Special Linux permissions: SUID, SGID, SBIT


SUID:
Valid only for binary executables: Linux ignores the bit on interpreted scripts (anything started through a #! line) and on filesystems mounted with nosuid.
The user running the program must have x permission on it.
While the program runs, the process has the effective UID of the program's owner rather than of the user who started it.
For example:
A common user runs the passwd command.
First find the absolute path of the passwd command (which passwd), then look at its permissions (ls -l on that path):
The owner of passwd is root, and in the owner column an s appears where the x would normally be. This shows that the command has the SUID bit set.
Changing a password means writing to a file, and the common user has no w permission on the file involved, so on the mode bits alone the command should not be able to do its job.
Specifically, passwd writes to /etc/shadow, because that is where the password hashes are kept. Look at that file's permissions:
On the system in the original screenshots the mode is 000 (ls shows ----------; Debian-derived systems use 640 with group shadow instead). Either way a normal user can neither read nor write it. Root is not bound by these bits: it can read and write any file and enter any directory whatever the mode says (it can execute a file only if at least one x bit is set).
However, because passwd has the SUID bit, when a common user runs it the process the system creates has the effective UID of the owner of /usr/bin/passwd, that is, root, and so it can write /etc/shadow.
To watch this happen, run passwd and, at the password prompt, press CTRL+Z to suspend it instead of typing a password.
Then view the process tree (pstree -u, or ps -o user,pid,cmd):
The passwd process is running as root, not as the common user (pstar in the screenshots)!

SGID:
For files:
SGID is meaningful for binary executables (the same script and nosuid caveats as for SUID apply).
The user running the program must have x permission on it.
While the program runs, the process has the effective GID of the program's group, as if the user had temporarily been added to that group.
For example:
A common user runs the locate command (the original showed the ls -l output as an image; on CentOS the binary is /usr/bin/locate, owned by root with group slocate).
In the group column an s appears where the x would normally be, which shows that the command has the SGID bit set. Common users have only x on the binary, not r or w.
The locate command actually reads the database file /var/lib/mlocate/mlocate.db.
That file grants common users no permission at all (it is readable only by its owner and its group, slocate), so on the mode bits alone a normal user could not make locate do anything useful.
However, because locate has the SGID bit, the process created when the user runs it has the effective GID of the binary's group. It is as if the user (pstar) had been temporarily added to the slocate group.
So the process has the group's r permission on mlocate.db and can read it!
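The reasoning in the passwd/shadow and locate/mlocate.db examples above can be done mechanically from the mode bits. The script below is an added example, not part of the original article: it reads the owner, group and mode of a binary and of a data file with GNU stat, applies the SUID/SGID rule to work out the effective UID/GID of a process running the binary, and reports which permission class of the data file applies and whether it grants read access. The reader and secret.db files and the caller's uid/gid are constructed for the demo; supplementary groups, ACLs and capabilities are ignored, exactly as in the article's hand reasoning.

```shell
#!/bin/sh
# Added example (not from the original article): predict which permission
# class of a data file applies to a process that runs a given binary, taking
# SUID and SGID into account. Needs GNU stat(1). All files, names and the
# caller uid/gid used in demo() are constructed for this demo.

# mode_info PATH -> "uid gid mode", mode as four octal digits (4755, 0644, ...)
mode_info() {
    set -- $(stat -c '%u %g %a' "$1")
    printf '%s %s %04d\n' "$1" "$2" "$3"
}

# predict_access BIN DATAFILE CALLER_UID CALLER_GID
# Prints "<class> <yes|no>": the permission class (root/owner/group/other) of
# DATAFILE that applies to a process started by CALLER running BIN, and
# whether that class grants read access. Plain owner/group/other check only.
predict_access() {
    bin=$1; data=$2; euid=$3; egid=$4
    set -- $(mode_info "$bin");  buid=$1; bgid=$2; bmode=$3
    set -- $(mode_info "$data"); duid=$1; dgid=$2; dmode=$3
    special=$(printf %s "$bmode" | cut -c1)
    # SUID (4): the process gets the binary owner's uid
    [ $((special & 4)) -ne 0 ] && euid=$buid
    # SGID (2): the process gets the binary's group as its gid
    [ $((special & 2)) -ne 0 ] && egid=$bgid
    # root is not subject to the mode bits at all
    if [ "$euid" -eq 0 ]; then echo "root yes"; return 0; fi
    if [ "$euid" -eq "$duid" ]; then
        class=owner; bits=$(printf %s "$dmode" | cut -c2)
    elif [ "$egid" -eq "$dgid" ]; then
        class=group; bits=$(printf %s "$dmode" | cut -c3)
    else
        class=other; bits=$(printf %s "$dmode" | cut -c4)
    fi
    if [ $((bits & 4)) -ne 0 ]; then echo "$class yes"; else echo "$class no"; fi
}

# Demo on constructed files: a "reader" stand-in for the binary next to a
# "secret.db" that only its owner may read, modelled on passwd and
# /etc/shadow. The reader is never executed here (and the kernel would ignore
# SUID on a script anyway); only its ownership and mode matter.
demo() {
    dir=$(mktemp -d)
    echo 'hunter2' > "$dir/secret.db"                # constructed content
    printf '#!/bin/sh\ncat secret.db\n' > "$dir/reader"
    chmod 600 "$dir/secret.db"
    # the caller is a hypothetical unprivileged user: any uid/gid but ours
    caller_uid=$(( $(id -u) + 1 )); caller_gid=$(( $(id -g) + 1 ))
    chmod 0755 "$dir/reader"
    printf 'no SUID: %s\n' "$(predict_access "$dir/reader" "$dir/secret.db" "$caller_uid" "$caller_gid")"
    chmod 4755 "$dir/reader"
    printf 'SUID:    %s\n' "$(predict_access "$dir/reader" "$dir/secret.db" "$caller_uid" "$caller_gid")"
    chmod 640 "$dir/secret.db"; chmod 2755 "$dir/reader"
    printf 'SGID:    %s\n' "$(predict_access "$dir/reader" "$dir/secret.db" "$caller_uid" "$caller_gid")"
    rm -rf "$dir"
}
demo

# The same check on the real pair from the article, when it is present:
if [ -e /usr/bin/passwd ] && [ -e /etc/shadow ]; then
    printf 'passwd/shadow as me: %s\n' "$(predict_access /usr/bin/passwd /etc/shadow "$(id -u)" "$(id -g)")"
fi
```

Without SUID the caller falls into the "other" class of secret.db and gets nothing; with SUID the process runs as the file's owner and the owner bits apply; with SGID and a group-readable database the group bits apply, which is the locate case.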
For directories:
A user with r and x permission on the directory can enter it and list its contents.
Setting SGID on a directory does not change which groups the user belongs to; what changes is the ownership of what gets created inside it:
If the user also has w permission there, every file the user creates gets the directory's group instead of the user's primary group, and every subdirectory created there inherits the SGID bit as well.
For example:
A team wants to work together in one Linux directory on a project, and every member must have rwx permission on all files in it.
So first create a group, then create the member accounts and add each of them to that group.
Create the working directory, change its group to the new group, and set its mode to 770.
So far, what problem is left to think about?
Account A creates a new file. Its owner is A and its group is A's primary group, not the team group! The group rwx on the directory gives the other members no rights on the file itself; with the usual umask of 022 the file is 644, so they can at most read it and cannot write to it!
Therefore add the SGID bit to the directory (mode 2770): every file any member creates there gets the directory's group. Combine this with a umask of 002, so that new files are group-writable, and everything is OK!
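The team directory procedure above, as an added example script that is not from the original article. It creates the directory with group ownership and mode 2770, then creates a file and a subdirectory inside it the way a member would (with umask 002) and reports the groups and modes, so the inheritance is visible. The names project, notes.txt and src are made up; the demo uses the caller's own primary group so it runs unprivileged, and changing the group to a real team group needs root (or membership in that group). Needs GNU stat.

```shell
#!/bin/sh
# Added example (not from the original article): set up a shared team
# directory with SGID and check what new files and subdirectories inherit.
# Needs GNU stat(1). Directory and file names are constructed for the demo.

# make_shared_dir DIR GROUP: group-owned working directory, mode 2770
# (rwx for owner and group, nothing for others, SGID set).
make_shared_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"      # needs root unless you are a member of GROUP
    chmod 2770 "$1"
}

# gid_of PATH -> numeric group id
gid_of() { stat -c %g "$1"; }

# mode_of PATH -> octal mode including the special bits, e.g. 2770
mode_of() { stat -c %a "$1"; }

# inherit_check DIR: create a file and a subdirectory in DIR as a team member
# would, with umask 002 so the group gets write access, and report
# "file_gid dir_gid file_mode subdir_mode".
inherit_check() {
    (
        umask 002
        : > "$1/notes.txt"
        mkdir "$1/src"
    )
    printf '%s %s %s %s\n' "$(gid_of "$1/notes.txt")" "$(gid_of "$1")" \
        "$(mode_of "$1/notes.txt")" "$(mode_of "$1/src")"
}

# Demo with a constructed base directory and the caller's own primary group;
# substitute the real team group when running as root.
demo() {
    base=$(mktemp -d)
    make_shared_dir "$base/project" "$(id -gn)"
    echo "directory: mode $(mode_of "$base/project") gid $(gid_of "$base/project")"
    echo "created:   $(inherit_check "$base/project")"
    rm -rf "$base"
}
demo
```

The file comes out with the directory's gid and mode 664 (666 masked by 002), and the subdirectory comes out as 2775: the SGID bit itself is inherited by subdirectories, so the whole tree keeps the team group without anyone running chmod again. With umask 022 the file would be 644 and the group could only read it, which is the remaining problem the article points at.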

SBIT (the sticky bit):
Valid only for directories (on regular files Linux ignores it).
In a directory with the sticky bit set, a user with w and x permission on the directory can still create files, but can delete or rename a file inside it only if they own that file, own the directory, or are root. Without the sticky bit, w on the directory is enough to delete anybody's file, which is why world-writable directories such as /tmp are mode 1777.

How to set and view SUID/SGID/SBIT permissions:
SUID is 4, SGID is 2, SBIT is 1.
chmod 4755 filename
The leading digit is the sum of the special bits to set (4, 2 and 1, so 7 would set all three) and the 755 that follows is the normal permission set. The command above sets the SUID bit on filename.
The ordinary ls -l command shows the special bits:
SUID appears as s where the owner's x would be.
SGID appears as s where the group's x would be.
SBIT appears as t where the others' x would be.
An uppercase S or T means the special bit is set but the corresponding x bit is not; on an executable that is almost always a mistake, since the class in question cannot run the file at all.
To find all files on the system with any special bit set:
find / -perm /7000
(-perm /7000 matches files with any of the three bits set; -perm -4000 matches only files with SUID. The older -perm +7000 spelling is no longer accepted by GNU find.)
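As an added example that is not from the original article, the script below sets each special bit on constructed files and a directory (in both numeric and symbolic chmod form), decodes them from the symbolic mode string the way ls -l shows them, flags the uppercase S/T case, and audits the tree with find -perm /7000. It needs GNU stat and GNU find; the file names are made up.

```shell
#!/bin/sh
# Added example (not from the original article): set, read back and audit the
# special bits. Needs GNU stat(1) and GNU find(1); names are constructed.

# special_bits PATH -> "SUID SGID SBIT" (those that are set) or "none",
# read from the symbolic mode string, e.g. -rwsr-xr-x.
special_bits() {
    sym=$(stat -c %A "$1")
    out=""
    case $(printf %s "$sym" | cut -c4)  in s|S) out="$out SUID";; esac
    case $(printf %s "$sym" | cut -c7)  in s|S) out="$out SGID";; esac
    case $(printf %s "$sym" | cut -c10) in t|T) out="$out SBIT";; esac
    out=${out# }
    echo "${out:-none}"
}

# dangling_bits PATH -> "yes" if a special bit is set without the matching
# x bit (ls shows an uppercase S or T), else "no".
dangling_bits() {
    case $(stat -c %A "$1") in
        *S*|*T*) echo yes;;
        *)       echo no;;
    esac
}

# find_special DIR -> "mode path" for everything under DIR with any of the
# three bits set. -perm /7000 means "any of these bits"; -perm -4000 would
# mean "all of these bits", i.e. SUID only.
find_special() {
    find "$1" -perm /7000 -printf '%m %p\n' | sort
}

demo() {
    d=$(mktemp -d)
    : > "$d/suid_bin";    chmod 755 "$d/suid_bin"; chmod u+s "$d/suid_bin"   # 4755
    : > "$d/sgid_bin";    chmod 2755 "$d/sgid_bin"                           # numeric form
    : > "$d/sgid_noexec"; chmod 2644 "$d/sgid_noexec"   # bit without x: ls shows S
    mkdir "$d/shared";    chmod 777 "$d/shared"; chmod o+t "$d/shared"      # like /tmp
    : > "$d/plain";       chmod 644 "$d/plain"
    for f in suid_bin sgid_bin sgid_noexec shared plain; do
        printf '%-12s %s  %-10s dangling=%s\n' "$f" "$(stat -c %A "$d/$f")" \
            "$(special_bits "$d/$f")" "$(dangling_bits "$d/$f")"
    done
    echo "audit of $d:"
    find_special "$d"
    chmod u-s,g-s "$d/suid_bin" "$d/sgid_bin"    # clearing the bits again
    rm -rf "$d"
}
demo
```

The audit lists suid_bin, sgid_bin, sgid_noexec and shared but not plain. The dangling check is the practical one: a file reported as SGID with an uppercase S (or SUID with S) has a bit that does nothing for the class that lacks x and is usually a chmod typo worth cleaning up.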