To work with file and directory permissions in Linux, you should already know the normal rwx permissions. Let's take a look at the following two sets of permissions.
The permissions of the /tmp directory and the passwd file look strange: how do they come to have s and t permissions? Read on and you will understand.
1 SUID
When s appears in the x position of the file owner's permissions, as in the -rwsr-xr-x permissions of the /usr/bin/passwd file seen above, it is called Set UID, abbreviated SUID. What restrictions and functions does SUID have for a file?
SUID permissions are valid only for binary executables
The executor must have x permission on the file
This permission is valid only while the file is being executed
The executor obtains the permissions of the file's owner
For example, a normal user changes his or her own password with passwd, which in effect ultimately modifies the /etc/passwd file. This is the user management configuration file, and it can only be changed with root permissions.
Since only the root user has this permission, why can we change our password through the passwd command? It is because passwd has the SUID permission bit set.
At this point, an ordinary user who executes the passwd command temporarily obtains root permissions and indirectly modifies /etc/passwd, and so is able to change his or her own password.
2 SGID
When s appears in the x position of the owning group's permissions on a directory or file, it is called Set GID, abbreviated SGID. What functions does SGID have for files and for directories?
2.1 SGID on a directory
Users can enter this directory if they have r and x permissions for it
The user's effective group within this directory becomes the group of the directory
If the user has w permission in this directory (and can therefore create new files), new files created by the user will have the same group as the directory
2.2 SGID on a file
SGID is valid for binary executable files
The executor of the program must have x permission on the file
During execution, the executor obtains the support of the file's group (used to change the permissions of the file's group)
3 SBIT
When t appears in the x position of the other users' permissions on a directory, it is called the sticky bit, abbreviated SBIT. What restrictions and functions does SBIT have?
Valid only for directories, not for files
When a user creates a file or directory under that directory (with permission to do so), only that user and root have the right to delete the newly created directory or file
We know that the /tmp directory has this permission.
Now let's verify this: use the root account to create a file named test in the /tmp directory, then use mrj (another account) to enter the directory and delete the test file, and see what happens.
We see that the file cannot be deleted, because the /tmp directory has the SBIT permission.
4 How to operate SUID, SGID, SBIT
These flags are manipulated with the same command used to manipulate ordinary file permissions: chmod. There are two ways to do this:
(1) Changing permissions in symbolic form
chmod u+s testbin: add the setuid flag to the testbin file
chmod g+s testdir: add the setgid flag to the testdir directory
chmod o+t testdir: add the sticky flag to the testdir directory
(2) Changing permissions in numeric form
Octal mode is used. Ordinary file permissions are given by three octal digits, such as 666, 777, 644, and so on. To set these special flags, one more octal digit is added in front of those three, such as 4666, 2777 and so on. The meaning of the three bits of this extra octal digit is as follows:
abc
a: the setuid bit. If this bit is 1, setuid is set (octal value 4)
b: the setgid bit. If this bit is 1, setgid is set (octal value 2)
c: the sticky bit. If this bit is 1, sticky is set (octal value 1)
After you set these flags, you can use ls -l to view them. If these flags are present, they are displayed in the position of the original execute flag. For example:
rwsrw-r-- indicates a setuid flag.
rwxrwsrw- indicates a setgid flag.
rwxrw-rwt indicates a sticky flag.
So where did the original execute flag x go? The system specifies that if there is an x in that position, these special flags are shown as lowercase letters (s, s, t). Otherwise, they are shown as uppercase letters (S, S, T).
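The following shell script is an added example, not part of the original article: it sets the flags numerically with chmod on constructed files in a scratch directory, then decodes each ls -l mode string back into the leading octal digit and reports flags that are set without x (uppercase S or T). The function names and file names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: decode the special bits from an ls -l mode string and
# check the result against files created with chmod in a scratch directory.

# mode_string PATH: print the 10-character type+permission field of ls -ld.
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# special_bits MODE: print the leading octal digit (4=setuid, 2=setgid,
# 1=sticky, summed), followed by a note for each flag set without x (S or T).
special_bits() {
    mode=$1 digit=0 notes=""
    u=$(printf '%s' "$mode" | cut -c4)    # owner x position
    g=$(printf '%s' "$mode" | cut -c7)    # group x position
    o=$(printf '%s' "$mode" | cut -c10)   # other x position
    case $u in s) digit=$((digit + 4)) ;; S) digit=$((digit + 4)); notes="$notes setuid-without-x" ;; esac
    case $g in s) digit=$((digit + 2)) ;; S) digit=$((digit + 2)); notes="$notes setgid-without-x" ;; esac
    case $o in t) digit=$((digit + 1)) ;; T) digit=$((digit + 1)); notes="$notes sticky-without-x" ;; esac
    printf '%s%s\n' "$digit" "$notes"
}

# audit_dir DIR: list entries directly under DIR that carry any special bit.
audit_dir() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        m=$(mode_string "$f")
        b=$(special_bits "$m")
        [ "${b%% *}" = 0 ] || printf '%s %s %s\n' "$m" "$b" "${f##*/}"
    done
}

# demo: build constructed sample files and audit them.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/testbin"; : > "$d/noexec"; mkdir "$d/testdir" "$d/shared"
    chmod 4755 "$d/testbin"   # setuid with x  -> rwsr-xr-x
    chmod 4644 "$d/noexec"    # setuid, no x   -> rwSr--r--
    chmod 1777 "$d/testdir"   # sticky with x  -> rwxrwxrwt
    chmod 2770 "$d/shared"    # setgid dir     -> rwxrws---
    audit_dir "$d"
    rm -rf "$d"
}
demo
```

An uppercase S on a regular file, as on noexec here, means the setuid bit is set on something nobody can execute, which is usually a sign of a mistaken chmod and worth flagging in a permissions review.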
Linux Special Permissions SUID, SGID, SBIT