Linux file permissions: besides read, write and execute there are the special "force bits" (setuid and setgid) and the "adventure bit" (the sticky bit).
The permission layout of a file in Linux is as follows (a directory in Linux is also a file):

    Force/Adventure | User | Group | Other
    ----------------+------+-------+------
    S S T           | rwx  | rwx   | rwx
    (setuid, setgid, sticky)
Here is an explanation of the force bits and the adventure bit.
Force bits: setuid and setgid, used on executable files and on directories.
Adventure bit: sticky, used only on directories, mostly shared directories.
Setuid (shown as an s in the x position of the user triplet) is meaningful only on files.
Effect on a file:
By default, a command runs as the user who executed it. When the setuid bit is set on an executable, every user who runs it gets a process whose effective user ID is the file's owner, so a user can perform an action that their own account is not allowed to perform. Two caveats: the Linux kernel honours setuid only on binaries and ignores it on interpreted scripts (the interpreter would just run as the caller), and a filesystem mounted with the nosuid option ignores the bit entirely.
Setgid (shown as an s in the x position of the group triplet) can be set on both files and directories.
Effect on a file: like setuid, but the process runs with the file's group as its effective group ID.
Effect on a directory:
By default, a file a user creates belongs to the group the user is currently in (the primary group, or the one chosen with newgrp). Once setgid is set on a directory, every file anyone creates inside it belongs to the group of the directory, while the owner is still the user who created it. Subdirectories created inside it inherit the setgid bit as well.
Sticky (shown as a t in the x position of the other triplet) is only meaningful on directories.
Effect on a directory:
By default, if a directory gives w and x to other, anyone can create and delete files in it, including files owned by somebody else. Once the adventure bit is set on the directory, only the owner of a file, the owner of the directory, and the system administrator can delete or rename that file; other users cannot.
Note: setting the adventure bit on a regular file has no effect on Linux; it must be set on the directory that holds the files.
How the force bits and the adventure bit are displayed:
They are shown in the execute position of the corresponding triplet. The force bits appear as s or S, the adventure bit as t or T. If the execute bit in that position is also set, the letter is lowercase; otherwise it is uppercase. That is:
s: setuid/setgid is set and the x bit in that position is set
S: setuid/setgid is set but the x bit in that position is not set
t: sticky is set and the x bit for other is set
T: sticky is set but the x bit for other is not set
Note: an uppercase S in a force bit position means the corresponding execute bit is not set, so that setuid/setgid setting does nothing; treat it as a useless (usually accidental) setting.
Setting the force bits and the adventure bit
1: with + and -
Set setuid:    # chmod u+s filename
Remove it:     # chmod u-s filename
Set setgid:    # chmod g+s filename
Set sticky:    # chmod o+t dir
2: numerically, by putting a fourth digit in front of the three read/write/execute digits (add the values together to set more than one):
4 (setuid)  2 (setgid)  1 (sticky)
# chmod 4755 file          sets setuid (755 is the usual rwx part)
# chmod 2755 directory     sets setgid
# chmod 1777 directory     sets sticky
# chmod 6755 file/dir      sets setuid and setgid (4+2)
Note: chmod does not check whether the combination of permissions you set makes sense; it will give execute or setuid to any file at all. A file with execute permission is therefore not necessarily a program or a script, and a setuid bit without the matching execute bit (displayed as S) does nothing.
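The following shell script is an added example, not part of the original article: it applies the symbolic and numeric chmod forms described above to a file and a directory inside a temporary directory (created with mktemp, an assumption about the environment) and reads the result back from the mode field of ls -l, so the lowercase/uppercase display rule can be seen on real files rather than in a table.

```shell
#!/bin/sh
# Added example (not from the original article): set the setuid, setgid and
# sticky bits with chmod and read them back from the first column of ls -l.
# Assumes a POSIX sh, ls, chmod and mktemp, and a writable temp directory.

# mode_string PATH -> the 10-character type+permission field of `ls -ld PATH`
# (cut -c1-10 drops a trailing "." or "+" that ACL/SELinux-aware ls may add)
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# describe_special MODE -> names the special bits found in a mode string such
# as "-rwsr-xr-x". Uppercase S/T means the bit is set but the execute bit in
# the same position is missing, so a setuid/setgid shown as S does nothing.
describe_special() {
    m=$1
    out=""
    case $m in                       # 4th character: user execute position
        ???s*) out="${out}setuid " ;;
        ???S*) out="${out}setuid(no-x) " ;;
    esac
    case $m in                       # 7th character: group execute position
        ??????s*) out="${out}setgid " ;;
        ??????S*) out="${out}setgid(no-x) " ;;
    esac
    case $m in                       # 10th character: other execute position
        ?????????t*) out="${out}sticky " ;;
        ?????????T*) out="${out}sticky(no-x) " ;;
    esac
    out=${out% }                     # drop the trailing separator
    printf '%s\n' "${out:-none}"
}

# set_and_read MODE PATH -> run chmod MODE on PATH, then print the new mode string
set_and_read() {
    chmod "$1" "$2" && mode_string "$2"
}

# Walk through the chmod forms from the article on a scratch file and directory
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/prog"
    mkdir "$d/shared" "$d/scratch"
    set_and_read 755  "$d/prog"       # -rwxr-xr-x  plain executable
    set_and_read u+s  "$d/prog"       # -rwsr-xr-x  setuid, lowercase s
    set_and_read 4644 "$d/prog"       # -rwSr--r--  setuid without x: uppercase S
    set_and_read 6755 "$d/prog"       # -rwsr-sr-x  setuid + setgid (4+2)
    set_and_read 2775 "$d/shared"     # drwxrwsr-x  setgid directory
    set_and_read 1777 "$d/scratch"    # drwxrwxrwt  sticky, lowercase t
    set_and_read o-x  "$d/scratch"    # drwxrwxrwT  sticky without o+x: uppercase T
    describe_special "$(mode_string "$d/prog")"
    rm -rf "$d"
}

demo
```

The script only sets and displays bits; it never executes the scratch file, so it is safe to run as an ordinary user. Symbolic modes (u+s, o-x) change one bit and leave the rest alone, while a four-digit numeric mode on a file replaces all twelve bits at once, which is why `chmod 4644` silently drops the execute bit and produces the useless uppercase S.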
suid example:
By default every user can run ping. Looking at the file behind the ping command with ls -l, its user and group are root, which at first glance means only root could run it, yet in practice every user can. The reason is that the execute position of the ping file carries an s (setuid), so the program runs as root, which it needs in order to open a raw ICMP socket:
# ping -c 4 www.doiido.com
If you remove the setuid bit, other users can no longer use the command:
# chmod u-s /bin/ping
# su - doiido
$ ping -c 4 www.doiido.com
ping: icmp open socket: Operation not permitted
In this example the force bit on the command file lets a user run the command as the file's owner (setuid) or owning group (setgid). It also shows that once the s is gone, a command that needs privileges cannot be used by a normal user. Caveat: many current distributions no longer ship ping setuid; they give it the cap_net_raw file capability (check with getcap) or rely on unprivileged ICMP sockets, so ls -l on your ping may show no s while the command still works.
Sgid example:
A team develops a project together and keeps all project files in one directory. Setting setgid on that directory makes every file any member creates belong to the directory's group. Then set the directory permissions so that every member can see the files created by the others (group rwx on the directory; the members' umask decides whether the files themselves are group-readable).
Sticky example:
If a team develops a project together and the sticky bit is set on the shared directory, every member can create files in it, but each member can only delete (or rename) the files they created themselves (root excepted), which protects each user's files in the directory.
Other:
Find setuid files in the current directory (the s of setuid is the 4th character of the ls -l mode field; this pattern deliberately skips the useless uppercase S):
# ls -l | grep '^...s'
Find files with both setuid and setgid:
# ls -l | grep '^...s..s'
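Grepping the ls -l output only covers one directory and depends on the display letters. The following added example, not from the original article, uses find(1) with -perm to test the permission bits directly, which is how the whole filesystem is audited for setuid/setgid binaries; the temporary tree it builds is constructed for the demonstration and the file names in it are made up.

```shell
#!/bin/sh
# Added example (not from the original article): locate setuid/setgid files
# and sticky directories with find(1), checking the mode bits themselves.
# Only POSIX find options are used; run the finders against / to audit a
# real system (e.g. find_setuid /).

# find_setuid DIR -> regular files under DIR with the setuid bit (4000) set
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# find_setgid DIR -> regular files under DIR with the setgid bit (2000) set
find_setgid() {
    find "$1" -type f -perm -2000 2>/dev/null
}

# find_setuid_and_setgid DIR -> files carrying BOTH bits (-perm -6000 means
# "all of these bits are set", so a setuid-only file is not matched)
find_setuid_and_setgid() {
    find "$1" -type f -perm -6000 2>/dev/null
}

# find_sticky_dirs DIR -> directories under DIR with the sticky bit (1000) set
find_sticky_dirs() {
    find "$1" -type d -perm -1000 2>/dev/null
}

# count_lines FUNC DIR -> number of entries FUNC reports under DIR
count_lines() {
    "$1" "$2" | wc -l | tr -d ' '
}

# Build a constructed tree with every case and run the finders over it
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin" "$d/tmp" "$d/proj"
    : > "$d/bin/su_like";  chmod 4755 "$d/bin/su_like"   # setuid only
    : > "$d/bin/sg_like";  chmod 2755 "$d/bin/sg_like"   # setgid only
    : > "$d/bin/both";     chmod 6755 "$d/bin/both"      # setuid + setgid
    : > "$d/bin/dead";     chmod 4644 "$d/bin/dead"      # setuid, no x (ls shows S)
    chmod 1777 "$d/tmp"                                  # sticky directory
    chmod 2775 "$d/proj"                                 # setgid directory

    echo "setuid files:";   find_setuid "$d"              # su_like, both, dead
    echo "setgid files:";   find_setgid "$d"              # sg_like, both
    echo "setuid+setgid:";  find_setuid_and_setgid "$d"   # both
    echo "sticky dirs:";    find_sticky_dirs "$d"         # tmp
    rm -rf "$d"
}

demo
```

Note that find reports the file "dead" as setuid even though the bit is useless without execute permission; when auditing, compare the find output with ls -l and treat uppercase S entries as misconfigurations to clean up rather than as privilege boundaries.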