Special permissions on the Linux file system
Permission model:
U,g,O
R,w,x
Security context for the process:
Prerequisite: The process is owned by the owner (the process is running as the user's identity);
1 Whether the user can start an executable program file as a process, depending on whether the user has execute permissions on the program file
2 After the program is started as a process, the owner of the process is the current user, that is, the initiator of the process, the group of the process, the base group for the initiator
3 The access rights that the process has, depending on its owner's access rights
The owner of a process is the same as the owner of the file, then the application file belongs to the owner's permission
The owner of the b process, belonging to the group of files, the permission to apply the file group
C Otherwise apply other permissions
SUID:
1 suid Permissions are valid only for binary programs
2 performer must have X executable permission for the program
3 This permission is valid only during the execution of the program
4 performer will have permissions for the program owner
any executable program file can be started as a process, depending on whether the initiator has EXECUTE permission on the program file
when started as a process, its owner is not the initiator, but the program files own owner, this mechanism is SUID
Permission settings:
chmod u+s FILE
chmod u-s FILE
Note:
S: Owner has x Execute permission
S: Owner does not have x Execute permission
SGID:
by default, when a user creates a file, its group is the base group to which this user belongs ( effective Group )
Once a directory has been set SGID permissions, users who have write permissions to this directory are created in this directory by the group that belongs to the group that owns the directory, not the base group of the user
Permission settings:
chmod g+s FILE
chmod g-s FILE
Sticky:
for a multi-person writable directory, this permission is used to restrict each file that can only be deleted
When the user has w,x permissions for this directory , that is, the permission to write;
When a user creates a file or directory under that directory, only himself and root have permission to delete the file
Permission settings:
chmod o+s FILE
chmod o-s FILE
SUID,SGID, STICKY
Octal permission Representation
000 0
001 1
010 2
011 3
100 4
101 5
110 6
111 7
decimal :
SUID: 4
SGID: 2
Sticky:1
Practice:
1, Allows ordinary users to use the /tmp/cat go to view /etc/shadow file ;
[[email protected]~]# cp ' Which cat ' /tmp/[[email protected]~]# ll / tmp/total 60-rwxr-xr-x.1 root root 54048 sep 7 05:31 CATDRWXR-XR--. 2 root root 4096 sep 7 01:03 test #没有添加SUID [ [email protected]~]$ /tmp/cat /etc/shadowcat: /etc/shadow:permission denied # Modify Permissions Add suid after [email protected]~]# chmod 4755 /tmp/cat [[email protected]~]$ /tmp/cat /etc/shadowroot:$6$t/wcpl78bqe44s/g$ tbmlzheehutjaqjaxrqmrhkk48nl7dab1mxwhvona5u8uklvezu5gj77blu7dnihiw/8dy3flb2bydb6/vsp7.:16666:0:99999:7:::bin:* : 16372:0:99999:7:::d aemon:*:16372:0:99999:7:::adm:*:16372:0:99999:7:::lp:*:16372:0:99999:7:::sync:* : 16372:0:99999:7:::shutdown:*:16372:0:99999:7:::halt:*:16372:0:99999:7:::mail:*:16372:0:99999:7:::operator:* : 16372:0:99999:7:::games:*:16372:0:99999:7:::ftp:*:16372:0:99999:7:::nobody:*:16372:0:99999:7::: avahi-autoipd:!! : 16666,:::::d bus:!! : 16666,:::::p olkitd:!! : 16666::::::tss:!! : 16666,:::::p ostfix:!! : 16666::::::sshd:!! : 16666::::::roger:$6$0kpqayotof.yg8bn$y6loirhlzwxo0uwyfdfkjwkd5d1ldlicmzpcrminrnwhsxyoj18mxluyt/ ot8pe8noy5wgsme3g2gj0mmc9bf1:16666:0:99999:7:::test1:$6$y1cedbcj$o92n.sece2stfirxb7qmd1arykahj226zzy0/ Lxlvq612xzg.cq6uqxhw8qygfps8.o9qgwyynrqiiv/e4sq9.:16684:0:99999:7:::
2, Create the directory /test/data
[[Email protected]]# lltotal 4drwxr-xr-x. 2root root 4096 sep 7 05:41 data [[email protected]]# chmod 3777 data[[email protected] test]# lltotal 4drwxrwsrwt. 2 Root root 4096 sep 7 05:59 data[[email protected] test]# su - test1last login: mon sep 7 05:20:02 cst 2015 from 192.168.1.199 onpts/2[[email protected] ~]$ cd /test/data/[[email protected] data]$ touch test1_file[[email protected] data]$ lltotal 0- Rw-rw-r--. 1 test1 root 0 Sep 7 05:58 test1_file[[email Protected] data]$ exitlogout[[email protected] test]# su - rogerlast login: mon sep 7 05:20:12 cst 2015 on pts/2[[email protected] ~]$ touch/test/data/ roger_file[[email protected] ~]$ lltotal 0[[email protected] ~]$ ll / Test/data/total 0-rw-rw-r--. 1 roger root 0 Sep 7 05:59 Roger_file-rw-rw-r--. 1 test1 root 0 sep 7 05:58 test1_file[[ Email protected] ~]$ rm/test/data/test1_filerm: remove write-protected regular emptyfile '/test/data/test1_file '? yrm: cannot remove '/test/data/test1_file ': O Peration not permitted[[email protected] ~]$ exitlogout [[email protected]] # su - test1last login: mon sep 7 05:57:44 cst 2015 on pts/0[[email protected] ~]$ rm/test/data/roger_filerm: remove write-protected regular emptyfile '/test/data/roger_file '? yrm: cannot remove '/test/data/roger_file ': O peration not permitted
Note: Some of the contents of "Bird's Linux Private Cuisine" Third edition reference
If there is any mistake, please correct me!
Thank you!
Special permissions on the Linux file system