Sticky bit
In computing, the sticky bit is a special permission flag in Unix-like operating systems that can be set on files or directories to control access and execution behaviors.[1] Originally introduced in early Unix systems around 1974, it was applied to executable files to retain the program's text segment in swap space after execution, thereby accelerating subsequent loads of frequently used programs.[1][2] This historical functionality has largely been deprecated in modern systems due to advancements in memory management, where the bit on files typically has no effect or is ignored.[3] Today, its primary and most notable use is on directories, where it restricts the deletion or renaming of files within a shared writable directory to only the file's owner, the directory's owner, or privileged users such as root, preventing unauthorized removal by other users with write access.[4][1] This feature is commonly employed in public directories like/tmp to maintain security in multi-user environments.[3]
The sticky bit is part of the extended file permission model in Unix-like systems, alongside setuid and setgid bits, and is represented in the file mode bits as a special bit (octal 1000 or decimal 512), separate from the standard permissions, defined as S_ISVTX in POSIX.[1] When viewed with the ls -l command, it appears as a 't' in the permissions string if execute permission is also set for others (e.g., drwxrwxrwt), or 'T' otherwise.[4] It can be set using the chmod command with symbolic notation (chmod +t [directory](/page/Directory)) or numeric notation (e.g., chmod 1777 [directory](/page/Directory), where the leading '1' enables the sticky bit).[3] In POSIX-compliant systems, this bit is defined under the S_ISVTX macro in header files like <sys/stat.h>, ensuring portability across Unix variants.[1] While its file-related role has faded, the sticky bit remains a fundamental security mechanism for directory protection, highlighting the evolution of Unix permissions from performance optimization to access control.[2]
Overview
Definition
The sticky bit is one of three special permission bits in Unix-like operating systems, alongside the setuid and setgid bits, which modify the behavior of file access beyond standard read, write, and execute permissions.[5] It is represented in the file permission string as a modification to the execute permission for the "other" user category, typically appearing as a lowercase 't' in the tenth character position of the long listing output (e.g.,rwxrwxrwt), indicating its role in the final triplet of permissions.[6]
In binary terms, the sticky bit is set by the 0x200 bit (decimal 512, octal 1000) within the file mode field, as defined in the st_mode member of the stat structure.[7] Historically, when applied to executable files, the sticky bit served to retain the program's image in memory after execution to improve performance by avoiding reloading from disk on subsequent runs, a feature originating from early Unix systems. However, on modern systems, this effect on files is obsolete and has no practical impact, with the bit primarily functioning when set on directories.
When the sticky bit is enabled on a directory, it enforces a restriction such that files within that directory can only be unlinked (deleted) or renamed by the owner of the file, the owner of the directory, or a privileged process (such as root), regardless of whether other users possess write permissions on the directory itself.[7] This mechanism provides a layer of protection in shared environments, preventing unauthorized interference with files created by others.[8]
Purpose
The sticky bit primarily enhances security in multi-user Unix-like operating systems by restricting the ability to delete or rename files within a directory to only the file's owner, the directory's owner, or a privileged user, even when other users hold write permissions to the directory itself.[8][9] This permission flag, often denoted by a 't' in file listings, addresses vulnerabilities inherent in shared writable spaces where unauthorized modifications could compromise system integrity or user data.[10] A common application of this feature occurs in temporary directories like /tmp, enabling multiple users to create and access files collaboratively without the risk of one user overwriting or removing another's work, thereby fostering safe multi-user interactions in environments such as development servers or public workstations.[11][12] Historically, the sticky bit served a different purpose when set on executable files: it directed the operating system to retain the program's text segment in swap space after execution, facilitating quicker reloading for repeated invocations in resource-constrained systems; this mechanism has become obsolete in contemporary virtual memory implementations.[12][13] In broader terms, the sticky bit mitigates security risks in collaborative file systems by preventing denial-of-service attacks, where a malicious actor with write access to a directory could otherwise delete essential files to disrupt operations or services.[13][8]History
Origins in Early Unix
