Network Security Series 40: Setting set-bit permissions in Linux

Source: Internet
Author: User

Although ACLs add flexibility to permission settings, a Linux system still has only three basic permission types, and in some special cases these are not sufficient. Linux therefore provides several special additional permissions that give extra control over a file or directory: the set-bit permissions (SUID and SGID) and the sticky bit. This article describes the set-bit permissions.

Set-bit permissions are applied to executable program files or directories. SUID adds the set bit for the owner user, and SGID adds it for the owning group. When an executable file has SUID or SGID set, any user who executes the file obtains the permissions of the file's owner or owning group respectively.

The permission character for a set bit is "s". Set-bit permissions are also applied with the chmod command, using the "u+s" and "g+s" permission modes to set SUID and SGID respectively.

After SUID or SGID is set, viewing the file's attributes with the ls command shows the "x" in the corresponding position replaced by "s", indicating that the file is executed with the identity of its owner or owning group. Note that if that position originally held an "x" permission, the character shown after the command is a lowercase "s"; if the file had no "x" permission in that position, the set bit is displayed as an uppercase "S".

(1) Setting SUID

Example: view the attributes of the program file behind the passwd command.

[Email protected] ~]# ll /usr/bin/passwd

-rwsr-xr-x. 1 root root 30768 February 2012 /usr/bin/passwd

The permissions on /usr/bin/passwd are "rwsr-xr-x": the set bit sits in the first group, the owner's permissions, so it is SUID. When another user runs the passwd command, it is automatically executed as the file's owner, root.

SUID can only be set on executable files; it has no effect on directories.

Because SUID permissions change the effective user identity, they carry a certain security risk for the system, so it is generally not recommended to set SUID yourself. However, many executable files in the system have SUID set by default, and it is worth understanding why.

Common executable files in the system with SUID set include:

[Email protected] ~]# ll /bin/su

-rwsr-xr-x. 1 root root 34904 April 2012 /bin/su

[Email protected] ~]# ll /bin/mount

-rwsr-xr-x. 1 root root 76056 April 6 2012 /bin/mount

[Email protected] ~]# ll /bin/ping

-rwsr-xr-x. 1 root root 40760 March 2011 /bin/ping

Example: removing the SUID permission from /bin/ping:

[Email protected] ~]# chmod u-s /bin/ping

[Email protected] ~]# ll /bin/ping

-rwxr-xr-x 1 root root 37312 2009-04-24 /bin/ping
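The following script is an added example, not part of the original article: it reproduces the lowercase "s" versus uppercase "S" display described above on a throwaway file under a temporary directory (no system binaries are touched), and adds the check an administrator would run to inventory SUID files in a tree with find -perm -4000. The file name demo_bin and the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): show how the SUID bit is
# displayed and how to list SUID files under a directory tree.
# Everything is created under a temporary directory; nothing system-wide
# is modified.

# Print the symbolic mode string (e.g. -rwsr-xr-x) of a path.
mode_of() {
    stat -c %A "$1"
}

# Create a file under directory $1, set SUID while the owner has no execute
# bit (shown as uppercase S), then add execute (shown as lowercase s).
# Prints both mode strings separated by a space.
suid_display_demo() {
    f="$1/demo_bin"
    : > "$f"
    chmod 644 "$f"      # owner has rw- only
    chmod u+s "$f"      # SUID without x -> "S"
    before=$(mode_of "$f")
    chmod u+x "$f"      # SUID with x -> "s"
    after=$(mode_of "$f")
    printf '%s %s\n' "$before" "$after"
}

# Defender's inventory: regular files under $1 with the SUID bit (mode 4000).
# On a real host this is run against / (as root) and compared with a
# known-good baseline, so that a newly appearing SUID file stands out.
list_suid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Stand-alone run.
main() {
    tmp=$(mktemp -d)
    suid_display_demo "$tmp"
    list_suid_files "$tmp"
    chmod u-s "$tmp/demo_bin"      # same removal as shown for /bin/ping above
    list_suid_files "$tmp"         # prints nothing now
    rm -rf "$tmp"
}
main
```

The mode strings come from stat -c %A, which prints the same ten permission characters that ls -l shows (without the trailing "." that ls adds for a SELinux context). Setting the bit on a file you own needs no privilege, but if the temporary filesystem is mounted nosuid the kernel ignores the bit at execution time even though ls still displays it.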

(2) Setting SGID

If the set bit is applied to the second group of permission bits, those of the owning group, it is called SGID.

SGID can be set on an executable file or on a directory, but its meaning differs:

    • File: if SGID is set on a file, whoever runs it executes the program as a member of the file's owning group.

    • Directory: if SGID is set on a directory, files and subdirectories created within it automatically take the directory's owning group as their owning group.

In practice, SGID is typically used as a permission setting on directories.

For example, suppose the /home/test directory has owner student, owning group users and permissions 770. By default, the owner and owning group of a file created in that directory are those of the user who created it, as shown below.

[Email protected] ~]# ll -d /home/test

drwxrwx---. 2 student users 4096 December 2 21:46 /home/test

[Email protected] ~]# touch /home/test/file1

[Email protected] ~]# ll /home/test

total 0

-rw-r--r--. 1 root root 0 December 2 21:47 file1

After SGID is set on the /home/test directory, files created in it automatically take the directory's owning group, users, as their owning group, as shown below.

[Email protected] ~]# chmod g+s /home/test

[Email protected] ~]# ll -d /home/test

drwxrws---. 2 student users 4096 December 2 21:47 /home/test

[Email protected] ~]# touch /home/test/file2

[Email protected] ~]# ll /home/test

total 0

-rw-r--r--. 1 root root 0 December 2 21:47 file1

-rw-r--r--. 1 root users 0 December 2 21:50 file2

SGID permissions are widely used for collaborative work in production environments. When SGID is set on a directory, all files users create in that directory belong to the same group, so group members automatically have the appropriate permissions on those files, which makes it easy for members of the same group to modify files and exchange information.
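The /home/test walkthrough above, reproduced as an added example that is not part of the original article: it uses a temporary directory instead of /home/test and the calling user's own groups instead of student/users, creates one file before and one after chmod g+s, and compares each file's group with the directory's group. The file names file1 and file2 and the helper function names are constructed for the example; the directory is given a secondary group of the current user, if one exists, so that the difference is visible without root.

```shell
#!/bin/sh
# Added example (not from the original article): SGID on a directory makes
# new files inherit the directory's owning group. Runs in a temporary
# directory; no system path is modified.

group_of() { stat -c %G "$1"; }   # owning group name of a path
mode_of()  { stat -c %A "$1"; }   # symbolic mode string of a path

# Prepare directory $1 like /home/test in the article: mode 770, SGID
# cleared, and (where possible) a group other than the caller's primary
# group, so that inheritance is observable. Without a secondary group the
# directory keeps the primary group, which is the only case where the
# before/after output looks the same.
prepare_dir() {
    chmod 770 "$1"
    chmod g-s "$1"          # chmod 770 alone keeps an existing SGID bit on a directory
    for g in $(id -Gn); do
        if [ "$g" != "$(id -gn)" ]; then
            chgrp "$g" "$1" 2>/dev/null && break
        fi
    done
    return 0
}

# Create file $2 inside directory $1 and print its owning group.
group_of_new_file() {
    : > "$1/$2"
    group_of "$1/$2"
}

# Set SGID on directory $1 and print the 7th character of its mode string,
# the group execute position, which should now read 's'.
set_sgid_dir() {
    chmod g+s "$1"
    mode_of "$1" | cut -c7
}

# Stand-alone run mirroring the article's sequence.
sgid_demo() {
    dir=$(mktemp -d)
    prepare_dir "$dir"
    printf 'dir group      : %s (%s)\n' "$(group_of "$dir")" "$(mode_of "$dir")"
    printf 'file1 (no SGID): %s\n' "$(group_of_new_file "$dir" file1)"
    set_sgid_dir "$dir" >/dev/null
    printf 'dir mode now   : %s\n' "$(mode_of "$dir")"
    printf 'file2 (SGID)   : %s\n' "$(group_of_new_file "$dir" file2)"
    rm -rf "$dir"
}
sgid_demo
```

Two details matter when applying this to a shared project directory: a numeric chmod such as 770 does not clear an SGID bit that is already on a directory (use g-s explicitly), and a non-root user can only chgrp a directory to a group they belong to, otherwise the kernel also strips the SGID bit on the next chmod. The file's owner is still the creator in both cases; only the group changes.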

This article is from the "a pot of turbid wine" blog; please contact the author before reproducing it.
