Linux file special permissions and additional permissions
1. Special permission SUID
Scope: only binary command files
Role: lets an ordinary user run the command with the permissions of the file's owner
Example 1: an ordinary user changes their password with the passwd command
cat /etc/shadow        the file that holds the passwords, stored as SHA-512 hashes
echo 123456 | passwd --stdin        set a password non-interactively
[root@host ~]# ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 30768 Nov 2015 /usr/bin/passwd
[root@host ~]# ll /etc/shadow
---------- 1 root root 977 Apr 3 14:11 /etc/shadow
As shown, passwd has the s bit, so it runs with root's rights and can change the password. An ordinary user has execute permission on the file, but that alone does not mean it runs as root; the s bit is what gives it root's execution identity.
Example 2: adding the s bit to the netstat command lets an ordinary user run it with root identity
Run netstat as root
[root@host ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:52113           0.0.0.0:*               LISTEN      1186/sshd
tcp        0      0 :::52113                :::*                    LISTEN      1186/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1109/dhclient
Run netstat as an ordinary user
[user@host ~]$ netstat -lntup
(No info could be read for "-p": geteuid()=502 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:52113           0.0.0.0:*               LISTEN      -
tcp        0      0 :::52113                :::*                    LISTEN      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
View the permissions of the netstat command as root
[root@host ~]# ll /bin/netstat
-rwxr-xr-x 1 root root 128216 Mar 2017 /bin/netstat
Use stat as an ordinary user to view the file's detailed properties; the current mode is 0755
[user@host ~]$ stat /bin/netstat
  File: '/bin/netstat'
  Size: 128216     Blocks: 256        IO Block: 4096   regular file
Device: 802h/2050d Inode: 788614      Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (0/root)   Gid: (0/root)
Access: 2018-04-03 14:46:08.529638732 +0800
Modify: 2017-03-22 07:52:14.000000000 +0800
Change: 2018-04-03 14:48:07.523615430 +0800
As root, add the SUID bit with u+s
[root@host ~]# chmod u+s /bin/netstat
[root@host ~]# ll /bin/netstat
-rwsr-xr-x 1 root root 128216 Mar 2017 /bin/netstat
Run stat again as an ordinary user; the mode is now 4755
[user@host ~]$ stat /bin/netstat
  File: '/bin/netstat'
  Size: 128216     Blocks: 256        IO Block: 4096   regular file
Device: 802h/2050d Inode: 788614      Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (0/root)   Gid: (0/root)
Access: 2018-04-03 14:46:08.529638732 +0800
Modify: 2017-03-22 07:52:14.000000000 +0800
Change: 2018-04-03 14:46:46.432625876 +0800
Run netstat again as an ordinary user: the output now matches what root sees, because the command runs with root identity
[user@host ~]$ netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:52113           0.0.0.0:*               LISTEN      1186/sshd
tcp        0      0 :::52113                :::*                    LISTEN      1186/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1109/dhclient
Remove the owner's execute bit with u-x (the file no longer has execute permission)
[root@host ~]# chmod u-x /bin/netstat
[root@host ~]# ll /bin/netstat
-rwSr-xr-x 1 root root 128216 Mar 2017 /bin/netstat
2. Special permission SGID
Role: the same as SUID, except that SGID grants the rights of the group that owns the program
Example: locate. How locate finds files: it stores every file name on the system in a database and indexes it, so locate finds files much faster than find does.
updatedb updates the contents of the locate database.
[root@host ~]# chmod g+s /usr/bin/locate
[root@host ~]# ll /usr/bin/locate
-rwx--s--x 1 root slocate 38464 Mar 2015 /usr/bin/locate
[root@host ~]# chmod g-x /usr/bin/locate
[root@host ~]# ll /usr/bin/locate
-rwx--S--x 1 root slocate 38464 Mar 2015 /usr/bin/locate
[root@host ~]# stat /usr/bin/locate
  File: '/usr/bin/locate'
  Size: 38464      Blocks: 80         IO Block: 4096   regular file
Device: 802h/2050d Inode: 658161      Links: 1
Access: (2701/-rwx--S--x)  Uid: (0/root)   Gid: (21/slocate)
Access: 2018-04-02 15:23:19.000000000 +0800
Modify: 2015-03-12 17:21:21.000000000 +0800
Change: 2018-04-03 15:19:24.432622176 +0800
[root@host ~]# chmod g+x /usr/bin/locate
[root@host ~]# stat /usr/bin/locate
  File: '/usr/bin/locate'
  Size: 38464      Blocks: 80         IO Block: 4096   regular file
Device: 802h/2050d Inode: 658161      Links: 1
Access: (2711/-rwx--s--x)  Uid: (0/root)   Gid: (21/slocate)
Access: 2018-04-02 15:23:19.000000000 +0800
Modify: 2015-03-12 17:21:21.000000000 +0800
Change: 2018-04-03 15:20:09.750626919 +0800
3. Special permission SBIT (sticky bit)
Function: valid only for directories. Its purpose: when a user creates a file or directory inside that directory, only the creator and root have the right to delete it.
The most representative example is /tmp: anyone can add or modify files in /tmp (its permissions are rwx for everyone), but only the creator of a file or directory, and root, can delete it.
[root@host ~]# stat /tmp/
  File: '/tmp/'
  Size: 4096       Blocks: 8          IO Block: 4096   directory
Device: 802h/2050d Inode: 1048577     Links: 3
Access: (1777/drwxrwxrwt)  Uid: (0/root)   Gid: (0/root)
Access: 2018-04-03 13:49:59.000000000 +0800
Modify: 2018-04-03 14:14:02.000000000 +0800
Change: 2018-04-03 14:14:09.311623966 +0800
[root@host ~]# chmod o-x /tmp/
[root@host ~]# stat /tmp/
  File: '/tmp/'
  Size: 4096       Blocks: 8          IO Block: 4096   directory
Device: 802h/2050d Inode: 1048577     Links: 3
Access: (1776/drwxrwxrwT)  Uid: (0/root)   Gid: (0/root)
Access: 2018-04-03 13:49:59.000000000 +0800
Modify: 2018-04-03 14:14:02.000000000 +0800
Change: 2018-04-03 15:21:02.341604692 +0800
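The three special bits in sections 1 to 3 all live in the leading octal digit that stat prints (4 = SUID, 2 = SGID, 1 = sticky). The following added example, written for this page in POSIX shell and not part of the original post, decodes a mode such as 4755, 2701 or 1776 into the symbolic string ls shows and names the special bits that are set, including the u-x and g-x cases above where a special bit is left without its execute bit.

```shell
# Decode an octal mode into the nine-character permission string that ls prints.
# Leading digit: 4 = SUID, 2 = SGID, 1 = sticky bit (POSIX sh, no files touched).

# triple DIGIT SPECIAL LOWER UPPER -> one class, e.g. "triple 7 4 s S" -> rws
triple() {
    d=$1 sp=$2 lo=$3 up=$4 out=""
    [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    if [ $((d & 1)) -ne 0 ]; then
        # execute bit set: lowercase s/t means the special bit is effective
        [ "$sp" -ne 0 ] && out="${out}${lo}" || out="${out}x"
    else
        # no execute bit: ls shows uppercase S/T, the bit is set but cannot act
        [ "$sp" -ne 0 ] && out="${out}${up}" || out="${out}-"
    fi
    printf '%s' "$out"
}

# pad4 MODE -> left-pad to four octal digits so "755" decodes like "0755"
pad4() {
    m=$1
    while [ ${#m} -lt 4 ]; do m="0$m"; done
    printf '%s' "$m"
}

# mode_to_symbolic MODE -> e.g. 4755 -> rwsr-xr-x, 4655 -> rwSr-xr-x
mode_to_symbolic() {
    m=$(pad4 "$1")
    s=$(printf '%s' "$m" | cut -c1); u=$(printf '%s' "$m" | cut -c2)
    g=$(printf '%s' "$m" | cut -c3); o=$(printf '%s' "$m" | cut -c4)
    printf '%s%s%s' \
        "$(triple "$u" $((s & 4)) s S)" \
        "$(triple "$g" $((s & 2)) s S)" \
        "$(triple "$o" $((s & 1)) t T)"
}

# special_bits MODE -> names of the special bits that are set, e.g. "suid sgid"
special_bits() {
    s=$(pad4 "$1" | cut -c1)
    names=""
    [ $((s & 4)) -ne 0 ] && names="${names}suid "
    [ $((s & 2)) -ne 0 ] && names="${names}sgid "
    [ $((s & 1)) -ne 0 ] && names="${names}sticky "
    printf '%s' "${names% }"
}
# Walk the modes that appear in the stat output above
for m in 0755 4755 4655 2711 2701 1777 1776; do
    printf '%s  %-9s  %s\n' "$m" "$(mode_to_symbolic "$m")" "$(special_bits "$m")"
done
```

Mode 4655 (netstat after chmod u-x) decodes to rwSr-xr-x and 2701 (locate after chmod g-x) to rwx--S--x: the uppercase letter is how ls reports a special bit whose matching execute bit is cleared, so the file can no longer be executed at all.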
4. Additional permissions
Also called extended permissions.
Command format
chattr [+-=] option file-or-directory-name
+ add an attribute
- remove an attribute
= set exactly the given attributes
chattr (change attributes) changes the additional permissions
The letters 'acdeijstuADST' select the new attributes for the files: append only (a), compressed (c), no dump (d), extent format (e), immutable (i), data journalling (j), secure deletion (s), no tail-merging (t), undeletable (u), no atime updates (A), synchronous directory updates (D), synchronous updates (S), and top of directory hierarchy (T).
Some common parameters:
+a append only (readable; can be appended to but not deleted; executable if it has execute permission)
+i immutable (readable; executable if it has execute permission; cannot be appended to or deleted)
Purpose: lock key system files
+s secure deletion (the data cannot be recovered if the file is deleted by mistake)
+A no atime updates (do not update the access time when the file is accessed)
Purpose: under heavy concurrency, turning off access-time updates reduces load on the server
+c compressed
+d no dump (not backed up by dump)
Purpose: exclude files that do not need to be recoverable from dump backups, which are one way to retrieve mistakenly deleted files on Linux
+t no tail-merging
lsattr test.txt    list attributes: view the additional permission bits
Note: additional permissions can be added to particular files according to actual needs
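To make the chattr letter list usable in an audit, here is an added example written for this page in POSIX shell, not part of the original post: it turns the flag field that lsattr prints (for example ----i--------e--) into attribute names and lists the files that carry the i or a lock; the lsattr output it reads is a constructed sample, not real system output.

```shell
# Decode the flag field that lsattr prints and list files carrying the i/a lock.
# attr_names FLAGS -> comma-separated attribute names using the chattr(1)
# letter meanings; letters not in the list are passed through unchanged
attr_names() {
    flags=$1 out=""
    while [ -n "$flags" ]; do
        c=$(printf '%s' "$flags" | cut -c1)
        flags=${flags#?}
        case $c in
            -) continue ;;
            a) n="append-only" ;;
            c) n="compressed" ;;
            d) n="no-dump" ;;
            e) n="extent-format" ;;
            i) n="immutable" ;;
            j) n="data-journalling" ;;
            s) n="secure-deletion" ;;
            t) n="no-tail-merging" ;;
            u) n="undeletable" ;;
            A) n="no-atime-updates" ;;
            D) n="synchronous-directory-updates" ;;
            S) n="synchronous-updates" ;;
            T) n="top-of-directory-hierarchy" ;;
            *) n="$c" ;;
        esac
        out="${out}${out:+,}${n}"
    done
    printf '%s' "$out"
}
# locked_files < lsattr-output -> paths whose flags include i (immutable)
# or a (append-only), one per line; these are the files chattr has locked
locked_files() {
    while read -r flags path; do
        case $flags in
            *i*|*a*) printf '%s\n' "$path" ;;
        esac
    done
}
# Constructed sample in lsattr's "FLAGS PATH" format (not real system output)
SAMPLE='----i--------e-- /etc/passwd
-----a-------e-- /var/log/secure
-------------e-- /etc/motd
-----------S-e-- /tmp/sync.db'
# Print each sample file with its attribute names, e.g. "/etc/passwd: immutable,extent-format"
printf '%s\n' "$SAMPLE" | while read -r flags path; do
    printf '%s: %s\n' "$path" "$(attr_names "$flags")"
done
```

Piping real output (lsattr -R on a directory) into locked_files gives the list of files someone has locked with +i or +a, which is worth comparing against the set of files you intended to lock.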
Reference sources:
https://www.cnblogs.com/dyh004/p/6378456.html
https://www.cnblogs.com/Q--T/p/7864795.html