L016-linux System file permission system actual combat in-depth explanation section

Source: Internet
Author: User

L016-linux System file permission system actual combat in-depth explanation section

Do not know if I can finish the book today, I could write the issue is this week two times the summary, there is progress, oh, but L015 and L016 two lessons are really not much, into the topic

The previous lesson learned chmod, chown, umask, relative to the comparative basis of the command, then this section will contact these two commands, although the teacher also said, not used!

Setuid and Setgid

First, setuid

Let's take a look at how to check if a file has setuid properties and then summarize his functionality.

[[email protected] ~]# ls-l  ' which passwd '-rws130768   /usr/bin/passwd

Look closely, see the yellow background of s ? This is Setuid's mark, so you might ask, what about the original x? There is x for S, no x for S, or case.

Direct Summary:

1) The user corresponding to the first three x-bit if there is a s on the suid. When there is no X on the X-position, suid is S.

2)The setuid bit is a program or command that allows a normal user to run a root (or other) user's role only if the root (or other) account is running, or a program command corresponds to a file that does not have permission to operate. (Note the difference between Su and sudo)

It may be difficult to understand the text directly, so here is an example to understand:

Deepen understanding by setting Suid to RM commands

First use the traditional method to solve (sudo)

1) using sudo
Sudo is one way to learn (Imperial sword)
System administrator: Root
General Account: Oldboy

I want to delete test.txt on the Oldboy account.

[[Email protected] oldboy]$ RM-f test.sh rm:cannot remove ' test.sh': Permission denied        //mom, right Limited enough

This is because our average user does not have the "RM" permission, so we can add the "rm" command to sudo:

[Email protected] oldboy]# Visudo

After entering the Visudo configuration file, go to line 89th (89GG)

Oldboy  all= (All)       nopasswd:all,/bin/RM joined as /bin/rm (absolute path of RM)

Then save the exit and try again

[[email protected] oldboy]$ sudo rm-f test.sh     // successful removal, wood problem

2) Start using setuidNow (new method, more extensive application)

System administrator: Root
General Account: Oldboy

I want to delete test.txt on the Oldboy account.

[[Email protected] oldboy]$ RM-f test.sh rm:cannot remove ' test.sh': Permission denied        //mom, right Limited enough

Insufficient authority, what authority is not enough? It's important to note that it has nothing to do with the file, it has to do with your orders.
Delete with "rm" command, then check the permissions of this RM

[[email protected] oldboy]# ll ' which Rm|tail-1'    //used to tail because which RM has two rows of results, ll can only show one, so use tail -1 shows the last line.  157440   /bin/rm

As can be seen from the above because Oldboy is a normal user, no delete permissions. So what's the order? Yes, that's setuid.

To grant RM setuid permissions with Root:

[Email protected] oldboy]# chmod u-s ' which RM | Tail-1| Tail-1'157440   /bin/rm    //  From this we can see that the X-bits of the owner become S.

After setting up, we use Oldboy account to delete test.sh

OK delete successfully

Then let's take another bar:

Suid Knowledge Section: Suid modifies the executed command, not the target file to be processed

[Email protected] oldboy]# chmod u+10: test.sh

The following paragraph is important:

From the RM information can be seen in the RM command file is the owner is root, that is, RM has setuid permissions, other ordinary users use RM is the corresponding root of the RM command permissions, if the owner of the RM is Oldboy, Then the permissions that other users use RM are those that correspond to the oldbo to the RM command. This must be clear.

So, if you want to know what commands in the system have SUID permissions?

4755    // Perm is the parameter of the Find command Riga permission /usr/bin/crontab/usr/bin/chage/usr/bin/pkexec/usr/bin/ passwd/usr/bin/gpasswd/usr/bin/newgrp/usr/bin/at

can also be so, clearer and more intuitive

[Email protected] ~]# find/usr/bin/-type f-perm4755-exec LS-l {} \; -rwsr-xr-x.1Root root51784Nov at   -/usr/bin/crontab-rwsr-xr-x.1Root root66352Dec8   ./usr/bin/chage-rwsr-xr-x.1Root root27576Sep -   -/usr/bin/pkexec-rwsr-xr-x.1Root root30768Feb A   -/usr/bin/passwd-rwsr-xr-x.1Root root71480Dec8   ./usr/bin/gpasswd-rwsr-xr-x.1Root root36144Dec8   ./usr/bin/Newgrp-rwsr-xr-x.1Root root54240Jan -   -/usr/bin/at

Overall conclusion:
1) Suid modifies the execution of the command, rather than processing the target file.

