) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[liumiao@liumiaocn dir_stickybit1]$ ls -l
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file11
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file12
[liumiao@liumiaocn dir_stickybit1]$ mv file11 file111
[liumiao@liumiaocn dir_stickybit1]$ ls -l
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file111
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file12
[liumiao@liumiaocn dir_stickybit1]$
Verifying T

Preparation

(Between the earlier steps and this one, dir_stickybit3 was given mode 777 plus the sticky bit and two files were created in it; those commands are not shown.) Removing x for Others makes the bit show as T:

[root@liumiaocn stickybit]# chmod o-x dir_stickybit3
[root@liumiaocn stickybit]# chown liumiao:liumiao dir_stickybit3
[root@liumiaocn stickybit]# ls -ld dir_stickybit3
drwxrwxrwT. 2 liumiao liumiao 34 Dec  9 03:25 dir_stickybit3
[root@liumiaocn stickybit]# ls -l dir_stickybit3
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:25 file31
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:25 file32
[root@liumiaocn stickybit]#

A non-owner cannot mv the files, but note the reason: with no x (search) permission for Others on the directory, michael cannot cd into it or even look up names inside it, so mv fails with Permission denied (EACCES) before the sticky restriction is ever consulted. This test therefore exercises the missing execute permission rather than the sticky bit; had Others been granted x again, the sticky bit would still have blocked him, this time with Operation not permitted:

[michael@liumiaocn stickybit]$ id
uid=1003(michael) gid=1003(michael) groups=1003(michael) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[michael@liumiaocn stickybit]$ cd dir_stickybit3
-bash: cd: dir_stickybit3: Permission denied
[michael@liumiaocn stickybit]$ mv dir_stickybit3/file31 dir_stickybit3/file311
mv: failed to access ‘dir_stickybit3/file311’: Permission denied
[michael@liumiaocn stickybit]$

The owner, who has the permissions, can operate freely:

[liumiao@liumiaocn stickybit]$ id
uid=1002(liumiao) gid=1002(liumiao) groups=1002(liumiao) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[liumiao@liumiaocn stickybit]$ ls -ld dir_stickybit3
drwxrwxrwT. 2 liumiao liumiao 34 Dec  9 03:25 dir_stickybit3
[liumiao@liumiaocn stickybit]$ cd dir_stickybit3
[liumiao@liumiaocn dir_stickybit3]$ ls -l
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:25 file31
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:25 file32
[liumiao@liumiaocn dir_stickybit3]$ mv file31 file311
[liumiao@liumiaocn dir_stickybit3]$ ls -l
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:25 file311
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:25 file32
[liumiao@liumiaocn dir_stickybit3]$
Verifying a user in the same group
  • Preparation
[root@liumiaocn stickybit]# useradd -g liumiao liumiaocn
[root@liumiaocn stickybit]# id liumiaocn
uid=1004(liumiaocn) gid=1002(liumiao) groups=1002(liumiao)
[root@liumiaocn stickybit]#

The aim is to check whether a user in the directory's group (liumiaocn, whose primary group is liumiao) can operate on files in the t directory. The transcript below, however, was recorded as root rather than as liumiaocn. root holds CAP_FOWNER and bypasses the sticky restriction regardless of group, so the output proves nothing about group membership. On Linux the restriction is lifted only for the file's owner, the directory's owner, and processes with CAP_FOWNER; a same-group user such as liumiaocn would get Operation not permitted exactly as michael did above:

[root@liumiaocn stickybit]# ls -l
total 0
drwxrwxrwt. 2 liumiao liumiao 35 Dec  9 03:24 dir_stickybit1
drwxrwxrwx. 2 liumiao liumiao 34 Dec  9 03:21 dir_stickybit2
drwxrwxrwT. 2 liumiao liumiao 35 Dec  9 03:36 dir_stickybit3
-rwxrwxrwt. 1 root    root     0 Dec  9 02:47 testTbit
[root@liumiaocn stickybit]# cd dir_stickybit1
[root@liumiaocn dir_stickybit1]# ls -l
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file111
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file12
[root@liumiaocn dir_stickybit1]# mv file111 file11
[root@liumiaocn dir_stickybit1]# ls -l
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file11
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:13 file12
[root@liumiaocn dir_stickybit1]#

The same holds for the T directory (again as root):

[root@liumiaocn dir_stickybit1]# cd ..
[root@liumiaocn stickybit]# ls -l
total 0
drwxrwxrwt. 2 liumiao liumiao 34 Dec  9 03:40 dir_stickybit1
drwxrwxrwx. 2 liumiao liumiao 34 Dec  9 03:21 dir_stickybit2
drwxrwxrwT. 2 liumiao liumiao 35 Dec  9 03:36 dir_stickybit3
-rwxrwxrwt. 1 root    root     0 Dec  9 02:47 testTbit
[root@liumiaocn stickybit]# cd dir_stickybit3
[root@liumiaocn dir_stickybit3]# ls -l
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:25 file311
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:25 file32
[root@liumiaocn dir_stickybit3]# mv file311 file31
[root@liumiaocn dir_stickybit3]# ls -l
total 0
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:25 file31
-rwxrwxrwx. 1 liumiao liumiao 0 Dec  9 03:25 file32
[root@liumiaocn dir_stickybit3]#
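The root transcripts above cannot settle the group question, so here is an added example (not code from the original post) that models the rule the Linux kernel applies before a process may remove or rename a directory entry, with its two checks kept separate: first ordinary discretionary access on the parent directory (write plus search, where group membership does matter), then the sticky restriction (check_sticky() in fs/namei.c: only the entry's owner, the directory's owner, or a holder of CAP_FOWNER pass). For rename the same test is applied to the source entry and, if the target exists, to the target. The model reproduces every outcome in the transcripts, including the Operation not permitted versus Permission denied distinction, and shows what liumiaocn would actually get. Assumptions: the UIDs and GIDs are the page's demo users, only the primary group is considered (supplementary groups would be checked the same way), and the function names are ours.

```sh
#!/bin/sh
# Added example, not code from the original post. A model of the two checks
# Linux applies before letting a process remove or rename a directory entry:
#   1. discretionary access on the parent directory (write + search), where
#      the owner/group/other triplet is chosen by ownership and group;
#   2. the sticky restriction (check_sticky() in fs/namei.c): in a sticky
#      directory only the entry's owner, the directory's owner, or a holder
#      of CAP_FOWNER may proceed. Group membership plays no part here.
# UIDs/GIDs are the page's demo users; only the primary group is considered.
set -eu

# unlink_verdict EUID EGID FILE_UID DIR_UID DIR_GID DIR_MODE
# DIR_MODE is the octal mode as `stat -c %a` prints it, e.g. 1777 or 777.
# Prints "allowed", "EACCES" (Permission denied) or "EPERM" (Operation not permitted).
unlink_verdict() {
    euid=$1 egid=$2 file_uid=$3 dir_uid=$4 dir_gid=$5 dir_mode=$6

    # root carries CAP_DAC_OVERRIDE and CAP_FOWNER: neither check applies.
    if [ "$euid" -eq 0 ]; then echo allowed; return 0; fi

    # Split "1777" into special="1" and perm="777" ("777" gives special="").
    special=${dir_mode%???}
    perm=${dir_mode#"$special"}
    own=${perm%??}
    mid=${perm#?}
    grp=${mid%?}
    oth=${perm#??}

    # Step 1: DAC on the parent. Pick the triplet that applies to the caller.
    if [ "$euid" -eq "$dir_uid" ]; then bits=$own
    elif [ "$egid" -eq "$dir_gid" ]; then bits=$grp
    else bits=$oth
    fi
    # Need both w (2) and x (1): 3 == 0b011.
    if [ $(( bits & 3 )) -ne 3 ]; then echo EACCES; return 0; fi

    # Step 2: sticky restriction, reached only after step 1 passed.
    if [ $(( ${special:-0} & 1 )) -eq 0 ]; then echo allowed; return 0; fi
    if [ "$euid" -eq "$file_uid" ] || [ "$euid" -eq "$dir_uid" ]; then
        echo allowed; return 0
    fi
    echo EPERM
}

# The page's users: liumiao 1002 (owner of the test dirs), michael 1003,
# liumiaocn 1004 with primary group 1002, root 0. Files are owned by liumiao.
demo() {
    printf '%-34s %s\n' 'michael,   dir 777 (no sticky):'   "$(unlink_verdict 1003 1003 1002 1002 1002 777)"
    printf '%-34s %s\n' 'michael,   dir 1777 (t):'          "$(unlink_verdict 1003 1003 1002 1002 1002 1777)"
    printf '%-34s %s\n' 'michael,   dir 1776 (T, no x):'    "$(unlink_verdict 1003 1003 1002 1002 1002 1776)"
    printf '%-34s %s\n' 'liumiaocn, dir 1777, same group:'  "$(unlink_verdict 1004 1002 1002 1002 1002 1777)"
    printf '%-34s %s\n' 'liumiao,   dir 1777 (owner):'      "$(unlink_verdict 1002 1002 1002 1002 1002 1777)"
    printf '%-34s %s\n' 'root,      dir 1777:'              "$(unlink_verdict 0 0 1002 1002 1002 1777)"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo`: michael gets allowed on the 777 directory, EPERM on 1777 and EACCES on 1776, matching the three transcripts; liumiaocn, despite sharing the group, gets EPERM on the 1777 directory, because group membership only decides which permission triplet applies in step 1 and never enters step 2.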
Summary

On Linux the Sticky Bit takes effect on directories (it is ignored on regular files). Set on a shared, world-writable directory such as /tmp, it guarantees that users in Others cannot delete or rename files they do not own, for example temporary files still in use, even though the directory itself is writable by everyone. The only parties exempt from the restriction are the file's owner, the directory's owner, and root (CAP_FOWNER); being in the directory's group does not exempt a user.
