Day 16: Linux file system special permissions (SUID, SGID)

Source: Internet
Author: User

In a Linux system, a command sometimes has to operate on a file that the user running the command has no permission to touch. For example, passwd modifies the password file: the command file is owned by user root and group root, and group members and other users have execute permission, so an ordinary user can run the command to change their own password, yet the file being modified, /etc/passwd, is not writable with an ordinary user's privileges. SUID solves this. Tip: the setuid permission bit is expressed as octal 4000.


SUID knowledge summary:
1. SUID is set when the x position of the first triplet (the owner's permissions) shows an s. If the owner has no x permission there, the position shows an uppercase S instead.
2. The setuid bit lets an ordinary user run a program or command with the identity of the file's owner (root or another account).
3. It is only effective on binary commands and programs, not on shell scripts and similar script files (a shell script only calls binary commands, so what matters is whether those binaries themselves carry the bit).
4. The binary command or program must have execute permission (x).
5. SUID changes the identity under which the command runs; it does not change the permissions of the target file the command operates on.
6. SUID permission is only in effect while the program is running.
7. Any system user who runs the command obtains all permissions of the file's owner for the duration of that program's execution.
8. SUID is a double-edged sword: it is a dangerous feature that poses a certain threat to system security. Removing the SUID bit from commands the system rarely needs is a common security optimization.

Example:

(The user and host names in the prompts and the file timestamps were lost when the page was scraped; they are shown as user@host / root@host and <date>.)

    user@host:~$ which passwd
    /usr/bin/passwd
    user@host:~$ ls -l `which passwd`
    -rwsr-xr-x 1 root root 51224 <date> /usr/bin/passwd
    user@host:~/test/suid$ touch suid
    user@host:~/test/suid$ ls -l
    -rw-rw-r-- 1 xiaorui xiaorui 0 <date> suid
    user@host:~/test/suid$ chmod 4664 suid
    user@host:~/test/suid$ ls -l
    -rwSrw-r-- 1 xiaorui xiaorui 0 <date> suid
    user@host:/lrz$ rm -f suid
    rm: cannot remove 'suid': Permission denied
    root@host:/lrz# chmod u+s suid
    root@host:/lrz# ls -l
    -rwSr--r-- 1 root root 0 <date> suid
    user@host:/lrz$ rm -f suid
    rm: cannot remove 'suid': Permission denied
    root@host:~# which rm
    /bin/rm
    root@host:~# chmod u+s /bin/rm
    root@host:~# ls -l /bin/rm
    -rwsr-xr-x 1 root root 60160 <date> /bin/rm
    user@host:/lrz$ ls -l suid
    -rwSr--r-- 1 root root 0 <date> suid
    user@host:/lrz$ rm -f suid
    user@host:/lrz$ ls

How do I find files that have SUID permission?

    root@host:~# find /usr/bin -type f -perm 4755
    /usr/bin/passwd
    /usr/bin/pkexec
    /usr/bin/newgrp
    /usr/bin/sudo
    /usr/bin/mtr
    /usr/bin/chfn
    /usr/bin/gpasswd
    /usr/bin/chsh
    root@host:~# find /usr/bin -type f -perm 4755 | xargs ls -l
    -rwsr-xr-x 1 root root  50712 <date> /usr/bin/chfn
    -rwsr-xr-x 1 root root  41432 <date> /usr/bin/chsh
    -rwsr-xr-x 1 root root  68312 <date> /usr/bin/gpasswd
    -rwsr-xr-x 1 root root  75320 <date> /usr/bin/mtr
    -rwsr-xr-x 1 root root  36688 <date> /usr/bin/newgrp
    -rwsr-xr-x 1 root root  51224 <date> /usr/bin/passwd
    -rwsr-xr-x 1 root root  23304 <date> /usr/bin/pkexec
    -rwsr-xr-x 1 root root 151072 <date> /usr/bin/sudo
    root@host:~# find /usr/bin -type f -perm 4755 -exec ls -l {} \;
    -rwsr-xr-x 1 root root  51224 <date> /usr/bin/passwd
    -rwsr-xr-x 1 root root  23304 <date> /usr/bin/pkexec
    -rwsr-xr-x 1 root root  36688 <date> /usr/bin/newgrp
    -rwsr-xr-x 1 root root 151072 <date> /usr/bin/sudo
    -rwsr-xr-x 1 root root  75320 <date> /usr/bin/mtr
    -rwsr-xr-x 1 root root  50712 <date> /usr/bin/chfn
    -rwsr-xr-x 1 root root  68312 <date> /usr/bin/gpasswd
    -rwsr-xr-x 1 root root  41432 <date> /usr/bin/chsh
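The find commands above match only the exact mode 4755, so a file set to 4750 or 6755 would be missed. As an added example (not from the original post), the bash functions below list every regular file under a directory that carries SUID or SGID, whatever its other bits, and flag any that are not on an allowlist; the allowlist is a constructed sample built from the post's own output, and the stat output format is an assumption about GNU coreutils.

```bash
#!/bin/bash
# Added example, not from the original post: audit SUID/SGID files under a tree.

# Constructed allowlist: the SUID binaries the post's own `find` output lists,
# plus the SGID mlocate binary from its locate example. Adjust per system.
ALLOWED_SPECIAL='/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/mtr
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/mlocate'

# Print "mode owner group path" for each regular file with SUID or SGID set.
# -perm /6000 matches if either bit (4000 or 2000) is present, regardless of
# the rwx bits, unlike -perm 4755 which only matches that exact mode.
list_special_files() {
    find "$1" -xdev -type f -perm /6000 \
        -exec stat -c '%a %U %G %n' {} + 2>/dev/null
}

# Print only the entries whose path is not on the allowlist; these are the
# candidates to review and, per the post's advice, to strip with chmod u-s/g-s.
unexpected_special_files() {
    list_special_files "$1" | while read -r mode owner group path; do
        if ! printf '%s\n' "$ALLOWED_SPECIAL" | grep -Fxq -- "$path"; then
            printf '%s %s:%s %s\n' "$mode" "$owner" "$group" "$path"
        fi
    done
}

# Stand-alone use: audit /usr/bin (or the directory given as the first argument).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    unexpected_special_files "${1:-/usr/bin}"
fi
```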

SGID knowledge summary:
Unlike SUID, SGID can be set on directories as well as files.
  For files, SGID works as follows:
1. SGID is only effective on binary commands and programs.
2. The binary command or program must have execute permission (x).
3. Any user who runs the program obtains the permissions of the group that owns the command program while it runs.
  For directories, SGID works as follows:
1. Files and directories that a user creates inside this directory get the same group as the directory.
The setgid bit is mostly used on directories: when a directory has the setgid bit, files newly created in it inherit the directory's group rather than the default group of the user who created them. This makes it easier to share files in a directory among multiple users. Tip: the setgid permission bit is expressed as octal 2000.
SGID example, the locate command:

    root@host:~# which locate
    /usr/bin/locate
    root@host:~# ls -l `which locate`
    lrwxrwxrwx 1 root root <size> <date> /usr/bin/locate -> /etc/alternatives/locate
    root@host:~# ls -l /etc/alternatives/locate
    lrwxrwxrwx 1 root root <size> <date> /etc/alternatives/locate -> /usr/bin/mlocate
    root@host:~# ls -l /usr/bin/mlocate
    -rwxr-sr-x 1 root mlocate 39520 <date> /usr/bin/mlocate
    root@host:~# ls -l /var/lib/mlocate/mlocate.db
    -rw-r----- 1 root mlocate 9988044 <date> /var/lib/mlocate/mlocate.db

RHCE exam question:
Create a shared directory /home/admins owned by the group adminuser. Members of the adminuser group have read, write and execute permission on the directory; all other users (except root) have no permission at all; files created in /home/admins automatically inherit the adminuser group.

    root@host:~# groupadd adminuser
    root@host:~# mkdir /home/admins
    root@host:~# ls -ld /home/admins
    drwxr-xr-x 2 root root 4096 <date> /home/admins
    root@host:~# chown .adminuser /home/admins/
    root@host:~# ls -ld /home/admins
    drwxr-xr-x 2 root adminuser 4096 <date> /home/admins
    root@host:~# chmod 2770 /home/admins/
    root@host:~# ls -ld /home/admins/
    drwxrws--- 2 root adminuser 4096 <date> /home/admins/
    root@host:~# touch /home/admins/sgid.txt
    root@host:~# ls -l /home/admins/sgid.txt
    -rw-r--r-- 1 root adminuser 0 <date> /home/admins/sgid.txt


SUID and SGID summary:
For SUID and SGID, prefer managing privileges with sudo wherever possible, and find the commands on the system whose SUID bit is not needed and remove it. The s in the user triplet is SUID and the s in the group triplet is SGID; when the bit coincides with an x permission it is displayed as a lowercase s.

Sticky bit (sbit) and how to set it
To understand the sticky bit, look at an example first:

    root@host:~# ls -ld /tmp
    drwxrwxrwt <n> root root 4096 <date> /tmp

The last letter of /tmp's permission string is t, which means the sticky bit is set.
The sticky bit is expressed as octal 1000.

The sticky bit is seldom used nowadays, but it makes sense for a system-wide temporary file store such as the /tmp directory. Even if a directory's permissions are rwxrwxrwx, once the sticky bit is set a file in it can only be deleted by the file's owner, the directory's owner or root; other users cannot delete it. The purpose is generally to open up a directory's permissions so that files can be shared, as with /tmp.
Sticky: more secure than SGID for a shared directory, since it allows multiple users to have write access to the directory while each user can only delete their own files. It appears in the other triplet as t: if there is no execute permission it shows as uppercase T, if there is execute permission it shows as lowercase t.
Special permissions in octal: SUID 4000, SGID 2000, sticky bit 1000.
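As an added example (not from the original post), the bash function below renders an octal mode such as 4755 as the ls -l permission string, applying the rule from the summaries above: SUID/SGID show as s and the sticky bit as t when the matching execute bit is also set, and as uppercase S/T when it is not.

```bash
#!/bin/bash
# Added example, not from the original post: decode an octal mode into the
# nine-character permission string that ls -l prints.

mode_to_symbolic() {
    local mode=$1 special=0 perms out='' i digit bit lo up
    # A four-digit mode carries the special bits in its first digit
    # (4 = SUID, 2 = SGID, 1 = sticky); a three-digit mode has none.
    if [ ${#mode} -eq 4 ]; then
        special=${mode:0:1}
        perms=${mode:1}
    else
        perms=$mode
    fi
    for i in 0 1 2; do
        digit=${perms:$i:1}
        [ $((digit & 4)) -ne 0 ] && out+='r' || out+='-'
        [ $((digit & 2)) -ne 0 ] && out+='w' || out+='-'
        # Which special bit belongs to this triplet and which letters show it.
        case $i in
            0) bit=4; lo=s; up=S ;;   # user triplet: SUID
            1) bit=2; lo=s; up=S ;;   # group triplet: SGID
            2) bit=1; lo=t; up=T ;;   # other triplet: sticky bit
        esac
        if [ $((special & bit)) -ne 0 ]; then
            # Special bit set: lowercase when x is also set, uppercase when
            # it is not (the post's "S" case, e.g. chmod 4664 -> rwSrw-r--).
            if [ $((digit & 1)) -ne 0 ]; then out+=$lo; else out+=$up; fi
        else
            [ $((digit & 1)) -ne 0 ] && out+='x' || out+='-'
        fi
    done
    printf '%s\n' "$out"
}

# Stand-alone use: decode each mode given on the command line.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    for m in "$@"; do printf '%s -> %s\n' "$m" "$(mode_to_symbolic "$m")"; done
fi
```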
