Linux file Special permissions SUID SGID sbit

Files in addition to the general permissions R, W, X also have some special permissions, S and T permissions, the specific use of the following

　　1 SetUID

When s this flag appears on the file owner's X-permission, such as/USR/BIN/PASSWD,

[Email protected] ~]# ll-d/usr/bin/passwd
-rwsr-xr-x. 1 root root 30768 Feb 2012/usr/bin/passwd

The permission state for this file is-rwsr-xr-x at this time called the set UID abbreviation SUID special permissions. So what is the special function of SUID permissions for a file?

SUID is only valid for binary programs;

Performer must have X executable permission for the program;

This permission is valid only in the process of executing the procedure;

The performer will have the permission of the owner of the program;

For example, in our Linux system, the passwords for all accounts are recorded in the/etc/shadow file, which has the permissions of----------1 root root 1401 June 16:17/etc/shadow, meaning this file is only rooted Can be forced to write. Since this file can only be changed by root, will other accounts be able to modify their own passwords? Obviously it is possible, the result is not very conflict!

On the surface/etc/shadow can only be the root force modification, the general user can not access, why the general user can also modify the password in this file? This is the function of suid,

• The ordinary user has X permission for/USR/BIN/PASSWD, it can execute passwd this command;
• passwd the owner of this command is root;
• The ordinary user executes the passwd process, will "temporarily" obtain the root authority;
• The normal user can modify the/etc/shadow when the passwd command is temporarily given root privileges

Can a normal user read a/etc/shadow when they execute the cat command? Obviously not, because cat does not have SUID permissions.

In addition, the suid can only be used on a binary program, not enough on the shell script.

2 Set GID

When the S-flag is in the file owner's X project for suid, that s is called the set GID at the user's X-SGID. Give an example to illustrate

[Email protected] ~]# ls-l/usr/bin/locate
-rwx--s--x. 1 root slocate 38464 Oct 2012/usr/bin/locate

/usr/bin/locate This program can go to query/var/lib/mlocate/mlocate.db the content of this file, because they belong to the same user group, if we use a regular account execution locate, then this account can be obtained slocate User group, so it can access the contents of the Mlocate.db

[Email protected] ~]# ll/usr/bin/locate/var/lib/mlocate/mlocate.db
-rwx--s--x. 1 root slocate 38464 Oct 2012/usr/bin/locate
-rw-r-----1 root slocate 4028188 June 03:13/var/lib/mlocate/mlocate.db

Unlike Suid, Sgid can be set for files or directories. If it is for files, Sgid is similar to suid

• SGID is only useful for binary programs;
• The program executor must have x permission for the program;
• The performer receives the support of the program User group during the execution;

In addition to the binaries, sgid can be used in the directory, and after a directory has been set Sgid, has the following functions:

• If the user has X and R permissions for this directory, the user can enter this directory;
• The user's valid user group in this directory will become the user group of that directory;
• If the user has W permissions in this directory, then the user group of the new file created by the user is the same as the user group of this directory;

　　3 Sticky Bit

The Sticky Bit is valid only for the directory, and its role for the directory is:

• When the user has W, x permissions for this directory;
• When a user creates a file or directory under that directory, only himself and Root have the right to delete the file;

For example, the right of/TMP itself is DRWXRWXRWT such that anyone can add, modify the file in/TMP, but only the file/directory creator and Root can delete their own directories or files, this feature is very important.

4 Suid/sguid/sbit permission settings

How to configure the file or directory so that it has suid and Sgid permissions, we can configure the permission with a number in front of the previous configuration R, W, X.

• 4 for Sguid
• 2 for Sgid
• 1 for Sbit

For example, if a file permission is changed to "-rwsr-xr-r", because S is in user rights, so is suid, before the original base 755 plus 4, chmod 4755 filename

Linux file Special permissions SUID SGID sbit