Special permissions for GNU/Linux: setuid, setgid, and the sticky bit
Author: Samson
Date: 01/06/2015
Test platform: 3.13.0-24-generic, GNU bash 4.3.11(1)-release
The file permission mechanism is a major feature of Linux systems. Beginners usually learn the basic permissions first: readable (r), writable (w), and executable (x). The permission field that ls -l prints for a file has ten characters. The first character stands on its own and indicates the file type; the remaining nine are three groups of three (owner, group, others). The file type character can be:
-: regular file
d: directory
l: symbolic link
b: block device
c: character device
p: named pipe (FIFO)
s: socket
In addition, Linux has three special permissions: setuid, setgid, and the sticky bit.
For an executable file, the process normally runs with only the permissions of the user who invoked it; setuid and setgid change this.
setuid: the file runs with the permissions of its owner while it executes. The typical example is /usr/bin/passwd: when an ordinary user runs it, the process obtains root permission for the duration of the execution, which is what allows the user's own password to be changed.
setgid: this permission is only valid for directories. Once the bit is set on a directory, any file created in that directory is given the same group as the directory.
sticky bit: this bit can be understood as a no-delete bit. Whether a user can delete a file depends on whether the user has write permission on the directory that contains it. Without write permission on the directory, the user can neither delete files in it nor add new ones. If you want users to be able to add files but not delete them, set the sticky bit: once it is set, a file cannot be deleted even by a user who has write permission on the directory.
The following describes how to set these flags.
They are set with the same command as ordinary file permissions, chmod, and there are two ways to do it:
1) Symbolic mode:
chmod u+s temp -- add the setuid flag to the file temp (setuid is only valid for files)
chmod g+s tempdir -- add the setgid flag to the directory tempdir (setgid is only valid for directories)
chmod o+t temp -- add the sticky flag to the file temp (sticky is only valid for files)
2) Octal mode. For ordinary files, three octal digits set the permissions, for example 666, 777, or 644. To set the special bits, one more octal digit is prepended to that group, for example 4666 or 2777. That leading digit is itself made up of three bits:
The meaning is as follows:
abc
a: setuid bit. If it is 1, setuid is set (4xxx).
b: setgid bit. If it is 1, setgid is set (2xxx).
c: sticky bit. If it is 1, sticky is set (1xxx).
After these flags are set, you can view them with ls -l. When present, they are shown in the position of the original execute flag. For example:
rwsrw-r-- indicates that the setuid flag is set.
rwxrwsrw- indicates that the setgid flag is set.
rwxrw-rwt indicates that the sticky flag is set.
How to set special permissions on files:
chmod u+s xxx # set the setuid permission
chmod g+s xxx # set the setgid permission
chmod o+t xxx # set the sticky bit permission on a directory
chmod 4775 xxx # set the setuid permission
chmod 2775 xxx # set the setgid permission
chmod 1775 xxx # set the sticky bit permission on a directory
So where did the original execute flag x go? The rule is that if the x bit is also present in that position, the special flag is displayed as a lowercase letter (s, s, t); otherwise it is displayed as an uppercase letter (S, S, T).
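As an added example (not from the original post), the following POSIX shell script decodes a three- or four-digit octal mode into the nine-character ls -l string, reproducing the s/S and t/T rule above, applies the three bits to a throwaway file and directory, and lists setuid files below a directory with find -perm -4000, the inventory check an administrator runs to spot unexpected setuid binaries. The temporary directory and the names temp and tempdir are assumptions.

```shell
# Added example, not from the original post: decode a chmod-style octal mode
# into the ls -l permission string, apply the three special bits to throwaway
# paths, and inventory setuid files below a directory.

# triad DIGIT SPECIAL -> rwx text for one octal digit; SPECIAL is s, t or -
triad() {
    r=-; w=-; x=-
    if [ $(($1 & 4)) -ne 0 ]; then r=r; fi
    if [ $(($1 & 2)) -ne 0 ]; then w=w; fi
    if [ $(($1 & 1)) -ne 0 ]; then x=x; fi
    if [ "$2" != - ]; then
        # special bit set: lowercase when x is also present, uppercase when not
        if [ "$x" = x ]; then x=$2; else x=$(printf '%s' "$2" | tr st ST); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_symbolic 4755 -> rwsr-xr-x ; 1776 -> rwxrwxrwT ; 644 -> rw-r--r--
mode_to_symbolic() {
    mode=$1
    case $mode in *[!0-7]*|"") echo "bad mode: $mode" >&2; return 1 ;; esac
    case ${#mode} in
        3) hi=0 ;;
        4) hi=${mode%???}; mode=${mode#?} ;;
        *) echo "bad mode: $1" >&2; return 1 ;;
    esac
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}
    su=-; sg=-; st=-
    if [ $((hi & 4)) -ne 0 ]; then su=s; fi   # a: setuid
    if [ $((hi & 2)) -ne 0 ]; then sg=s; fi   # b: setgid
    if [ $((hi & 1)) -ne 0 ]; then st=t; fi   # c: sticky
    printf '%s%s%s\n' "$(triad "$u" "$su")" "$(triad "$g" "$sg")" "$(triad "$o" "$st")"
}

# list_setuid DIR -> setuid regular files below DIR (the administrator's check)
list_setuid() { find "$1" -type f -perm -4000 2>/dev/null; }

# demo: set the bits on temporary paths (names are constructed) and show ls -l
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/temp"; mkdir "$d/tempdir"
    chmod 4755 "$d/temp"      # setuid on the file
    chmod 2775 "$d/tempdir"   # setgid on the directory
    chmod o+t "$d/tempdir"    # sticky bit on the directory
    ls -ld "$d/temp" "$d/tempdir"
    n=$(list_setuid "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    [ "$n" -eq 1 ]
}
```

Running demo prints -rwsr-xr-x for the file and drwxrwsr-t for the directory; feeding list_setuid a path such as /usr/bin shows which installed binaries carry the setuid bit.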