Special Permissions (SUID, SGID, Sticky): Learning Notes

Source: Internet
Author: User

SUID: when a program with the SUID bit set is executed, the effective user of the resulting process is the owner of the program file, not the user who launched it.

chmod u+s filename (add SUID) chmod u-s filename (remove SUID)

If the file's owner already has execute permission, SUID is shown in the owner execute column as a lowercase s; otherwise it is shown as an uppercase S (the bit is set, but the owner cannot execute the file, so it has no effect).

The passwd command has SUID set by default: it runs as root so that an ordinary user can update their own line in /etc/shadow, which only root may write. Note that the Linux kernel ignores SUID and SGID on interpreted scripts; the bits only take effect on native executables.

SGID: when a program with the SGID bit set is executed, the effective group of the resulting process is the group of the program file, not the launching user's group.

(When a directory has SGID set, every file or subdirectory created inside it inherits the directory's group instead of the creating user's primary group.)

chmod g+s filename (add SGID) chmod g-s filename (remove SGID)

Sticky: in a shared directory with the sticky bit set, every user with write permission on the directory can create files and delete their own files, but cannot delete or rename files owned by other users. (The directory's owner and root are exempt from this restriction.)

chmod o+t dir (add the sticky bit) chmod o-t dir (remove the sticky bit)

Octal values of the special bits: SUID = 4, SGID = 2, Sticky = 1. They are written as a fourth digit in front of the usual three-digit mode:

chmod 1755 /tmp/test #test has 755 permissions plus the sticky bit (1)

chmod 3755 /tmp/test #test has 755 permissions plus SGID (2) + sticky (1)

chmod 5755 /tmp/test #test has 755 permissions plus SUID (4) + sticky (1)
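To check an octal mode against what ls -l prints, here is an added example (not part of the original note) that converts a mode string such as drwxrwsr-t back to its four-digit octal value using exactly the s/S and t/T rules above. The function name mode_to_octal and the sample strings are this example's own; it also strips the trailing "." or "+" that ls appends when a file carries an SELinux context or an ACL.

```shell
#!/bin/sh
# Added example (not from the original note). Convert an ls -l mode string
# to its octal chmod value: s/S in the owner slot = SUID (4000), s/S in the
# group slot = SGID (2000), t/T in the others slot = sticky (1000). Lowercase
# means the underlying execute bit is also set; uppercase means it is not.
mode_to_octal() {
    m=$1
    case $m in *.|*+) m=${m%?} ;; esac   # drop the SELinux "." / ACL "+" marker
    case ${#m} in
        10) m=${m#?} ;;                  # drop the file-type column (-, d, l, ...)
        9) ;;
        *) echo "mode_to_octal: expected 9 or 10 characters, got '$1'" >&2; return 1 ;;
    esac
    special=0; perm=""; slot=0           # slot 0 = owner, 1 = group, 2 = others
    while [ "$slot" -lt 3 ]; do
        r=$(printf '%s' "$m" | cut -c $((slot*3+1)))
        w=$(printf '%s' "$m" | cut -c $((slot*3+2)))
        x=$(printf '%s' "$m" | cut -c $((slot*3+3)))
        v=0
        if [ "$r" = r ]; then v=$((v+4)); fi
        if [ "$w" = w ]; then v=$((v+2)); fi
        # "$slot$x" selects the rule for the execute column of this slot
        case "$slot$x" in
            0x|1x|2x) v=$((v+1)) ;;
            0s) v=$((v+1)); special=$((special+4)) ;;   # SUID, owner executable
            0S) special=$((special+4)) ;;               # SUID, owner not executable
            1s) v=$((v+1)); special=$((special+2)) ;;   # SGID, group executable
            1S) special=$((special+2)) ;;               # SGID, group not executable
            2t) v=$((v+1)); special=$((special+1)) ;;   # sticky, others executable
            2T) special=$((special+1)) ;;               # sticky, others not executable
            0-|1-|2-) ;;
            *) echo "mode_to_octal: '$x' is not valid in slot $slot of '$1'" >&2; return 1 ;;
        esac
        perm="$perm$v"
        slot=$((slot+1))
    done
    printf '%s%s\n' "$special" "$perm"
}

# Stand-alone demo on the mode strings that appear in this note (constructed input).
for s in -rwsr-xr-x drwxrwsr-x. drwxrwsr-t. -rw-rw-r--. rwSr--r--; do
    printf '%-12s %s\n' "$s" "$(mode_to_octal "$s")"
done
```

An uppercase S or T in a listing is worth a second look: the special bit is set but is inert because the matching execute bit is missing, which usually means someone ran chmod 4644 or the like by mistake.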

SUID instance test: give a normal user read access it does not normally have to a specific file (user1 reads /etc/shadow). This only demonstrates how the bit works: a SUID root copy of cat lets every user on the system read every file, so remove the bit (chmod u-s /bin/cat) as soon as the test is finished.

[root ~]# useradd user1            # add the user user1
[root ~]# passwd user1
[root ~]# ls -l /etc/shadow        # /etc/shadow is mode 000, so no user other than root can read it
----------. 1 root root 1053 Jul  3 09:54 /etc/shadow
[root ~]# su - user1               # switch to user1
[user1 ~]$ cat /etc/shadow         # user1 has no permission to read it
cat: /etc/shadow: Permission denied
[root ~]# chmod u+s /bin/cat       # back as root: add SUID to /bin/cat, so cat now runs as the file's owner (root), not as the caller
[root ~]# ls -l /bin/cat           # SUID is set (lowercase s because /bin/cat already had owner execute; otherwise it would show an uppercase S)
-rwsr-xr-x. 1 root root 48568 Oct 15 2014 /bin/cat
[user1 ~]$ cat /etc/shadow         # user1 can now read it
bin:*:15980:0:99999:7:::
daemon:*:15980:0:99999:7:::


SGID instance test: three users create files in the same directory and can edit each other's files.

[user1 ~]$ tail -5 /etc/passwd                 # there are three users on the system
user1:x:500:500::/home/user1:/bin/bash
hbase:x:501:501::/home/hbase:/bin/bash
hadoop:x:502:502::/home/hadoop:/bin/bash
[root tmp]# mkdir project                      # create the directory /tmp/project
[root tmp]# groupadd developteam               # add the developteam group
[root tmp]# chown -R :developteam /tmp/project # change the group of /tmp/project to developteam
[root tmp]# ls -ld project
drwxr-xr-x. 2 root developteam 4096 Jul  9 02:15 project
[root tmp]# usermod -a -G developteam user1    # add developteam as a supplementary group of each of the three users (-a only works together with -G)
[root tmp]# usermod -a -G developteam hadoop
[root tmp]# usermod -a -G developteam hbase
[root project]# ls -ld                         # the group has no write permission on project yet, so add it
drwxr-xr-x. 2 root developteam 4096 Jul  9 02:15 .
[root project]# chmod g+w /tmp/project
[root project]# ls -ld
drwxrwxr-x. 2 root developteam 4096 Jul  9 02:15 .
[root project]# ll                             # each of the three accounts creates a file (a.*) in /tmp/project; nobody can edit the others' files
-rw-rw-r--. 1 hadoop hadoop 0 Jul  9 02:33 a.hadoop
-rw-rw-r--. 1 hbase  hbase  0 Jul  9 02:34 a.hbase
-rw-rw-r--. 1 user1  user1  0 Jul  9 02:33 a.user1
[root ~]# chmod g+s /tmp/project               # add SGID to /tmp/project
[root ~]# ls -ld /tmp/project
drwxrwsr-x. 2 root developteam 4096 Jul  9 02:34 /tmp/project
[root project]# ll                             # with SGID set, each of the three users creates another file (b.*)
total 0
-rw-rw-r--. 1 hadoop hadoop      0 Jul  9 02:33 a.hadoop
-rw-rw-r--. 1 hbase  hbase       0 Jul  9 02:34 a.hbase
-rw-rw-r--. 1 user1  user1       0 Jul  9 02:33 a.user1
-rw-rw-r--. 1 hadoop developteam 0 Jul  9 02:37 b.hadoop
-rw-rw-r--. 1 hbase  developteam 0 Jul  9 02:37 b.hbase
-rw-rw-r--. 1 user1  developteam 0 Jul  9 02:37 b.user1

The files created after SGID was set (b.*) belong to the developteam group, and because they are group-writable (rw-rw-r--, as the listing shows) every member of developteam can edit them. Deleting is a separate question: removing a file requires write permission on the directory, not on the file, so with /tmp/project group-writable any developteam member can delete anyone's file, including the a.* files. That is exactly what the sticky bit in the next test prevents.


Sticky instance test: in the same directory, users can create files and edit each other's files, but cannot delete each other's files.

[root project]# chmod o+t /tmp/project   # add the sticky bit to /tmp/project (shown as lowercase t because others already had execute; otherwise it would show an uppercase T)
[root project]# ls -ld
drwxrwsr-t. 2 root developteam 4096 Jul  9 02:42 .
[hadoop project]$ rm -rf a.hbase         # as the hadoop user, try to delete hbase's file: it fails, each user can only delete their own files
rm: cannot remove 'a.hbase': Operation not permitted
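The two states these tests deliberately create are also the two findings an audit of a real host should catch: a SUID root binary that has no business being one (the /bin/cat test above) and a shared writable directory without the sticky bit. The following audit helpers are an added example, not part of the original note; the function names and the temporary files the demo creates are this example's own. On a real system run them as root against / (find's -xdev keeps the search on one filesystem); here the demo runs against a temporary directory so the script works offline as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the original note): audit helpers for the SUID
# and sticky-bit conditions demonstrated in this note. Function names are
# this example's own.

# List regular files under $1 that carry SUID (4000) or SGID (2000).
# This is what would catch a forgotten "chmod u+s /bin/cat".
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# List directories under $1 that are world-writable (o+w) but lack the
# sticky bit: there, any user can delete or rename any other user's files.
find_unsticky_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Line counts so a caller (or a test) can assert on the result; tr strips
# the padding some wc implementations print in front of the number.
count_setid_files() {
    find_setid_files "$1" | wc -l | tr -d ' '
}
count_unsticky_dirs() {
    find_unsticky_world_writable_dirs "$1" | wc -l | tr -d ' '
}

# The fixes: strip SUID/SGID from a file that should not have them (for the
# test above, chmod u-s /bin/cat) and add the sticky bit to a shared directory.
fix_setid_file() { chmod u-s,g-s "$1"; }
fix_shared_dir()  { chmod o+t "$1"; }

# Stand-alone demo in a temporary directory (constructed input, not a real
# system path): a fake SUID "cat" and a mode-777 drop directory.
demo_audit() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\ncat "$@"\n' > "$tmp/cat"
    chmod 4755 "$tmp/cat"               # reproduce the misconfiguration
    mkdir "$tmp/drop"
    chmod 777 "$tmp/drop"               # world-writable, no sticky bit
    echo "SUID/SGID files:"
    find_setid_files "$tmp" | sed 's/^/  /'
    echo "world-writable directories lacking the sticky bit:"
    find_unsticky_world_writable_dirs "$tmp" | sed 's/^/  /'
    fix_setid_file "$tmp/cat"
    fix_shared_dir "$tmp/drop"
    echo "after fix: $(count_setid_files "$tmp") setid files, $(count_unsticky_dirs "$tmp") unsticky directories"
    rm -rf "$tmp"
}

demo_audit
```

Compare the SUID list against the set the distribution ships (passwd, su, sudo, mount and a handful of others) rather than treating every hit as a problem; anything outside that set, or any SUID file under /tmp or a home directory, deserves an explanation before it is left in place.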

Finished ~ ~ ~

This article is from the "LULU" blog; please keep this source: http://aby028.blog.51cto.com/5371905/1814364
