acl sticky bit

Stuart Jansen sjansen at buscaluz.org
Wed Jan 7 13:06:57 MST 2009


On Wed, 2009-01-07 at 12:37 -0700, Kyle Waters wrote:
> I have a web application that I want to restrict access to on the 
> server.  There are a couple of devs that need to have write access and 
> we have an already established group for that.  So all the files belong 
> to that group and the stick bit is set.  I removed all access to the 
> files by world and then set an acl to allow apache to read the file.  
> The problem is that a lot of text editors copy the old file as a back up 
> and then write out the file as new when they save.  That means I lose 
> all of my acls since the stick bit doesn't apply.  I know I can add 
> apache to the group, but that weakens security.  Is there a better 
> solution that I'm not aware of (besides switching text editors)?

I knew there was something about your email that bugged me, and it wasn't
just that you misspelled sticky.

ACLs are distinct from traditional Unix file permissions. Traditional
Unix file permissions are also referred to as a file's mode, hence the
"chmod" command. In addition to user/group/other, read/write/execute, a
file's mode also includes "special" permissions: setuid, setgid &
sticky. Most modern Unix systems also support ACLs, although some
require that you manually activate ACL support. ACLs are modified using
the "setfacl" command and are much more powerful, but have their own
disadvantages.

In other words "I lose all my acls since the stick[y] bit doesn't apply"
makes no sense. I'm too lazy to go into more detail, but you can find good
information after spending a little quality time with Google. Just watch
out for random forum questions and answers, most have dubious
information.

-- 
When you tell me I should give proprietary software a fair technical
evaluation because its features are so nice, what you are actually doing
is saying "Look at the shine on those manacles!" to someone who
remembers feeling like a slave. -- Eric S. Raymond
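The save-as-new-file problem Kyle describes, worked through as an added shell example (not code from the thread): an editor writes a fresh file and renames it over the original, so the access ACL on the old inode is gone; a default ACL on the directory (setfacl -d) is what makes the replacement inherit the entry, the same way a setgid directory makes new files inherit its group. The uid 4242 is a placeholder standing in for the apache user.

```shell
#!/bin/sh
# Reproduce the "editor saves as a new file" ACL loss and the fix.
# Prints "lost kept" when the behaviour is demonstrated, "skip" when the
# filesystem or tools offer no ACL support (e.g. some container sandboxes).
APACHE_UID=4242   # placeholder uid standing in for the apache user

# What many editors do on save: write a new file, then rename it over the
# original. The rename installs a new inode; the old file's ACL is not copied.
editor_save() {
    printf 'new content\n' > "$1.tmp~" && mv -f "$1.tmp~" "$1"
}

# Print "yes" if the file carries an ACL entry for the given uid, else "no".
has_acl_entry() {
    if getfacl -n "$1" 2>/dev/null | grep -q "^user:$2:"; then echo yes; else echo no; fi
}

# Case 1 mirrors the original post (ACL on the file only); case 2 adds a
# default ACL on the directory so every file created inside inherits it.
demo_acl_inheritance() {
    command -v setfacl >/dev/null 2>&1 || { echo skip; return 0; }
    d=$(mktemp -d) || return 1
    printf 'old content\n' > "$d/app.php"
    chmod 660 "$d/app.php"                       # no access for "other"
    setfacl -m "u:$APACHE_UID:r" "$d/app.php" 2>/dev/null || { rm -rf "$d"; echo skip; return 0; }
    editor_save "$d/app.php"
    r1=$(has_acl_entry "$d/app.php" "$APACHE_UID")   # expect "no": entry lost
    setfacl -d -m "u:$APACHE_UID:r" "$d" 2>/dev/null || { rm -rf "$d"; echo skip; return 0; }
    editor_save "$d/app.php"
    r2=$(has_acl_entry "$d/app.php" "$APACHE_UID")   # expect "yes": inherited
    rm -rf "$d"
    case "$r1$r2" in noyes) echo "lost kept" ;; *) echo "unexpected $r1 $r2"; return 1 ;; esac
}

demo_acl_inheritance
```

Pair the default ACL with a setgid bit on the directory (chmod g+s) if the dev group must also be preserved on replaced files; the two mechanisms are independent, which is the distinction the reply above draws.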