Original work; reprints are allowed provided the original source is linked, with the author information and this statement kept intact. Otherwise legal liability will be pursued. http://soysauce93.blog.51cto.com/7589461/1715583
First, SUID
Definition: when a program is run, the owner of the resulting process is the owner of the program file itself, not the user who started it.
To set the SUID bit:
chmod u+s FILE
To remove the SUID bit:
chmod u-s FILE
Note: if FILE already has the owner execute bit, the SUID bit is shown as a lowercase s in that position; otherwise it is shown as an uppercase S.
[root@host ~]# ll `which tail`
-rwxr-xr-x. 1 root root 57560 Nov ... /usr/bin/tail    # no SUID bit by default
[root@host ~]# su - user1                                # switch to user1
[user1@host ~]$ tail -1 /etc/shadow                      # the tail process is now owned by user1
tail: cannot open '/etc/shadow' for reading: Permission denied
[user1@host ~]$ exit
logout
[root@host ~]# chmod u+s /usr/bin/tail                   # give the tail command the SUID bit
[root@host ~]# ll /usr/bin/tail
-rwsr-xr-x. 1 root root 57560 Nov ... /usr/bin/tail
[root@host ~]# su - user1
[user1@host ~]$ tail -1 /etc/shadow                      # the tail process is now owned by root
user2:!!:16760:0:99999:7:::
What happens in detail:
When tail has no SUID bit and user1 starts it, the owner of the tail process is user1 and its group is user1's primary group. When that process opens /etc/shadow, user1 is neither the owner of /etc/shadow nor a member of its group, so access is checked against the permissions for others, which are none, and the read fails with "permission denied". When tail has the SUID bit, whichever user starts it, the owner of the tail process becomes the owner of the tail file itself (root). When /etc/shadow is opened again, the process owner matches the file owner, so the file is read with the owner's permission. This is also why a setuid-root copy of a file-reading utility is dangerous: every local user can now read anything root can read through it. Once the demonstration is over, remove the bit again with chmod u-s /usr/bin/tail.
Second, SGID
Definition: when a program is run, the group of the resulting process is the group of the program file itself, not the primary group of the user who started it.
To set the SGID bit:
chmod g+s FILE
To remove the SGID bit:
chmod g-s FILE
Note: if FILE already has the group execute bit, the SGID bit is shown as a lowercase s in that position; otherwise it is shown as an uppercase S.
When the SGID bit is set on a directory, any file that any user creates in that directory gets the directory's group as its group, instead of the user's primary group.
Example: user1, user2 and user3 all belong to the develop group and need to edit files created by the other members of develop under /tmp/project. This is what SGID is for.
[root@host tmp]# groupadd develop
[root@host tmp]# usermod -a -G develop user1            # add user1, user2 and user3 to the develop group
[root@host tmp]# usermod -a -G develop user2
[root@host tmp]# usermod -a -G develop user3
[root@host tmp]# id user1                               # user1 now has develop as a supplementary group
uid=<uid>(user1) gid=<gid>(user1) groups=<gid>(user1),503(develop)
[root@host tmp]# chown :develop project/
[root@host tmp]# ll
total 820
-rw-r--r--  1 root root    832104 Sep ... nginx-1.8.0.tar.gz
drwxrwxr-x  2 root develop   4096 Nov ... project
[root@host tmp]# su - user1                             # switch to user1
[user1@host ~]$ cd /tmp/project/
[user1@host project]$ touch a
[user1@host project]$ ll
total 0
-rw-rw-r-- 1 user1 user1 0 Nov ... a                    # the group of a is user1
[user1@host project]$ exit
logout
[root@host tmp]# su - user2                             # switch to user2
[user2@host ~]$ cd /tmp/project/
[user2@host project]$ echo "hello" >> a                 # append a line "hello" to file a
-bash: a: Permission denied                             # others have no write permission on a
[user2@host project]$ exit                              # back to root
logout
[root@host tmp]# chmod g+s /tmp/project/                # add SGID to the project directory
[root@host tmp]# ll -d /tmp/project/
drwxrwsr-x 2 root develop 4096 Nov ... /tmp/project/    # the project directory now carries the SGID bit (s in the group execute position)
[root@host tmp]# su - user1                             # switch to user1 again
[user1@host ~]$ touch /tmp/project/b                    # create a new file b
[user1@host ~]$ ll /tmp/project/b
-rw-rw-r-- 1 user1 develop 0 Nov ... /tmp/project/b     # the group of b is develop
[user1@host ~]$ exit
logout
[root@host tmp]# su - user2                             # switch to another member of develop, user2
[user2@host ~]$ echo "hello" >> /tmp/project/b          # write a string to b
[user2@host ~]$ cat /tmp/project/b
hello                                                   # the write succeeded: develop members can now edit files that other members create in /tmp/project
Third, Sticky
Definition: in a shared directory, everyone can create files and delete their own files, but cannot delete files belonging to other users.
To set the sticky bit:
chmod o+t DIR
To remove the sticky bit:
chmod o-t DIR
Note: if DIR already has the others execute bit, the sticky bit is shown as a lowercase t in that position; otherwise it is shown as an uppercase T.
When the sticky bit is set on a directory, a user can only delete the files they created in that directory and cannot delete other users' files.
[user2@host project]$ ll
total 4
-rw-rw-r-- 1 user1 develop 0 Nov ... a
-rw-rw-r-- 1 user1 develop 6 Nov ... b
[user2@host project]$ rm -rf b                          # removed successfully (no sticky bit yet)
[user2@host project]$ touch c
[user2@host project]$ ll
total 0
-rw-rw-r-- 1 user1 develop 0 Nov ... a
-rw-rw-r-- 1 user2 develop 0 Nov ... c
[user2@host project]$ exit
logout
[root@host tmp]# chmod o+t /tmp/project/                # add the sticky bit to the project directory
[root@host tmp]# su - user1
[user1@host ~]$ rm -rf /tmp/project/c                   # deleting the file created by user2 is refused
rm: cannot remove '/tmp/project/c': Operation not permitted
[user1@host ~]$ rm -rf /tmp/project/a                   # you can delete your own files, but not other users' files
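As an added example (not code from the original post), the following Python renders a file's st_mode the way ll does, applying the s/S and t/T display rule from the notes above for all three bits, and walks a directory tree to list everything carrying SUID, SGID or the sticky bit, which is the routine audit that catches a stray setuid binary such as the tail example. The names render_mode, special_bits and find_special are this example's own.

```python
import os
import stat

# Added example, not code from the original post: render st_mode the way
# ll does (s/S for SUID and SGID, t/T for sticky) and audit a tree for them.
def render_mode(mode: int) -> str:
    """Return the 10-character ll-style permission string for a st_mode."""
    kind = "d" if stat.S_ISDIR(mode) else "-"
    out = []
    for shift, special, lower, upper in (
        (6, stat.S_ISUID, "s", "S"),  # owner triple: SUID sits in the x slot
        (3, stat.S_ISGID, "s", "S"),  # group triple: SGID sits in the x slot
        (0, stat.S_ISVTX, "t", "T"),  # others triple: sticky sits in the x slot
    ):
        triple = (mode >> shift) & 0o7
        out.append("r" if triple & 4 else "-")
        out.append("w" if triple & 2 else "-")
        if mode & special:
            # lowercase when execute is also set, uppercase when it is not
            out.append(lower if triple & 1 else upper)
        else:
            out.append("x" if triple & 1 else "-")
    return kind + "".join(out)

def special_bits(mode: int) -> list:
    """Name the special bits set in mode, in the order the post covers them."""
    names = []
    if mode & stat.S_ISUID:
        names.append("SUID")
    if mode & stat.S_ISGID:
        names.append("SGID")
    if mode & stat.S_ISVTX:
        names.append("Sticky")
    return names

def find_special(root: str) -> list:
    """Return (path, mode string, owner uid) for every entry under root with
    SUID, SGID or sticky set. On a real host, diff this against a known-good
    baseline: the tail binary from the post would show as -rwsr-xr-x, uid 0."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat so symlinks report their own mode
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX):
                hits.append((path, render_mode(st.st_mode), st.st_uid))
    return hits
```

Running find_special("/usr/bin") on a typical system lists the expected setuid helpers; anything not on your baseline, such as the tail binary modified above, is what you investigate.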
[Repost] Special permission control: SUID, SGID, Sticky