Representation and parsing of file permissions under Unix
SUID stands for set-user-ID and SGID for set-group-ID.
The ls -l command shows the permissions of a file under UNIX. The permission field it prints looks like -rwxr-xr-x. Below is a breakdown of what that format means. The field is 10 characters long, numbered here from 9 down to 0:
9 8 7 6 5 4 3 2 1 0
- r w x r - x r - x
Character 9 is the file type, which can be p, d, l, s, c, b or -:
p is a named pipe (FIFO)
d is a directory
l is a symbolic link
- is a regular file
s is a socket
c is a character device
b is a block device
Characters 8-6, 5-3 and 2-0 are the permissions of the file owner, of the file's group, and of other users, each in the form rwx:
r means readable: the contents of the file can be read
w means writable: the contents of the file can be modified
x means executable: the file can be run as a program (for a directory, it can be searched)
A position with no permission is shown as -
Example:
ls -l myfile displays:
-rwxr-x--- 1 foo staff 7734 Apr 5 17:07 myfile
This says that myfile is a regular file, its owner is user foo, its group is staff, it has 1 hard link, its length is 7,734 bytes, and it was last modified on April 5 at 17:07.
The owner foo has read, write and execute permission on the file; members of the staff group have read and execute permission; other users have no permission on the file at all.
If a file has the suid or sgid bit set, ls shows it in the execute position of the owner's or the group's permissions: as a lowercase s when the execute bit is also set, and as an uppercase S when it is not. For example:
1. -rwsr-xr-x means suid is set and the owner's execute bit is set
2. -rwSr--r-- means suid is set but the owner's execute bit is not set
3. -rwxr-sr-x means sgid is set and the group's execute bit is set
4. -rw-r-Sr-- means sgid is set but the group's execute bit is not set
In fact, in the UNIX implementation file permissions are represented by 12 bits; a 1 in a position means the corresponding permission is present:
11 10 9 8 7 6 5 4 3 2 1 0
s g t r w x r w x r w x
Bit 11 is the suid bit, bit 10 is the sgid bit, bit 9 is the sticky bit (on a directory it restricts deleting and renaming entries to their owner, the directory owner and root), and bits 8-0 correspond to the three rwx groups above. Read in groups of three, the 12 bits give the four-digit octal form of the mode.
11 10 9 8 7 6 5 4 3 2 1 0
The value of -rwsr-xr-x above is: 1 0 0 1 1 1 1 0 1 1 0 1 (octal 4755)
The value of -rw-r-Sr-- is: 0 1 0 1 1 0 1 0 0 1 0 0 (octal 2644)
The commands to add or remove suid and sgid on a file are:
chmod u+s filename   set the suid bit
chmod u-s filename   remove the suid bit
chmod g+s filename   set the sgid bit
chmod g-s filename   remove the sgid bit
Alternatively, chmod accepts the mode in octal: the four digits are the 12 bits above read in groups of three, with the suid/sgid/sticky group first, so chmod 4755 filename produces -rwsr-xr-x. If you understand the 12-bit notation, this is equally simple.
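As an added example (it is not part of the original article), the following Python script implements the mapping just described in both directions: it parses a 10-character ls -l mode string into the 12-bit value, writes the bits out as the table above does, and produces the four-digit octal argument for chmod. The uppercase S/T rule is handled, and from_st_mode converts an os.stat() result so the same functions work on real files. The function names are my own; the standard library's stat.filemode does the formatting direction and can be used as a cross-check.

```python
import stat

# The type character in position 9 of the ls field, mapped to the file-type
# bits of st_mode. Order and letters follow the list on the page.
FILE_TYPES = {"p": stat.S_IFIFO, "d": stat.S_IFDIR, "l": stat.S_IFLNK,
              "-": stat.S_IFREG, "s": stat.S_IFSOCK, "c": stat.S_IFCHR,
              "b": stat.S_IFBLK}

# The three execute positions of the string (owner, group, other) also carry
# the special bits: suid and sgid are shown as s/S, the sticky bit as t/T.
SPECIAL = {3: (stat.S_ISUID, "s"), 6: (stat.S_ISGID, "s"), 9: (stat.S_ISVTX, "t")}


def parse_mode(text):
    """Parse a 10-character ls -l mode string such as '-rwsr-xr-x'.
    Returns (type_char, mode) where mode is the 12-bit value from the table."""
    if len(text) != 10 or text[0] not in FILE_TYPES:
        raise ValueError("not a 10-character ls mode string: %r" % text)
    mode = 0
    for pos in range(1, 10):
        ch = text[pos]
        bit = 1 << (9 - pos)            # string position 1 is bit 8, position 9 is bit 0
        plain = "rwx"[(pos - 1) % 3]    # the letter expected at this position
        if ch == "-":
            continue
        if ch == plain:
            mode |= bit
        elif pos in SPECIAL and ch in (SPECIAL[pos][1], SPECIAL[pos][1].upper()):
            mode |= SPECIAL[pos][0]     # special bit is set ...
            if ch.islower():
                mode |= bit             # ... and, for lowercase, the execute bit too
        else:
            raise ValueError("unexpected %r at position %d of %r" % (ch, pos, text))
    return text[0], mode


def format_mode(type_char, mode):
    """Inverse of parse_mode: render a 12-bit mode the way ls -l does."""
    out = [type_char]
    for pos in range(1, 10):
        bit = 1 << (9 - pos)
        ch = "rwx"[(pos - 1) % 3] if mode & bit else "-"
        if pos in SPECIAL and mode & SPECIAL[pos][0]:
            letter = SPECIAL[pos][1]
            ch = letter if mode & bit else letter.upper()   # s/t with x, S/T without
        out.append(ch)
    return "".join(out)


def bit_string(mode):
    """The 12 bits written out as on the page, bit 11 (suid) first."""
    return "".join("1" if mode & (1 << b) else "0" for b in range(11, -1, -1))


def chmod_octal(mode):
    """Four-digit octal argument for chmod, e.g. '4755' for -rwsr-xr-x."""
    return "%04o" % (mode & 0o7777)


def from_st_mode(st_mode):
    """Convert an os.stat().st_mode into (type_char, 12-bit mode)."""
    for ch, fmt in FILE_TYPES.items():
        if stat.S_IFMT(st_mode) == fmt:
            return ch, st_mode & 0o7777
    raise ValueError("unknown file type in st_mode %o" % st_mode)


if __name__ == "__main__":
    # The page's own examples plus a sticky /tmp-style directory and a device.
    for example in ("-rwxr-x---", "-rwsr-xr-x", "-rwSr--r--", "-rwxr-sr-x",
                    "-rw-r-Sr--", "drwxrwxrwt", "cr--r-----"):
        type_char, mode = parse_mode(example)
        print(example, bit_string(mode), chmod_octal(mode), format_mode(type_char, mode))
```

Running the script prints each example string, its 12 bits and its octal mode, and confirms that format_mode reproduces the input; for every value from 0000 to 7777 the two functions round-trip, so the script can also be used to sanity-check modes found with os.stat() on a real system.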
A detailed analysis of SUID and SGID
SUID and SGID take effect when a program is executed (that is, when the file's execute bit is set), and the execute bit is meaningful only for regular files and directories, so setting the suid or sgid bit on other kinds of files makes little sense.
First, the effect of suid and sgid on regular files. Example:
Suppose the regular file myfile belongs to user foo, is executable, and does not have the suid bit set; ls shows:
-rwxr-xr-x 1 foo staff 7734 Apr 5 17:07 myfile
Any user can execute this program. On what basis does the UNIX kernel decide which resources a process may access? On the (effective) IDs of the user running the process: a user ID and a group ID. The id command shows your own or another user's user ID and group ID.
Besides the ordinary (real) user ID and group ID, a process has two effective IDs. The four are written uid, gid, euid and egid. The kernel decides a process's access to resources primarily on euid and egid.
This article URL address: http://www.bianceng.cn/OS/Linux/201410/45419.htm
If the program has neither the suid nor the sgid bit set, then euid=uid and egid=gid, that is, the uid and gid of the user running the program. For example, user kevin has uid 204 and gid 202, and user foo has uid 200 and gid 201. When kevin runs myfile, the resulting process has euid=uid=204 and egid=gid=202; the kernel restricts the process's resource access on the basis of these values, so in effect the process can reach only what kevin can, and foo's permissions do not come into it.
If the program has the suid bit set, euid becomes the uid of the program's owner while egid is unchanged: when kevin runs myfile with suid set, uid=204, gid=202, euid=200, egid=202, so the process has the resource access of the owner foo. If sgid is set as well, egid also becomes the gid of the file's group, giving euid=200, egid=201.
The role of SUID is therefore this: to let a user who lacks the necessary permissions run a program that accesses resources the user could not reach directly. passwd is the clearest example: any user may change their own password, but only root may write the password file, so passwd is a suid-root program.
SUID and SGID are independent of each other: suid alone substitutes only the euid, sgid alone substitutes only the egid, and a program with both bits set gets its euid from its owner and its egid from its group.
An example is discussed below:
The UNIX system has a /dev/kmem device file, a character device that exposes the kernel's memory, including sensitive data such as users' passwords. This file is therefore neither readable nor writable by ordinary users, and its permissions are set to:
cr--r----- 1 root system 2, 1 May 1998 kmem
But ps and other programs need to read this file, and the permissions of ps are set as follows:
-r-xr-sr-x 1 bin system 59346 Apr 1998 ps
This is a program with sgid set. The owner of ps is bin, not root, so setting suid on it could not give access to kmem. But bin and root both belong to the system group, and with sgid set on ps an ordinary user who runs it gets the system group as the process's egid. The group permission on kmem is read, so an ordinary user can run ps without trouble.
Some will ask: why not make ps owned by root and set the suid bit instead? That would indeed solve the problem, but why is it not done in practice? Because the risk of sgid is much smaller than that of suid: a subverted suid-root program hands the caller a root euid, whereas a subverted sgid program hands over only the permissions of one group. For the sake of system security, use sgid in preference to suid wherever possible.
Here is how sgid affects directories. SUID has no effect on a directory. If a directory has the sgid bit set, then when any user with write permission on the directory creates a file in it, the group of the new file is the group of the directory rather than the user's own group; the owner of the file is still the user who created it. (On Linux, a subdirectory created in such a directory also inherits the sgid bit itself.)
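Added example, not from the original article: a Python script that encodes the rules above. effective_ids computes the (euid, egid) a process gets when it executes a file, and the main block runs it with the page's numbers for kevin and foo; classify and scan walk a directory tree with lstat and report every regular file carrying suid or sgid and every sgid or sticky directory, ranking suid root highest and sgid lowest, which is the ordering the ps/kmem discussion argues for. build_sample_tree constructs a throw-away temporary tree so the scanner can be tried without touching the real system; give it a path such as /usr/bin to audit a real directory. The function names and severity labels are my own assumptions; nosuid mounts and the Linux rule that ignores both bits on #! scripts are noted but not modelled.

```python
import os
import stat
import sys
import tempfile


def effective_ids(st_mode, st_uid, st_gid, uid, gid):
    """(euid, egid) a process whose real ids are (uid, gid) gets when it
    executes a file with this mode, owner and group. suid substitutes the
    owner's uid, sgid the file's gid, and the two bits act independently.
    Not modelled: nosuid mounts, and Linux ignoring both bits on #! scripts."""
    euid = st_uid if st_mode & stat.S_ISUID else uid
    egid = st_gid if st_mode & stat.S_ISGID else gid
    return euid, egid


def classify(st_mode):
    """Which special bits are meaningful on this inode, per the rules above."""
    flags = []
    if stat.S_ISREG(st_mode):
        if st_mode & stat.S_ISUID:
            flags.append("suid")
        if st_mode & stat.S_ISGID:
            flags.append("sgid")
        if flags and not st_mode & 0o111:
            flags.append("no-exec")      # bit set but nothing can execute it (ls shows S)
    elif stat.S_ISDIR(st_mode):
        if st_mode & stat.S_ISGID:
            flags.append("sgid-dir")     # new entries take the directory's group
        if st_mode & stat.S_ISVTX:
            flags.append("sticky-dir")   # entries may be removed only by their owner
    # suid on a directory, or any special bit on a device, pipe or socket: nothing
    return flags


def severity(flags, st_uid):
    """Ranking that follows the page's argument: suid is riskier than sgid,
    and suid owned by root (uid 0) is the worst case."""
    if "no-exec" in flags:
        return "info"
    if "suid" in flags:
        return "high" if st_uid == 0 else "medium"
    if "sgid" in flags:
        return "low"
    return "info"


def scan(root):
    """Walk root without following symlinks; report every inode with a meaningful special bit."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: the link's own mode, not its target's
            except OSError:
                continue
            flags = classify(st.st_mode)
            if flags:
                findings.append({"path": path, "mode": stat.filemode(st.st_mode),
                                 "uid": st.st_uid, "gid": st.st_gid,
                                 "flags": flags, "severity": severity(flags, st.st_uid)})
    return findings


def build_sample_tree():
    """Constructed sample input: a temporary tree with one suid file and one
    sticky directory. Returns (root, path of the suid file)."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    binary = os.path.join(root, "myfile")
    with open(binary, "w") as f:
        f.write("#!/bin/sh\nid\n")
    os.chmod(binary, 0o4755)             # -rwsr-xr-x; an owner may set suid on its own file
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)             # drwxrwxrwt, like /tmp
    return root, binary


if __name__ == "__main__":
    # The page's numbers: kevin (uid 204, gid 202) runs foo's myfile (uid 200, gid 201).
    for label, mode in (("no bits", 0o755), ("suid", 0o4755), ("sgid", 0o2755), ("suid+sgid", 0o6755)):
        print("%-10s euid,egid = %s" % (label, effective_ids(mode, 200, 201, 204, 202)))
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()[0]
    rank = {"high": 0, "medium": 1, "low": 2, "info": 3}
    for f in sorted(scan(root), key=lambda f: rank[f["severity"]]):
        print(f["severity"], f["mode"], f["uid"], f["gid"], ",".join(f["flags"]), f["path"])
```

The walker uses os.lstat rather than os.stat so that a symbolic link pointing at a suid binary is not reported twice and a link cannot be used to drag the scan outside the tree; os.walk likewise does not follow directory links by default. On a real audit the "high" entries (suid, owner root) are the ones to compare against a known-good list.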