Special permissions: SUID, SGID, STICKY
Security context in Linux:
1. A process runs as a user: the process acts on behalf of the user who launched it, so all of its operations are carried out with that user's identity and permissions.
2. Permission matching model:
1) Is the owner of the process the owner of the file being accessed? If so, the owner's permissions apply; otherwise go to step 2.
2) Does the owner of the process belong to the group of the file being accessed? If so, the group's permissions apply; otherwise go to step 3.
3) Apply the permissions for others.
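The three-step matching model above, as an added shell example that is not part of the original post. The functions take the ls -l mode string together with the file's owner and group, the process's user and the process's group list as plain arguments (all constructed values; no real files are touched) and return the single rwx triple that governs the access. Two points the model implies but the text leaves implicit: matching stops at the first class that applies, so an owner whose triple is weaker than the group's or others' is still held to the owner triple; and under SUID it is the effective user (the program file's owner) that enters step 1 in place of the initiator.

```shell
#!/bin/sh
# Added example (not from the original post): the owner -> group -> other
# permission matching model applied to a mode string. All values constructed.

# which_class FILE_OWNER FILE_GROUP PROC_USER "PROC_GROUPS"
# Prints "owner", "group" or "other": the one permission class that applies.
# PROC_GROUPS is a space-separated list (primary plus supplementary groups).
which_class() {
    f_owner=$1; f_group=$2; p_user=$3; p_groups=$4
    # Step 1: is the process owner the file owner?
    if [ "$p_user" = "$f_owner" ]; then
        echo owner; return 0
    fi
    # Step 2: does any group of the process match the file's group?
    for g in $p_groups; do
        if [ "$g" = "$f_group" ]; then
            echo group; return 0
        fi
    done
    # Step 3: nothing matched, the "other" class applies.
    echo other
}

# effective_perms MODE_STRING FILE_OWNER FILE_GROUP PROC_USER "PROC_GROUPS"
# MODE_STRING is the 10-character field printed by ls -l, e.g. -rw-rw----.
# Prints the rwx triple that governs this process, e.g. "rw-" or "---".
effective_perms() {
    mode=$1
    class=$(which_class "$2" "$3" "$4" "$5")
    case $class in
        owner) printf '%s\n' "$mode" | cut -c2-4 ;;   # chars 2-4: owner triple
        group) printf '%s\n' "$mode" | cut -c5-7 ;;   # chars 5-7: group triple
        other) printf '%s\n' "$mode" | cut -c8-10 ;;  # chars 8-10: other triple
    esac
}

# can_read MODE_STRING FILE_OWNER FILE_GROUP PROC_USER "PROC_GROUPS"
# Exit status 0 when the applicable class grants read, 1 otherwise.
can_read() {
    case $(effective_perms "$@") in
        r??) return 0 ;;
        *)   return 1 ;;
    esac
}

# demo: the 2.txt case from the post (mode -rw-rw----, owner jack, group jack).
demo() {
    printf 'jack5 directly:            %s\n' "$(effective_perms -rw-rw---- jack jack jack5 'jack5')"
    printf 'jack3 (jack as supp. grp): %s\n' "$(effective_perms -rw-rw---- jack jack jack3 'jack3 jack')"
    # Through a SUID copy of cat owned by jack, the effective user is jack,
    # so step 1 matches and the owner triple applies, whoever launched it.
    printf 'jack5 via SUID jackfile1:  %s\n' "$(effective_perms -rw-rw---- jack jack jack 'jack')"
    # First match wins: an owner locked out by the owner triple does not
    # fall through to the more permissive group or other triple.
    printf 'owner of ----rw-rw-:        %s\n' "$(effective_perms ----rw-rw- jack jack jack 'jack')"
}

demo
```

Run it with `sh script.sh`; the last line of the demo is the case worth remembering when reviewing permissions, since `chmod 066` on your own file locks you out while leaving everyone else access.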
SUID:
By default, the owner of a process started by a user is that user (the initiator), so the process runs with the initiator's identity.
SUID function: when a user runs a program that carries the SUID bit, the owner of the resulting process is not the initiator but the owner of the program file.
To manage the SUID bit on a file:
chmod u+|-s FILE
Position: the owner's execute permission bit.
If the owner also has execute permission, it is displayed as lowercase s;
otherwise it is displayed as uppercase S.
[root@host ~]# cp /bin/cat /tmp/jackfile1        # copy the cat command as jackfile1
[root@host ~]# mv /bin/cat /bin/cat.txt          # rename cat so the system can no longer find the cat command
[root@host tmp]# chmod u+s jackfile1             # add the SUID special permission to jackfile1
[root@host tmp]# ll jackfile1                    # check the owner, group and permissions of jackfile1
-rwsr-xr-x. 1 jack jack 48568 1 19:11 jackfile1
[jack@host jack]$ ll 2.txt                       # user jack creates 2.txt; user jack5 has no permissions on this file
-rw-rw----. 1 jack jack 1 19:25 2.txt
[jack5@host jack]$ /tmp/jackfile1 2.txt          # as user jack5, read the 2.txt created by jack
Agjjfjskdfjlsdfjlsfjsldjgljgljlajgljhljlkdahljfsdjk
Experimental conclusion: in the test above, jackfile1 is a copy of the cat command. Once jackfile1 carries the s bit, any other user who runs jackfile1 does so with the identity of its owner, jack, so every file jack creates becomes accessible to those users.
SGID:
Function: when a directory is group-writable and carries the SGID bit, a user who belongs to the directory's group and creates a file or subdirectory in it gets a new file whose group is not the user's primary group but the directory's group.
To manage the SGID bit on a file:
chmod g+|-s FILE
Position: the group's execute permission bit.
If the group also has execute permission, it is displayed as lowercase s;
otherwise it is displayed as uppercase S.
[user@host jack]$ ll -d                          # the directory jack has been given the SGID permission
drwxrwsr-x. 2 jack jack 4096 1 19:25 .
[user@host jack]$ id jack3                       # jack has been set as a supplementary group of jack3
uid=4019(jack3) gid=4019(jack3) groups=4019(jack3),4023(jack)
[jack3@host jack]$ touch 5.txt                   # create 5.txt as user jack3
[jack3@host jack]$ ll                            # the group of 5.txt is jack, not jack3's primary group
-rw-rw-r--. 1 jack3 jack 0 1 19:39 5.txt
Experimental conclusion:
1. User jack3 must have jack as a supplementary group.
2. With the SGID bit added, the group of the file the user creates is jack, which means any member of the jack group can read and write 5.txt.
STICKY:
Function: in a group-writable or world-writable directory, every user in the group, or every user on the system, can create new files and can also delete any existing file. If the sticky bit is set on such a directory, each user can still create files but can delete only their own.
To manage the sticky bit on a file:
chmod o+|-t FILE
Position: the execute permission bit for others.
If others also have execute permission, it is displayed as lowercase t;
otherwise it is displayed as uppercase T.
The /tmp and /var/tmp directories on the system carry the sticky bit by default.
[user@host jack]$ ll -d                          # the jack directory has been given the sticky permission; note the t
drwxrwxrwt. 2 jack jack 4096 1 20:04 .
[user@host ~]$ id jack4                          # jack4 is an ordinary user unrelated to jack
uid=4020(jack4) gid=4023(jack) groups=4023(jack)
[jack4@host jack]$ touch 4.txt                   # user jack4 creates 4.txt in the jack directory
[jack3@host jack]$ rm 4.txt                      # as another account, jack3, delete the 4.txt created by jack4: it fails
rm: remove write-protected regular empty file '4.txt'? y
rm: cannot remove '4.txt': Operation not permitted
Experimental conclusion:
1. For files created in a directory with the t bit, other users can view or modify each other's files as the file permissions allow, but cannot delete them; each user can delete only their own files.
2. The owner of a directory with the t bit can delete any file in that directory.
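The three display rules above (lowercase s/s/t when the execute bit is also set, uppercase S/S/T when it is not) collected into one added shell example, not part of the original post. It decodes the special bits from an ls -l mode string, then creates files and directories in a scratch directory carrying each bit and decodes their live modes; setting these bits on files you own needs no root. It closes with the inventory check an administrator runs against a tree, listing every setuid file under it, so that an unexpected s bit such as the jackfile1 copy above does not go unnoticed.

```shell
#!/bin/sh
# Added example (not from the original post): decode SUID/SGID/sticky from an
# ls -l mode string and verify the display rules against live files.

# decode_special MODE_STRING
# Prints the special bits found in MODE_STRING as "name(exec)" or
# "name(noexec)", space-separated, or "none" when no special bit is set.
# Lowercase s/t: special bit plus execute. Uppercase S/T: special bit alone.
decode_special() {
    mode=$1
    u=$(printf '%s\n' "$mode" | cut -c4)    # owner execute position
    g=$(printf '%s\n' "$mode" | cut -c7)    # group execute position
    o=$(printf '%s\n' "$mode" | cut -c10)   # other execute position
    out=""
    case $u in s) out="$out suid(exec)" ;;   S) out="$out suid(noexec)" ;;   esac
    case $g in s) out="$out sgid(exec)" ;;   S) out="$out sgid(noexec)" ;;   esac
    case $o in t) out="$out sticky(exec)" ;; T) out="$out sticky(noexec)" ;; esac
    if [ -n "$out" ]; then
        echo "${out# }"
    else
        echo none
    fi
}

# mode_of PATH
# The 10-character mode field of ls -ld (portable; needs no GNU stat).
# A trailing "." or "+" (SELinux context / ACL marker) is dropped by the cut.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# demo: create one object per special bit in a scratch directory, show the
# mode string ls prints for each, decode it, then run the setuid inventory.
demo() {
    work=$(mktemp -d) || return 1
    touch "$work/suid_bin";  chmod 4755 "$work/suid_bin"   # -rwsr-xr-x  s: exec set
    touch "$work/suid_nox";  chmod 4644 "$work/suid_nox"   # -rwSr--r--  S: no exec
    mkdir "$work/shared";    chmod 2775 "$work/shared"     # drwxrwsr-x  SGID directory
    mkdir "$work/dropbox";   chmod 1777 "$work/dropbox"    # drwxrwxrwt  sticky directory
    for p in suid_bin suid_nox shared dropbox; do
        m=$(mode_of "$work/$p")
        printf '%-10s %-9s %s\n' "$m" "$p" "$(decode_special "$m")"
    done
    echo "setuid files under $work:"
    # -perm -4000: the setuid bit is set, whatever the other bits are.
    find "$work" -type f -perm -4000
    rm -rf "$work"
}

demo
```

The inventory line is the part to keep: run `find / -xdev -type f -perm -4000` on a host and compare the result against the previous run, since a new setuid file is exactly what the jackfile1 experiment produces.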
This article is from the "zebra930" blog; please keep this source when reproducing it: http://zebra930.blog.51cto.com/11736340/1833172