Linux Rights Management II: Setuid, setgid, and sticky bit


Files and directories under Linux can carry three special permission bits in addition to the three basic rwx permissions: setuid (SUID), setgid (SGID), and the sticky bit (sbit). They are described below:

Setuid (SUID)

The first thing to emphasize is that SUID only takes effect on binary program files.
When a binary program has SUID set, its permissions look like this (take /bin/passwd as an example):

[admin@localhost ~]$ ll /bin/passwd
-rwsr-xr-x. 1 root root 27864 Aug 18  2014 /bin/passwd

The owner's x permission bit shows as a lowercase s. So what does SUID do?
Put simply: if a program has SUID set, then when a user other than the program's owner executes it (which requires x permission on the program), that user temporarily holds the owner's permissions for as long as the program runs. Not clear yet? Let's look at a test program:

// test.c
#include <stdio.h>

int main()
{
    FILE *fp;
    fp = fopen("tmp", "w");  // create a file named tmp in the current directory; this needs w permission on the directory
    fclose(fp);              // if fopen failed, fp is NULL and this call crashes, which is the "Segmentation fault" seen below
    return 0;
}

When this program runs, it creates a file named tmp in the current directory, which of course requires w permission on that directory. We compile and link test.c to get the a.out binary executable, then create a user named test that is not in the admin group, so it has no w permission on the current directory. First, test as the admin user:

[admin@localhost test]$ ll -d .
drwxrwxr-x. 2 admin admin -- May -- --:-- .        # permissions of the current directory
[admin@localhost test]$ ll
-rwxrwxr-x. 1 admin admin 8608 May -- --:-- a.out
-rw-rw-r--. 1 admin admin  187 May -- --:-- test.c
[admin@localhost test]$ ./a.out                    # run a.out
[admin@localhost test]$ ll
-rwxrwxr-x. 1 admin admin 8608 May -- --:-- a.out
-rw-rw-r--. 1 admin admin  187 May -- --:-- test.c
-rw-rw-r--. 1 admin admin    0 May -- --:-- tmp    # the tmp file was created

Then delete the tmp file and run the program as the test user:

[admin@localhost test]$ rm -f tmp                  # delete the tmp file
[admin@localhost test]$ ll
-rwxrwxr-x. 1 admin admin 8608 May -- --:-- a.out
-rw-rw-r--. 1 admin admin  187 May -- --:-- test.c
[admin@localhost test]$ su - test                  # log in as the test user
Password:
[test@localhost test]$ ./a.out                     # run a.out
Segmentation fault (core dumped)                   # runtime error
[test@localhost test]$ ll
-rwxrwxr-x. 1 admin admin 8608 May -- --:-- a.out
-rw-rw-r--. 1 admin admin  187 May -- --:-- test.c  # no tmp file was created

Although the test user has x permission on a.out, running the program successfully, i.e. creating the tmp file, requires w permission on the current directory. Because the test user lacks w permission on the current directory, the program fails at runtime.
What if SUID is set on a.out? Let's test:

[test@localhost test]$ exit                        # log out of test, back to the admin user
exit
[admin@localhost test]$ chmod u+s a.out            # set SUID on a.out
[admin@localhost test]$ ll
-rwsrwxr-x. 1 admin admin 8608 May -- --:-- a.out  # set successfully
-rw-rw-r--. 1 admin admin  187 May -- --:-- test.c
[admin@localhost test]$ su - test                  # log in as the test user
Password:
[test@localhost test]$ ./a.out                     # run a.out: no error message
[test@localhost test]$ ll
-rwsrwxr-x. 1 admin admin 8608 May -- --:-- a.out
-rw-rw-r--. 1 admin admin  187 May -- --:-- test.c
-rw-rw-r--. 1 admin test     0 May -- --:-- tmp    # the tmp file was created successfully

Haha, it succeeds this time. Because a.out has SUID set, when test executes it the program runs with admin's permissions, and admin has w permission on the current directory, so the tmp file is created successfully. If you don't believe it, remove admin's w permission on the current directory and try whether the tmp file can still be created.
Changing your password relies heavily on SUID: an ordinary user has no permission to modify the shadow file, but because passwd has SUID set, an ordinary user running passwd modifies the shadow file indirectly, with the permissions of passwd's owner, and so gets the password changed.

Setgid (SGID)

When a binary file or directory has SGID set, its permissions look like this (here using the test directory I created myself):

[admin@localhost test]$ ll -d .
drwxrwsrwx. 2 admin admin 240 May 30 23:41 .

The group's x permission bit is a lowercase s.
SGID takes effect on binary programs and on directories. For a binary program with SGID set, the behaviour is similar to SUID, except that the ordinary user who runs it temporarily obtains the permissions of the program's group rather than those of the program's owner; this is not verified here.
When a directory has SGID set, a user who is not in the directory's group but has w permission on the directory will, on creating a new file there, get a file whose group is the directory's group:

[admin@localhost test]$ ll -d .
drwxrwxrwx. 2 admin admin -- May -- --:-- .        # no SGID yet
[admin@localhost test]$ su - test
Password:
[test@localhost test]$ touch testdoc               # the test user creates a new file
[test@localhost test]$ ll
-rw-rw-r--. 1 test test 0 May -- --:-- testdoc     # the new file's group is test, the group test belongs to
[test@localhost test]$ exit
exit
[admin@localhost test]$ chmod g+s .                # set SGID on the directory
[admin@localhost test]$ ll -d .
drwxrwsrwx. 2 admin admin -- May -- --:-- .
[admin@localhost test]$ su - test
Password:
[test@localhost test]$ touch newtestdoc            # the test user creates another new file
[test@localhost test]$ ll
-rw-rw-r--. 1 test admin 0 May -- --:-- newtestdoc # the new file's group is admin
-rw-rw-r--. 1 test test  0 May -- --:-- testdoc

SGID plays an important role in group collaboration.

Sticky bit (sbit)

Sbit is only valid for folders.
The /tmp directory is an example with sbit set:

drwxrwxrwt. -- root root -- May 30 23:59 tmp

The others' x bit is a lowercase t. So what does sbit do?
When a directory has sbit set, a user who has permission to create a new file (or directory) under it is, together with root, the only one who can delete, rename or move that new file (or directory); other users cannot, even if they have w permission on the directory:

[admin@localhost tmp]$ touch admindoc              # the admin user creates a new file
[admin@localhost tmp]$ chmod 777 admindoc          # give the new file full permissions
[admin@localhost tmp]$ su - test                   # log in as the test user
Password:
[test@localhost tmp]$ ll -d .
drwxrwxrwt. -- root root -- May -- --:-- .         # permissions of the current directory: the test user has w permission
[test@localhost tmp]$ ll admindoc                  # the file's permissions
-rwxrwxrwx. 1 admin admin 0 May -- --:-- admindoc
[test@localhost tmp]$ mv admindoc testdoc
mv: cannot move 'admindoc' to 'testdoc': Operation not permitted   # no permission
[test@localhost tmp]$ rm admindoc
rm: cannot remove 'admindoc': Operation not permitted              # no permission

The above is my understanding of setuid (SUID), Setgid (SGID) and sticky bit (sbit).
(Setuid and setgid can actually be analyzed from the perspective of process permissions)
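As an added example (not code from the original article), here is a small C program that renders st_mode the way ll shows it throughout this article, checks the /tmp rule (a world-writable directory needs the sticky bit), and reports whether the calling process is running with borrowed credentials, which is the process-permission view of setuid and setgid. The names mode_string, shared_dir_is_protected and has_borrowed_ids are my own, and the code also covers the uppercase S/T form that ls prints when a special bit is set without the matching x bit, which the article does not show.

```c
/* Added example, not from the article: decode st_mode as ls -l prints it,
 * plus the two checks the article's SUID and /tmp examples rely on. */
#define _XOPEN_SOURCE 700   /* keeps S_ISUID/S_ISGID/S_ISVTX visible on strict -std= builds */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* One rwx triplet; the x slot shows s/t (special bit + x) or S/T (special bit only). */
static void triplet(mode_t m, mode_t r, mode_t w, mode_t x, mode_t sp,
                    char lower, char upper, char *out)
{
    out[0] = (m & r) ? 'r' : '-';
    out[1] = (m & w) ? 'w' : '-';
    out[2] = (m & sp) ? ((m & x) ? lower : upper) : ((m & x) ? 'x' : '-');
}

/* "-rwsr-xr-x" for passwd, "drwxrwsrwx" for the SGID directory,
 * "drwxrwxrwt" for /tmp. out must hold 11 bytes. */
const char *mode_string(mode_t m, char out[11])
{
    out[0] = S_ISDIR(m) ? 'd' : S_ISREG(m) ? '-' : '?';
    triplet(m, S_IRUSR, S_IWUSR, S_IXUSR, S_ISUID, 's', 'S', out + 1);
    triplet(m, S_IRGRP, S_IWGRP, S_IXGRP, S_ISGID, 's', 'S', out + 4);
    triplet(m, S_IROTH, S_IWOTH, S_IXOTH, S_ISVTX, 't', 'T', out + 7);
    out[10] = '\0';
    return out;
}

/* The /tmp rule: a world-writable directory needs the sticky bit, or any
 * user can delete or rename everyone else's files in it. */
int shared_dir_is_protected(mode_t m)
{
    return S_ISDIR(m) && (!(m & S_IWOTH) || (m & S_ISVTX));
}
/* True when the process runs with borrowed credentials, which is what
 * executing a SUID/SGID binary gives it (the "process permissions" view). */
int has_borrowed_ids(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}
int main(int argc, char **argv)
{
    struct stat st; char buf[11];
    const char *path = argc > 1 ? argv[1] : "/tmp";
    if (stat(path, &st) != 0) { perror(path); return 1; }
    printf("%s %s protected=%d\n", mode_string(st.st_mode, buf), path,
           shared_dir_is_protected(st.st_mode));
    printf("uid=%u euid=%u borrowed=%d\n", (unsigned)getuid(),
           (unsigned)geteuid(), has_borrowed_ids());
    return 0;
}
```

Run it as ./a.out /bin/passwd or ./a.out . to compare its output with the ll lines above; if you chmod u+s the compiled binary as in the article and run it as another user, the borrowed flag becomes 1.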
