Linux Learning-linux File special permissions and additional permissions

Linux file Special permissions and additional permissions

1. Special permission Suid

Scope: Only for binary command files

Role: Let ordinary users have the permissions of the binary command file owner

Example 1: Normal user using passwd command to change password

Cat/etc/shadow the file that holds the password, encrypt it with sha512 encryption method

Echo 123456|PASSWD--stdin A non-interactive setup password

[Email protected] ~]# ls-l/usr/bin/passwd

-rwsr-xr-x. 1 root root 30768 Nov 2015/usr/bin/passwd

[Email protected] ~]# Ll/etc/shadow

----------1 root root 977 Apr 3 14:11/etc/shadow

Visible, passwd has the S permission, has the root user right, can change the password, the ordinary user has the execution permission but does not necessarily have the permission to execute as the root, adds the S permission to have the root user's execution permission

Example 2:netstat command by modifying s permission can make a normal user have root identity

Use the netstat command under the root user

[Email protected] ~]# Netstat-lntup

Active Internet connections (only servers)

Proto recv-q send-q Local address Foreign address State Pid/program Name

TCP 0 0 0.0.0.0:52113 0.0.0.0:* LISTEN 1186/sshd

TCP 0 0::: 52113:::* LISTEN 1186/sshd

UDP 0 0 0.0.0.0:68 0.0.0.0:* 1109/dhclient

Use the netstat command under a normal user

[Email protected] ~]$ Netstat-lntup

(No info could is read for "-P": Geteuid () =502 but you should is root.)

Active Internet connections (only servers)

Proto recv-q send-q Local address Foreign address State Pid/program Name

TCP 0 0 0.0.0.0:52113 0.0.0.0:* LISTEN-

TCP 0 0::: 52113:::* LISTEN-

UDP 0 0 0.0.0.0:68 0.0.0.0:*-

To view the permissions of the Netstat command under the root user

[Email protected] ~]# Ll/bin/netstat

-rwxr-xr-x 1 root root 128216 Mar 2017/bin/netstat

Use the stat command to view command detail properties under normal user, current permission is 0755

[Email protected] ~]$ Stat/bin/netstat

File: '/bin/netstat '

size:128216 blocks:256 IO block:4096 Regular file

device:802h/2050d inode:788614 links:1

Access: (0755/-rwxr-xr-x) Uid: (0/root) Gid: (0/root)

access:2018-04-03 14:46:08.529638732 +0800

Modify:2017-03-22 07:52:14.000000000 +0800

change:2018-04-03 14:48:07.523615430 +0800

Modify permissions under root user u+s

[Email protected] ~]# chmod u+s/bin/netstat

[Email protected] ~]# Ll/bin/netstat

-rwsr-xr-x 1 root root 128216 Mar 2017/bin/netstat

Use the Stat command to view the command detail properties again under a normal user, with the current permission of 4755

[Email protected] ~]$ Stat/bin/netstat

File: '/bin/netstat '

size:128216 blocks:256 IO block:4096 Regular file

device:802h/2050d inode:788614 links:1

Access: (4755/-rwsr-xr-x) Uid: (0/root) Gid: (0/root)

access:2018-04-03 14:46:08.529638732 +0800

Modify:2017-03-22 07:52:14.000000000 +0800

change:2018-04-03 14:46:46.432625876 +0800

Re-use the netstat command under a normal user, discovering that it has the same root identity as the result of executing under the root user

[Email protected] ~]$ Netstat-lntup

Active Internet connections (only servers)

Proto recv-q send-q Local address Foreign address State Pid/program Name

TCP 0 0 0.0.0.0:52113 0.0.0.0:* LISTEN 1186/sshd

TCP 0 0::: 52113:::* LISTEN 1186/sshd

UDP 0 0 0.0.0.0:68 0.0.0.0:* 1109/dhclient

Use the U-x command (no execute permission)

[Email protected] ~]# chmod u-x/bin/netstat

[Email protected] ~]# Ll/bin/netstat

-rwsr-xr-x 1 root root 128216 Mar 2017/bin/netstat

2. Special Permission Sgid

Role: As with suid, just Sgid is the right to get the user group that the program belongs to

Example: Locate find File principle: Store all file names in the system in a database and set up an index

So it's a lot quicker to find locate than find.

