Operation not permitted: Sticky and SETGID

  1. User “foo” creates a directory with group read-write, setgid and the sticky bit set (mode 3775)
    [foo@localhost ~]$ mkdir -p /tmp/test_sticky/test_setgid/{sub1,sub2,sub3}
    [foo@localhost ~]$ chmod 3775 /tmp/test_sticky
    
  2. User “foo” then creates a group read-write, setgid, non-sticky directory structure with a few files underneath.
    [foo@localhost ~]$ chmod 2775 /tmp/test_sticky/test_setgid
    [foo@localhost ~]$ find /tmp/test_sticky/test_setgid -type d -exec chmod 775 "{}" \;
    [foo@localhost ~]$ touch /tmp/test_sticky/test_setgid/{sub1/file1,sub2/file2,sub3/file3}
    
  3. The resulting structure looks like this:
    [foo@localhost ~]$ find /tmp/test_sticky -printf "%#m:%M:%u:%g:%p\n"|sort -n
    0644:-rw-r--r--:foo:shared:/tmp/test_sticky/test_setgid/sub1/file1
    0644:-rw-r--r--:foo:shared:/tmp/test_sticky/test_setgid/sub2/file2
    0644:-rw-r--r--:foo:shared:/tmp/test_sticky/test_setgid/sub3/file3
    02775:drwxrwsr-x:foo:shared:/tmp/test_sticky/test_setgid
    02775:drwxrwsr-x:foo:shared:/tmp/test_sticky/test_setgid/sub1
    02775:drwxrwsr-x:foo:shared:/tmp/test_sticky/test_setgid/sub2
    02775:drwxrwsr-x:foo:shared:/tmp/test_sticky/test_setgid/sub3
    03775:drwxrwsr-t:foo:shared:/tmp/test_sticky
    
  4. User “bar” attempts to remove /tmp/test_sticky/test_setgid:

    [bar@localhost ~]$ rm -rfv /tmp/test_sticky/test_setgid
    removed `/tmp/test_sticky/test_setgid/sub3/file3`
    removed directory: `/tmp/test_sticky/test_setgid/sub3`
    removed `/tmp/test_sticky/test_setgid/sub2/file2`
    removed directory: `/tmp/test_sticky/test_setgid/sub2`
    removed `/tmp/test_sticky/test_setgid/sub1/file1`
    removed directory: `/tmp/test_sticky/test_setgid/sub1`
    rm: cannot remove `/tmp/test_sticky/test_setgid`: Operation not permitted
    

    The sticky bit set by “foo” on /tmp/test_sticky prevented “bar” from deleting
    /tmp/test_sticky/test_setgid, effectively overriding the group write permission that
    the setgid directory setup grants. Note that “bar” could still delete everything
    underneath test_setgid, because those entries live in non-sticky directories; only
    unlinking test_setgid itself from the sticky parent is refused, since “bar” owns neither
    that entry nor /tmp/test_sticky.

  5. Deleting the test_setgid directory as “bar” without the sticky bit enabled
    [ As “foo”, drop the permissions back to setgid only: chmod 02775 /tmp/test_sticky ]

    [bar@localhost ~]$ rm -rfv /tmp/test_sticky/test_setgid
    removed directory: `/tmp/test_sticky/test_setgid`
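To make the rule behind steps 4 and 5 concrete, here is an added Python model (not code from the original post) of the unlink check: write and search permission on the parent directory, plus the sticky-bit ownership test. It replays bar's `rm -rfv` over an in-memory copy of the page's tree; the uids, gids and the assumption that both users are in group “shared” are constructed for the example.

```python
import stat

# Constructed identities for the simulation: foo and bar both belong to group "shared".
ROOT, FOO, BAR, SHARED = 0, 1000, 1001, 2000

class Node:
    def __init__(self, mode, uid, gid, children=None):
        self.mode, self.uid, self.gid = mode, uid, gid
        self.children = children  # dict of name -> Node for directories, None for files

def has_perm(node, uid, groups, bit):
    """Owner/group/other class check for one permission letter: 'R', 'W' or 'X'."""
    if uid == ROOT:
        return True
    cls = "USR" if uid == node.uid else "GRP" if node.gid in groups else "OTH"
    return bool(node.mode & getattr(stat, f"S_I{bit}{cls}"))

def can_unlink(parent, entry, uid, groups):
    """Removing an entry needs write+search on its parent; with the sticky bit set
    on the parent, the caller must also own the entry or the parent (or be root)."""
    if not (has_perm(parent, uid, groups, "W") and has_perm(parent, uid, groups, "X")):
        return False
    return not (parent.mode & stat.S_ISVTX) or uid in (ROOT, entry.uid, parent.uid)

def rm_rf(parent, name, uid, groups, path, removed, failed):
    """Depth-first removal like `rm -rf`: children first, then the entry itself."""
    entry = parent.children[name]
    if entry.children is not None:
        for child in list(entry.children):
            rm_rf(entry, child, uid, groups, f"{path}/{child}", removed, failed)
    if entry.children or not can_unlink(parent, entry, uid, groups):
        failed.append(path)  # still non-empty, or the parent/sticky rules refuse it
    else:
        del parent.children[name]
        removed.append(path)

def build_tree(test_sticky_mode):
    """The page's layout: files 0644 and directories 02775, all owned by foo:shared."""
    mkdir = lambda mode: Node(mode, FOO, SHARED, {})
    test_setgid = mkdir(0o2775)
    for i in (1, 2, 3):
        test_setgid.children[f"sub{i}"] = mkdir(0o2775)
        test_setgid.children[f"sub{i}"].children[f"file{i}"] = Node(0o644, FOO, SHARED)
    test_sticky = mkdir(test_sticky_mode)
    test_sticky.children["test_setgid"] = test_setgid
    return test_sticky

def simulate_rm(test_sticky_mode, uid=BAR, groups=(SHARED,)):
    """Replay `rm -rfv /tmp/test_sticky/test_setgid`; return (removed, failed) paths."""
    removed, failed = [], []
    rm_rf(build_tree(test_sticky_mode), "test_setgid", uid, groups,
          "/tmp/test_sticky/test_setgid", removed, failed)
    return removed, failed
```

With `/tmp/test_sticky` at mode 03775 the simulation removes the six entries below test_setgid and refuses test_setgid itself, matching step 4; at 02775 everything goes, matching step 5.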