Author: gnuhpc
Source: http://www.cnblogs.com/gnuhpc/
1. Sticky Bit
1) On files: Some old UNIX systems used the sticky bit to keep an executable in swap after its first execution, to make the program start faster. This use is now obsolete.
2) On directories: If the sticky bit of a directory is set, only the owner of the directory and the root user can delete and rename the files or subdirectories in it:
gnuhpc@gnuhpc-desktop:~$ mkdir teststickybit
Run the ls command to view the current permissions of the directory:
drwxr-xr-x 2 gnuhpc 4096 teststickybit
After we put a file a.out into the directory, it contains:
gnuhpc@gnuhpc-desktop:~/teststickybit$ ls -l
total 8
-rwxrwxrwx 1 gnuhpc 7835 a.out
Add the sticky bit:
gnuhpc@gnuhpc-desktop:~$ chmod +t teststickybit
Now the directory permissions have changed:
gnuhpc@gnuhpc-desktop:~$ ls -ld teststickybit
drwxr-xr-t 2 gnuhpc 4096 teststickybit
Although a.out grants all permissions to everyone, it can only be renamed and deleted by its owner or root:
gnuhpc@gnuhpc-desktop:~/teststickybit$ su guest
Password:
guest@gnuhpc-desktop:/home/gnuhpc/teststickybit$ mv a.out b.out
mv: cannot move 'a.out' to 'b.out': Permission denied
guest@gnuhpc-desktop:/home/gnuhpc/teststickybit$ rm a.out
rm: cannot remove 'a.out': Permission denied
This protects files, which is why /tmp has the sticky bit set.
2. SUID
The full name is set user ID. As the name implies, if the SUID bit of a file is set, then when the program is run the user ID is "set" to the user ID of the file's owner (actually not the ID itself, only the permissions). For example, if a file with SUID set is owned by root and I run it as an ordinary user such as gnuhpc, the program is executed as root. This is used when you want a program to do something with the permissions of a specific user (such as root) without granting those permissions to the users who run it. To add or remove SUID, run chmod u+s filename or chmod u-s filename.
For example:
ping is used to test whether the network connection works. It sends and receives packets using the ICMP protocol, but only the root user can create ICMP packets. How is this problem solved? By using the SUID bit. Check the attributes of /bin/ping and you will see it (the s in rws).
3. SGID
Similarly, when a user runs a file with SGID set, the program runs with the permissions of a member of the group the file belongs to. To add or remove SGID, run chmod g+s filename or chmod g-s filename.
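As an added example (not part of the original article), the shell functions below audit a directory tree for the three bits covered above: files with SUID or SGID set, and world-writable directories that lack the sticky bit. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a tree for SUID/SGID files and for
# world-writable directories that are missing the sticky bit.

# Regular files with SUID (4000) or SGID (2000) set.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# World-writable directories (0002) without the sticky bit (1000):
# any user can delete or rename other users' files in them.
list_unsafe_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Name the special bits set on one path, e.g. "suid" or "sgid sticky".
special_bits() {
    bits=""
    [ -u "$1" ] && bits="$bits suid"
    [ -g "$1" ] && bits="$bits sgid"
    [ -k "$1" ] && bits="$bits sticky"
    echo "${bits# }"
}

# One report line per finding.
audit_tree() {
    list_setid_files "$1" | while IFS= read -r f; do
        printf 'SETID [%s] %s\n' "$(special_bits "$f")" "$f"
    done
    list_unsafe_dirs "$1" | while IFS= read -r d; do
        printf 'NOSTICKY %s\n' "$d"
    done
}

# Constructed demo tree (hypothetical names, not from the article).
demo=$(mktemp -d)
mkdir "$demo/shared" "$demo/open"
chmod 1777 "$demo/shared"    # world-writable with sticky bit, like /tmp
chmod 0777 "$demo/open"      # world-writable, no sticky bit
touch "$demo/tool"
chmod 4755 "$demo/tool"      # SUID file
audit_tree "$demo"           # reports tool (SETID) and open (NOSTICKY)
rm -rf "$demo"
```

Run audit_tree against a real path (for example /usr/bin) to review which programs run with their owner's or group's permissions.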