UpdateDB Update commands for locate command database content

[Email protected] ~]# chmod g+s/usr/bin/locate

[Email protected] ~]# ll/usr/bin/locate

-rwx--s--x 1 root slocate 38464 Mar 2015/usr/bin/locate

[Email protected] ~]# chmod g-x/usr/bin/locate

[Email protected] ~]# ll/usr/bin/locate

-rwx--s--x 1 root slocate 38464 Mar 2015/usr/bin/locate

[Email protected] ~]# stat/usr/bin/locate

File: '/usr/bin/locate '

size:38464 blocks:80 IO block:4096 Regular file

device:802h/2050d inode:658161 links:1

Access: (2701/-rwx--s--x) Uid: (0/root) Gid: (21/slocate)

access:2018-04-02 15:23:19.000000000 +0800

modify:2015-03-12 17:21:21.000000000 +0800

change:2018-04-03 15:19:24.432622176 +0800

[Email protected] ~]# chmod g+x/usr/bin/locate

[Email protected] ~]# stat/usr/bin/locate

File: '/usr/bin/locate '

size:38464 blocks:80 IO block:4096 Regular file

device:802h/2050d inode:658161 links:1

Access: (2711/-rwx--s--x) Uid: (0/root) Gid: (21/slocate)

access:2018-04-02 15:23:19.000000000 +0800

modify:2015-03-12 17:21:21.000000000 +0800

change:2018-04-03 15:20:09.750626919 +0800

3. Special permission Sbit

Sticky bit sticky bit

Function: Only for the directory is valid, for the purpose of the directory is: when the user in the directory to create a file or directory, only their own and root have the right to delete

The most representative is the/tmp directory, anyone can add, modify files in/tmp (because the permissions are all rwx), but only the file/directory creator and Root can delete their own directories or files

[Email protected] ~]# stat/tmp/

File: '/tmp/'

size:4096 blocks:8 IO block:4096 Directory

device:802h/2050d inode:1048577 Links:3

Access: (1777/DRWXRWXRWT) Uid: (0/root) Gid: (0/root)

access:2018-04-03 13:49:59.000000000 +0800

modify:2018-04-03 14:14:02.000000000 +0800

change:2018-04-03 14:14:09.311623966 +0800

[Email protected] ~]# chmod o-x/tmp/

[Email protected] ~]# stat/tmp/

File: '/tmp/'

size:4096 blocks:8 IO block:4096 Directory

device:802h/2050d inode:1048577 Links:3

Access: (1776/DRWXRWXRWT) Uid: (0/root) Gid: (0/root)

access:2018-04-03 13:49:59.000000000 +0800

modify:2018-04-03 14:14:02.000000000 +0800

change:2018-04-03 15:21:02.341604692 +0800

4. Additional Privileges

Also called extended permissions.

Command format

chattr [+-=] option file or directory name

+ Add Permissions

-Delete Permissions

= equals a permission

Chattr change attributes changing additional permissions

The letters ' ACDEIJSTUADST ' Select the new attributes for the Files:append only (a), com-pressed (c), no dump (d), extent Format (e), immutable (i), Data journalling (j), secure Dele-tion (s), no tail-merging (t), undeletable (U), no atime upd Ates (A), Synchronous directory Updates (D), synchronous Updates (S), and top of directory hierarchy (T).

Some common parameter description:

+a Append (readable, can be appended, but not deleted if there is execute permission executable)

+i immutable (readable, if there is execute permission executable, cannot append, cannot delete)

Purpose: Add lock to key files of the system

+s secure Dele-tion (safely removed. Data cannot be recovered if deleted by mistake)

+a No atime updates (Do not update access time when accessed)

Purpose: In case of large concurrency, turn off update access time to reduce server pressure

+c com-pressed (compression)

+d No dump (no backup)

Purpose: Files that do not want to be recovered, Linux to retrieve mistakenly deleted files

+t no tail-merging (tail merge)

lsattr test.txt List Attributes View additional permission bits

Description: Additional permissions can be added to certain files according to actual needs

Reference Source:

Https://www.cnblogs.com/dyh004/p/6378456.html

Https://www.cnblogs.com/Q--T/p/7864795.html

Linux Learning-linux File special permissions and additional permissions