The sticky bit was introduced in the Fifth Edition of Unix, released in June 1974 by Ken Thompson and Dennis Ritchie at Bell Laboratories.[14] This edition marked a significant step in Unix's development on the PDP-11 minicomputer, incorporating enhancements to the file system amid the system's evolution from its PDP-7 origins.[15] Originally designed for executable files, the sticky bit served to mark programs such that their text segments—containing the read-only code—remained resident in memory or swap space even after execution completed.[14] Implemented as the 001000 flag in the i-node structure, it addressed performance bottlenecks on resource-constrained hardware by preventing the need to reload frequently used binaries from disk, thereby reducing I/O overhead in multi-user scenarios.[14] This mechanism complemented Unix's core memory management strategy, where process text segments were shared and write-protected to promote efficiency in a time-sharing environment supporting up to dozens of concurrent users on limited RAM.[15] In the broader context of early Unix's file permission model, the sticky bit formed part of the i-node's mode bits, which already included read/write/execute permissions for owners and others, alongside the set-user-ID bit.[14] Its inclusion reflected the system's emphasis on optimizing resource utilization for a time-sharing setup, where disk access times (around 20-30 ms seek) and modest memory (typically 64-128 KB) necessitated clever techniques to minimize swapping and paging.[15] The feature's first documentation appeared in the UNIX Programmer's Manual for the Fifth Edition, detailing its role in the file system without extensive user-facing commands at the time.[14]Evolution Across Systems
The sticky bit's role evolved significantly from its initial application to executable files toward a primary focus on directories for security in multi-user environments. In 4.3BSD, released in 1986, the bit was adapted for use on directories to prevent unprivileged users from removing or renaming files owned by others within shared, world-writable directories, thereby addressing vulnerabilities in collaborative spaces like temporary file storage areas.[16] Over time, the sticky bit's original functionality for files—intended to retain program text in memory—was deprecated across major Unix variants due to advancements in virtual memory management that rendered it obsolete. In Linux, the bit has never been implemented on files and is ignored.[17] BSD systems followed suit, with FreeBSD dropping support for files in version 2.2.1 (released in 1996) and OpenBSD in version 3.7 (released in 2002), limiting it thereafter to directories.[18][19] In contrast, proprietary systems like HP-UX and UnixWare retained file support into the 2000s, with HP-UX documentation describing potential effects on regular files as late as version 11i.[20] Solaris phased out file-related behavior by 2005, coinciding with the Solaris 10 release, after which official documentation emphasized directory usage exclusively. This transition to directory-only application solidified as a core feature in POSIX-compliant systems during the 1990s, with the standard defining the sticky bit (S_ISVTX) to restrict file removal or renaming in a directory to the file's owner, the directory's owner, or a privileged process, a mechanism widely adopted for safeguarding shared resources such as /tmp. As of 2025, the sticky bit remains implemented solely for directories in contemporary systems including Linux, macOS (derived from BSD), and modern BSD variants like FreeBSD and OpenBSD, with its behavior unchanged since around 2010 and no notable deprecations or enhancements reported.[17][21]Technical Implementation
Permission Storage
The sticky bit is stored within the inode structure of Unix-like file systems, specifically in thest_mode field as bit 9 (0-based from the least significant bit, value 0x200 or octal 01000) of the 12-bit permission mode.[22] This bit is part of the broader mode field that also accommodates the setuid (octal 04000) and setgid (octal 02000) bits, allowing these special permissions to be represented compactly alongside standard read, write, and execute permissions.[22]
In octal notation, the sticky bit is indicated by adding 1 to the thousands place of the four-digit permission value. For instance, the mode 1777 combines full read-write-execute permissions for owner, group, and others (0777) with the sticky bit (1000), resulting in rwxrwxrwt for a directory.[8]
When displaying permissions via tools like the ls command, the sticky bit appears symbolically in the permission string: as a lowercase t appended to the others' execute position if the execute bit is set (e.g., rwxrwxrwt), or an uppercase T if the execute bit is unset (e.g., rwxrwxrwT).[8]
Implementation of the sticky bit occurs at the kernel level across Unix-like operating systems, ensuring compatibility regardless of the underlying file system. This includes support in Linux's ext4, macOS's APFS (where it is defined as S_ISVTX with octal 0001000 in <sys/stat.h>), and BSD's UFS.[22][23][24]
Enforcement Mechanisms
