Special permissions on Linux systems
Special privileges: SUID, SGID, STICKY
Security context:
1. A process runs as a user: the user who launched the process is its owner, so every operation the process performs is checked against that user's identity and permissions;
2. Permission matching model:
(1) Check whether the owner of the process is the owner of the file being accessed; if so, the owner permissions apply; otherwise go to step 2;
(2) Check whether the owner of the process belongs to the file's group; if so, the group permissions apply; otherwise go to step 3;
(3) Apply the permissions for other.
SUID:
By default, the owner of a process started by a user is that user, so the process runs with the launching user's identity;
SUID function: when a user runs a program whose file has the SUID bit set, the resulting process is owned not by the user who launched it but by the owner of the program file, and therefore runs with the file owner's identity;
To manage SUID permission on a file:
chmod u+|-s FILE ...
Placement: the owner's execute permission bit
If the owner has execute permission, it is displayed as lowercase s;
Otherwise, it is displayed as uppercase S;
Demo Description:
[root@host tmp]# \cp /bin/ls /tmp/ls        # copy the ls command to /tmp
[root@host tmp]# ll /tmp/ls
-rwxr-xr-x 1 root root 117024 Sep 27 11:06 /tmp/ls    # by default the owner has execute permission
[root@host tmp]# chmod u+s /tmp/ls
[root@host tmp]# ll /tmp/ls
-rwsr-xr-x 1 root root 117024 Sep 27 11:06 /tmp/ls    # owner has execute permission, so the owner's execute bit shows as s (it would be S without execute permission)
[root@host tmp]# su - svn
[svn@host ~]$ ls /root/
ls: cannot open directory /root/: Permission denied    # after switching to user svn, ls has no permission to view /root
[svn@host ~]$ /tmp/ls /root/        # the copy that carries SUID is allowed to view it
anaconda-ks.cfg  Desktop
[root@host tmp]# chmod u-s /tmp/ls  # remove the SUID bit from the file
[root@host tmp]# su - svn
[svn@host ~]$ /tmp/ls /root/
/tmp/ls: cannot open directory /root/: Permission denied
[svn@host ~]$ ll /tmp/ls
-rwxr-xr-x 1 root root 117024 Sep 27 11:06 /tmp/ls
SGID:
Function: when a directory is writable by its group and has the SGID bit set, every user who belongs to the directory's group (as their primary group or as a supplementary group) can create files or subdirectories in it, and each newly created file or directory gets the directory's group rather than the creating user's primary group;
To manage SGID permission on a file:
chmod g+|-s FILE ...
Placement: the group's execute permission bit
If the group has execute permission, it is displayed as lowercase s;
Otherwise, it is displayed as uppercase S;
Use Demo:
[root@host tmp]# ls -ld sgid/
drwxr-xr-x 2 root root 4096 Sep 27 11:18 sgid/
[root@host tmp]# chmod g+s sgid/    # add SGID permission to the directory
[root@host tmp]# ls -ld sgid/
drwxr-sr-x 2 root root 4096 Sep 27 11:18 sgid/
[root@host tmp]# chmod g+w sgid/
[root@host tmp]# ls -ld sgid/
drwxrwsr-x 2 root root 4096 Sep 27 11:18 sgid/    # the group's execute bit is displayed as s
[root@host tmp]# su - centos
-bash-4.1$ id centos
uid=495(centos) gid=491(centos) groups=491(centos),0(root)    # the default group of centos is centos
-bash-4.1$ cd /tmp/sgid/
-bash-4.1$ touch a.txt
-bash-4.1$ mkdir centos
-bash-4.1$ ll
total 4
-rw-rw-r-- 1 centos root    0 Sep 27 11:20 a.txt
drwxrwsr-x 2 centos root 4096 Sep 27 11:20 centos
# the group of the newly created file is the directory's group, not the user's own group
Conclusion:
1. When SGID is set on a directory, a user who creates a file in that directory must be a member of the directory's group.
2. When SGID is set on a directory, the group of any file or subdirectory newly created inside it automatically inherits the directory's group.
3. To create a file in a directory with SGID set, the directory's group must also have write (w) permission on that directory.
Sticky:
Function: in a directory that is writable by its group or by everyone, every member of the group, or every user on the system, can create new files and can also delete any existing file in the directory; if the sticky bit is set on such a directory, each user can still create new files but can only delete their own;
To manage sticky permission on a file:
chmod o+|-t FILE ...
Placement: the execute permission bit for other users
If other users have execute permission, it is displayed as lowercase t;
Otherwise, it is displayed as uppercase T;
The /tmp and /var/tmp directories on the system have the sticky bit set by default;
Another way to manage special permissions:
SUID  SGID  sticky  octal value
 0     0     0        0
 0     0     1        1
 0     1     0        2
 0     1     1        3
 1     0     0        4
 1     0     1        5
 1     1     0        6
 1     1     1        7
This extra octal digit is placed to the left of the usual three-digit octal mode, using the same octal encoding.
For example: chmod 1777 filename gives all permissions to everyone and also sets the sticky bit
Use Demo:
[root@host tmp]# mkdir sticky        # create the directory
[root@host tmp]# chmod 1777 sticky/  # give the directory all permissions and set the sticky bit
[root@host tmp]# ls -ld sticky
drwxrwxrwt 2 root root 4096 Sep 27 14:12 sticky    # the directory now has mode 1777
[root@host tmp]# su - centos
-bash-4.1$ cd /tmp/sticky/
-bash-4.1$ touch centos
-bash-4.1$ mkdir centos.d
-bash-4.1$ ll
total 4
-rw-rw-r-- 1 centos centos    0 Sep 27 14:14 centos
drwxrwxr-x 2 centos centos 4096 Sep 27 14:14 centos.d
-bash-4.1$ exit
logout
[root@host tmp]# cd sticky/
[root@host sticky]# touch root
[root@host sticky]# mkdir root.d
[root@host sticky]# ll
total 8
-rw-rw-r-- 1 centos centos    0 Sep 27 14:14 centos
drwxrwxr-x 2 centos centos 4096 Sep 27 14:14 centos.d
-rw-r--r-- 1 root   root      0 Sep 27 14:15 root
drwxr-xr-x 2 root   root   4096 Sep 27 14:15 root.d
# files created by the root user and by the centos user respectively
[root@host tmp]# su - centos
-bash-4.1$ cd /tmp/sticky/
-bash-4.1$ rm -f root
rm: cannot remove 'root': Operation not permitted
-bash-4.1$ rm -rf root.d/
rm: cannot remove 'root.d': Operation not permitted
-bash-4.1$ rm -rf centos.d
# after switching to centos, you can delete the files you created yourself, but not files created by other users
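As an added example (not from the original post), a small POSIX shell decoder that turns a mode given as octal digits, as in the table above, into the nine characters ls -l prints, placing s/S and t/T exactly as the placement rules for SUID, SGID and sticky describe, and names which special bits are set. The function names are my own; the final lines cross-check the decoder against ls -ld on a freshly created 1777 directory, like the /tmp case above.

```shell
#!/bin/sh
# Added example, not from the original post. Decodes a mode of up to four
# octal digits (e.g. 4755, 1777, 755) into the nine permission characters
# that ls -l shows, and names the special bits that are set.

rwx_triplet() {
    # $1: one octal digit (0-7); $2: 1 if this slot's special bit is set;
    # $3: letter shown for that special bit (s for SUID/SGID, t for sticky)
    d=$1; out=""
    if [ $(( $d & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $(( $d & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ "$2" -eq 1 ]; then
        # special bit set: lowercase when execute is also set, uppercase otherwise
        if [ $(( $d & 1 )) -ne 0 ]; then out="${out}$3"
        else out="${out}$(printf '%s' "$3" | tr a-z A-Z)"; fi
    elif [ $(( $d & 1 )) -ne 0 ]; then out="${out}x"
    else out="${out}-"; fi
    printf '%s' "$out"
}

mode_to_symbolic() {
    m=$1
    while [ ${#m} -lt 4 ]; do m="0$m"; done      # 755 -> 0755
    sp=${m%???}; rest=${m#?}                     # special digit, then u/g/o digits
    u=${rest%??}; g=${rest#?}; g=${g%?}; o=${rest#??}
    printf '%s%s%s\n' \
        "$(rwx_triplet "$u" $(( ($sp & 4) / 4 )) s)" \
        "$(rwx_triplet "$g" $(( ($sp & 2) / 2 )) s)" \
        "$(rwx_triplet "$o" $(( $sp & 1 )) t)"
}

describe_special() {
    # names the special bits in mode $1, e.g. 6755 -> "SUID SGID"
    m=$1
    while [ ${#m} -lt 4 ]; do m="0$m"; done
    sp=${m%???}; names=""
    [ $(( $sp & 4 )) -ne 0 ] && names="${names}SUID "
    [ $(( $sp & 2 )) -ne 0 ] && names="${names}SGID "
    [ $(( $sp & 1 )) -ne 0 ] && names="${names}sticky "
    names=${names% }
    printf '%s\n' "${names:-none}"
}

# Cross-check: ls -ld on a directory created here with chmod 1777 must print
# the same nine characters the decoder produces for 1777.
d=$(mktemp -d); chmod 1777 "$d"
printf 'decoded: %s  ls -ld: %s\n' "$(mode_to_symbolic 1777)" "$(ls -ld "$d" | cut -c2-10)"
rmdir "$d"
```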
FACL: file Access Control Lists
An additional authorization mechanism for files:
on top of the original u, g, o model, a further layer that lets an ordinary user grant permissions on a file to other specific users or groups;
getfacl command:
getfacl FILE ...
user:USERNAME:MODE
group:GROUPNAME:MODE
setfacl command:
Grant permissions to a user:
setfacl -m u:USERNAME:MODE FILE ...
[root@host tmp]# mkdir facl          # create the directory
[root@host tmp]# ls -ld facl         # check the permissions
drwxr-xr-x 2 root root 4096 Sep 27 14:34 facl
[root@host tmp]# setfacl -m u:dts:7 facl/    # grant the extra permissions
[root@host tmp]# su - dts
dts@host:~$ cd /tmp/facl/            # verify that files can be created, i.e. that write access is granted
-bash: cd: /tmp/facl/: Permission denied
dts@host:~$ cd /tmp/facl/
dts@host:/tmp/facl$ cat << EOF > a.txt
> time flies
> EOF
dts@host:/tmp/facl$ cat a.txt
time flies
dts@host:/tmp/facl$ ls -ld           # check the actual permission bits: others still have only r-x, and the + marks the ACL entry
drwxrwxr-x+ 2 root root 4096 Sep 27 14:40 ./
Grant permissions to a group:
setfacl -m g:GROUPNAME:MODE FILE ...
Revoke granted permissions:
setfacl -x u:USERNAME FILE ...
[root@host tmp]# setfacl -x u:dts facl/
setfacl -x g:GROUPNAME FILE ...
This article is from the "Wang Liming" blog, make sure to keep this source http://afterdawn.blog.51cto.com/7503144/1856968
Special permissions on Linux Systems Suid,sgid,sticky and additional Rights management tools FACL commands