Special file permissions: SUID, SGID, sbit

• Set UID

When the s flag appears on the X permission of the file owner, for example, the permission status of the file/usr/bin/passwd just mentioned: "-RWSR-XR-X "is called set UID, which is short for SUID special permission. So what is the special function of SUID for a file? Basically, SUID has the following restrictions and functions:

• SUID permission is only valid for Binary Program (Binary program;
• The operator needs to have X running permissions for the program;
• This permission is only valid during running of the Program (run-time );
• The Walker has the permissions of the owner of the program.

You may not have any idea about suid. It doesn't matter. Let's give an example to illustrate this. In our Linux system, the passwords of all accounts are recorded in the/etc/shadow file. The permission for this file is: "-r -------- 1 Root 』, this file is only root readable and only root can be forcibly written. Since this file can only be modified by the root user, can the vbird of laruence's general account user modify his/her own password? You can use your account to enter the "passwd" command! You can change your password!

No! Are there any conflicts! Clearly/etc/shadow won't allow the General Account vbird to access. Why can vbird modify the password in this file? This is the SUID function! With the above function description, we can know

1. Vbird has the X permission for the/usr/bin/passwd program, indicating that vbird can run passwd;
2. The owner of passwd is the root account;
3. When vbird runs passwd, it will "Temporarily" Get the root permission;
4. /Etc/shadow can be modified by the passwd run by vbird.

But can vbird read/etc/shadow through cat? Because cat does not have SUID permission, when vbird runs "cat/etc/shadow", it cannot read/etc/shadow. Here is a description:

Figure 4.4.1 SUID program running process

In addition, SUID can only be used on Binary program and cannot be used on shell script! This is because shell script only calls many binary running files for running! Therefore, the SUID permission must be configured for the program called by shell script, rather than the shell script itself. Of course, SUID is invalid for directories ~ Pay special attention to this.

• Set GID

When the s sign is SUID in the object owner's X Project, S is called set GID and SGID when the s sign is in group X! That's right! ^_^. For example, you can use the following command to observe files with SGID permissions:

[root@www ~]# ls -l /usr/bin/locate-rwx--s--x 1 root slocate 23856 Mar 15 2007 /usr/bin/locate

Unlike SUID, SGID can be configured for files or directories! For files, SGID provides the following functions:

• SGID is useful for Binary programs;
• The user who runs the program must have the X permission for the program;
• The runners will be supported by this program group during the running process!

For example, the above/usr/bin/locate program can search for/var/lib/mlocate. DB file content (detailed description will be described in the next section), mlocate. the database permission is as follows:

[root@www ~]# ll /usr/bin/locate /var/lib/mlocate/mlocate.db-rwx--s--x 1 root slocate 23856 Mar 15 2007 /usr/bin/locate-rw-r----- 1 root slocate 3175776 Sep 28 04:02 /var/lib/mlocate/mlocate.db

Similar to SUID, if I use the vbird account to run locate, vbird will obtain support from the slocate group, so it can read mlocate. DB! Very interesting!

In addition to binary program, SGID can also be used in directories, which is also a very common purpose! When a directory is configured with the sgid permission, it has the following features:

• If the user has the R and X permissions for this directory, the user can access this directory;
• The valid group in this directory will be changed to the group in this directory;
• Purpose: if the user has W permissions in this directory (you can create a file), the user creates a new file. The group of the new file is the same as the group in this directory.

SGID is very important for project development! Because this involves group permissions, you can refer to the subsequent situation simulation cases in this chapter to learn about SGID! Pai_^

• Sticky Bit

This sticky bit, sbit is currently only valid for directories and has no effect on files. The role of sbit on directories is:

• When the user has the W and X permissions for this directory, that is, the write permission is required;
• When a user creates a file or directory in this directory, only the user and the root user have the right to delete the file.

In other words, when user A has the identity of a group or another person and has the permissions of directory W, this indicates that "a user can delete, rename, or move any directory or file created by anyone in this directory. 』 However, if you add the sbit permission project to directory A, you can only delete, rename, or move the files or directories you have created, but cannot delete others' files.

For example, our/tmp permission is "drwxrwxrwt". With this permission, anyone can add or modify files in/tmp, however, only the creator and root of the file/directory can delete their own directories or files. This feature is also very important! You can perform a simple test like this:

1. Log on to the system as root and enter/tmp;
2. Touch test, and change the test permission to 777;
3. Log on as a common user and enter/tmp;
4. Try to delete the file test!

• SUID/SGID/sbit permission Configuration

I have previously introduced the SUID and SGID functions. How can I configure a file to have SUID and SGID permissions? Now you know that the number-type permission change method is a combination of three numbers. If you add a number before the three numbers, the number at the beginning indicates the permissions!

• 4 is SUID
• 2 is SGID
• 1 is sbit

Assume that if you want to change the File Permission to "-rwsr-XR-X", S is in the user permission, so it is suid. Therefore, add 4 before 755, that is, configure "chmod 4755 FILENAME! In addition, there are big S and Big T! Refer to the example below!

TIPS: Note: The examples below are just exercises. So laruence uses the same file for configuration. You must understand that SUID is not used in directories, but sbit is not used in files!

[Root @ WWW ~] # Cd/tmp [root @ www tmp] # Touch test <= create a test file [root @ www tmp] # chmod 4755 test; ls-l test <= add permission with SUID-rwsr-XR-x 1 Root 0 Sep 29 test [root @ www tmp] # chmod 6755 test; ls-l test <= add permission with SUID/SGID-rwsr-Sr-x 1 Root 0 Sep 29 test [root @ www tmp] # chmod 1755 test; ls-l test <= adds the sbit function! -Rwxr-XR-T 1 Root 0 Sep 29 test [root @ www tmp] # chmod 7666 test; ls-l test <= has an empty SUID/SGID permission-rwsrwsrwt 1 Root 0 Sep 29 0:06 Test

The last example should be very careful! How can there be uppercase S and T? Aren't all in lower case? Because S and T both Replace the X permission, but have you found that we have issued 7666! That is to say, user, group, and others do not have X, which can be run (because of 666). Therefore, this S, T represents "null! What do you say? SUID indicates "this file has the permission of the file owner when it is running", but the file owner cannot run it. Where can I grant this permission to others? Of course it is empty! Pai_^

In addition to the number method, you can also use the symbol method to handle it! SUID is u + S, SGID is G + S, and sbit is O + T Luo! Let's take a look at the following example:

# Configure the permission to be-RWS -- X: [root @ www tmp] # chmod u = rwxs, go = x test; ls-l test-RWS -- X 1 Root 0 Aug 18 test #, add SGID and sbit in the above file permissions! [Root @ www tmp] # chmod g + S, O + T test; LS-l test-RWS -- s -- T 1 Root 0 Aug 18 23:47 Test