The operating system kernel enforces the sticky bit primarily during file system operations that could alter or remove entries within a directory, such as unlink() and rename(), by performing ownership checks on the calling process. Specifically, if the sticky bit is set on the parent directory, the kernel verifies whether the effective user ID of the process matches the owner of the target file, the owner of the directory, or the superuser (root); if none of these conditions are met—even if the process has write permission on the directory—the operation is denied to prevent unauthorized deletions or renames in shared environments.[25][26] This enforcement aligns with POSIX standards, where the sticky bit (S_ISVTX) on directories restricts removal or renaming of files to the file owner, directory owner, or a privileged process, as defined in POSIX.1-2008; the behavior for non-directory files is unspecified and typically ignored in compliant systems.[25] In Linux, these checks occur at the Virtual File System (VFS) layer through inode operations, where the kernel examines the directory's mode bits during unlink() and rename() calls; for instance, in the namei.c implementation, the VFS denies the operation with EPERM if the sticky bit is set and the process lacks the CAP_FOWNER capability or appropriate ownership.[27] In macOS and BSD variants like FreeBSD and NetBSD, enforcement is similarly handled via inode-based permission checks in the kernel, restricting unlink() and rename() to the file owner, directory owner, or superuser when the sticky bit is active on the directory.[28] Solaris implements comparable directory enforcement, denying unlink() or rename() unless the user owns the file, owns the directory, or is superuser, with EACCES returned on failure; In Solaris, the sticky bit on non-executable files such as swap files indicates that the file contains swap data, so that when accessed, its pages are not retained in the system's page cache. This prevents flushing more valuable data from the cache and avoids deadlock conditions that could arise if the swap data were paged out.[29][30] If an unlink() or rename() attempt violates the sticky bit restrictions, the kernel returns EACCES (permission denied) or EPERM (operation not permitted) to the calling process, signaling the access failure without altering the file system state.[26][29] The sticky bit itself is represented in the inode's mode field, typically as the S_ISVTX flag.Usage
On Directories
In contemporary Unix-like operating systems, the sticky bit serves a critical role on directories by restricting the deletion or renaming of files within them to only the file's owner, the directory's owner, or a privileged user such as root, even when the directory permissions allow writing by other users.[8] This functionality is particularly valuable in shared, world-writable directories like /tmp and /var/tmp, where multiple users or processes might create temporary files without risking interference from others.[31] As of 2025, this directory-specific behavior remains consistently implemented across major systems, including Linux distributions such as Ubuntu and Fedora, where it is commonly set to mode 1777 for /tmp in compliance with practices for securing world-writable directories as per the Filesystem Hierarchy Standard (FHS), which requires /tmp to be world-writable.[31] Similarly, macOS on APFS supports the sticky bit for directories, treating them as append-only in terms of deletion to safeguard shared spaces.[32] In the BSD family—FreeBSD, NetBSD, and OpenBSD—the sticky bit enforces the same restrictions, ensuring that unprivileged users cannot remove or rename files they do not own within such directories.[33] The primary security benefit of the sticky bit on directories arises in multi-user environments, such as web servers or shared hosting setups, where it mitigates risks like symlink attacks; by preventing unauthorized deletion or renaming, it blocks attackers from replacing legitimate files with malicious symlinks that could exploit time-of-check-to-time-of-use (TOCTOU) vulnerabilities in privileged processes.[34] This protection is essential for maintaining integrity in collaborative file systems without overly restricting usability. However, the sticky bit has notable limitations: it does not inhibit the creation of new files or the modification of existing ones within the directory, focusing solely on unlink and rename operations to balance security with necessary flexibility.[8]On Files