2) only valid for binary command programs or programs, not on similar script files like shell (because shell scripts only call binaries, so specific permissions need to look at the binary command itself).

3) binary commands or programs need to have executable permissions x.

4) suid permissions are only valid during program execution.

5) Any system user who executes the command can obtain the permissions of the owner during the program's execution of the program's command

6) Suid is a double-edged sword, which has a certain threat to the system security. System suid useless function cancel suid right (security optimization)

Second, Setgid

Unlike Sgid, Sgid can be set for files as well as for directories! Sgid is modified for user group permissions.

Sgid Knowledge Section
For files, the Sgid function is as follows:
1) Sgid is valid only for binary command programs.
2) Binary command or program requires executable permission X.
3) The person who executes the program can obtain the permissions of the group to which the command program is executed.

For the directory: Sgid functions as follows:
Users create files and directories under this directory, with the same user group as the secondary directory.
Setgid bits are primarily used in the directory, and when the Setgid bit is set for a directory, the newly created file in that directory has owner permissions for that directory, not the default owner of the user who created the file, making it easy to share files among multiple users in the directory. Tip: Use octal number 2000 to indicate the Setgid permission bit.

Above, we put setuid and setgid respectively do summary and explanation, below we put setuid and setgid together, see their differences:

Command form difference: suid is for user sgid for user group

Setuid and setgid Setup instructions:
Special permission bit number permission (octal) method
Setuid bit is set with octal 4000,setgid occupy the octal 2000, for example, we said earlier Chmod 4755/bin/rm is the set of setuid bit;

Setuid Setup Method:

4755 /bin/rm    // set RM permissions to 4755, set the setuid bit well. is a 4

Another way:

[Email protected] admins]# chmod u+s/bin/rm

Setgid Setup Method:

2755 /home/admins/    // Set the admins directory permissions to 2755, the Setgid set, is a 2

Another way:

[Email protected] admins]# chmod g+s/home/admins/

Another situation
If you need to set setuid and setgid at the same time, you can set to 6:


Priority relationship: SUID priority is higher than sgid

Third, sbit sticky bit

Sticky bits appear as T in permissions, with execute permission displayed as T, which is displayed in other user rights
So what is sticky bit?
The sticky bits in the system are the TMP in the root directory (the classic sticky bit directory), and after the sticky bit, the children of each user group can create files in the directory, and everyone can only manage the things they create, others are unable to operate.

TMP is a classic sticky directory, especially, who have write permission, so security is problematic, often trojan first-hand springboard location.

Special permissions for the corresponding numbers:
SUID 4000 S
Sgid s
Sticky bit: t

// set Suid,sgid and sbit at the same time

In fact, if you want to set it up at the same time, add them.

Iv. relationship of file attributes and file system attributes

Chattr and Lasttr

These two commands in the previous Linux system optimization, when it was talked about using ' +i ' and '-i ' parameters to lock the command to unlock, play a system of protection, then this lesson, the main thing is ' +a ' and '-a ' parameters, let's look at it in detail below.

Chattr +i

Use chattr +i to lock the command file so that the file cannot be deleted, renamed, linked, and cannot be written or added. The I parameter is useful for file system security settings.

Chattr +a

A: Append, after setting this parameter, can only add data to the file, not delete, more for the server log file security, only root can set this property.

Let's do a sample:

+>>> Ceshi.txt      // Replace all, prompt without permission-bash:ceshi.txt:operation not Permitted

Through the interview example can be understood that everyone can fill in a file, but modify what is still forget, no right!


As for lsattr nature is the query set permissions of the file directory

[Email protected] home]# lsattr        // at a glance -------------E./lll-----a-------E./  Ceshi.txt-------------E./www-------------e./oldgirl-------------E./KKK----- --------E./o.txt-------------E./test-------------E./Oldboy-------------E./ MySQL-------------e./Apache-------------E./oldsister-------------E./admins

Finally, you can take a look at this article, written very comprehensive: http://www.ha97.com/5172.html

Setfacl and Getfacl

To make a file corresponding to a user right, exclusive

The teacher said that this use is very little, so skip, know what it is to do with the can. The Lord knows what he can do.

For Suid and Sgid, work as far as possible, use sudo to manage, if possible we want to find the system useless suid bit command, etc., to remove. SS are Suid,sgid (user bit), Sgid (user group bit), and x coincide, that is, the lowercase letter s is displayed.

L016-linux System file permission system actual combat in-depth explanation section

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.