The permission flag is defined by three "bits:
- Setuid: set to grant the file owner permissions during execution. For example,/usr/bin/passwd. If a common user executes the file, the file can obtain the root permission during execution, so that the user's password can be changed.
- Setgid: this permission is only valid for directories. After the directory is set to this bit, any file created by the user in this directory has the same group as the group to which the directory belongs.
- Sticky Bit: This bit can be understood as a non-delete bit. Whether a file can be deleted by a user depends on whether the group to which the file belongs has the write permission for the user. If you do not have the write permission, all files in this directory cannot be deleted or new files cannot be added. If you want to add a file but cannot delete the file at the same time, you can use the sticky bit for the file. After this bit is set, the file cannot be deleted even if the user has the write permission on the directory.
Features of three Permissions
Sticky (example:/tmp directory)
① Sticky can only be applied to directories and other people.
② Only root and file owners can delete the file.
③ Lower case indicates that execution can be performed, and upper case indicates that execution cannot be performed.
SUID (example:/usr/bin/passwd directory)
① SUID can only be applied to binary files
② When SUID is applied to a file, anyone who executes the Command temporarily has the permissions of the file owner.
③ SUID can only be applied to the owner of a file.
④ Lower case indicates that execution can be performed, and upper case indicates that execution cannot be performed
SGID (the application environment shares resources with a group of developers to ensure security)
① SGID can be applied to files or directories.
② When the sgid is applied to a directory, anyone who establishes a sound file and directory owner in the directory belongs to the directory group
③ Apply to the owning group
④ When SGID is applied to a file, anyone who executes the file temporarily has the Group permission for the file
⑤ Lower case indicates executable, and upper case indicates reverse.
How to operate these labels
Operate these logos and operationsCompositionCommands with the same permissions are CHMOD. There are two ways to operate:
① Chmod U + S temp -- add the setuid flag to the temp file. (Setuid is only valid for files)
Chmod g + S tempdir -- add the setgid flag to the tempdir directory (setgid is valid for directories and files)
Chmod o + T temp -- add the sticky flag to the temp file (sticky is only valid for the file)
② Adopt the gossip mode. For general files, three Octal numbers are used to set the flag, such as 666,777,644. If these special signs are set, a group of Octal numbers, such as 4666 and 2777, are added to this group of numbers. The meanings of the three octal digits in this group are as follows,
ABC
A-setuid bit. If this bit is 1, setuid is set.
B-setgid. If this bit is 1, setgid is set.
C-Sticky Bit. If this bit is 1, sticky is set.
I am used to using the first method, but many times the File Permission expression is executed using numbers. Therefore, we recommend that you be familiar with both methods.
After setting these flags, you can use LS-L to view them. If these labels are available, they are displayed at the original execution mark position. For example
Rwsrw-r -- indicates that the setuid flag exists.
Rwxrwsrw-indicates that the setgid flag exists.
Rwxrw-rwt indicates sticky flag
So where did the original execution mark x go? The system stipulates that, if there is X in this bit, these special signs will be displayed as lowercase letters (S, S, T ). Otherwise, uppercase letters (S, S, T) are displayed)
Test:
Chmod 4644 file1
Chmod 6644 file1
Chmod 7644 file1