Special permissions issues under Linux.

Source: Internet
Author: User


Special permissions on Linux systems

Special permission bits: SUID, SGID, sticky


SUID:

By default, the owner of a process is the user who started it, so the process runs with that user's identity.

For example, log in to the Linux system as user hadoop and run the ls command. The owner of the ls process is hadoop, even though the owner and group of the program file /bin/ls are still root. hadoop may run it because the program file /bin/ls grants execute permission to "other", which is the class hadoop falls into. So the owner of a file and the owner of a process are two different things: once a program file is executed by a user and becomes a process, that process belongs to the user who started it. SUID changes this.


SUID function: when a user runs a program that has the SUID bit set, the resulting process is owned not by the user who started it but by the owner of the program file.

Example:

Default condition: (screenshot in the original)

After adding SUID: (screenshot in the original)

To manage the SUID bit of a file:

chmod u+|-s FILE ...

Typical SUID use: passwd. It lets an ordinary user change their own password while keeping /etc/shadow protected. The passwd program is carefully designed: an ordinary user cannot pass it arguments; only root can.


Position: the owner's execute-permission bit.

If the owner also has execute permission, it is displayed as lowercase s;

otherwise it is displayed as uppercase S;

Note: granting SUID to a file is a very risky operation. For example, if /bin/cat were given SUID, the cat process would be owned by root whenever an ordinary user ran cat, and that user could then attempt something like cat "hazard code" > "a key file". This is also why passwd accepts no arguments from ordinary users. Many attackers have abused the SUID privilege of passwd.

SGID:

Function: when a directory is writable by its group and has the SGID bit set, any member of that group who creates a new file or subdirectory in it, acting as a group member, gets an entry whose group is not the user's primary group but the directory's group;

To manage the SGID bit of a file:

chmod g+|-s FILE ...

Example:

Add two users:

~]# useradd fedora

~]# useradd centos

Add a group:

~]# groupadd mygrp

Add mygrp as a supplementary group for both users (-G replaces the whole supplementary group list, which is fine for freshly created users; use -aG to append to an existing list):

~]# usermod -G mygrp fedora

~]# usermod -G mygrp centos


If /var/tmp/test does not have the SGID bit, the files that fedora creates under /var/tmp/test can be modified only by fedora itself and can be read by other users.

If /var/tmp/test has the SGID bit, the files that fedora creates under /var/tmp/test can also be modified by centos, which belongs to the mygrp group, and remain readable by other users.


Position: the group's execute-permission bit.

If the group also has execute permission, it is displayed as lowercase s;

otherwise it is displayed as uppercase S;


Sticky:

Sticky function: in a directory writable by a group or by everyone, every user in that group (or every user on the system) can create new files and can also delete any existing file in the directory. If the sticky bit is set on such a directory, each user can still create new files but can delete only their own;

To manage sticky permissions for a file:

chmod o+|-t FILE ...

Position: the execute-permission bit for other users.

If other users also have execute permission, it is displayed as lowercase t;

otherwise it is displayed as uppercase T;

The /tmp and /var/tmp directories have the sticky bit set by default;

Aside:

Another way to manage the special permissions is with an extra octal digit:

  suid  sgid  sticky  octal
   0     0     0       0
   0     0     1       1
   0     1     0       2
   0     1     1       3
   1     0     0       4
   1     0     1       5
   1     1     0       6
   1     1     1       7

This digit is placed to the left of the usual three-digit octal mode, following the same octal scheme.

Example: chmod 1777 (sticky bit on top of mode 777)


FACL: file access control lists.

FACL is an additional authorization mechanism for files: on top of the original u, g, o classes it adds another layer that lets an ordinary user grant permissions to one specific other user or group (rather than to the whole "other" class);

getfacl command:

getfacl FILE ...

Its output lists entries of the form:

user:USERNAME:MODE

group:GROUPNAME:MODE

setfacl command:

Grant permissions to a user:

setfacl -m u:USERNAME:MODE FILE ...

Grant permissions to a group:

setfacl -m g:GROUPNAME:MODE FILE ...

Revoke granted permissions:

setfacl -x u:USERNAME FILE ...

setfacl -x g:GROUPNAME FILE ...

Example:

By default: (screenshot in the original)

After additional permissions: (screenshot in the original)
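The getfacl output format described above, parsed as an added example that is not from the original page: a POSIX shell/awk function that returns the permission a named user or group actually gets from a listing, honouring the ACL mask entry (standard POSIX ACL behaviour: named entries are limited by the mask, which getfacl reports as "#effective"). The listing, the names fedora/mygrp/hadoop and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page; listing and helper names are mine.

# Constructed getfacl-style listing. getfacl appends "#effective:..." after a
# tab on entries the mask restricts; the parser strips such trailing comments.
SAMPLE_ACL='# file: report.txt
# owner: hadoop
# group: hadoop
user::rw-
user:fedora:rw-
group::r--
group:mygrp:rw-
mask::r--
other::---'

# acl_effective LISTING KIND NAME -> effective rwx of entry KIND:NAME (KIND is
# "user" or "group"), or "none" if absent. A named entry's bit counts only
# when the mask entry carries the same bit.
acl_effective() {
  printf '%s\n' "$1" | awk -F: -v kind="$2" -v name="$3" '
    { sub(/[ \t]+#.*$/, "") }                  # drop "#effective" annotations
    /^#/ || NF == 0 { next }                   # skip header comments and blanks
    $1 == "mask" { mask = $3 }
    $1 == kind && $2 == name && name != "" { mode = $3 }
    END {
      if (mode == "") { print "none"; exit }
      if (mask == "") { print mode; exit }
      eff = ""
      for (i = 1; i <= 3; i++) {
        m = substr(mode, i, 1)
        eff = eff ((m != "-" && m == substr(mask, i, 1)) ? m : "-")
      }
      print eff
    }'
}

# acl_named_writers LISTING -> named user/group entries whose effective mode
# includes w: the entries to review on a sensitive file.
acl_named_writers() {
  printf '%s\n' "$1" |
  awk -F: '!/^#/ && ($1 == "user" || $1 == "group") && $2 != "" { print $1 ":" $2 }' |
  while IFS=: read -r kind name; do
    case $(acl_effective "$1" "$kind" "$name") in
      ?w?) echo "$kind:$name" ;;
    esac
  done
}
```

With the sample's mask of r--, both named entries are read-only in practice even though they were granted rw-; relaxing the mask to rw- is what makes the grants effective.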

