Special permissions for files, SUID, SGID, STICKY

Security context

When a process accesses a file, the matching permission mechanism is as follows

When a process accesses a file, it first checks whether the owner of the process has access to the file, or, if any, accesses it as the owner, otherwise uses the group's identity and applies other user rights if there is no permission.

SUID: typically used for executable files

Any user who executes an executable file that owns Suid no longer takes its own identity as the owner of the process, but instead takes the owner of the file as the owner of the process.

Suid is represented as s or s on the primary execution permission bit of the file
The file belongs to the master permission bit with execute permission to show s RWS------

The file owner permission bit does not have execute permission to represent s RwS------

How to set a file with Suid permissions

chmod u+s FILE ....

Or

chmod 4775 FILE: \ \ This method, you need to add the original permissions.

SGID: Generally used for catalogs

A directory with Sgid permissions that the user creates in this directory will no longer be the base group to which the user belongs, but the base group to which the directory belongs.

Sgid is represented as s or s on the file group execution permission bit
File group permission bit with Execute permission is represented as s---RWS---
The file group permission bit does not have execute permission to represent s---rwS---

How to set a directory with Sgid permissions

chmod g+s DirName ...

Or

chmod 2775 DirName ... \ \ This method requires the original permission.

sticky bit: sticky

For public writable directories, users can create files that can delete their own files, but cannot delete other users ' files

Sticky represents the execution of T or T on the permission bit for other users of the file:
Other user privilege bits have execute permission to show the t------RWT
Other user privilege bits have execute permission to show the t------rwT

How to set a directory with sticky

chmod o+t DirName ...

Or

chmod 1775 DirName ... \ \ This method requires the original permission.

Practice:

1, copy the Cat command to the/tmp directory, ordinary users can use the/tmp/cat command to view all files that the root user has permission to view;

# cp ' which cat '/tmp# chmod u+s/tmp/cat # ls-l-rwsr-xr-x 1 root root 48568 Apr 2 19:53 Cat

In general, run/tmp/cat to view the/etc/passwd file (this file can only be accessed by the root user)

$/tmp/cat/etc/passwdroot:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologin

2. New/tmp/test directory:
OpenStack and Docker users are required to have write access to them, and the group of files created in the catalog are cloud groups;
Requires that each user cannot delete others ' files, but can edit;

Create the user you want

# groupadd cloud# useradd-g Cloud openstack# useradd-g cloud docke# ID dockeruid=1006 (docker) gid=1007 (Docker) groups=10 (Docker), 1005 (cloud) # ID openstackuid=1007 (OpenStack) gid=1008 (OpenStack) groups=1008 (OpenStack), 1005 (Cloud)

Create the desired directory

# mkdir/tmp/test# chmod 775/tmp/test

Change the appropriate permissions

# chown:cloud/tmp/test/# chmod g+s/tmp/test# chmod o+t/tmp/test# ls-ld/tmp/testdrwxrwsr-t 2 root cloud 4096 APR 2 2 0:02/tmp/test

Create a file in/tmp/test as OpenStack

$ whoami openstack$ touch/tmp/test/openstack.txt$ ls-l/tmp/test/openstack.txt-rw-rw-r--1 openstack Cloud 0 APR 2 20: Openstack.txt

Create a file in/tmp/test as Docker

$ whoamidocker$ touch/tmp/test/docker.txt$ ls-l/tmp/test-rw-rw-r--1 Docker Cloud 0 APR 2 20:20 docker.txt-rw-rw-r- -1 OpenStack Cloud 0 APR 2 20:18 openstack.txt

Test permissions

$ rm/tmp/test/openstack.txt rm:cannot Remove '/tmp/test/openstack.txt ': Operation not permitted$ echo "test" >>/t mp/test/openstack.txt$ Cat/tmp/test/openstack.txttest

Test results can be seen, can only modify the other party's files can not be deleted

This article is from "Rookie Diary" blog, please make sure to keep this source http://zkxfoo.blog.51cto.com/1605971/1751943

Special permissions for files, SUID, SGID, STICKY