Linux Learning-linux File special permissions and additional permissions

Source: Internet
Author: User

Linux file Special permissions and additional permissions

1. Special permission SUID

Scope: only meaningful on binary executable files

Role: lets an ordinary user run the binary with the permissions of the file's owner

Example 1: a normal user changing their password with the passwd command

cat /etc/shadow: the file that holds the password hashes, which are stored hashed with SHA-512

echo 123456 | passwd --stdin: sets a password non-interactively

# ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 30768 Nov 2015 /usr/bin/passwd
# ll /etc/shadow
---------- 1 root root 977 Apr 3 14:11 /etc/shadow

As shown, passwd carries the s bit, so it runs with root's rights and can update the password in /etc/shadow. An ordinary user has execute permission on the binary, but execute permission alone does not make the program run as root; the s bit is what grants the owner's (root's) privileges at execution time.

Example 2: adding the s bit to the netstat command makes it run with root's identity for a normal user

Run the netstat command as root:

# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:52113           0.0.0.0:*               LISTEN      1186/sshd
tcp        0      0 :::52113                :::*                    LISTEN      1186/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1109/dhclient

Run the netstat command as a normal user:

$ netstat -lntup
(No info could be read for "-p": geteuid()=502 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:52113           0.0.0.0:*               LISTEN      -
tcp        0      0 :::52113                :::*                    LISTEN      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -

View the permissions of the netstat binary as root:

# ll /bin/netstat
-rwxr-xr-x 1 root root 128216 Mar 2017 /bin/netstat

Use the stat command as a normal user to view the file's detailed attributes; the current mode is 0755:

$ stat /bin/netstat
  File: '/bin/netstat'
  Size: 128216      Blocks: 256        IO Block: 4096   regular file
Device: 802h/2050d  Inode: 788614      Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-04-03 14:46:08.529638732 +0800
Modify: 2017-03-22 07:52:14.000000000 +0800
Change: 2018-04-03 14:48:07.523615430 +0800

As root, add the set-user-ID bit to the owner permissions with u+s:

# chmod u+s /bin/netstat
# ll /bin/netstat
-rwsr-xr-x 1 root root 128216 Mar 2017 /bin/netstat

Use the stat command again as a normal user to view the file's detailed attributes; the mode is now 4755:

$ stat /bin/netstat
  File: '/bin/netstat'
  Size: 128216      Blocks: 256        IO Block: 4096   regular file
Device: 802h/2050d  Inode: 788614      Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-04-03 14:46:08.529638732 +0800
Modify: 2017-03-22 07:52:14.000000000 +0800
Change: 2018-04-03 14:46:46.432625876 +0800

Run netstat again as a normal user: the output now matches what root saw, because the process runs with root's identity:

$ netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:52113           0.0.0.0:*               LISTEN      1186/sshd
tcp        0      0 :::52113                :::*                    LISTEN      1186/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*               1109/dhclient

Remove the owner's execute permission with u-x; ls then shows a capital S, meaning the set-user-ID bit is set but the owner has no execute permission:

# chmod u-x /bin/netstat
# ll /bin/netstat
-rwSr-xr-x 1 root root 128216 Mar 2017 /bin/netstat

2. Special permission SGID

Role: the same as SUID, except that SGID grants the permissions of the group that owns the program

Example: the locate command. Principle: locate stores every file name on the system in a database and indexes it, so searching with locate is much faster than with find.

updatedb updates the contents of the database that the locate command reads

# chmod g+s /usr/bin/locate
# ll /usr/bin/locate
-rwx--s--x 1 root slocate 38464 Mar 2015 /usr/bin/locate
# chmod g-x /usr/bin/locate
# ll /usr/bin/locate
-rwx--S--x 1 root slocate 38464 Mar 2015 /usr/bin/locate
# stat /usr/bin/locate
  File: '/usr/bin/locate'
  Size: 38464       Blocks: 80         IO Block: 4096   regular file
Device: 802h/2050d  Inode: 658161      Links: 1
Access: (2701/-rwx--S--x)  Uid: (    0/    root)   Gid: (   21/ slocate)
Access: 2018-04-02 15:23:19.000000000 +0800
Modify: 2015-03-12 17:21:21.000000000 +0800
Change: 2018-04-03 15:19:24.432622176 +0800
# chmod g+x /usr/bin/locate
# stat /usr/bin/locate
  File: '/usr/bin/locate'
  Size: 38464       Blocks: 80         IO Block: 4096   regular file
Device: 802h/2050d  Inode: 658161      Links: 1
Access: (2711/-rwx--s--x)  Uid: (    0/    root)   Gid: (   21/ slocate)
Access: 2018-04-02 15:23:19.000000000 +0800
Modify: 2015-03-12 17:21:21.000000000 +0800
Change: 2018-04-03 15:20:09.750626919 +0800

3. Special permission SBIT

Sticky bit

Function: only valid on a directory. Its purpose: when a user creates a file or directory inside it, only that user (the owner) and root have the right to delete it.

The most representative example is the /tmp directory: anyone can add and modify files in /tmp (its permissions are rwx for everyone), but only a file's or directory's creator and root can delete it.

# stat /tmp/
  File: '/tmp/'
  Size: 4096        Blocks: 8          IO Block: 4096   directory
Device: 802h/2050d  Inode: 1048577     Links: 3
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-04-03 13:49:59.000000000 +0800
Modify: 2018-04-03 14:14:02.000000000 +0800
Change: 2018-04-03 14:14:09.311623966 +0800
# chmod o-x /tmp/
# stat /tmp/
  File: '/tmp/'
  Size: 4096        Blocks: 8          IO Block: 4096   directory
Device: 802h/2050d  Inode: 1048577     Links: 3
Access: (1776/drwxrwxrwT)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-04-03 13:49:59.000000000 +0800
Modify: 2018-04-03 14:14:02.000000000 +0800
Change: 2018-04-03 15:21:02.341604692 +0800

After o-x the trailing t becomes a capital T: the sticky bit is still set, but others no longer have execute (search) permission on the directory.
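The three special bits from sections 1 to 3, as an added shell example that is not part of the original article. Real SUID binaries such as /bin/netstat are root-owned and changing them needs root, so the fixture here applies the same chmod u+s, g+s and 1777 changes to throw-away files under a mktemp directory; the audit functions are the ones a defender would point at a real tree (for example /usr). It assumes GNU coreutils (stat -c, chmod) and GNU find (-perm /MODE, -printf); the file and directory names in the fixture are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: reproduce the SUID, SGID
# and sticky-bit mode changes from sections 1-3 on throw-away files, and
# audit a directory tree for them the way a defender would.  Assumes GNU
# coreutils (stat -c, chmod) and GNU find (-perm /MODE, -printf).
set -eu

# Octal mode of a path, e.g. 4755 for -rwsr-xr-x, 1777 for drwxrwxrwt.
mode_of() {
    stat -c '%a' "$1"
}

# Symbolic mode of a path, e.g. -rwSr-xr-x (capital S: set-user-ID without x).
symbolic_mode_of() {
    stat -c '%A' "$1"
}

# Regular files under DIR carrying the set-user-ID (4000) or set-group-ID
# (2000) bit: each runs with its owner's or group's identity, so every
# entry should be known and justified.  Output: "MODE OWNER:GROUP PATH".
audit_special_bits() {
    find "$1" -type f -perm /6000 -printf '%m %u:%g %p\n' | sort
}

# Directories under DIR that are world-writable but lack the sticky bit:
# there any user could delete or rename another user's files, which is the
# condition section 3 says /tmp's 1777 mode exists to prevent.
world_writable_dirs_without_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

# Print entries of a fresh audit that are absent from a saved baseline file
# (itself produced by audit_special_bits): special bits that appeared since
# the baseline was taken.
new_since_baseline() {
    local baseline=$1 dir=$2 current
    current=$(mktemp)
    audit_special_bits "$dir" > "$current"
    comm -13 "$baseline" "$current"
    rm -f "$current"
}

# Constructed fixture mirroring the article's examples on files we own:
# netstat gets u+s (4755), locate gets g+s (2755), plain stays 0755;
# tmp_ok is a 1777 directory like /tmp, tmp_bad is 0777 (no sticky bit).
make_fixture() {
    local dir
    dir=$(mktemp -d)
    for f in netstat locate plain; do
        printf '#!/bin/sh\necho hello\n' > "$dir/$f"
        chmod 0755 "$dir/$f"
    done
    chmod u+s "$dir/netstat"        # article: chmod u+s /bin/netstat
    chmod g+s "$dir/locate"         # article: chmod g+s /usr/bin/locate
    mkdir "$dir/tmp_ok" && chmod 1777 "$dir/tmp_ok"
    mkdir "$dir/tmp_bad" && chmod 0777 "$dir/tmp_bad"
    printf '%s\n' "$dir"
}

# Stand-alone run: build the fixture and show what each check reports.
demo() {
    local dir
    dir=$(make_fixture)
    echo "modes: netstat=$(mode_of "$dir/netstat") locate=$(mode_of "$dir/locate") tmp_ok=$(mode_of "$dir/tmp_ok")"
    echo "--- setuid/setgid files"
    audit_special_bits "$dir"
    echo "--- world-writable directories without the sticky bit"
    world_writable_dirs_without_sticky "$dir"
    chmod u-x "$dir/netstat"        # article: chmod u-x /bin/netstat
    echo "after u-x: $(symbolic_mode_of "$dir/netstat")"
    rm -rf "$dir"
}

demo
```

Saving the output of audit_special_bits once and feeding it to new_since_baseline on later runs turns the listing into a change detector: a new entry is a binary that has started running with someone else's identity and should be explained.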

4. Additional permissions

Also called extended permissions.

Command format:

chattr [+-=][attribute] file-or-directory

+ adds an attribute

- removes an attribute

= sets exactly the given attributes

chattr (change attributes) changes the additional permissions

The letters 'acdeijstuADST' select the new attributes for the files: append only (a), compressed (c), no dump (d), extent format (e), immutable (i), data journalling (j), secure deletion (s), no tail-merging (t), undeletable (u), no atime updates (A), synchronous directory updates (D), synchronous updates (S), and top of directory hierarchy (T).

Description of some common parameters:

+a append only (the file can be read and appended to, but not deleted; it is executable if it has execute permission)

+i immutable (the file can be read, and executed if it has execute permission, but cannot be appended to or deleted)

Purpose: lock key system files

+s secure deletion (securely removed: the data cannot be recovered if the file is deleted by mistake)

+A no atime updates (do not update the access time when the file is accessed)

Purpose: under heavy concurrency, turning off access-time updates reduces load on the server

+c compressed (compression)

+d no dump (not backed up by dump)

Purpose: files that do not need to be backed up with dump, the Linux tool used to back up data so that mistakenly deleted files can be retrieved

+t no tail-merging (tail merging disabled)

lsattr test.txt: list attributes, i.e. view the additional permission bits

Description: additional permissions can be added to particular files as actual needs dictate
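The +i and lsattr usage from this section, as an added shell example that is not part of the original article: a lock_file helper that applies chattr +i and refuses to report success unless lsattr confirms the flag, plus a parser for lsattr output that can be run over a saved listing to check that key files are still locked. It assumes e2fsprogs (chattr, lsattr) on an ext2/3/4 filesystem; setting or clearing i and a requires root (CAP_LINUX_IMMUTABLE), so the live functions are shown but only the parser runs here, on a constructed lsattr listing (the three paths and their flags are made up for the example).

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: helpers for locking key
# files with chattr +i and for verifying the flags with lsattr.  Assumes
# e2fsprogs (chattr, lsattr) on an ext2/3/4 filesystem; setting or clearing
# i and a requires root (CAP_LINUX_IMMUTABLE), so lock_file/unlock_file are
# not exercised by the offline checks below.
set -eu

# Read lsattr output on stdin and print "yes" if FILE carries FLAG (one
# attribute letter such as i or a), otherwise "no".  lsattr prints one line
# per file: the flag field, a space, the path.
attr_set_in() {
    local flag=$1 file=$2
    awk -v flag="$flag" -v file="$file" '
        $2 == file { print ((index($1, flag) > 0) ? "yes" : "no"); found = 1 }
        END        { if (!found) print "no" }'
}

# Same check against a live file.
attr_set() {
    lsattr "$2" | attr_set_in "$1" "$2"
}

# Lock a key file (+i) and fail unless lsattr confirms the flag.  While the
# flag is set the file cannot be modified, deleted or renamed, even by root,
# until unlock_file clears it.
lock_file() {
    chattr +i "$1"
    [ "$(attr_set i "$1")" = yes ]
}

unlock_file() {
    chattr -i "$1"
}

# Constructed lsattr output (not captured from a real host) for offline use:
# a passwd file locked with +i, a log made append-only with +a, a plain file.
SAMPLE_LSATTR='----i----------e---- /etc/passwd
-----a---------e---- /var/log/secure
---------------e---- /tmp/test.txt'

# Report the immutable and append-only state of every file in the sample.
audit_sample() {
    local f
    for f in /etc/passwd /var/log/secure /tmp/test.txt; do
        printf '%s immutable=%s append_only=%s\n' "$f" \
            "$(printf '%s\n' "$SAMPLE_LSATTR" | attr_set_in i "$f")" \
            "$(printf '%s\n' "$SAMPLE_LSATTR" | attr_set_in a "$f")"
    done
}

audit_sample
```

The verification step in lock_file matters because chattr +i fails silently from a defender's point of view on filesystems that do not support the flag or when run without the required capability; checking lsattr afterwards turns "the command ran" into "the file is locked".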

Reference sources:

https://www.cnblogs.com/dyh004/p/6378456.html

https://www.cnblogs.com/Q--T/p/7864795.html
