Linux Sticky bit directory permissions RWT permissions

Source: Internet
Author: User

    • Running ls -al /tmp today, I saw rwxrwxrwt and wondered what this t is, and why it is neither x nor -. Searching turned up the following.

This t represents the so-called sticky bit.

    • Sticky bit: this bit can be understood as an anti-delete bit. Whether a user can delete a file depends primarily on whether the directory containing the file grants that user write permission. Without write permission on the directory, none of the files in it can be deleted and no new files can be added. If you want users to be able to add files but not delete each other's files, set the sticky bit on the directory. Once it is set, a file in that directory cannot be deleted by another user even though that user has write permission on the directory.

To delete a file you do not need write permission on the file itself; you need write permission on the file's parent directory. In other words, even without write permission on the file, write permission on its parent directory lets you delete it, and without write permission on a directory you cannot create files in it.

How do you make a directory that any user can write files into, without letting one user delete another user's files there? The sticky bit plays exactly this role. It is generally only used on directories; on a file it has no effect.

After the sticky bit is set on a directory (for example /home with permissions 1777), every user can create files in it, but each user can delete only the files they created themselves (root excepted). This protects user files in a directory that all users can write to.

The sticky bit on the tmp directory can be set with chmod o+t tmp; the /tmp directory has this bit set by default.

The sticky bit is generally used on directories; on a file it has little meaning.

So where did the original execute flag x go? The system's rule is that if the execute bit underneath is set, these special flags are shown as lowercase letters (s, s, t); otherwise they are shown as uppercase letters (S, S, T).

To summarize: if a directory has the sticky bit set (it is set in the permissions for other users, and the execute bit there changes from x to t), then a user can create files in the directory (assuming that user has write and execute permission on it; with the execute permission present the sticky bit is shown as t, without it as T) and can delete the files they created, but cannot delete files created by other users. This is the protective effect.

The following article gives more background:

As is well known, Linux file permissions are written like 777 or 666. In fact, as long as a file carries the setuid bit, whoever runs it executes it with the identity of the file's owner. So if a copy of bash is placed somewhere else and given setuid root permission, any user who runs that shell can execute any file as root.

A file has an owner, indicating who created it. The file also has a group, representing the group the file belongs to, which is typically the group of the file's owner.

If the file is executable, then at execution time it normally runs with only the permissions of the user who invoked it. setuid and setgid change this.

setuid: the file runs with the permissions of its owner during execution. The typical example is /usr/bin/passwd. When an ordinary user executes it, it runs as root during execution so that the user's own password can be changed.

setgid: this permission is only valid for directories. Once it is set on a directory, any file a user creates in that directory gets the same group as the directory.

Sticky bit: see the description given earlier; it is the anti-delete bit for directories that every user can write to.

Now let's look at how to manipulate these flags:

These flags are manipulated with the same command as ordinary file permissions, chmod. There are two ways to do this:

1) Symbolic method:

chmod u+s temp -- adds the setuid flag to the file temp (setuid is only valid for files)

chmod g+s tempdir -- adds the setgid flag to the directory tempdir (setgid is only valid for directories)

chmod o+t temp -- adds the sticky flag to the directory temp (sticky is typically used only on directories)

2) Octal method. Ordinary file permissions are written with three octal digits, such as 666, 777 or 644. When these special flags are set, one more octal digit is added in front of this group, giving for example 4666 or 2777. The three bits of this extra octal digit mean the following:

abc

a - setuid bit: if this bit is 1, setuid is set (value 4)

b - setgid bit: if this bit is 1, setgid is set (value 2)

c - sticky bit: if this bit is 1, sticky is set (value 1)
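The following script is an added example, not code from the original page. It applies the three flags with the symbolic chmod forms shown above to scratch objects created under mktemp, then audits the tree with find the way a hardening check does: it counts setuid files, setgid objects, and world-writable directories that lack the sticky bit (the situation in which any user can delete any other user's files). The function names audit_special_bits and demo_flags and the file names temp, tempdir and shared are my own.

```shell
#!/bin/sh
# Added example (not from the original page): apply the three flags with the
# symbolic chmod forms, then audit the tree with find.
# Names (audit_special_bits, demo_flags) and the scratch paths are my own.

# Count, under directory $1:
#   setuid files                      (-perm -4000)
#   setgid files and directories      (-perm -2000)
#   world-writable directories WITHOUT the sticky bit (-perm -0002 but not -1000);
#   in such a directory any user can delete any other user's files.
audit_special_bits() {
  root=$1
  suid=$(find "$root" -type f -perm -4000 | wc -l | tr -d ' ')
  sgid=$(find "$root" -perm -2000 | wc -l | tr -d ' ')
  ww=$(find "$root" -type d -perm -0002 ! -perm -1000 | wc -l | tr -d ' ')
  echo "setuid=$suid setgid=$sgid world_writable_no_sticky=$ww"
}

# Build a scratch tree, set the flags, and report the audit before and after the
# sticky bit is added to the world-writable directory.
demo_flags() {
  base=$(mktemp -d) || return 1
  : > "$base/temp"
  chmod 755 "$base/temp"
  mkdir "$base/tempdir" "$base/shared"

  chmod u+s "$base/temp"      # setuid flag on the file temp
  chmod g+s "$base/tempdir"   # setgid flag on the directory tempdir
  chmod 777 "$base/shared"    # world-writable, sticky bit missing: the audit flags it
  before=$(audit_special_bits "$base")

  chmod o+t "$base/shared"    # add the sticky flag; same result as chmod 1777
  after=$(audit_special_bits "$base")

  rm -rf "$base"
  echo "$before | $after"
}

demo_flags
```

The before/after line shows the one world-writable directory disappearing from the findings once o+t is applied, while the setuid and setgid counts stay the same. Run against a real filesystem root the same three find expressions are the usual starting point for reviewing special bits.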

After setting these flags you can view them with ls -l. If a flag is present, it is displayed in the position of the original execute flag, for example:

rwsrw-r-- indicates the setuid flag.

rwxrwsrw- indicates the setgid flag.

rwxrw-rwt indicates the sticky flag.

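The two notations described above, the leading octal digit of the abc group and the s/S/t/T letters in ls -l output, can be decoded mechanically. The following POSIX shell script is an added example, not part of the original page: decode_octal turns a three- or four-digit mode into the flag names plus rwx triplets, decode_mode_string reads the nine-character ls -l string and reports each special flag together with whether the execute bit underneath is present (lowercase) or absent (uppercase), and sticky_demo sets the bit on a scratch directory from mktemp and checks that test -k and the ls -l letter agree. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): decode the special-bit notations
# and check them against a real scratch directory.

# decode_mode_string rwxrwxrwt -> "sticky(x)"
# Positions 3, 6 and 9 of the 9-character string carry setuid, setgid and sticky.
# Lowercase (s, s, t) means the execute bit underneath is set; uppercase (S, S, T)
# means it is not.
decode_mode_string() {
  m=$1
  [ ${#m} -eq 9 ] || { echo "expected a 9-character permission string, got '$m'" >&2; return 1; }
  out=""
  case "$(printf %s "$m" | cut -c3)" in
    s) out="$out setuid(x)" ;;  S) out="$out setuid(-)" ;;
  esac
  case "$(printf %s "$m" | cut -c6)" in
    s) out="$out setgid(x)" ;;  S) out="$out setgid(-)" ;;
  esac
  case "$(printf %s "$m" | cut -c9)" in
    t) out="$out sticky(x)" ;;  T) out="$out sticky(-)" ;;
  esac
  out=${out# }
  echo "${out:-none}"
}

# One octal digit -> its rwx triplet.
digit_to_rwx() {
  case $1 in
    0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
    4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
    *) return 1 ;;
  esac
}

# decode_octal 1777 -> "sticky rwxrwxrwx"
# A leading fourth digit is the abc group: a=setuid (4), b=setgid (2), c=sticky (1).
decode_octal() {
  mode=$1
  case $mode in
    [0-7][0-7][0-7][0-7]) special=$(printf %s "$mode" | cut -c1); perms=$(printf %s "$mode" | cut -c2-4) ;;
    [0-7][0-7][0-7])      special=0; perms=$mode ;;
    *) echo "bad octal mode '$mode'" >&2; return 1 ;;
  esac
  names=""
  [ $((special & 4)) -ne 0 ] && names="$names setuid"
  [ $((special & 2)) -ne 0 ] && names="$names setgid"
  [ $((special & 1)) -ne 0 ] && names="$names sticky"
  names=${names# }
  bits=""
  for i in 1 2 3; do
    bits="$bits$(digit_to_rwx "$(printf %s "$perms" | cut -c$i)")"
  done
  echo "${names:-none} $bits"
}

# Set the bit on a scratch directory (chmod 1777 is chmod 777 plus chmod o+t) and
# confirm that test -k and the ls -l letter agree; then drop the execute bit to
# see the capital T. Prints "yes" when every check passed.
sticky_demo() {
  d=$(mktemp -d) || return 1
  ok=yes
  chmod 1777 "$d"
  [ -k "$d" ] || ok=no
  [ "$(decode_mode_string "$(ls -ld "$d" | cut -c2-10)")" = "sticky(x)" ] || ok=no
  chmod 1666 "$d"
  [ "$(decode_mode_string "$(ls -ld "$d" | cut -c2-10)")" = "sticky(-)" ] || ok=no
  chmod 700 "$d" && rmdir "$d"
  echo "$ok"
}

decode_octal 1777
decode_mode_string rwxrwxrwt
echo "sticky bit round trip: $(sticky_demo)"
```

The rule from the text that "only the owner can delete" cannot be shown with a single account, so the script only verifies that the bit is set and displayed as described; checking it on a real directory is a one-liner, test -k /tmp.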

    • Linux directory read, execute and write permissions

Reading APUE today, I noticed that it says read permission and execute permission on a directory are different things; I had not paid much attention to this before, so I looked into it.

    • When a user has only read permission on a directory, the user can list the files in it (that is, ll can list the directory's contents) but cannot enter it (cd into the directory fails); so if the directory is part of a path the user needs to traverse, it cannot be passed through.
    • When a user has only execute permission on a directory, the user may enter it (cd into it works), because entering a directory requires execute permission on it. However, the user cannot list the files in it (ll gives no listing).
    • When the user has write permission, the user can add or delete files in the directory, subject to two prerequisites: 1. execute permission on the directory is also needed; 2. to delete files other than your own, the directory's sticky bit must not be set.

Here are a few things to summarize:

rwx === can enter the directory (x), can list the files in it (r), can add or delete files in it (w together with x)

rwt === can enter the directory, list its files, and add files; you can delete your own files but not other users' files

rw- === can list the files in the directory but cannot enter it (no execute permission), and cannot add or delete files in it, because adding or deleting files in a directory requires both write and execute permission. This combination is probably rare

r-x === a common combination. You can enter the directory and list its files, but cannot add or delete files in it

-wx === probably also uncommon. You can enter the directory and add or delete files in it, but cannot list its files

The remaining combinations, r--, -w-, --x and ---, are easy to analyze in the same way.
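The table above can be checked empirically. The script below is an added example, not from the original page: probe_dir (my own name) creates a private scratch directory with mktemp, sets the requested mode on a child directory, and reports whether the current user can list it (needs r), enter it (needs x) and create a file in it (needs w and x). It runs for the rwx, rw-, r-x, -wx and --- cases from the summary.

```shell
#!/bin/sh
# Added example (not from the original page): probe what a directory mode really
# lets the current user do. probe_dir and the scratch paths are my own names.

# probe_dir MODE -> "list=yes|no enter=yes|no create=yes|no"
probe_dir() {
  mode=$1
  base=$(mktemp -d) || return 1      # private parent, so nothing else is affected
  target=$base/d
  mkdir "$target"
  : > "$target/existing"             # something to list, made while we still have w+x
  chmod "$mode" "$target"

  list=no;   ls "$target" >/dev/null 2>&1         && list=yes    # needs r
  enter=no;  ( cd "$target" ) 2>/dev/null         && enter=yes   # needs x
  create=no; ( : > "$target/new" ) 2>/dev/null    && create=yes  # needs w AND x

  chmod 700 "$target"                # restore rights so cleanup can run
  rm -rf "$base"
  echo "list=$list enter=$enter create=$create"
}

# root bypasses all three checks (CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH), so the
# summary on the page describes an unprivileged user only.
for entry in "700 rwx" "600 rw-" "500 r-x" "300 -wx" "000 ---"; do
  set -- $entry
  echo "$2 ($1): $(probe_dir "$1")"
done
```

As an unprivileged user the output matches the summary line for line: rw- lists but neither enters nor creates, -wx enters and creates but does not list, and --- does nothing. Run as root every line reads yes, which is the reason permission reviews of shared directories have to be reasoned about per user rather than tested from a root shell.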