In early Unix systems, the sticky bit set on executable files directed the operating system to retain the program's text image in swap space following execution, thereby accelerating subsequent invocations by avoiding full reloads from disk.[17] This behavior was specific to executables and had no effect on non-executable regular files, where the bit was simply ignored.[35] In contemporary implementations, the sticky bit on regular files is ignored across major Unix-like systems, exerting no influence on file operations or performance.[17] For instance, in Linux, it holds no functional significance for files beyond its display in permission listings.[36] Similarly, macOS disregards the bit when applied to regular files, treating it as obsolete.[32] Most BSD variants, including FreeBSD and NetBSD, follow suit, with the bit ignored for non-directory file types.[36] Rare vestiges of file-specific sticky bit functionality persisted in certain systems into the early 2000s. Prior to its removal in Solaris around 2005, the bit on non-executable files—particularly swap files—signaled the kernel to bypass caching, preserving system memory by preventing these files from displacing other data in the page cache.[37] Due to its lack of effect in modern environments, setting the sticky bit on regular files is not recommended, as it provides no operational benefit and could mislead administrators or tools interpreting permission flags.[17]Examples
Command-Line Operations
The sticky bit on directories can be set using thechmod command in Unix-like systems, primarily through symbolic or octal notation. To set it symbolically, the command chmod +t <directory> is used, which appends the sticky bit to the existing permissions without altering other access rights.[17] For octal notation, chmod 1777 <directory> applies read, write, and execute permissions to owner, group, and others, while setting the sticky bit (represented by the leading '1' in the four-digit octal mode, yielding rwxrwxrwt).[17] These operations require appropriate privileges; for directories owned by the user, no elevated permissions like sudo are needed, but root access may be required otherwise.[8]
To unset the sticky bit, the symbolic mode chmod -t <directory> removes it while preserving other permissions.[17] Alternatively, in octal mode, chmod 0777 <directory> clears the sticky bit by omitting the leading '1', resulting in rwxrwxrwx permissions.[17] As with setting, ownership determines if [sudo](/page/Sudo) is necessary for the change.[9]
For applying the sticky bit recursively to a directory and its subdirectories, the -R flag is used with chmod -R +t <path/to/dir>, which propagates the change through the entire hierarchy.[17] The octal equivalent, chmod -R 1777 <path/to/dir>, achieves the same recursive effect.[17] Caution is advised with recursive operations, as they affect all nested items unless ownership restricts execution.[38]
Verification of the sticky bit's status is performed using ls -ld <directory>, which displays the directory's permissions in long format; a 't' in the permissions string (e.g., drwxrwxrwt) indicates the bit is set. This command requires no special privileges for directories owned by the user.[8]
Permission Display
In Unix-like systems, the sticky bit's presence in file permissions is commonly inspected using command-line tools that display file metadata in either symbolic or octal notation. Thels command, when invoked with the -l option for long format, reveals the sticky bit through specific symbols in the permission string. For directories where the sticky bit is set and the execute permission for others is granted, a lowercase 't' appears in the execute position of the others' permissions (e.g., drwxrwxrwt). If the execute permission for others is absent but the sticky bit is set, an uppercase 'T' is used instead (e.g., drwxrwxrwT). This notation replaces the standard 'x' or '-' in the ninth position of the 10-character permission field.[6]
The stat command provides a more numerical view of permissions, including the sticky bit, by outputting the file mode in octal format. Using the --format or -c option with the %a specifier (e.g., stat -c '%a %n' filename), the command displays the full octal value, where the sticky bit contributes the leading '1' in a four-digit mode (e.g., 01777 for a directory with full permissions and the sticky bit set). This octal representation encodes special bits like the sticky bit (value 1000) alongside standard read/write/execute permissions, allowing precise interpretation without symbolic mapping.[39]
To locate files or directories with the sticky bit set across a filesystem, the find command employs the -perm test with octal mode specification. The expression -perm -1000 matches items where the sticky bit is enabled, as the leading '1' in the octal mode signifies this flag; the '-' prefix requires all specified bits to be set. Alternatively, -perm /1000 matches if any bits in 1000 are set, though -perm -1000 is more precise for exact sticky bit detection (e.g., find /path -type d -perm -1000). This utility is particularly useful for auditing shared directories like /tmp.[40]
In graphical user interfaces, such as GNOME's Nautilus on Linux or Apple's Finder on macOS, the sticky bit is not prominently displayed in default file listings or property dialogs, which typically show only basic symbolic permissions (e.g., rwxrwxrwx). Access to the sticky bit requires viewing extended properties or integrating terminal output, as standard views omit special bits like 't' for clarity in non-technical workflows. For instance, in Finder's Get Info window, permissions appear in symbolic form without explicit sticky bit indicators, necessitating command-line verification for confirmation.[41]