chmod g+s, chmod o+t, chmod u+s [repost]


Source: http://blog.chinaunix.net/uid-26642180-id-3378119.html

 

Detailed description of the three special permissions: setuid, setgid, and the sticky bit

Each file has an owner, indicating who created the file. At the same time, the file also has a group number, indicating the group to which the file belongs, generally the group to which the file owner belongs.

An executable file normally runs with only the permissions of the user who invokes it; setuid and setgid can change this.

Setuid: when set, the file runs with the permissions of the file owner. The typical example is /usr/bin/passwd. When an ordinary user executes it, the program is given root privileges for the duration of its execution so that it can change the user's password.

Setgid: this permission is only valid for directories. Once a directory has this bit set, any file created in it gets the same group as the directory.

Sticky bit: this bit can be understood as an anti-deletion bit. Whether a file can be deleted by a user depends on whether the group to which the file belongs grants that user write permission. Without write permission, no file in the directory can be deleted and no new file can be added. If you want users to be able to add files but not delete them, you can use the sticky bit on the file. After this bit is set, a user cannot delete the file even with write permission.

The following describes how to set these flags:

These flags are set with the same command used for ordinary file permissions, chmod. There are two ways to do it:

1) chmod u+s temp - add the setuid flag to the file temp (setuid is only valid for files)

chmod g+s tempdir - add the setgid flag to the directory tempdir (setgid is only valid for directories)

chmod o+t temp - add the sticky flag to the file temp (sticky is only valid for files)

2) Octal notation. An ordinary file mode is written as three octal digits, for example 666, 777, 644. To set the special flags, one more octal digit is placed in front of these three. For example:

4666, 2777. The three bits of this leading octal digit have the following meaning:

abc

a - setuid bit. If this bit is 1, setuid is set.

b - setgid bit. If this bit is 1, setgid is set.

c - sticky bit. If this bit is 1, sticky is set.

After these flags are set, you can view them with ls -l. If a flag is set, it is shown in the position of the original execute flag. For example:

rwsrw-r-- indicates that the setuid flag is set.

rwxrwsrw- indicates that the setgid flag is set.

rwxrw-rwt indicates that the sticky flag is set.

So where did the original execute flag x go? The rule is: if x is also set in that position, the special flag is displayed as a lowercase letter (s, s, t); otherwise it is displayed as an uppercase letter (S, S, T).

The numeric values of these three permissions can be understood as follows:

 1    1    1
rws  rws  rwt
suid sgid sticky

Therefore, we can conclude that

chmod 4777 sets setuid

chmod 2777 sets setgid

chmod 1777 sets sticky.
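The display rule and the leading octal digit can be checked against real files. The following is an added example, not part of the original article: show_mode and special_digit are hypothetical helper names, and the scratch paths are constructed. It applies an octal mode, reads back the string ls -l prints, and recovers the special digit from that string.

```sh
#!/bin/sh
# Added example (not from the original article).

# show_mode MODE KIND: create a scratch file (KIND=f) or directory (KIND=d),
# apply the octal MODE, and print the 10-character mode string from ls -l.
show_mode() {
    scratch=$(mktemp -d) || return 1
    target="$scratch/temp"                    # constructed scratch path
    if [ "$2" = d ]; then mkdir "$target"; else : > "$target"; fi
    chmod "$1" "$target"
    # Cut off any trailing "." or "+" (SELinux context / ACL marker).
    ls -ld "$target" | cut -c1-10
    rm -rf "$scratch"
}

# special_digit STRING: recover the leading octal digit from a mode string.
# Position 4 is the owner's x slot, 7 the group's, 10 the others'.
special_digit() {
    digit=0
    case $(printf '%s\n' "$1" | cut -c4)  in s|S) digit=$((digit + 4)) ;; esac
    case $(printf '%s\n' "$1" | cut -c7)  in s|S) digit=$((digit + 2)) ;; esac
    case $(printf '%s\n' "$1" | cut -c10) in t|T) digit=$((digit + 1)) ;; esac
    echo "$digit"
}

# Lowercase appears when x is also set, uppercase when it is not.
for spec in "4755 f" "4644 f" "2775 d" "1777 d" "1770 d" "6755 f"; do
    set -- $spec
    str=$(show_mode "$1" "$2")
    echo "chmod $1 -> $str (special digit $(special_digit "$str"))"
done
```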

Common Operations

Find all dangerous directories (directories that every user can read and write but that have no sticky bit set):

find / -perm -0007 ! -perm -1000 -type d

Find all files that have SUID set:

find / -perm -4000 -type f
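The two searches above can be run as one repeatable audit. The following is an added example, not part of the original article: make_sample_tree and audit_tree are hypothetical helper names, the sample tree and the SUID/SGID/NO-STICKY labels are constructed, and it goes slightly beyond the text by also reporting setgid files and by flagging any directory writable by others (-perm -0002).

```sh
#!/bin/sh
# Added example (not from the original article); all paths are constructed.

# make_sample_tree: build a scratch tree with known modes and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/bin" "$t/spool" "$t/drop"
    : > "$t/bin/helper"; : > "$t/bin/grouptool"; : > "$t/bin/plain"
    chmod 0755 "$t/bin" "$t/bin/plain"
    chmod 4755 "$t/bin/helper"       # setuid file
    chmod 2755 "$t/bin/grouptool"    # setgid file
    chmod 1777 "$t/spool"            # world-writable, sticky set (like /tmp)
    chmod 0777 "$t/drop"             # world-writable, no sticky bit
    echo "$t"
}

# audit_tree ROOT: print one finding per line, paths relative to ROOT.
audit_tree() (
    cd "$1" || exit 1
    # -xdev keeps find on one filesystem; -perm -BITS means "all of BITS set".
    find . -xdev -type f -perm -4000 | sed 's/^/SUID /'
    find . -xdev -type f -perm -2000 | sed 's/^/SGID /'
    # Writable by others and lacking the sticky bit: any user can delete or
    # replace other users' files here.
    find . -xdev -type d -perm -0002 ! -perm -1000 | sed 's/^/NO-STICKY /'
)

tree=$(make_sample_tree) && audit_tree "$tree"
rm -rf "$tree"
```

Saving the output of a known-good run and comparing later runs against it highlights newly introduced setuid or setgid files.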

Supplement: (Angelus)
SGID bit. A file can also be set to SGID. For example, if an executable file is assigned SGID, it has the privileges of all groups and can access any system resources available to all groups. A file copied into an SGID directory retains its original group settings only when the -p parameter is added during the copy.

There is also the sticky-bit permission. Simply put, other users of the file cannot delete the file even if they have write permission; it can only be deleted or moved by the file owner.

A typical example in the system is /tmp (the system's temporary file directory), where it prevents unauthorized users from arbitrarily deleting files placed there by other users.

SUID occupies the owner's x (execute) position, SGID occupies the group's x position, and the sticky bit occupies the others' x position. If that position also has the x permission, a lowercase s is shown. If not, an uppercase S is shown.

To set special permissions numerically, four octal digits are required. The first digit indicates the special permissions, and the last three digits indicate the basic permissions.

Only the meaning of the first octal digit is listed here:

0: Do not set special permissions
1: Set only sticky
2: Set only SGID
3: Set only SGID and sticky
4: Set only SUID
5: Set only SUID and sticky
6: Set only SUID and SGID
7: Set all three permissions
