Special permissions for files on Linux: suid, sgid and sbit in detail

Tags: chmod, mkdir, readable

Everyone knows the common file and directory permissions. There are three: readable (r), writable (w) and executable (x), with the values 4, 2 and 1 respectively. But sometimes we also find a file whose owner field shows an s flag bit, or a directory whose group field shows an s flag bit, and many people don't understand why. Let's look at the following example:
# ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 19876 June 2006 /usr/bin/passwd
The x flag in the owner field of this file has been replaced by s. This is called set UID, abbreviated suid. By itself this file attribute has no special meaning; it becomes meaningful when the s flag appears on something that gets executed, such as a script. Say I have a script named sum.sh whose permissions are as follows:
-rwsrwxr-x 1 root root 117 Feb 6 20:46 sum.sh
This script is owned by root and belongs to the root group. Of course we can execute it as root. We can also see the s in the owner field, and that other people have read and execute permission. Now suppose we have a regular user named redhat. Switch to redhat and execute the script. On the surface we only see that the execution succeeds; in fact it runs with the identity of the root user rather than redhat. That is the characteristic of suid.
Sgid: having seen suid above, it is easy to guess that sgid means adding the s symbol to the x flag bit of the group (GID). It is called set GID, abbreviated sgid. Note that suid is generally used on files, especially scripts, whereas sgid is mostly used on directories. Say I create a directory as root and give it sgid permission:
# mkdir A
# chmod 2757 A
# ls -l
drwxr-srwx 2 root root 4096 Feb 6 21:09 A
Because we gave other people read, write and execute permission on directory A, we can switch to another terminal as the redhat user, enter directory A, and create a directory B and a file C inside it:
[redhat@station18 A]$ mkdir B
[redhat@station18 A]$ touch C
[redhat@station18 A]$ ls -l
drwxrwsr-x 2 redhat root 4096 Feb 6 21:20 B
-rw-rw-r-- 1 redhat root 0 Feb 6 21:20 C
We can see that the group of directory B and file C is root. When a directory such as A has sgid set, and other people have read, write and execute permission on it, the group of any file or directory they create inside it is the group of the directory, while the owner is still the creator himself. This will often be used ... One thing you should be aware of is that whatever anyone creates in such a directory, others can delete. That is the sbit we are going to talk about next.
Sbit is short for sticky bit. It is only valid on directories, not on files, and its role is to prevent other people from deleting your data. For example:
1. Log in as root and create a directory named test:
[root@station18 ~]# mkdir test
[root@station18 ~]# chmod o+w test/
[root@station18 ~]# ls -l
drwxr-xrwx 2 root root 4096 Feb 6 21:30 test
2. Switch to the redhat user in another terminal and create a directory A:
[redhat@station18 test]$ mkdir A
3. Switch to the xiaoming user in another terminal and create a directory B:
[xiaoming@station18 test]$ mkdir B
[xiaoming@station18 test]$ ls -l
drwxrwxr-x 2 redhat redhat 4096 Feb 6 21:32 A
drwxrwxr-x 2 xiaoming xiaoming 4096 Feb 6 21:31 B
Entering the test directory as any user, we find that directories A and B can be deleted. That is a mess: how can you simply delete someone else's directory? So we add the sbit permission to the test directory:
[root@station18 ~]# chmod 1757 test/
[root@station18 ~]# ls -l
drwxr-xrwt 4 root root 4096 Feb 6 21:42 test
Now when another user enters the test directory, he can no longer delete anyone else's data; the system prompts rm: cannot remove directory 'A': Operation not permitted, which means insufficient authority. So others can no longer delete it. I have tested this successfully.
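The suid, sgid and sbit demonstrations above need root and two users. The script below is an added example, not from the original article, that reproduces the observable parts without root: it sets each special bit on a scratch file or directory, reads the mode string back with ls, checks that a directory created inside an sgid directory is itself created with the s bit, and ends with the audit a defender would run, listing everything under a path that carries any of the 4/2/1 special bits. The function names are this example's own, and it assumes Linux with GNU or busybox coreutils and find, since find's -perm /7000 is not POSIX. One caveat the article does not mention: the Linux kernel ignores the setuid bit on interpreted scripts such as sum.sh and honours it only on binaries like /usr/bin/passwd, so an audit of suid files is what matters in practice.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes Linux with
# GNU or busybox coreutils/find; the scratch directory is created by the caller.

# mode_of PATH -> the 10-character mode string that ls prints, e.g. -rwsr-xr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# setup_special_bits DIR -> creates three objects inside DIR:
#   DIR/suidfile   mode 4755 (setuid, shown as s in the owner x position)
#   DIR/sgiddir    mode 2775 (setgid, shown as s in the group x position)
#   DIR/stickydir  mode 1777 (sticky bit, shown as t in the others x position)
setup_special_bits() {
    base=$1
    mkdir -p "$base/sgiddir" "$base/stickydir"
    : > "$base/suidfile"
    chmod 4755 "$base/suidfile"
    chmod 2775 "$base/sgiddir"
    chmod 1777 "$base/stickydir"
}

# sgid_child_mode DIR -> mode string of a new directory created inside DIR/sgiddir.
# The kernel gives it the parent's group and sets its own sgid bit, so the group
# x position reads s (or S if the umask had stripped group execute).
sgid_child_mode() {
    (umask 022 && mkdir "$1/sgiddir/child")   # fixed umask so the result is predictable
    mode_of "$1/sgiddir/child"
}

# has_sgid MODESTRING -> succeeds when the group x position (character 7) is s or S
has_sgid() {
    case "$(printf '%s' "$1" | cut -c7)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_special_bits DIR -> every path under DIR carrying any special bit, one
# per line. Over a whole system this is "find / -perm /7000", and the list is
# worth diffing against a known-good baseline after every package change.
audit_special_bits() {
    find "$1" -perm /7000 -print | sort
}

# count_special DIR -> number of paths audit_special_bits reports
count_special() {
    audit_special_bits "$1" | wc -l | tr -d ' '
}

# Stand-alone run: create a scratch tree, show the modes, then clean up.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    setup_special_bits "$scratch"
    for p in suidfile sgiddir stickydir; do
        printf '%-10s %s\n' "$p" "$(mode_of "$scratch/$p")"
    done
    printf '%-10s %s\n' "child" "$(sgid_child_mode "$scratch")"
    audit_special_bits "$scratch"
    rm -rf "$scratch"
fi
```

Run it as `sh special_bits.sh --demo`. The child directory shows the same inheritance the article observed for B under A (drwxrwsr-x): the group and the s bit come from the parent, while the owner stays the user who ran mkdir. The audit counts the child too, which is the reason sgid directories deserve a place on the baseline.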
Now a few words about how the suid, sgid and sbit permission values are set:
SUID is 4
SGID is 2
Sbit is 1
Some of the permissions I set on files or directories above may be confusing, so I explain them in detail below.
Suppose we have a file named file and a directory named test. The file's permissions are 644, and the permissions of test are 755.
1. To add suid permission to the file, execute this command:
# chmod 4755 file
2. To add sgid to the test directory, execute this command:
# chmod 2755 test/
3. To add sbit permission to the test directory, execute this command:
# chmod 1755 test/
4. We can see that s and t take the place of x.
5. If you set suid, sgid and sbit on file but do not want it to be executable, execute this command:
# chmod 7666 file
# ls -l
-rwSrwSrwT 1 root 0 Feb 6 21:49 file
Here the uppercase S and T mean the execute bit underneath is empty: nobody has execute permission on the file. With 7666, the user, group and others all lack the x permission, except root, and none of them can execute this file.
Above I used numbers to add the permissions. We can also use other methods; for example, to add suid permission to file:
# chmod u=rwxs,o=rx file
To add sgid permission to the test directory, plus read, write and execute permission for others:
# chmod g+s,o=rwx test/
To add sbit permission to the test directory, plus read, write and execute permission for others:
# chmod o=rwxt test/
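As an added example, not from the original article, that ties the numeric and symbolic forms together: the POSIX sh functions below convert the mode string ls prints into the four-digit octal value chmod accepts, and report for each special bit whether the execute bit beneath it is present, which is exactly the difference between the lowercase s/t seen earlier and the uppercase S/T in the 7666 output. The function names are this example's own; the sample mode strings are the ones that appear in this article.

```shell
#!/bin/sh
# Added example, not part of the original article: interpret ls -l mode strings.

# perm_field MODESTRING -> the nine permission characters (the type char and any
# trailing ACL/SELinux marker such as + or . are dropped)
perm_field() {
    printf '%s' "$1" | cut -c2-10
}

# mode_to_octal MODESTRING -> four-digit octal mode, e.g. -rwsr-xr-x -> 4755.
# The first digit is the sum of the special bits: suid 4, sgid 2, sticky 1.
mode_to_octal() {
    perms=$(perm_field "$1")
    if [ "${#perms}" -ne 9 ]; then
        echo "mode_to_octal: bad mode string '$1'" >&2
        return 1
    fi
    special=0
    digits=""
    pos=1
    for who in u g o; do
        r=$(printf '%s' "$perms" | cut -c"$pos")
        w=$(printf '%s' "$perms" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$perms" | cut -c"$((pos + 2))")
        v=0
        case "$r" in r) v=$((v + 4)) ;; esac
        case "$w" in w) v=$((v + 2)) ;; esac
        case "$x" in x|s|t) v=$((v + 1)) ;; esac   # lowercase s/t still carry x
        case "$who$x" in
            us|uS) special=$((special + 4)) ;;     # setuid
            gs|gS) special=$((special + 2)) ;;     # setgid
            ot|oT) special=$((special + 1)) ;;     # sticky bit
        esac
        digits="$digits$v"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# special_bit_notes MODESTRING -> one line per special bit that is set, saying
# whether the execute bit under it is present; uppercase S/T means it is not,
# so on a file the bit has no effect (chmod 7666 in the article gives -rwSrwSrwT).
special_bit_notes() {
    perms=$(perm_field "$1")
    for spec in "3 suid" "6 sgid" "9 sticky"; do
        pos=${spec%% *}
        name=${spec#* }
        case "$(printf '%s' "$perms" | cut -c"$pos")" in
            s|t) echo "$name set, execute bit present" ;;
            S|T) echo "$name set, execute bit MISSING" ;;
        esac
    done
}

# Stand-alone run over the mode strings that appear in the article
if [ "${1:-}" = "--demo" ]; then
    for m in -rwsr-xr-x drwxr-srwx drwxr-xrwt -rwSrwSrwT -rw-r--r--; do
        printf '%s -> %s\n' "$m" "$(mode_to_octal "$m")"
        special_bit_notes "$m"
    done
fi
```

The output always carries four digits (a plain 644 file prints as 0644), which chmod accepts unchanged, so the converter can be fed straight from a saved `ls -l` listing when rebuilding or comparing permissions.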
