"Linux Learning 014" Special permissions

Source: Internet
Author: User

I. Special permissions

There are actually four groups of permission bits, twelve bits in total. The umask command shows the mask that corresponds to these twelve bits, and the leading three bits (the first octal digit) are the special-permission bits.

The three special permissions are SUID, SGID and Sbit (the sticky bit).

II. SUID

Once a program file carries this permission, the process started from it runs as the owner of the program file rather than as the user who launched it.

chmod u+s FILENAME    : add the SUID permission to the file
chmod u-s FILENAME    : remove the SUID permission from the file

An illustration of what the SUID permission does:

The passwd command file itself has SUID permissions:

[Screenshot from 2016-02-10 20-16-54.png: permissions of the passwd command file]

Both ordinary users and the administrator can use this command to change their password. Changing a password really only means modifying the contents of the /etc/shadow file, so look at the permissions of /etc/shadow:

[Screenshot from 2016-02-10 20-20-54.png: permissions of the /etc/shadow file]

You can see that only the administrator has permission to modify the contents of the file; an ordinary user has no write permission on it. How, then, can an ordinary user use the passwd command to modify this file?

The answer is that the /usr/bin/passwd file has the SUID permission, and that is what lets ordinary users modify /etc/shadow. When the passwd command runs, the owner of the corresponding process is not the user who launched it but the owner of /usr/bin/passwd, that is, root. The owner of the /etc/shadow file is also root and has write permission on it, so the passwd process is allowed to modify /etc/shadow, and an ordinary user's password change succeeds.

III. SGID

When a program file has this permission, the process started from it runs with the group of the program file itself, not with the primary group of the user who launched it.

chmod g+s FILENAME    : add the SGID permission to the file
chmod g-s FILENAME    : remove the SGID permission from the file

In practice the SGID permission is most often added to a directory: once a directory carries it, files created in that directory by any user belong to the directory's group rather than to the group of the user who created them.

    root@HOST:/tmp/test# chmod g+s .
    root@HOST:/tmp/test# chmod o+w .
    root@HOST:/tmp/test# ll
    drwxr-srwx  2 root  root 4096 Feb 10 20:36 ./
    drwxrwxrwt    root  root 4096 Feb 10 20:35 ../
    root@HOST:/tmp/test# touch a.root
    root@HOST:/tmp/test# su user1
    user1@HOST:/tmp/test$ touch a.user1
    user1@HOST:/tmp/test$ exit
    exit
    root@HOST:/tmp/test# su user2
    user2@HOST:/tmp/test$ touch a.user2
    user2@HOST:/tmp/test$ exit
    exit
    root@HOST:/tmp/test# ll
    total 8
    drwxr-srwx  2 root  root 4096 Feb 10 20:39 ./
    drwxrwxrwt    root  root 4096 Feb 10 20:35 ../
    -rw-r--r--  1 root  root    0 Feb 10 20:36 a.root
    -rw-rw-r--  1 user1 root    0 Feb 10 20:38 a.user1
    -rw-rw-r--  1 user2 root    0 Feb 10 20:39 a.user2
    root@HOST:/tmp/test#

As can be seen, all three files created by the three users belong to the directory's group, root. The benefit is that when every user's files share one group, changing that group's permissions is enough to change every user's access to the directory and its subdirectories in a single step, which is quite useful in real project development.

IV. Sbit

When a public directory has this permission, every user can create and delete their own files in that directory, but cannot delete other users' files.

chmod o+t DIRECTORY    : add the Sbit permission to the directory
chmod o-t DIRECTORY    : remove the Sbit permission from the directory

This is in fact very common: the /tmp directory has the Sbit permission, so every user can add and delete their own files there but cannot delete other people's files.
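The three bits from sections I to IV can be audited rather than just set. The script below is an added example, not code from the original post: it builds a constructed lab tree, sets each special bit once, then lists every entry under the tree that carries one and decodes the leading octal digit. It assumes GNU find and stat on Linux (stat -c '%a' prints the octal mode).

```shell
# Added example (not from the original post). Assumes GNU find/stat on Linux.

# Name the special bits in the leading digit of an octal mode such as 4755.
describe_special() {
    case "$1" in ????) d=${1%???} ;; *) d=0 ;; esac   # 3-digit mode: nothing set
    out=""
    [ $((d & 4)) -ne 0 ] && out="${out}suid "
    [ $((d & 2)) -ne 0 ] && out="${out}sgid "
    [ $((d & 1)) -ne 0 ] && out="${out}sticky "
    out=${out% }
    printf '%s\n' "${out:-none}"
}

# List every entry under $1 with SUID, SGID or the sticky bit set, one per
# line as "<octal> <bits> <path>". find's -perm -NNNN matches only when ALL
# listed bits are set, so each bit is tested on its own and OR-ed together.
find_special() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) \
        -exec stat -c '%a %n' {} \; | sort |
    while read -r mode path; do
        printf '%s %s %s\n' "$mode" "$(describe_special "$mode")" "$path"
    done
}

# Number of entries under $1 that carry any special bit.
count_special() {
    find_special "$1" | wc -l | tr -d ' '
}

# Constructed lab tree in a temp dir (nothing here is a real system binary);
# prints the tree's path so the caller can audit and then remove it.
make_lab() {
    lab=$(mktemp -d)
    mkdir "$lab/shared" "$lab/public"
    : > "$lab/runner"
    chmod 4755 "$lab/runner"     # SUID file: would run as the file's owner
    chmod 2775 "$lab/shared"     # SGID dir: new files inherit its group
    chmod 1777 "$lab/public"     # sticky dir: only owners may delete, like /tmp
    printf '%s\n' "$lab"
}
```

Running find_special against / with the same -perm tests is the usual way to inventory SUID and SGID programs on a host.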

1. First create the /tmp/test directory as root and give others write permission on it:

    root@HOST:/tmp# mkdir test
    root@HOST:/tmp# chmod o+w ./test/

2. Switch users and create a file as each one:

    root@HOST:/tmp/test# su user1
    user1@HOST:/tmp/test$ touch a.user1
    user1@HOST:/tmp/test$ exit
    exit
    root@HOST:/tmp/test# su user2
    user2@HOST:/tmp/test$ touch a.user2
    user2@HOST:/tmp/test$ exit
    exit
    root@HOST:/tmp/test# ll
    total 8
    drwxr-xrwx  2 root  root  4096 Feb 10 20:59 ./
    drwxrwxrwt    root  root  4096 Feb 10 20:59 ../
    -rw-rw-r--  1 user1 user1    0 Feb 10 20:59 a.user1
    -rw-rw-r--  1 user2 user2    0 Feb 10 20:59 a.user2

3. Try to delete the file created by user2 as user1:

    root@HOST:/tmp/test# su user1
    user1@HOST:/tmp/test$ rm a.user2
    rm: remove write-protected regular empty file 'a.user2'? y
    user1@HOST:/tmp/test$ ls
    a.user1
    user1@HOST:/tmp/test$

The result is that the file is deleted. Once the Sbit permission is added to the directory, however, it is a different matter: user1 can no longer delete user2's file:

    root@HOST:/tmp/test# chmod o+t /tmp/test/
    root@HOST:/tmp/test# ll
    total 8
    drwxr-xrwt 2 root  root  4096 Feb 10 20:59 ./
    drwxrwxrwt   root  root  4096 Feb 10 21:06 ../
    -rw-rw-r-- 1 user1 user1    0 Feb 10 20:59 a.user1
    root@HOST:/tmp/test# rm *
    root@HOST:/tmp/test# ll
    total 8
    drwxr-xrwt 2 root root 4096 Feb 10 21:06 ./
    drwxrwxrwt   root root 4096 Feb 10 21:06 ../
    root@HOST:/tmp/test# su user1
    user1@HOST:/tmp/test$ touch a.user1
    user1@HOST:/tmp/test$ exit
    exit
    root@HOST:/tmp/test# su user2
    user2@HOST:/tmp/test$ touch a.user2
    user2@HOST:/tmp/test$ exit
    exit
    root@HOST:/tmp/test# su user1
    user1@HOST:/tmp/test$ rm a.user
    a.user1  a.user2
    user1@HOST:/tmp/test$ rm a.user2
    rm: remove write-protected regular empty file 'a.user2'? y
    rm: cannot remove 'a.user2': Operation not permitted
    user1@HOST:/tmp/test$



This article is from the "stolen A Plum blog" blog; please be sure to keep this source: http://kdyzm.blog.51cto.com/8316029/1741479
