Linux SUID, SGID and sticky bit explained

Source: Internet
Author: User
Tags: chmod

Introduction to SUID, SGID and the sticky bit:

Before looking at the special permission bits, first look at the concept of the security context.

Security context:
Which resources or files a process may access at run time does not depend on the owner or group of the program file, but on the uid/gid the process is running with. Normally that is the uid/gid of the user who ran the command, and the process obtains system resources under that identity.

Function of the special bits:
SUID: On an executable file, the process does not obtain resources as the user who started it, but runs with the identity of the file's owner (its effective uid becomes the owner's uid).
SGID: On an executable file, the process runs with the file's group, rather than the starting user's group, as its effective gid. On a directory, files created inside inherit the directory's group (see below).
STICKY: Usually set on directories, in particular world-writable ones (others have write permission too). With the sticky bit set, a user can delete or rename only the files they own (root and the directory's owner are exempt). The bit does not change what can be written to a file: whether you can edit another user's file in that directory is still decided by that file's own permission bits, not by the sticky bit.

How to set them:
#chmod u+s file
#chmod g+s file
#chmod o+t directory
Removing a special bit works the same way, e.g. #chmod u-s file.

How they appear in ls -l output:
SUID: shown in the x position of the u (owner) triplet. If the owner's execute bit is also set it appears as a lowercase s; if the execute bit is absent it appears as an uppercase S.
SGID: shown in the x position of the g (group) triplet: lowercase s when the group execute bit is set, uppercase S when it is not.
STICKY: shown in the x position of the o (others) triplet: lowercase t when the others' execute bit is set, uppercase T when it is not. An uppercase letter therefore means the special bit is set without the underlying execute bit.

Numeric representation:
The three special bits are written as an extra octal digit placed before the u/g/o digits: SUID = 4, SGID = 2, sticky = 1 (add them to combine several).

Example, on a regular file:
#chmod 4551 file   // permission shown as r-sr-x--x
#chmod 2551 file   // permission shown as r-xr-s--x
#chmod 1551 file   // permission shown as r-xr-x--t
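As an added example (not part of the original article), the following POSIX shell functions apply the rules above in both directions: mode_to_symbolic turns a numeric mode such as 4551 into the nine-character field that ls -l shows, placing s/S and t/T in the x positions, and symbolic_to_mode does the reverse. The function names and sample values are my own.

```shell
# Added example, not from the original article: convert between the numeric
# mode (special digit + u/g/o digits) and the symbolic form shown by ls -l.

# Expand one octal digit into its rwx triplet.
triplet() {
    case $1 in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
        *) return 1 ;;
    esac
}

# mode_to_symbolic 4551 -> r-sr-x--x ; a three-digit mode is accepted as well.
mode_to_symbolic() {
    m=$1
    case $m in
        [0-7][0-7][0-7]) m=0$m ;;
        [0-7][0-7][0-7][0-7]) ;;
        *) return 1 ;;
    esac
    special=${m%???}                 # leading digit: 4=SUID 2=SGID 1=sticky
    rest=${m#?}                      # the u/g/o digits
    ud=${rest%??}; od=${rest#??}; gd=${rest#?}; gd=${gd%?}
    u=$(triplet "$ud"); g=$(triplet "$gd"); o=$(triplet "$od")
    # Each special bit replaces the x position of its triplet: lowercase if
    # the execute bit underneath is set, uppercase if it is not.
    if [ $((special & 4)) -ne 0 ]; then
        case $u in *x) u=${u%x}s ;; *) u=${u%?}S ;; esac
    fi
    if [ $((special & 2)) -ne 0 ]; then
        case $g in *x) g=${g%x}s ;; *) g=${g%?}S ;; esac
    fi
    if [ $((special & 1)) -ne 0 ]; then
        case $o in *x) o=${o%x}t ;; *) o=${o%?}T ;; esac
    fi
    printf '%s%s%s\n' "$u" "$g" "$o"
}

# symbolic_to_mode r-sr-x--x -> 4551 (always prints four digits).
symbolic_to_mode() {
    s=$1
    [ "${#s}" -eq 9 ] || return 1
    special=0; digits=''
    for i in 1 2 3; do
        t=$(printf '%s' "$s" | cut -c"$((i * 3 - 2))-$((i * 3))")
        case $i in 1) bit=4 ;; 2) bit=2 ;; 3) bit=1 ;; esac
        v=0
        case $t in r??) v=$((v + 4)) ;; esac
        case $t in ?w?) v=$((v + 2)) ;; esac
        case $t in ??[xst]) v=$((v + 1)) ;; esac      # lowercase s/t imply x
        case "$i$t" in [12]??[sS]|3??[tT]) special=$((special + bit)) ;; esac
        digits="$digits$v"
    done
    printf '%d%s\n' "$special" "$digits"
}

mode_to_symbolic 4551       # r-sr-x--x
mode_to_symbolic 4451       # r-Sr-x--x  (SUID set, but the owner cannot execute)
symbolic_to_mode rwxrwxrwt  # 1777
```

The uppercase case is the one worth recognising in practice: a mode like 4451 means the SUID bit is set on a file its owner cannot even execute, which is almost always a mistake.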

Since SUID and SGID take effect when a program is executed (so the file's execute bit must be set), they are meaningful on executable regular files; SGID is meaningful on directories too (group inheritance, below), while Linux ignores SUID on a directory. Setting them on other kinds of files makes no sense. Two further caveats: Linux ignores SUID and SGID on scripts executed through a #! interpreter, and on any file system mounted with the nosuid option.

If the SUID bit is set on an executable file owned by root, every ordinary user who can execute the file runs it with an effective uid of 0 and obtains the corresponding system resources. This is necessary in some cases (passwd, for example, must update /etc/shadow, which ordinary users cannot write), but an unnecessary or buggy SUID root program is a direct path from an ordinary account to root, so the set of SUID root binaries on a system should be kept minimal and audited.

For a shared directory belonging to the group MYGRP: normally each user's new files get the user's own private primary group, even when created inside that directory. If the SGID bit is set on the directory, files created inside it get the directory's group (MYGRP) instead, because a new file then takes its group from the parent directory rather than from the creating process. Subdirectories created inside inherit the SGID bit as well, so the whole tree stays in the shared group.

For a world-writable directory with the sticky bit set, an ordinary user can delete or rename only their own files, not other users' files.
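The following is an added example, not code from the original article: a small POSIX shell audit that reports the three configurations discussed above, SUID files, SGID files, and world-writable directories that lack the sticky bit. It builds a constructed sample tree in a temporary directory so it can be run without root; to audit a real system pass / as the root (reading every directory may itself require root). The function names are my own.

```shell
# Added example, not from the original article: find SUID files, SGID files
# and world-writable directories without the sticky bit under a given root.

# Print "suid|sgid|nosticky <path>" for each finding under $1.
audit_special_bits() {
    root=$1
    find "$root" -xdev -type f -perm -4000 | sed 's/^/suid /'
    find "$root" -xdev -type f -perm -2000 | sed 's/^/sgid /'
    # writable by "others" (o+w) but missing the sticky bit (1000)
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 | sed 's/^/nosticky /'
}

# count_findings ROOT KIND  (KIND is suid, sgid or nosticky) -> number
count_findings() {
    audit_special_bits "$1" | grep -c "^$2 " || true
}

# Build a constructed sample tree under $1 that exercises every rule.
make_sample_tree() {
    d=$1
    mkdir -p "$d/bin" "$d/shared" "$d/dropbox" "$d/tmpdir"
    # A SUID script: Linux ignores SUID on #! scripts, but the bit is still
    # set on the inode and an audit should still report it.
    printf '#!/bin/sh\necho hi\n' > "$d/bin/setuid-prog"
    chmod 4755 "$d/bin/setuid-prog"
    : > "$d/bin/setgid-prog"
    chmod 2755 "$d/bin/setgid-prog"   # SGID file: reported
    chmod 2775 "$d/shared"            # SGID directory (group inheritance): not a finding
    chmod 777  "$d/dropbox"           # world-writable, no sticky bit: reported
    chmod 1777 "$d/tmpdir"            # world-writable with sticky bit, like /tmp: fine
}

# Stand-alone demonstration on the constructed tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
audit_special_bits "$demo_dir"       # one suid, one sgid, one nosticky line
rm -rf "$demo_dir"
```

On a real system the suid list is the one to compare against a known-good baseline: every entry is a program an unprivileged user can run with another identity, so anything that is not a standard package file (or that is writable by others) deserves a closer look.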

Sticky bit ----- the /tmp directory

It is generally used on directories.

Other users can create and write their own files in it, but cannot delete each other's files.

chmod 777 ABC

chmod +t ABC

is equivalent to chmod 1777 ABC.

That is, when a directory has the sticky bit set (with chmod a+t), a file under that directory can be deleted only by
1. the superuser,
2. the owner of the directory, or
3. the owner of the file.
In other words, even though the directory is writable by everyone, only the file's owner (plus the directory owner and root) can delete or rename it. /tmp is the classic case: every user must be able to create files there without being able to remove anyone else's.

SUID --- 4
SGID --- 2
Sticky bit --- 1


User management of processes in Linux (the relationship between a PID and its UIDs and GIDs). Every process carries a real user and group (uid, gid), an effective user and group (euid, egid), a saved set-user-ID and saved set-group-ID (often abbreviated suid, sgid; not to be confused with the SUID/SGID file bits above), and, on Linux only, a file-system user and group (fsuid, fsgid; other UNIX systems do not have these two fields). The role of each identity in the process:

(1) Real user and group (uid, gid): the true owner of the process. When a user logs in to a shell, the logged-in user becomes the real owner of the login process and of everything started from it. getuid() returns the real uid of the process; it can be changed with setuid(), setreuid() or setresuid() (seteuid() changes only the effective uid).

(2) Effective user and group (euid, egid): the identities used for permission checks. Whether an operation the process attempts is allowed is decided from its effective user (on Linux, since kernel 2.2, the finer-grained process capabilities model is layered on top of this: the process's capability sets decide which privileged operations are permitted; see Understanding the Linux Kernel, table 20-3). geteuid() returns the effective uid; it can be changed with setuid(), seteuid(), setreuid() or setresuid(). When a SUID program is executed, the effective uid becomes the file owner's uid while the real uid stays that of the user who ran it.

(3) File-system user and group (fsuid, fsgid): the identities used for file access checks. This is a Linux-specific addition; other UNIX systems check file access against the euid. There is no call to read the fsuid, and every call that changes the effective uid changes the fsuid along with it. To change the fsuid alone without touching the euid, call setfsuid(); it exists mainly for user-space file servers that act on behalf of other users, and in ordinary programs the fsuid always equals the euid.

(4) Saved set-user-ID and set-group-ID (suid, sgid): their main use is restoring the effective user. For an unprivileged process, setuid(), seteuid(), setreuid() and setresuid() may set the effective uid only to a value that is currently the real uid, the effective uid or the saved set-uid. So a program started through a SUID bit (effective uid and saved set-uid both equal to the file owner) can switch its effective uid to the real uid to do unprivileged work, and later switch back to the value kept in the saved set-uid. getresuid() returns the real, effective and saved set-uid together. One caveat when dropping privileges permanently: if the effective uid is 0, setuid(uid) sets the real, effective and saved set-uid all at once and the drop cannot be reversed, whereas seteuid(uid) leaves the saved set-uid at 0 and the process can regain root later.
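As an added example, not from the original article: on Linux the four identities described above are exposed for every process in /proc/<pid>/status as "Uid: real effective saved fs" (and a matching Gid: line). The POSIX shell functions below read those fields and classify a process as plain, elevated (effective uid differs from real uid) or regainable (effective uid already equals the real uid, but the saved set-uid still differs, so the process can switch back), which is exactly the distinction in point (4). The sample status texts are constructed; the live scan assumes a Linux /proc and the function names are my own.

```shell
# Added example, not from the original article: read real/effective/saved/fs
# uids from /proc/<pid>/status and classify the process's credential state.

# Print "real effective saved fs" for the given key ("Uid:" or "Gid:"),
# reading a /proc/<pid>/status document from stdin.
cred_fields() {
    awk -v key="$1" '$1 == key { print $2, $3, $4, $5; exit }'
}

# Classify the process whose status document is on stdin:
#   plain      - real, effective and saved uid all agree
#   regainable - effective uid equals the real uid, but the saved set-uid
#                differs, so seteuid() can switch back to it (privileges
#                were only dropped temporarily)
#   elevated   - effective uid differs from the real uid right now (a
#                set-user-ID program, or setuid()/seteuid() in effect)
cred_state() {
    set -- $(cred_fields "Uid:")
    [ "$#" -eq 4 ] || { echo unknown; return 1; }
    if [ "$1" != "$2" ]; then
        echo elevated
    elif [ "$1" != "$3" ]; then
        echo regainable
    else
        echo plain
    fi
}

# Walk a live Linux system and list every process that is not "plain".
# Output: pid state name real effective saved fs
scan_proc() {
    [ -d /proc ] || return 0
    for s in /proc/[0-9]*/status; do
        state=$(cred_state < "$s" 2>/dev/null) || continue
        if [ "$state" = plain ]; then continue; fi
        pid=${s#/proc/}; pid=${pid%/status}
        name=$(awk '$1 == "Name:" { print $2; exit }' "$s" 2>/dev/null)
        printf '%s %s %s %s\n' "$pid" "$state" "$name" \
            "$(cred_fields "Uid:" < "$s" 2>/dev/null)"
    done
}

# Constructed samples of the relevant /proc/<pid>/status lines (the kernel
# separates the fields with tabs; awk accepts spaces or tabs).
SAMPLE_PLAIN='Name: shell
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000'
# A SUID-root program such as passwd, started by uid 1000.
SAMPLE_ELEVATED='Name: passwd
Uid: 1000 0 0 0
Gid: 1000 1000 1000 1000'
# The same program after seteuid(getuid()): effective uid back to 1000 for
# unprivileged work, but the saved set-uid is still 0, so it can return to root.
SAMPLE_DROPPED='Name: passwd
Uid: 1000 1000 0 1000
Gid: 1000 1000 1000 1000'

printf '%s\n' "$SAMPLE_ELEVATED" | cred_state   # elevated
printf '%s\n' "$SAMPLE_DROPPED" | cred_state    # regainable
scan_proc
```

On a typical system scan_proc prints little or nothing; an unexpected "elevated" entry owned by an ordinary user's real uid is a SUID program (or something that called setuid) running under that account and is worth identifying.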

