Date: August 30, 2015
The security context of a process
(1) Whether a user can start an executable program file as a process depends on whether the user has execute permission on that program file.
(2) Once the program has been started as a process, the owner of the process is the current user, that is, the initiator of the process; the group of the process is the initiator's primary (base) group.
(3) The access rights a process has depend on the access rights of its owner:
(a) If the owner of the process is the owner of the file, the file's owner permissions apply.
(b) If the owner of the process belongs to the file's group, the file's group permissions apply.
(c) Otherwise, the file's "other" permissions apply.
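The owner/group/other selection rule above, written out as a small script. This is an added example and not code from the original post; it assumes GNU coreutils (`stat -c`) and a USER that `id` can resolve. It models only the rule (a)/(b)/(c) stated here, not root's ability to bypass permission checks, so it is a way to check what an ordinary user's process will be allowed to do with a given file.

```shell
# Added example, not from the original post: decide which permission
# triplet (owner, group or other) applies when USER accesses FILE, and
# print that triplet in rwx form. Assumes GNU coreutils (stat -c) and
# a USER that `id` can resolve. Root's bypass of permission checks is
# not modelled; this is only the owner/group/other selection rule.

# applicable_class FILE USER -> prints "owner", "group" or "other"
applicable_class() {
    ac_file=$1; ac_user=$2
    ac_owner=$(stat -c '%U' "$ac_file") || return 1
    ac_group=$(stat -c '%G' "$ac_file") || return 1
    if [ "$ac_owner" = "$ac_user" ]; then
        echo owner
        return 0
    fi
    # id -Gn lists the user's primary and supplementary groups
    ac_groups=$(id -Gn "$ac_user" 2>/dev/null) || return 1
    for g in $ac_groups; do
        if [ "$g" = "$ac_group" ]; then
            echo group
            return 0
        fi
    done
    echo other
}

# octal_to_rwx DIGIT -> prints e.g. "r-x" for 5
octal_to_rwx() {
    case $1 in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
        *) return 1 ;;
    esac
}

# effective_perms FILE USER -> prints "<class> <rwx>", e.g. "group r-x"
effective_perms() {
    ep_class=$(applicable_class "$1" "$2") || return 1
    ep_mode=$(stat -c '%a' "$1") || return 1
    # %a prints a fourth leading digit when a special bit is set (4755);
    # keep only the last three digits, padding short modes to three
    while [ ${#ep_mode} -gt 3 ]; do ep_mode=${ep_mode#?}; done
    while [ ${#ep_mode} -lt 3 ]; do ep_mode=0$ep_mode; done
    case $ep_class in
        owner) ep_digit=${ep_mode%??} ;;
        group) ep_digit=${ep_mode#?}; ep_digit=${ep_digit%?} ;;
        other) ep_digit=${ep_mode#??} ;;
    esac
    echo "$ep_class $(octal_to_rwx "$ep_digit")"
}

# Stand-alone use, for the passwd file discussed further down:
#   effective_perms /usr/bin/passwd "$(id -un)"
```

Note that the owner check comes first: a user who owns a file gets the owner triplet even if they are also in the file's group, which is why a restrictive owner triplet with a permissive group triplet behaves differently from what many people expect.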
SUID:
Shown in the owner's execute permission bit of the file: a lowercase s means the owner also has the x permission; an uppercase S means the owner originally had no x permission.
Function: for an executable file with this bit set, when any user runs the program as a process, the owner of the process is no longer the initiator of the process but the owner of the program file. This mechanism is SUID.
Permission settings:
chmod u+s FILE ...
chmod u-s FILE ...
For example: a user who needs to change their password enters the passwd command, which runs the file /usr/bin/passwd. The owner and group of this file are root; other users have only execute permission on it.
While the command runs to change the password, it updates the files /etc/passwd and /etc/shadow, and only the root user has permission to modify these two files.
Therefore, the SUID permission on /usr/bin/passwd lets the program run with root privileges, so it can modify /etc/passwd and /etc/shadow as root.
SGID:
Shown in the group's execute permission bit of the file.
By default, when a user creates a file, the file's group is the primary (base) group of that user.
Once a directory has the SGID bit set, files created in it by users with write access to the directory belong to the directory's group rather than the creator's primary group.
Permission settings:
chmod g+s FILE ...
chmod g-s FILE ...
For example: a group of people who need to work together in one directory can set the SGID bit on that directory. Files created in the directory then belong to the directory's group; that group is added as a supplementary group for each user and is assigned the appropriate permissions, so everyone can work together in the directory.
In a shared directory, give rwx permissions to the directory's group so that users who are members of the group can create files in it; the files and directories created there are then open to the group and modifiable. To prevent users from deleting each other's work by mistake, restrict each user to deleting only the files they created themselves. This is what the special permission Sticky does.
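The shared-directory setup the two paragraphs above describe, as an added example that is not part of the original post: create the directory, hand it to the team's group, and set SGID plus sticky on top of rwxrwxr-x (mode 3775), then verify the bits and confirm that a file created inside inherits the directory's group. It assumes GNU coreutils (`stat -c`); the directory path and group name are the caller's choices, and `chgrp` requires root or membership in that group.

```shell
# Added example, not from the original post: set up a collaborative
# directory. SGID makes new files inherit the directory's group and
# sticky limits deletion to the file's own creator; together with
# rwxrwxr-x that is mode 3775. Assumes GNU coreutils (stat -c).
# DIR and GROUP are the caller's choices; chgrp needs root or
# membership in GROUP.

# setup_shared_dir DIR GROUP
setup_shared_dir() {
    mkdir -p "$1" || return 1
    chgrp "$2" "$1" || return 1
    # 3775: special digit 3 = SGID (2) + sticky (1), then rwx rwx r-x
    chmod 3775 "$1" || return 1
}

# check_shared_dir DIR -> exit 0 only if both SGID and sticky are set
check_shared_dir() {
    csd_mode=$(stat -c '%a' "$1") || return 1
    # %a prints four digits only when at least one special bit is set
    [ ${#csd_mode} -eq 4 ] || return 1
    csd_special=${csd_mode%???}
    [ $(( csd_special & 3 )) -eq 3 ]
}

# file_gid PATH -> numeric group id of PATH (to confirm SGID inheritance)
file_gid() { stat -c '%g' "$1"; }

# Stand-alone use (as root; /srv/project and devteam are placeholders):
#   setup_shared_dir /srv/project devteam && check_shared_dir /srv/project
#   touch /srv/project/notes.txt && file_gid /srv/project/notes.txt
```

Running `check_shared_dir` after any later `chmod` on the directory is worthwhile: a plain `chmod 775` replaces the whole mode and silently drops both special bits, after which new files fall back to each creator's primary group.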
Sticky:
Shown in the execute permission bit for other users as the lowercase letter t.
On a public directory, this permission restricts each user to deleting only the files they created themselves.
Permission settings:
chmod o+t FILE ...
chmod o-t FILE ...
Binary representation of the special permissions (bits in the order SUID, SGID, STICKY):
Binary | Octal | Special permissions
000 | 0 | none
001 | 1 | sticky
010 | 2 | sgid
011 | 3 | sgid sticky
100 | 4 | suid
101 | 5 | suid sticky
110 | 6 | suid sgid
111 | 7 | suid sgid sticky
Special permissions can also be set together with the file's normal permissions, as a leading fourth octal digit:
chmod 4777 FILE
chmod 2755 DIR
chmod 3755 DIR
Example:
// In the pub directory under /home, set the SUID and sticky permissions
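Two routines that put the table and the four-digit modes to work, added here as an example that is not part of the original post: one decodes the special digit of an octal mode into the names from the table, the other inventories every regular file under a directory that carries SUID or SGID, which is the check an administrator runs after installing software or restoring a backup, since the passwd example above shows exactly why an unexpected SUID binary matters. It assumes GNU `find` and `stat`.

```shell
# Added example, not from the original post: decode the special digit
# of an octal mode into SUID/SGID/sticky names (the table above), and
# inventory files under a directory that carry SUID or SGID so that
# unexpected ones can be reviewed. Assumes GNU find and stat.

# special_names MODE -> e.g. "suid sticky" for 5755, "none" for 755
special_names() {
    sn_mode=$1
    while [ ${#sn_mode} -lt 4 ]; do sn_mode=0$sn_mode; done
    sn_special=${sn_mode%???}
    sn_names=
    if [ $(( sn_special & 4 )) -ne 0 ]; then sn_names="$sn_names suid"; fi
    if [ $(( sn_special & 2 )) -ne 0 ]; then sn_names="$sn_names sgid"; fi
    if [ $(( sn_special & 1 )) -ne 0 ]; then sn_names="$sn_names sticky"; fi
    if [ -z "$sn_names" ]; then sn_names=' none'; fi
    echo "${sn_names# }"
}

# list_setid DIR -> prints "<mode> <owner> <group> <path>" for every
# regular file under DIR with SUID or SGID set, staying on one filesystem
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %G %n' {} +
}

# count_setid DIR -> number of such files
count_setid() { list_setid "$1" | wc -l | tr -d ' '; }

# Stand-alone use:
#   special_names 4755          # suid
#   list_setid /usr/bin         # every SUID/SGID file under /usr/bin
```

Saving the output of `list_setid /` from a freshly installed system and diffing it against a later run is a cheap way to notice a new SUID binary that nobody intended to install.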
Special permissions for Linux file systems