1. Special file permissions example
[root@host test]# ls -ld /bin/passwd /tmp/
-rwsr-xr-x. 1 root root 27832 Jun 2014 /bin/passwd
drwxrwxrwt. root root 247 Oct 22:17 /tmp/
2. Special permissions introduction: SUID, SGID, STICKY
Security context:
A process runs as a user: the process acts on behalf of the user who started it, so every operation it performs is done with that user's identity and permissions.
Permission matching model:
Check whether the owner of the process is the owner of the file being accessed; if so, apply the owner permissions. Otherwise, check whether the process owner belongs to the file's group; if so, apply the group permissions. Otherwise, apply the "other" permissions.
SUID:
By default the owner of a process is the user who started it, so the process runs with that user's identity.
SUID feature: when a user runs a program that has the SUID bit set, the resulting process runs not as the user who started it but as the owner of the program file.
SGID feature: when a directory has its SGID bit set and its group has write permission, every member of that group can create files and directories in it, and each new file or directory gets the directory's group rather than the creating user's primary group.
Manage SUID permissions: chmod u+s FILE
chmod u-s FILE
Manage SGID permissions: chmod g+s FILE
chmod g-s FILE
SUID display position: the owner's execute-permission bit. If the owner has execute permission it is displayed as lowercase "s"; if the owner does not have execute permission it is displayed as uppercase "S".
SGID display position: the group's execute-permission bit. If the group has execute permission it is displayed as lowercase "s"; if the group does not have execute permission it is displayed as uppercase "S".
[root@host test]# cp /bin/ls /tmp/test/sls
[root@host test]# ll sls
-rwxr-xr-x. 1 root root 117656 Oct 21:50 sls
[root@host test]# chmod u+s sls
[root@host test]# ll sls
-rwsr-xr-x. 1 root root 117656 Oct 21:50 sls
[root@host test]# su user
bash-4.2$ /tmp/test/sls -l sls
-rwsr-xr-x. 1 root root 117656 Oct 21:50 sls

[root@host tmp]# ls -ld test/
drwxrwxrwx. 2 user user Oct 21:50 test/
[root@host tmp]# chmod g+s test/
[root@host tmp]# ll -d test/
drwxrwsrwx. 2 user user Oct 21:50 test/
[root@host tmp]# su lily
bash-4.2$ touch file
bash-4.2$ ls -l /tmp/test/file
-rw-r--r--. 1 lily lily 6 Oct 22:08 /tmp/test1/lily    # test1 has no SGID bit, so the file keeps the creator's group
Sticky feature: in a group-writable or world-writable directory, every member of the group, or every user on the system, can create new files and can also delete any existing file. If the sticky bit is set on the directory, each user can still create new files but can delete only the files they own.
Note: on a default system the /tmp and /var/tmp directories have the sticky bit set.
Manage sticky permissions: chmod o+t FILE
chmod o-t FILE

Sticky display position: the execute-permission bit of other users. If other users have execute permission it is displayed as lowercase "t";
if other users do not have execute permission it is displayed as uppercase "T".
[root@host tmp]# mkdir sticky
[root@host tmp]# chmod o+t sticky/
[root@host tmp]# ls -ld sticky/
drwxrwxrwt. 2 root root 6 Oct 22:15 sticky/
[root@host tmp]# su lily
bash-4.2$ cd /tmp/sticky
bash-4.2$ touch lily
bash-4.2$ cd /tmp/sticky1
bash-4.2$ touch lily1
bash-4.2$ exit
[root@host tmp]# su lucy
[lucy@host tmp]$ cd /tmp/sticky
[lucy@host sticky]$ touch lucy
[lucy@host sticky]$ ll
total 0
-rw-r--r--. 1 lily lily 0 Oct 22:18 lily
-rw-rw-r--. 1 lucy lucy 0 Oct 22:21 lucy
[lucy@host sticky]$ rm lily
rm: remove write-protected regular empty file 'lily'? y
rm: cannot remove 'lily': Operation not permitted
[lucy@host sticky]$ cd /tmp/sticky1
[lucy@host sticky1]$ ll
total 0
-rw-r--r--. 1 lily lily 0 Oct 22:19 lily1
[lucy@host sticky1]$ touch lucy1
[lucy@host sticky1]$ ll
total 0
-rw-r--r--. 1 lily lily 0 Oct 22:19 lily1
-rw-rw-r--. 1 lucy lucy 0 Oct 22:23 lucy1
[lucy@host sticky1]$ rm lily1
rm: remove write-protected regular empty file 'lily1'? y
[lucy@host sticky1]$ ll
total 0
-rw-rw-r--. 1 lucy lucy 0 Oct 22:23 lucy1
Another way to manage special permissions: octal representation (0-7)
SUID  SGID  STICKY
2^2   2^1   2^0
4     2     1
The special-permission digit is placed in the highest (leftmost) position, for example: chmod 1777 file1
That is, one extra octal digit is added to the left of the usual three octal digits (owner, group, other).
umask is likewise four digits by default.
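As an added example (not part of the original notes), the POSIX sh functions below turn the symbolic mode string printed by ls -l into the four-digit octal form described above, applying the s/S and t/T rules from the SUID, SGID and sticky sections, and then use that to inventory files carrying SUID or SGID bits under a directory, which is the check an administrator runs to review what a system actually has set. The function names mode_to_octal and audit_special_bits are hypothetical; the test files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# mode_to_octal: convert an ls -l mode string such as -rwsr-xr-x to 4755.
# Accepts a 9-char permission string or a 10-char string with the file-type
# character, optionally followed by a trailing "." (SELinux) or "+" (ACL).
mode_to_octal() {
    m=${1%[.+]}                       # strip trailing "." or "+" marker
    [ ${#m} -eq 10 ] && m=${m#?}      # drop the leading file-type character
    [ ${#m} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    special=0; out=""; digit=0; i=0   # i = 0..8, index of the current character
    while [ -n "$m" ]; do
        c=${m%"${m#?}"}; m=${m#?}     # pop the first character of $m
        case $c in
            r) digit=$((digit + 4)) ;;
            w) digit=$((digit + 2)) ;;
            x) digit=$((digit + 1)) ;;
            s)                        # execute bit present plus SUID (owner) or SGID (group)
                digit=$((digit + 1))
                if [ $i -lt 3 ]; then special=$((special + 4)); else special=$((special + 2)); fi ;;
            S)                        # uppercase: special bit set, execute bit absent
                if [ $i -lt 3 ]; then special=$((special + 4)); else special=$((special + 2)); fi ;;
            t) digit=$((digit + 1)); special=$((special + 1)) ;;   # sticky with execute
            T) special=$((special + 1)) ;;                         # sticky without execute
            -) ;;
            *) echo "bad character '$c' in $1" >&2; return 1 ;;
        esac
        i=$((i + 1))
        if [ $((i % 3)) -eq 0 ]; then out="$out$digit"; digit=0; fi   # close one triad
    done
    printf '%s%s\n' "$special" "$out"
}

# audit_special_bits DIR: list regular files under DIR with SUID or SGID set,
# printing "<octal mode> <path>" so the output can be diffed against a baseline.
audit_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        mode=$(ls -ld "$f" | cut -d ' ' -f1)
        printf '%s %s\n' "$(mode_to_octal "$mode")" "$f"
    done
}

# Stand-alone demonstration on constructed files in a scratch directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/suid_demo"; chmod 4755 "$demo_dir/suid_demo"   # constructed SUID file
: > "$demo_dir/plain";     chmod 644  "$demo_dir/plain"        # constructed ordinary file
mode_to_octal -rwsr-xr-x      # the /bin/passwd mode from the first example
audit_special_bits "$demo_dir"
rm -rf "$demo_dir"
```

On a real system the directory argument would be / (or a mount such as /usr), and the output compared with the previous run; a new entry means a SUID or SGID bit appeared that should be explained.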
3. FACL: file access control lists
An additional authorization mechanism for files:
on top of the original u/g/o layer, it lets an ordinary user (the file owner) grant permissions to other specific users or groups.
To view the FACL of a file:
getfacl [-aceEsRLPtpndvh] file ...
getfacl [-aceEsRLPtpndvh] -
For example:
[root@host tmp]# getfacl aaa
# file: aaa
# owner: root
# group: root
user::rw-
group::r--
other::r--
To set the FACL of a file:
setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...
setfacl --restore=file
setfacl -m u:username:mode FILE
setfacl -m g:groupname:mode FILE
For example:
[root@host test]# setfacl -m u:user:rwx a.dan
[root@host test]# getfacl a.dan
# file: a.dan
# owner: root
# group: root
user::rw-
user:user:rwx
group::r--
mask::rwx
other::r--
To remove a FACL entry from a file:
setfacl -x u:username FILE
setfacl -x g:groupname FILE
For example:
[root@host test]# setfacl -x g:root b.dan
If a FACL is set on a file, ls -l shows a "+" after the permission string:
[root@host test]# ll
total 0
-rw-r--r--. 1 basher basher 0 Oct 21:28 abfstab.dan
-rw-rwxr--+ 1 root root 0 Oct 21:28 a.dan
Security context when a FACL is present:
first check whether the process owner is the file owner, then check the named-user FACL entries;
then check the owning group, then check the named-group FACL entries;
and finally check other.
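To make the matching order above concrete, here is an added example (not part of the original notes) that parses getfacl output and decides which entry applies to a given user and group list, in the order the notes give: owner, named user, then the owning group and named groups, then other. It also applies the mask entry, which under POSIX ACLs limits named users, the owning group and named groups but not the owner or other; and when a user matches several group entries the example unions them, since an ACL grants a permission if any matching group entry contains it. The sample ACL text is constructed (the page's a.dan output with a named group and a restrictive mask added), and the function names acl_resolve and SAMPLE_ACL are hypothetical.

```shell
#!/bin/sh
# Constructed getfacl output: the page's a.dan example plus a named group
# entry and a mask that drops execute, so masking is visible.
SAMPLE_ACL='# file: a.dan
# owner: root
# group: root
user::rw-
user:lily:rwx
group::r--
group:devs:rw-
mask::rw-
other::r--'

# acl_resolve ACL_TEXT USER "GROUP ..." prints "<which entry> <effective perms>".
acl_resolve() {
    printf '%s\n' "$1" | awk -v user="$2" -v groups="$3" '
        # AND the entry permissions with the mask, character by character
        function masked(p,    i, o, c, m) {
            if (mask == "") return p
            o = ""
            for (i = 1; i <= 3; i++) {
                c = substr(p, i, 1); m = substr(mask, i, 1)
                o = o ((c != "-" && c == m) ? c : "-")
            }
            return o
        }
        # OR two permission strings (access is granted if any matching group entry grants it)
        function union(a, b,    i, o) {
            if (a == "") return b
            o = ""
            for (i = 1; i <= 3; i++)
                o = o (substr(a, i, 1) != "-" ? substr(a, i, 1) : substr(b, i, 1))
            return o
        }
        /^# owner:/ { owner = $3; next }      # "# owner: root"
        /^# group:/ { ogroup = $3; next }     # "# group: root"
        /^#/ || /^$/ { next }                 # other comment lines and blanks
        {
            sub(/[ \t]*#.*$/, "")             # drop a trailing "#effective:..." annotation
            split($0, f, ":")                 # type:qualifier:perms
            if (f[1] == "mask")  { mask = f[3]; next }
            if (f[1] == "user")  { if (f[2] == "") uperm = f[3]; else nuser[f[2]] = f[3] }
            if (f[1] == "group") { if (f[2] == "") gperm = f[3]; else ngroup[f[2]] = f[3] }
            if (f[1] == "other") operm = f[3]
        }
        END {
            if (user == owner) { print "owner " uperm; exit }          # owner entry, not masked
            if (user in nuser) { print "user:" user " " masked(nuser[user]); exit }
            ng = split(groups, garr, " "); acc = ""
            for (i = 1; i <= ng; i++) {                                # owning group and named groups
                g = garr[i]
                if (g == ogroup)  acc = union(acc, masked(gperm))
                if (g in ngroup)  acc = union(acc, masked(ngroup[g]))
            }
            if (acc != "") { print "group " acc; exit }
            print "other " operm                                       # other entry, not masked
        }'
}

# Stand-alone demonstration with constructed users and group memberships.
acl_resolve "$SAMPLE_ACL" root "root"          # owner rw-
acl_resolve "$SAMPLE_ACL" lily "lily devs"     # user:lily rw-  (rwx cut to rw- by the mask)
acl_resolve "$SAMPLE_ACL" lucy "lucy root devs" # group rw-     (root r-- OR devs rw-)
acl_resolve "$SAMPLE_ACL" bob  "bob root"      # group r--
acl_resolve "$SAMPLE_ACL" eve  "eve"           # other r--
```

The same logic explains why setfacl -m u:user:rwx on the page produced a mask of rwx: setfacl recomputes the mask so the new entry is not silently cut down, which is also why a later chmod g-w on such a file changes the mask rather than the group entry.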
Introduction to special permissions for files on Linux systems