Suid/guid Simple Introduction to Linux systems

Source: Internet
Author: User

We have mentioned in the previous S U i d and g u i d. This privilege bit has become a tricky issue in recent years. Many system vendors do not allow this bit to be implemented, or even if it is set, it completely ignores its existence because it poses a security risk. So why do people make such a fuss?

s u i d means that if a user sets this permission on their own S H e l scripts, other users will have their owner's corresponding permissions when executing the script. Thus, if one of the root user's scripts sets such a permission, the other normal user also has the root user's permission during the execution of it. The same principle applies to g u i d, and the user who executes the corresponding script will have the permissions of the user in the user group to which the file belongs.

Why use this type of script? Here's a good example. I manage several large database systems, and I need to have system administration permissions to back them up. I wrote a few scripts and set their G u i d so that some of the users I specified would be able to do the work as long as they executed the script, without having to log on as a database administrator to avoid accidentally damaging the database server. By executing these scripts, they can complete database backups and other administrative tasks, but after these scripts run, they revert back to their permissions as normal users.

There are quite some u N I x commands that also set S u i d and g u i d. If you want to find these commands, you can go to the/b i n or/s b i n directory and execute the following command:
$ ls-l | grep ' ^...s '
The above command is used to find the s U i d file;
$ ls-l | grep ' ^...s. S
The above command is used to find the S u i d and g u i d.
Now we understand what s u i d, but how do I set it up? Here's a brief introduction to this question. If you want to set the s U i d, then set the corresponding permission bit before the one to 4, if you want to set G u i d, then the corresponding permission bit before the first one set to 2; If you want both to be set, then the corresponding permission bit before the one of the setting is 4+2.

Once this bit is set, an S will appear on the X position. Remember: At the same time that you set S u i d or g u i d, the corresponding execution permission bit must be set. For example, if you want to set G u i d, you must have execute permissions for the user group.

If you want to set S u i d for the file L o g i n, it currently has a permission of rwx rw-r--(741), you need to precede the C h m o d command with a 4, or chmod 4741, before the permission number, which will make the file's permissions change to R W Srw-r- -。
$ chmod 4741 logit

Example of setting Suid/guid

Here are a few examples:


Table 1-7 setting S u i d/g u i d

You can also use the symbolic way to set the s u i d/g u i d. If a file has this permission: rwx r-x r-x, then you can set its s u i d:
chmod u+s <filename>
The permissions for this file will then become: RWS r-x r-x
When looking for a file with S u i d, you may not see a file with such permission: RwS R-x R-x, where S is uppercase.
It indicates that the corresponding execution permission bit is not set, which is a useless s u i d setting and can ignore its existence.
Note that the C-H o-d command does not perform the necessary integrity checks to give any permissions to a useless file, but the chmod command does not examine what combination of permissions are set. Therefore, do not see a file that has execute permissions, it must be a program or script.

Suid/guid Simple Introduction to Linux systems

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.