We know that in Linux the root administrator has very broad permissions: root can run most programs and commands and make the corresponding changes to files, including writes. Of course, these abilities belong only to the root account. Yet there is a curious phenomenon: some ordinary users can change their own password with the passwd command, and in doing so indirectly modify the /etc/passwd file. The normal rule is that ordinary users cannot modify /etc/passwd. What the ordinary user is actually relying on here is the SUID permission. There are also SGID and the sticky bit. Let us lift the veil.

1. First, the magic of SUID permissions

As mentioned above, ordinary users can use passwd to indirectly modify /etc/passwd, so let us first confirm the permission attributes of the passwd command:

(screenshot: `ls -l` output for the passwd binary)

See, passwd exists at this path; it is an external command. Notice the s in the owner's permissions: this s occupies the place of the x (execute) bit and implies execute, and it can be inherited by ordinary users. Put simply, whatever permissions root, the owner of passwd, has, a user who executes passwd temporarily inherits the corresponding permissions of the root account, which is why an ordinary user can modify the user account file. Remember that this inheritance applies only while the passwd command itself is running.

SUID setup methods:
Mode method: chmod u+s <the executable program>.
Number method: chmod 4<original permissions of the executable> (for example 4755 for a program that was 755); SUID permission is independent of the normal permissions.

Summary of SUID:
(1) SUID is generally used on binary files and generally has no effect on directories.
(2) When an ordinary user executes a program that has SUID set, the user inherits the permissions of the program's owner.
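The following script is an added example, not code from the original post: it checks, sets and audits the SUID bit on a throwaway copy of a script in a temp directory (never on /usr/bin/passwd itself). It assumes GNU coreutils (`stat -c`, `find -perm`) on Linux.

```shell
#!/bin/sh
# Added example, not from the original post: inspect, set and audit the setuid
# bit on a throwaway file, so /usr/bin/passwd is never touched.
# Assumes GNU coreutils (stat -c, find -perm) on Linux.

# 0 if the setuid bit (octal 4000) is set; stat prints e.g. 4755 for passwd.
has_suid() {
    case "$(stat -c %a "$1")" in
        [4567]???) return 0 ;;
        *)         return 1 ;;
    esac
}

# What ls -l shows in the owner's execute slot: x, s (setuid + execute)
# or a capital S (setuid set but execute missing, so it is useless).
owner_exec_flag() { ls -l "$1" | cut -c4; }

# The two forms the post describes: symbolic, and numeric with 4 prefixed
# to the original mode (here 755).
suid_symbolic() { chmod u+s "$1"; }
suid_numeric()  { chmod 4755 "$1"; }

# Defender's audit: every setuid regular file below a path, one per line.
# Run on / it lists the programs whose owner's privileges callers inherit.
list_suid() { find "$1" -xdev -type f -perm -4000 2>/dev/null | sort; }

# Demo on a constructed file in a temp dir.
demo_suid() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hello\n' > "$d/tool"
    chmod 755 "$d/tool"
    suid_symbolic "$d/tool"
    echo "symbolic: $(stat -c %a "$d/tool") $(owner_exec_flag "$d/tool")"
    chmod 755 "$d/tool"
    suid_numeric "$d/tool"
    echo "numeric:  $(stat -c %a "$d/tool") $(owner_exec_flag "$d/tool")"
    chmod 4644 "$d/tool"
    echo "no x bit: $(stat -c %a "$d/tool") $(owner_exec_flag "$d/tool")"
    echo "audit:    $(list_suid "$d")"
    rm -rf "$d"
}

demo_suid
```

Both setting forms produce mode 4755; the capital S case shows why the execute bit must also be present for SUID to mean anything.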
The above is the introduction to SUID.

2. The magic of SGID
SGID permission is mainly used on directories, typically for group projects. For example, set up a dedicated directory for a group so that its members can develop in it and use the files, and every newly created file belongs to that group. That makes the team efficient and easy to manage. Such a good idea, but how is it achieved? This is where the SGID permission comes in.
SGID setting methods:
Mode method: chmod g+s <the directory or executable file>.
Number method: chmod 2<original directory permissions>; SGID permission is likewise independent of the original permissions.
For example:
First look at the owner of this directory and the directory's permissions:
(screenshot: directory listing)
This directory belongs to the group root, so new files in it also belong to root. The group has r-x permissions, so team members can view and access the files inside and carry out related operations.
Next, set SGID on the directory, change its owning group, and create a new file to see the effect.
First set SGID:
(screenshot: setting SGID on the directory)
The permissions have changed: there is an extra s, indicating that the directory has SGID permission.
(screenshot: changing the directory's group)
Change the owning group of the directory so that every file created next is automatically assigned the group to which the directory belongs.
Look at the effect:
(screenshot: creating a new file and listing it)
Look: the new file automatically gets the group the directory belongs to, which greatly improves users' use of the files. You can add many members to the Haoxianwang group; it is easy to see how convenient and efficient this is.
Summary of SGID:
(1) Acting on a directory: when new files or folders are created in the directory, they automatically get the directory's owning group as their own group.
(2) It can also take effect on binary files, but that is seldom used.
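The following script is an added example, not code from the original post: it builds the team directory described above (chgrp to the team group, then SGID via the numeric form 2770) in a temp location and shows that a file created inside inherits the directory's group, while a plain directory hands out the creator's primary group. It assumes GNU coreutils (`stat -c`) on Linux and picks a group the current user already belongs to.

```shell
#!/bin/sh
# Added example, not from the original post: build the team directory the
# post describes and verify that files created in it inherit its group.
# Assumes GNU coreutils (stat -c) on Linux.

# 0 if the setgid bit (octal 2000) is set on the path.
has_sgid() {
    case "$(stat -c %a "$1")" in
        [2367]???) return 0 ;;
        *)         return 1 ;;
    esac
}

# Name of the group that owns a path.
file_group() { stat -c %G "$1"; }

# Pick a group the current user belongs to: a named supplementary group if
# there is one (so the inheritance is visible), otherwise the primary group.
pick_group() {
    primary=$(id -gn)
    for g in $(id -Gn); do
        case "$g" in *[!0-9]*) ;; *) continue ;; esac   # skip unnamed gids
        if [ "$g" != "$primary" ]; then echo "$g"; return 0; fi
    done
    echo "$primary"
}

# The post's steps: create the directory, chgrp it to the team group, then
# set SGID. 2770 is the numeric form: 2 prefixed to rwxrwx--- (chmod g+s).
make_team_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2770 "$1"
}

# Create an empty file in a directory and report the group it received.
group_of_new_file() {
    : > "$1/$2"
    file_group "$1/$2"
}

# Demo: a setgid team directory next to a plain one, in a temp location.
demo_sgid() {
    t=$(mktemp -d)
    make_team_dir "$t/team" "$(pick_group)"
    mkdir "$t/plain"
    echo "team  $(stat -c '%a %G' "$t/team"): file group $(group_of_new_file "$t/team" a)"
    echo "plain $(stat -c '%a %G' "$t/plain"): file group $(group_of_new_file "$t/plain" a)"
    rm -rf "$t"
}

demo_sgid
```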
3. The effect of the sticky bit

Sticky permission only works on directories, and it only affects other users (other). The sticky bit actually plays a safety role. If a directory grants read, write and execute permissions, then anyone can delete files in that directory, even files on which they have no write or execute permission themselves. This is where the sticky bit shows its value: with it, everyone can only create their own files and delete their own files; other people's files cannot be touched.
Without further ado!
Set sticky permission on the directory, so the security of the directory is higher.
Now we try to delete a file. I have given the file read, write and execute permissions, and the directory also has execute permission; let's see what happens when we delete the file.
You can see that the deletion is not allowed. This greatly improves the security of the files.
To summarize:
The sticky bit permission is for directories only and only takes effect on directories.
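The following script is an added example, not code from the original post: it sets the sticky bit on a shared directory with the numeric form 1777 and encodes the deletion rule described above as a small check, so you can see who may remove a file without needing a second login. It assumes GNU coreutils (`stat -c`, `id -u`) on Linux; `may_unlink` is a simplified model that ignores capabilities and ACLs and assumes the directory itself is writable, as in the example above.

```shell
#!/bin/sh
# Added example, not from the original post: set the sticky bit on a shared
# directory and apply the deletion rule it enforces to a given user id.
# Assumes GNU coreutils (stat -c, id -u) on Linux.

# 0 if the sticky bit (octal 1000) is set; /tmp normally reports 1777.
has_sticky() {
    case "$(stat -c %a "$1")" in
        [1357]???) return 0 ;;
        *)         return 1 ;;
    esac
}

# What ls -ld shows in the "other" execute slot: x, t, or a capital T
# (sticky set but others lack execute).
other_exec_flag() { ls -ld "$1" | cut -c10; }

# Numeric form from the post: 1 prefixed to rwxrwxrwx, same as chmod o+t.
make_sticky_dir() { mkdir -p "$1"; chmod 1777 "$1"; }

# Decide whether user UID may delete FILE in DIR under the rule described
# above: with the sticky bit, only the file's owner, the directory's owner or
# root may unlink it, whatever the file's own rwx bits say. Without it,
# write+execute on the (here world-writable) directory is enough for anyone.
# Prints "allowed" or "denied". Simplified: capabilities and ACLs ignored.
may_unlink() {
    uid=$1; dir=$2; file=$3
    if ! has_sticky "$dir"; then echo allowed; return 0; fi
    if [ "$uid" = 0 ] || [ "$uid" = "$(stat -c %u "$file")" ] \
       || [ "$uid" = "$(stat -c %u "$dir")" ]; then
        echo allowed
    else
        echo denied
    fi
}

# Demo: a 777 file inside a sticky directory is still off-limits to others.
demo_sticky() {
    t=$(mktemp -d)
    make_sticky_dir "$t/share"
    : > "$t/share/mine"; chmod 777 "$t/share/mine"
    echo "dir mode $(stat -c %a "$t/share"), ls flag $(other_exec_flag "$t/share")"
    echo "owner:   $(may_unlink "$(id -u)" "$t/share" "$t/share/mine")"
    echo "other:   $(may_unlink 12345 "$t/share" "$t/share/mine")"   # constructed uid
    rm -rf "$t"
}

demo_sticky
```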
Okay, that is the basic introduction.
I have only just set foot on this road; where my knowledge falls short, I ask the experts to guide me.
Thank you all for reading!
Linux talking about the effect of suid,sgid,sticky sticky bits on directories and files