SUID: when a program with SUID set is run, the resulting process runs with the identity of the program file's owner, not that of the user who started it.
chmod u+s filename (add SUID permission); chmod u-s filename (remove SUID permission)
If the file itself has execute permission for its owner, SUID is displayed as s; otherwise it is displayed as S.
The passwd command has SUID set by default.
SGID: when a program with SGID set is run, the resulting process runs with the group of the program file, not the group of the user who started it.
(When a directory has SGID set, files created inside that directory inherit the directory's group.)
chmod g+s filename (add SGID permission); chmod g-s filename (remove SGID permission)
Sticky: in a shared directory, each user can create files and delete their own files, but cannot delete other users' files.
chmod o+t dir (add sticky permission); chmod o-t dir (remove sticky permission)
Numeric values of the special permissions: SUID 4, SGID 2, sticky 1
chmod 1755 /tmp/test   # test gets 755 permissions plus sticky (1)
chmod 3755 /tmp/test   # test gets 755 permissions plus SGID (2) + sticky (1)
chmod 5755 /tmp/test   # test gets 755 permissions plus SUID (4) + sticky (1)
SUID example: let a normal user read a file it otherwise has no permission to read (user1 reads /etc/shadow). The hostname in the prompts below was lost in extraction and is shown as "host".
[root@host ~]# useradd user1                 # add user user1
[root@host ~]# passwd user1
[root@host ~]# ls -l /etc/shadow             # /etc/shadow has permissions 000, so no user other than root can read it
----------. 1 root root 1053 Jul  3 09:54 /etc/shadow
[root@host ~]# su - user1                    # switch to user1
[user1@host ~]$ cat /etc/shadow              # user1 has no permission to read it
cat: /etc/shadow: Permission denied
[root@host ~]# chmod u+s /bin/cat            # add SUID to /bin/cat: cat now runs as the file's owner (root), not as the user who invoked it
[root@host ~]# ls -l /bin/cat                # SUID added (shown as s because /bin/cat is executable; it would show S otherwise)
-rwsr-xr-x. 1 root root 48568 Oct 15  2014 /bin/cat
[user1@host ~]$ cat /etc/shadow              # user1 can now read it
bin:*:15980:0:99999:7:::
daemon:*:15980:0:99999:7:::
SGID example: three users create files in the same directory and can modify each other's files.
[user1@host ~]$ tail -5 /etc/passwd          # there are three users on the system
user1:x:500:500::/home/user1:/bin/bash
hbase:x:501:501::/home/hbase:/bin/bash
hadoop:x:502:502::/home/hadoop:/bin/bash
[root@host tmp]# mkdir project               # create the directory /tmp/project
[root@host tmp]# groupadd developteam        # add the group developteam
[root@host tmp]# chown -R :developteam /tmp/project   # change the group of /tmp/project to developteam
[root@host tmp]# ls -ld project
drwxr-xr-x. 2 root developteam 4096 Jul  9 02:15 project
[root@host tmp]# usermod -a -G developteam user1      # add developteam as a supplementary group of each of the three users
[root@host tmp]# usermod -a -G developteam hadoop
[root@host tmp]# usermod -a -G developteam hbase
[root@host project]# ls -ld                  # the group has no write permission on project, so add it
drwxr-xr-x. 2 root developteam 4096 Jul  9 02:15 .
[root@host project]# chmod g+w /tmp/project
[root@host project]# ls -ld
drwxrwxr-x. 2 root developteam 4096 Jul  9 02:15 .
[root@host project]# ll                      # each of the three users created a file (a.*) in /tmp/project; none of them can edit the others' files
-rw-rw-r--. 1 hadoop hadoop 0 Jul  9 02:33 a.hadoop
-rw-rw-r--. 1 hbase  hbase  0 Jul  9 02:34 a.hbase
-rw-rw-r--. 1 user1  user1  0 Jul  9 02:33 a.user1
[root@host ~]# chmod g+s /tmp/project        # add SGID to the /tmp/project directory
[root@host ~]# ls -ld /tmp/project
drwxrwsr-x. 2 root developteam 4096 Jul  9 02:34 /tmp/project
[root@host project]# ll                      # after SGID was added, the three users each created another file (b.*) in /tmp/project
total 0
-rw-rw-r--. 1 hadoop hadoop      0 Jul  9 02:33 a.hadoop
-rw-rw-r--. 1 hbase  hbase       0 Jul  9 02:34 a.hbase
-rw-rw-r--. 1 user1  user1       0 Jul  9 02:33 a.user1
-rw-rw-r--. 1 hadoop developteam 0 Jul  9 02:37 b.hadoop
-rw-rw-r--. 1 hbase  developteam 0 Jul  9 02:37 b.hbase
-rw-rw-r--. 1 user1  developteam 0 Jul  9 02:37 b.user1
The b.* files created by the three users all belong to the group developteam, so each user can edit and delete the others' files.
Sticky example: in the same directory, users can create files and modify each other's files, but cannot delete each other's files.
[root@host project]# chmod o+t /tmp/project  # add the sticky bit to /tmp/project (shown as t because others already have execute permission; T otherwise)
[root@host project]# ls -ld
drwxrwsr-t. 2 root developteam 4096 Jul  9 02:42 .
[hadoop@host project]$ rm -rf a.hbase        # user hadoop tries to delete hbase's file and fails (a user can only delete their own files)
rm: cannot remove `a.hbase': Operation not permitted
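An added example, not from the original post: a small POSIX shell helper that turns an ls -l mode field like the ones in the listings above into the leading chmod digit from the table (4/2/1), flags special bits that are set without the execute bit they depend on (the S/T case), and lists SUID/SGID files under a directory with find -perm, which is how an administrator checks for leftovers after an experiment such as chmod u+s /bin/cat. The mode strings passed at the bottom are taken from the listings above; "host" and the file names in the comments are the only assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for reading the special
# bits off an `ls -l` mode field and for auditing a directory tree for them.

# Return the leading octal digit chmod needs for the special bits in a
# 10-character mode field (e.g. "-rwsr-xr-x."): SUID=4, SGID=2, sticky=1.
special_octal() {
    m=$1
    n=0
    case $(printf '%s' "$m" | cut -c4) in [sS]) n=$((n + 4)) ;; esac   # owner execute slot
    case $(printf '%s' "$m" | cut -c7) in [sS]) n=$((n + 2)) ;; esac   # group execute slot
    case $(printf '%s' "$m" | cut -c10) in [tT]) n=$((n + 1)) ;; esac  # other execute slot
    echo "$n"
}

# Report special bits whose underlying execute bit is missing. ls shows those
# as S or T instead of s or t; the bit is set but has no effect, which is
# usually a chmod mistake worth cleaning up. Prints "none" if all is well.
dangling_bits() {
    m=$1
    out=""
    case $(printf '%s' "$m" | cut -c4) in S) out="${out}${out:+ }SUID-without-x" ;; esac
    case $(printf '%s' "$m" | cut -c7) in S) out="${out}${out:+ }SGID-without-x" ;; esac
    case $(printf '%s' "$m" | cut -c10) in T) out="${out}${out:+ }sticky-without-x" ;; esac
    echo "${out:-none}"
}

# List regular files under $1 that carry SUID or SGID. Run against / and
# compare with a saved baseline to notice leftovers such as a
# `chmod u+s /bin/cat` experiment that was never reverted.
audit_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Mode fields taken from the listings above.
special_octal '-rwsr-xr-x.'   # 4: /bin/cat after chmod u+s
special_octal 'drwxrwsr-t.'   # 3: /tmp/project after chmod g+s and o+t
dangling_bits '-rwSr--r--'    # SUID-without-x: constructed example of an ineffective bit
```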
Finished ~ ~ ~
This article is from the "LULU" blog; please keep this source when reproducing it: http://aby028.blog.51cto.com/5371905/1814364
Special permissions: SUID, SGID, sticky (learning notes)