SetUID [permission value = 4]
Question: Why can ordinary users change their passwords?
ll $(which passwd)   # the owner's execute bit is shown as s (e.g. -rwsr-xr-x, owned by root)
1. SetUID: when an executable program/command has the SetUID permission, any user who runs it executes it with the identity of the program's owner.
2. Adding the SetUID permission:
chmod u+s [filename]  or  chmod 4755 [filename]   # SetUID permission value = 4
e.g.
chmod u+s $(which touch)
# you can see that the owner of newfile2 (created by guest with this touch) is not guest, but root!
3. Danger!
Setting a command to SetUID is very dangerous. If vi is set to SetUID, for example, then any user can edit and save every file in the system, even the system configuration files; they can make themselves superuser instantly, keep your system rebooting, and so on. The same goes for setting kill to SetUID ...
Prevention:
find / -perm -4000 -o -perm -2000
# find files whose permissions include 4000 or 2000, i.e. files with SetUID or SetGID
4. Removing the SetUID permission:
chmod u-s [filename]  or  chmod 755 [filename]
Note: the file must be an executable program; if it does not have the x permission, setting SetUID has no effect
# in that case ls shows an uppercase S instead of s!
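As an added example (not part of the original post), the prevention check above and the uppercase-S note combined: a POSIX shell script that runs the same find test over a directory and decodes each hit's mode, flagging a SetUID/SetGID bit that is set without the matching execute bit. It assumes GNU coreutils (stat -c %a); the function names and the scratch files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit a directory tree for files
# carrying special permission bits and explain each hit. Assumes GNU coreutils
# (stat -c %a) and a find that understands -perm -NNNN.

# decode_special MODE : MODE is an octal mode as printed by "stat -c %a"
# (e.g. 4755 or 755). Prints the special bits it carries. A SetUID/SetGID
# bit without the matching execute bit (ls -l shows an uppercase S) does
# nothing, so it is marked "ineffective".
decode_special() {
    special=$(( 0$1 / 512 ))      # leading octal digit: 4=SetUID 2=SetGID 1=sticky
    perms=$(( 0$1 % 512 ))        # the usual rwxrwxrwx bits
    out=""
    if [ $(( special & 4 )) -ne 0 ]; then
        if [ $(( perms & 64 )) -ne 0 ]; then out="$out setuid"
        else out="$out setuid(ineffective)"; fi        # u+s without u+x
    fi
    if [ $(( special & 2 )) -ne 0 ]; then
        if [ $(( perms & 8 )) -ne 0 ]; then out="$out setgid"
        else out="$out setgid(ineffective)"; fi        # g+s without g+x
    fi
    if [ $(( special & 1 )) -ne 0 ]; then out="$out sticky"; fi
    echo "${out# }"
}

# audit_special DIR : the post's find test (-perm -4000 -o -perm -2000),
# restricted to regular files, with the decoded meaning next to each path.
audit_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r f; do
        m=$(stat -c %a "$f")
        printf '%s %s %s\n' "$m" "$(decode_special "$m")" "$f"
    done
}

# Demo on constructed data: a scratch directory with one file per case.
demo_dir=$(mktemp -d)
: > "$demo_dir/suid_ok";   chmod 4755 "$demo_dir/suid_ok"     # -rwsr-xr-x
: > "$demo_dir/suid_no_x"; chmod 4644 "$demo_dir/suid_no_x"   # -rwSr--r--
: > "$demo_dir/sgid_ok";   chmod 2755 "$demo_dir/sgid_ok"     # -rwxr-sr-x
: > "$demo_dir/plain";     chmod 755  "$demo_dir/plain"       # not listed
audit_special "$demo_dir"
rm -rf "$demo_dir"
```

Run it against / (as in the post) to get an inventory; an "ineffective" entry is harmless today but worth cleaning up, since adding x later would silently arm it.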
SetGID [permission value = 2]
1. SetGID: when an executable program/command has the SetGID permission, any user who runs it executes it with the identity of the group that owns the program.
2. Adding the SetGID permission:
chmod g+s [filename]  or  chmod 2755 [filename]   # SetGID permission value = 2
# you can see that the group of testfile2 is not the default guest, but root!
Also, to set SetUID together with SetGID: chmod 6755 ...
Sticky bit [permission value = 1]
1. Sticky bit: if a directory with permissions 777 has the sticky bit set, every user can create files in it, but each user can only delete the files they own.
2. Setting the sticky bit:
chmod o+t [filename]  or  chmod 1777 [filename]   # the sticky bit is shown as t, permission value = 1
# you can see that in the /t_test directory where it is set, you can delete your own files, but not other people's files.
Note: special permissions and umask:
The special permissions correspond to the first digit of the umask value (e.g. the leading 0 in 0022).
Linux Special Permissions Analysis (second edition)