Linux mandatory bit and adventure bit introduction SUID SGID STICKY

Source: Internet
Author: User

Linux, file permissions in addition to read, write, execute, there is a mandatory bit and the special privilege of the adventure bit

The permissions for the files in Linux are as follows (the directory in Linux is also a file):
Force/Adventure |   user |   Group | Other
===========================================
SST rwx rwx rwx


Here's an explanation of the mandatory and adventure bits.
Mandatory bits are: setuid and setgid, mainly used for files and directories
Adventure bits are: sticky, only for directories, mostly shared directories

I. Description of Setuid,setgid and sticky

Setuid: (using one s on x position of U) can only set the file
Effects on files:
By default, the user executes a directive that runs the process as the user. When a file is set to Suid, all users execute the file with the permission of the owner of the user. That is, you can have this file executed by a user who does not have permission to perform this file.



Setgid: (using a s on X position of G) can only be set on the directory
Effect on directory:
By default, a user-created folder belongs to the group that the user is currently in, but after the Sgid is set, the file that anyone establishes in this directory belongs to the group to which the directory belongs, but the user is also the user who created it.


Sticky: (o using a T at x position) can only be set on the directory
Effect on directory:
By default, if a directory O has W and x permissions, anyone can create and delete files in this directory. Once the adventure bit is set on the directory, it means that only the owner of the file, the owner of the directory, and the system administrator can delete the file in this directory. Other users are not.

Note: It is not useful to set the adventure bit directly above the file, the adventure bit to be created in the directory above


Second, the enforcement of the position and the performance of the Adventure bit way:
The force bit and the adventure bit are added at the execution permission location, the force bits are represented by S and S, and the adventure bits are represented by T and T. If the execution permission is already in place, the force bit and the adventure bit are represented in lowercase letters. Otherwise, it is indicated in uppercase letters. That
S: Indicates that the bit has no X-bit s: Indicates that the bit has an X-bit
T: Indicates that the bit has no X-bit T: Indicates that the bit has an X-bit
Ps: If S is uppercase in the force bit, it means that the corresponding execution permission bit is not set, which is a useless suid setting to ignore its existence.


Iii. setting mandatory and risk-taking bits
3.1. Set mandatory bit and adventure bit through +,-
Set uid:# chmod u+s filename
# chmod u-s filename Cancel force bit on file
Set gid:# chmod g+s filename
Sticky: # chmod o+t dir


3.2, by the number set mandatory bit and adventure bit, placed in read and write execution of three digits to come to specify
4 (Set UID) 2 (set GID) 1 (sticky)

# chmod 4---file Settings setuid
# chmod 2---directory Settings setgid
# chmod 1---directory settings sticky
# chmod 6---Directory/File Settings Guid,uid

Note: The chmod command does not perform the necessary integrity checks to give any permissions to a useless file, but does not check for the combination of permissions that you set. Therefore a file with Execute permissions is not necessarily a program or a script.


Iv. Examples:
suid Example:

By default, all users can ping this command, but when looking at the file where the ping command is located, the user and group that this file belongs to is root, which is to say that only the root user can execute the command, but in fact it is found that all users can use the command. Because the ping command is located in the file where the permission x has an S


# ping-c 4 www.doiido.com
If you remove suid, you'll find that other users can't use the change command.
# chmod U-s/bin/ping
# Su-doiido
$ ping-c 4 www.doiido.com
PING:ICMP Open Socket:operation not permitted

In the example above, the mandatory bit on the instruction file allows the user to execute the instruction to run the process as an instruction to the owner of the file or the identity of the owning group. It also shows that if a command does not have S permission, the normal user cannot use the


Sgid Example:
A team together to develop a project, all the project files are stored in a directory, the directory is set Sgid, you can make all the user new files belong to the same group. Then set permissions on the directory so that everyone can see the files created by other users.


Sticky example:
If a team develops a project together, after setting the sticky bit in a directory, all team members can create files in this directory, but only delete the files (except root) that they create, which protects the user files in the directory.




This article is from the "Doiido" blog, make sure to keep this source http://doiido.blog.51cto.com/5503054/1561890

Linux mandatory bit and adventure bit introduction SUID SGID STICKY

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.