Linux file permissions: the forced bit and the sticky (adventure) bit in detail
In Linux, besides the read, write and execute permissions, files carry two kinds of special permission: the forced bit (setuid and setgid) and the sticky bit (called the "adventure bit" in this article).
In Linux, file permissions are laid out as follows (in Linux a directory is also a file):

forced/sticky | user | group | others
--------------+------+-------+-------
    s s t     | rwx  | rwx   | rwx
Here we explain the forced bit and the sticky bit.
The forced bit comprises setuid and setgid, which are used mainly on files and directories.
The sticky bit is used only on directories, mostly shared directories.
Setuid (shown as an s in the x position of the user (u) triplet) can only be set on files.
Effect on files:
By default, when a user executes a command, the resulting process runs as that user. When SUID is set on a file, every user who executes it runs it with the permissions of the file's owner. In other words, users who would not otherwise be permitted to do what the file does can still execute it.
Setgid (shown as an s in the x position of the group (g) triplet) can only be set on directories.
Effect on directories:
By default, a file created by a user belongs to that user's current group. After SGID is set on a directory, every file created in it, by anyone, belongs to the directory's group, while the file's owner remains the user who created it.
Sticky (shown as a t in the x position of the others (o) triplet) can only be set on directories.
Effect on directories:
By default, if a directory grants others the w and x permissions, anyone can create and delete files in it. Once the sticky bit is set on the directory, only the file's owner, the directory's owner and the system administrator can delete a file; other users cannot.
Note: setting the sticky bit directly on a file has no effect. The sticky bit must be set on the directory.
Forced bit and sticky bit:
The forced bit and the sticky bit occupy the execute permission position. The forced bit is shown as S or s, the sticky bit as T or t. If the position already has execute permission, the forced or sticky bit is shown in lowercase; otherwise it is shown in uppercase. That is:
S: this position has no x bit    s: this position has the x bit
T: this position has no x bit    t: this position has the x bit
Note: an uppercase S in the forced bit position means execute permission is not set there. Such a suid setting is useless and can be ignored.
Setting the forced bit and the sticky bit
1: Set the forced bit and the sticky bit with + and -
Set uid:   # chmod u+s filename
           # chmod u-s filename   (removes the setuid bit from the file)
Set gid:   # chmod g+s filename
Sticky:    # chmod o+t dir
2: Set the forced bit and the sticky bit numerically, by placing an extra digit in front of the three read/write/execute digits:
4 (setuid)   2 (setgid)   1 (sticky)
# chmod 4---  file       set setuid on a file
# chmod 2---  directory  set setgid on a directory
# chmod 1---  directory  set sticky on a directory
# chmod 6---  dir/file   set both setgid and setuid on a directory or file
(--- stands for the three usual rwx digits.)
Note: the chmod command performs no sanity checks. It will grant any permission to a file where that permission is pointless, and it does not validate the resulting combination, so a file can carry execute permission without actually being a runnable program or script.
SUID example:
By default every user can use the ping command. Yet if you look at the file that holds the ping command, its owner and group are both root, so you would expect only root to be able to execute it; in fact all users can. This is because the x position of the user triplet of the ping file carries an s.
# ping -c 4 www.bkjia.com
If the suid bit is removed, other users can no longer use the command:
# chmod u-s /bin/ping
# su - bkjia
$ ping -c 4 www.bkjia.com
ping: icmp open socket: Operation not permitted
In this example, the forced bit on the command file lets any user who executes the command run the resulting process as the file's owner (or, for setgid, its group). It also shows that without the s permission an ordinary user cannot use this command.
SGID example:
A group develops a project together and keeps all project files in one directory. Setting SGID on that directory makes every newly created file belong to the same group. The directory's permissions can then be set so that members can see the files created by other users.
STICKY example:
If a group develops a project together and the sticky bit is set on the project directory, every group member can create files in it, but each member can delete only the files they created themselves (root excepted). This protects users' files in the directory.
Others:
Find setuid files in the current directory:
# ls -l | grep '^...s'
Find files that are both setuid and setgid:
# ls -l | grep '^...s..s'
(These patterns match only a lowercase s, that is, a bit that is accompanied by execute permission; a useless uppercase S is not matched.)
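As an added example (not part of the original article), here is a small shell helper that applies the S/s and T/t rule above to an ls -l style mode string, reports whether each special bit is effective or useless, converts the string to the four-digit numeric chmod form, and lists the setuid/setgid files under a directory for review. The function names and sample mode strings are constructed for this example.

```shell
#!/bin/sh
# decode_mode: take a mode string as printed by ls -l (or stat -c %A), e.g.
# "-rwsr-xr-x" for ping or "drwxrwxrwt" for /tmp, and print
#   setuid=<on|off|useless> setgid=<...> sticky=<...> octal=<NNNN>
# on      = lowercase s/t: bit set and the x bit is present
# useless = uppercase S/T: bit set but the x bit is missing (the article's useless suid)
# off     = bit not set
decode_mode() {
    m=$1
    [ ${#m} -ge 10 ] || { echo "bad mode string: $m" >&2; return 1; }
    # characters 4, 7 and 10 are the execute positions of user, group and others
    u=$(printf '%s\n' "$m" | cut -c4)
    g=$(printf '%s\n' "$m" | cut -c7)
    o=$(printf '%s\n' "$m" | cut -c10)
    special=0
    case $u in s) suid=on;    special=$((special+4));; S) suid=useless;   special=$((special+4));; *) suid=off;;   esac
    case $g in s) sgid=on;    special=$((special+2));; S) sgid=useless;   special=$((special+2));; *) sgid=off;;   esac
    case $o in t) sticky=on;  special=$((special+1));; T) sticky=useless; special=$((special+1));; *) sticky=off;; esac
    # the three rwx triplets become the last three octal digits; a lowercase
    # s or t in the x position still counts as execute, an uppercase one does not
    octal=$special
    for triplet in "$(printf '%s\n' "$m" | cut -c2-4)" \
                   "$(printf '%s\n' "$m" | cut -c5-7)" \
                   "$(printf '%s\n' "$m" | cut -c8-10)"; do
        d=0
        case $triplet in r??)     d=$((d+4));; esac
        case $triplet in ?w?)     d=$((d+2));; esac
        case $triplet in ??[xst]) d=$((d+1));; esac
        octal="$octal$d"
    done
    echo "setuid=$suid setgid=$sgid sticky=$sticky octal=$octal"
}

# audit_special_bits: list every regular file with setuid or setgid set below
# a directory (default /), decoded so that useless uppercase bits stand out.
audit_special_bits() {
    dir=${1:-/}
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null |
    while read -r mode rest; do
        printf '%s  %s\n' "$(decode_mode "$mode")" "$rest"
    done
}
```

Run as `decode_mode "$(stat -c %A /bin/ping)"` to check a single file, or `audit_special_bits /usr` to review a tree.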