Linux Learning: File special Permissions suid, SGID, Sbit

Source: Internet
Author: User

This post records what I know about the Linux special permissions SUID, SGID and the sticky bit (SBIT), with usage examples.

Because SUID and SGID bear directly on system security, mastering them is particularly important.

    • How to express and parse file permissions

SUID stands for Set User ID and SGID stands for Set Group ID.

Under Linux you can view file permissions with the ls -l command. The notation that ls prints looks like this: -rwxr-xr-x. It has ten positions in total, numbered here from 9 down to 0:

    9 8 7 6 5 4 3 2 1 0
    - r w x r - x r - x

Position 9 gives the file type and can be -, d, b, s, c, l or p (regular file, directory, block device, socket, character device, symbolic link, named pipe).

Positions 8-6, 5-3 and 2-0 give the permissions of the file owner, of users in the file's group, and of all other users, each as an rwx triple.

r means readable: the contents of the file can be read.

w means writable: the contents of the file can be modified.

x means executable: the file can be run.

A - in a position means that permission is absent.

Example:

ls -l myfile shows:

    -rwxr-x--- 1 foo staff 7734 Aug  5 17:18 myfile

This says that myfile is a regular file, its owner is the user foo, the file belongs to the group staff, it has only 1 hard link, its length is 7734 bytes, and it was last modified on August 5 at 17:18.

The owner foo has read, write and execute permission on the file, members of the staff group have read and execute permission, and other users have no permission on the file at all.
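As an added example (not code from the original post), here is a small POSIX shell function that turns the ten-character ls -l mode string described above into the four-digit octal mode that chmod uses, including the leading special-bit digit. The function name mode_to_octal is my own choice. It also understands the s/S and t/T markers that appear in the execute slots of SUID, SGID and sticky-bit entries, which the following sections explain.

```shell
#!/bin/sh
# Added example, not from the original article: parse the ten-character mode
# string that ls -l prints (e.g. -rwsr-xr-x) into the four-digit octal form
# (e.g. 4755) that chmod accepts. The helper name mode_to_octal is my own.
#
# Positions (article numbering 9..0): [type][rwx owner][rwx group][rwx other]
# In an execute slot, s/S (owner or group triple) marks SUID/SGID and t/T
# (other triple) marks the sticky bit; lowercase means x is also set,
# uppercase means the special bit is set but x is not.
# A trailing + or . (ACL / SELinux marker some ls versions print) is ignored.

mode_to_octal() {
    rest=${1#?}          # drop the file-type character (-, d, l, ...)
    special=0            # 4 = SUID, 2 = SGID, 1 = sticky
    digits=""            # the three rwx digits, built left to right
    pos=0                # 0..8 across owner, group, other
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first remaining character
        rest=${rest#?}
        case $((pos % 3)) in
            0) val=0
               case $c in r) val=4 ;; esac ;;
            1) case $c in w) val=$((val + 2)) ;; esac ;;
            2) case $c in x|s|t) val=$((val + 1)) ;; esac
               # which triple we are in: 0 owner, 1 group, 2 other
               case $((pos / 3))$c in
                   0s|0S) special=$((special + 4)) ;;
                   1s|1S) special=$((special + 2)) ;;
                   2t|2T) special=$((special + 1)) ;;
               esac
               digits="$digits$val" ;;
        esac
        pos=$((pos + 1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# Stand-alone demo over the modes that appear in the article
for m in -rwxr-x--- -rwsr-xr-x drwxrwsr-x drwxr-xr-t; do
    printf '%s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
```

Running it prints 0750, 4755, 2775 and 1755 for the four modes, which are exactly the values the article quotes for myfile, passwd, the cloudgrp directory and the sticky directory.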

    • Detailed analysis of SUID, Sgid and Sbit

1. SUID Permissions

SUID is only meaningful for binary programs. The user running the program needs x (execute) permission on it, and while the program runs the executor holds the privileges of the program's owner.

For example:

An ordinary user runs the passwd command.

First look at the absolute path and the file permissions of the passwd command:


We find that the owner of passwd is root, and that the slot in the owner's permissions that should hold x shows s instead, which tells us the command has the SUID bit. We also see that ordinary users have no w permission on it; so on the face of it an ordinary user should not be able to change a password with this command, because changing a password must write to a file.

Looking further, passwd actually operates on /etc/shadow, since that is where the passwords are stored. Viewing the permissions of that file:


Its permissions are 000 (note: root has rw permission on every file and rwx permission on every directory regardless), which means an ordinary user can neither read nor write it. But because passwd has the SUID bit, when an ordinary user runs it the process the system creates carries the privileges of the owner of /usr/bin/passwd, which is root.


In the run above, when prompted for the password, press Ctrl+Z to suspend the process.

Viewing the process tree shows that the passwd process really runs as root, while the bash it was started from runs as the ordinary user.


Numerically this adds 4000 in front of the original permission value: assuming the original mode was 0755, it is recorded as 4755. It is set or cleared with chmod u+s filename or chmod u-s filename.

2. Sgid Permissions

SGID can be applied to a directory or to an executable file.

1) For files:

SGID is meaningful for binary programs: the user running the program needs x permission on it, and during execution the executor holds the privileges of the program's group, as though they had temporarily joined that group.

For example:

An ordinary user runs the locate command.


The slot in the group permissions that should hold x shows s, so the command has the SGID bit. Ordinary users have only x permission on it, no rw. What locate actually reads is the file /var/lib/mlocate/mlocate.db.


That file grants ordinary users no permission at all, so in theory an ordinary user could not run locate successfully. But because locate has the SGID bit, the process that locate creates gets the group privileges of the locate command; it is as if the user allen had temporarily joined the group slocate. That group has r permission on mlocate.db, so the file can be read.

2) For directories:

A user can enter the directory when they have r and x permission on it;

inside this directory the user's effective group becomes the directory's group;

and if the user also has w permission on the directory (so they can create files), the group of each new file they create is the directory's group rather than their own. This is useful when a group of developers share resources.

Example:

Suppose a team works on a cloud project in one directory on a Linux host, and every team member should have rwx permission on all files in that directory.

So we first create a new group named cloudgrp, then create a few accounts, each with cloudgrp as a supplementary group.


Then create a new folder; with the default umask its permissions come out as drwxr-xr-x.


You can see that only root can create a file in this folder; other users have no write permission. So the directory mode must be set to 775 and its group changed to cloudgrp, so that the other members of that group can write files there.


Now the account developer can create a new file, but the file's owner and group are both developer, so the other accounts such as techusr cannot access it, and the goal of collaboration is still not met.


So we need to add SGID to the directory; after that, any file created in it by any user gets the group cloudgrp.

Numerically this adds 2000 in front of the original permission value: assuming 0775, it is recorded as 2775. It is set or cleared with chmod g+s dirname or chmod g-s dirname.

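The cloudgrp walkthrough above, reproduced as an added shell example that is not from the original post: it creates the shared directory, applies the corrected 2775 mode (775 plus SGID) and verifies with stat that a file created inside inherits the directory's group. It assumes GNU coreutils (stat -c, mktemp) and, so that it runs without root, uses the caller's own primary group in place of cloudgrp; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): set up a group-shared
# directory the way the cloudgrp walkthrough describes, and check that files
# created inside it inherit the directory's group.
# Assumptions: GNU coreutils (stat -c, mktemp) and the caller is a member of
# GROUP. The article uses the group "cloudgrp"; the demo below uses the
# caller's own primary group so it runs without root.

# setup_shared_dir DIR GROUP
#   Weak form from the article: 775 with the right group but no SGID, so a
#   file created by user A gets A's primary group and user B cannot open it.
#   Corrected form: 2775 (SGID on the directory), so every new file takes the
#   directory's group.
setup_shared_dir() {
    dir=$1; group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2775 "$dir"          # same as: chmod 775 "$dir" && chmod g+s "$dir"
}

# dir_mode DIR -> octal mode including the special-bit digit, e.g. 2775
dir_mode() {
    stat -c '%a' "$1"
}

# new_file_inherits_group DIR
#   Creates a probe file in DIR and returns 0 if its group equals the
#   directory's group (what SGID on a directory guarantees), 1 otherwise.
new_file_inherits_group() {
    dir=$1
    f=$(mktemp "$dir/probe.XXXXXX")
    dgrp=$(stat -c '%g' "$dir")
    fgrp=$(stat -c '%g' "$f")
    rm -f "$f"
    [ "$dgrp" = "$fgrp" ]
}

# Stand-alone demo in a scratch directory (constructed, removed afterwards)
demo_dir=$(mktemp -d)
setup_shared_dir "$demo_dir/cloud" "$(id -gn)"
printf 'mode: %s\n' "$(dir_mode "$demo_dir/cloud")"
if new_file_inherits_group "$demo_dir/cloud"; then
    printf 'new files inherit group %s\n' "$(stat -c '%G' "$demo_dir/cloud")"
fi
rm -rf "$demo_dir"
```

On a real multi-user host you would pass cloudgrp (after adding the team accounts to it with usermod -aG cloudgrp user) and run the probe as each member; the group check is what tells you the SGID bit, not just the 775 mode, is in place.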

3. Sticky bit permissions

Effect on a directory: if the sticky bit of a directory is set, only the owner (of the file or of the directory) or root can delete or rename the files and subdirectories inside it.

This bit can be understood as an anti-delete bit. Whether a user can delete a file depends primarily on whether the user has write permission on the directory that contains it, not on the file itself. Without write permission on the directory, no file in it can be deleted and no new file can be added. If you want users to be able to add files but not to delete each other's files, set the sticky bit on the directory: once it is set, a file cannot be deleted by other users even though they have write permission on the directory.

Example:


We create a new directory that is open to everyone and copy a file into it.


After adding the sticky bit, 1000 is added in front of the original permission value: assuming 0755, it is recorded as 1755. It is set or cleared with chmod o+t dirname or chmod o-t dirname.

The permissions for the directory now change to:


Although the file developer.b grants full permissions, it can now be renamed or deleted only by its owner or by root.


This protects files from other users, which is why /tmp carries the sticky bit.
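As an added example (not the original post's code) covering the SUID, SGID and sticky-bit sections together, here are two defender-side checks: sticky_protected reports whether a world-writable directory such as /tmp actually has the sticky bit, and list_special_bits inventories the files under a path that carry SUID or SGID, as the passwd and locate binaries above do, so the list can be compared against a known-good baseline. It assumes GNU coreutils (stat -c) and findutils (find -perm); the helper names are my own, and the setuid file in the demo is an empty file constructed only to exercise the listing.

```shell
#!/bin/sh
# Added example (not from the original article): defender-side checks for the
# three special bits. Assumptions: GNU coreutils (stat -c) and findutils
# (find -perm); the helper names below are my own.

# sticky_protected DIR
#   Returns 0 if DIR is world-writable AND has the sticky bit (like /tmp, 1777):
#   users can add files but only the owner (or root) can delete or rename them.
#   Returns 1 if DIR is world-writable without the sticky bit, i.e. anyone can
#   delete anyone else's files. Returns 2 if DIR is not world-writable at all.
sticky_protected() {
    mode=$(stat -c '%a' "$1")
    # %a prints e.g. 1777; split off the special digit when present
    case $mode in
        ????) special=${mode%???}; perms=${mode#?} ;;
        *)    special=0;           perms=$mode ;;
    esac
    other=${perms#??}                 # the "other" digit
    case $other in
        2|3|6|7) ;;                   # w bit set for others: world-writable
        *) return 2 ;;
    esac
    case $special in
        1|3|5|7) return 0 ;;          # sticky (1) set, possibly with SGID/SUID
        *) return 1 ;;
    esac
}

# list_special_bits ROOT
#   Prints "MODE OWNER GROUP PATH" for every regular file under ROOT with
#   SUID (4000) or SGID (2000) set; this is the inventory a reviewer compares
#   against a baseline of expected entries such as /usr/bin/passwd.
list_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %G %n' {} \; 2>/dev/null
}

# Stand-alone demo in a scratch directory (constructed, removed afterwards)
demo=$(mktemp -d)
mkdir "$demo/shared" "$demo/open"
chmod 1777 "$demo/shared"         # same as: chmod 777 then chmod o+t
chmod 777  "$demo/open"
for d in "$demo/shared" "$demo/open"; do
    if sticky_protected "$d"; then
        printf '%s: %s ok, sticky bit set\n' "$d" "$(stat -c '%a' "$d")"
    else
        printf '%s: %s world-writable without sticky bit\n' "$d" "$(stat -c '%a' "$d")"
    fi
done
: > "$demo/demo_suid"; chmod 4755 "$demo/demo_suid"   # constructed, empty file
list_special_bits "$demo"
rm -rf "$demo"
```

In practice you run list_special_bits against / and diff the output against the previous run; a new entry outside the distribution's expected set (passwd, locate and a handful of others) is what you want to investigate, and sticky_protected is the check to apply to every shared, world-writable directory.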

This article is from the "Craft Life" blog; please keep this source link: http://allenh.blog.51cto.com/481430/1698286
