/********************************************************************* * Author:samson * date:01/06/2015 * Test PL Atform: * 3.13.0-24-generic * GNU bash, 4.3.11 (1)-release * *********************************** ********************************/
The mechanism of file permissions is a feature of the Linux system, which is a basic privilege for beginners of Linux to be readable (r), writable (w), and executable (x). The permissions of a file are represented by 10 bits, divided into three groups. The first bit is a group that represents the type of file:
-: Indicates generic file
D: Represents a catalog file
L: Indicates a linked file
B: Represents a block device
C: Indicates a character device
P: Indicates pipeline
S: Indicates socket
But Linux also has three more special permissions, namely: Setuid,setgid,stick bit
If it is an executable file, at execution time, the file typically has only the permissions of the user who called the file. And setuid, Setgid can change this setting.
Setuid: Sets the permission to have the file owner in the execution phase of the file. The typical file is/usr/bin/passwd. If the file is executed by an average user, the file can be rooted during execution so that the user's password can be changed.
Setgid: This permission is valid only for the directory. After the directory is set, any user who creates the file in this directory has the same group as the group to which the directory belongs.
Sticky bit: This bit can be understood as an anti-delete bit. Whether a file can be deleted by a user depends primarily on whether the group to which the file belongs has write access to the user. Without write permissions, all files in this directory cannot be deleted and new files cannot be added. If you want users to be able to add files but cannot delete files at the same time, you can use the sticky bit bit for the files. When this bit is set, the file cannot be deleted even if the user has write access to the directory.
Let's talk about how to manipulate these flags:
The operation of these flags is the same as the command to manipulate the file permissions, both of which are chmod. There are two ways to do this,
1)
chmod U+s Temp--Adds the SETUID flag to the temp file. (setuid only valid for files)
chmod g+s tempdir--add setgid flag for TempDir directory (setgid only valid for directory)
chmod o+t Temp--Adds a sticky flag to the temp file (sticky only works on the file)
2) Adopt Octal method. The general file is marked by three octal digits, such as 666, 777, 644, and so on. If these special flags are set, a set of octal digits is added outside of this set of numbers. such as 4666, 2777 and so on. This set of octal digits three bits
The meaning is as follows,
Abc
A-setuid bit, if the bit is 1, the setting setuid 4xxx
B-setgid bit, if the bit is 1, the setting Setgid 2xxx
C-sticky bit, if the bit is 1, the setting sticky 1xxx
After you set these flags, you can use ls-l to view them. If these flags are present, they are displayed in the original execution flag position. Such as
rwsrw-r--indicates a setuid flag.
rwxrwsrw-indicates a setgid flag.
RWXRW-RWT indicates a sticky flag.
How to set special permissions for a file:
chmod u+s XXX # set setuid permissions
chmod g+s XXX # set Setgid permissions
chmod o+t XXX # set stick bit permissions for directory
chmod 4775 XXX # set setuid permissions
chmod 2775 XXX # set Setgid permissions
chmod 1775 XXX # set stick bit permissions for directory
So where did the original execution sign x go? The system specifies that if there is an X on the bit, these special flags are shown as lowercase letters (s, s, T). Otherwise, it is shown in uppercase letters (s, S, T)
GNU Linux Special Privileges-setuid, setgid, stick bit
