I've been working on the Samba service configuration today and deeply felt how difficult permission control is. The file permission mechanism is a major feature of Linux: in addition to the well-known read (r), write (w) and execute (x) permissions, there are three special permissions: setuid, setgid and the sticky bit.
1, setuid and setgid explained
Let's look at where they are used in the system, taking /etc/passwd and /usr/bin/passwd as examples:
[root@salve1 school]# ll /etc/passwd /usr/bin/passwd
-rw-r--r-- 1 root Apr 01:25 /etc/passwd
-rwsr-xr-x 1 root root 23420 Aug 2010 /usr/bin/passwd
[root@salve1 school]#
Looking at this, /etc/passwd has permissions -rw-r--r--, which means the owner of the file can read and write it, while group members and others can only read it. We know that to change a user's password, both root and ordinary users run /usr/bin/passwd someuser, and this command modifies /etc/passwd. The root user itself has write permission on /etc/passwd, so that is understandable; for the ordinary user it is setuid at work. setuid means "the user executing the command runs it with the permissions of the file's owner", so an ordinary user running passwd has root's permissions while it runs and can therefore modify /etc/passwd. Its marker is an s that appears in the owner's x position, for example -rwsr-xr-x. setgid has the same meaning, except that the user executing the file runs it with the permissions of the group the file belongs to.
2, sticky bit
Let's look at where it is used in the system, taking /tmp as an example:
[root@salve1 /]# ll -d /tmp
drwxrwxrwt root root 4096 Apr 02:06 /tmp
[root@salve1 /]#
We know /tmp is the system's temporary file directory: all users have full permissions in it, that is, they can create, modify and delete files there. If user A creates a file in the directory and user B deletes it, that is a situation we cannot allow. The sticky bit exists to prevent this. It applies to directories: when a directory has the sticky bit set, the files in it can be deleted or modified only by the file's creator and root. That is the role of the sticky bit on /tmp.
3, how to set these special permissions
chmod u+s XXX # set the setuid permission
chmod g+s XXX # set the setgid permission
chmod o+t XXX # set the sticky bit, for directories
chmod 4775 XXX # set the setuid permission
chmod 2775 XXX # set the setgid permission
chmod 1775 XXX # set the sticky bit, for directories
4, note: sometimes after you set the s or t permission you will find it shows as an uppercase S or T. That means the x (execute) permission is missing in that position, so the special bit is not effective. Give it x permission first, then set s or t.
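As an added example (not from the original post), the following script sets each special bit on throwaway files in a temporary directory and reads the resulting mode back with stat, so you can see the lowercase s/t versus the ineffective uppercase S/T described in the note above. It assumes GNU coreutils (stat -c); the file and directory names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: shows how ls/stat render the
# special bits and why an uppercase S or T means the bit is not effective.
# Assumes GNU coreutils (stat -c) and runs in a throwaway temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Symbolic mode as ls -l prints it, e.g. -rwsr-xr-x
mode_of() { stat -c %A "$1"; }
# setuid on a file that already has owner x: the x turns into a lowercase s
setuid_with_exec() {
    f="$WORK/with_x"; : > "$f"
    chmod 0755 "$f" && chmod u+s "$f"      # same result as chmod 4755
    mode_of "$f"
}
# setuid on a file whose owner lacks x: shown as uppercase S, i.e. not effective
setuid_without_exec() {
    f="$WORK/without_x"; : > "$f"
    chmod 0644 "$f" && chmod u+s "$f"      # same result as chmod 4644
    mode_of "$f"
}
# The fix the post describes: add x first, then the special bit
setuid_fixed() {
    f="$WORK/fixed"; : > "$f"
    chmod 0644 "$f" && chmod u+x "$f" && chmod u+s "$f"
    mode_of "$f"
}
# setgid on an executable: the group x becomes a lowercase s
setgid_with_exec() {
    f="$WORK/group_x"; : > "$f"
    chmod 2755 "$f"
    mode_of "$f"
}
# Sticky bit on a world-writable directory, the /tmp pattern:
# symbolic mode ends in t and the octal mode starts with 1
sticky_dir() {
    d="$WORK/shared"; mkdir -p "$d"
    chmod 1777 "$d"
    stat -c '%A %a' "$d"
}

# Running the file directly prints each mode for inspection
for fn in setuid_with_exec setuid_without_exec setuid_fixed setgid_with_exec sticky_dir; do
    printf '%-20s %s\n' "$fn" "$($fn)"
done
```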