[BKJIA exclusive article] The file server is a very important part of an enterprise intranet development environment, and among the options the Samba server stands out for the flexibility of its permission control. Here fuqin provides some detailed descriptions. We have already introduced some basic techniques for switching users, listening ports and list control on the Samba server; this article focuses on how to use the SUID, SGID and sticky permissions on a Samba server.
Author profile: Yu Hongchun (blog), online name: fuqin liquor, English name: Andrew. Yu is a senior Linux/Unix system administrator and project implementation engineer at a foreign company in Wuhan. He is a Red Hat RHCE lecturer, specializes in load-balancing high availability and in small and medium-sized securities and business website architecture, and currently focuses on website architecture research and network security.
Many people wonder why they need to learn these three permissions at all. In real work we find that these special permissions make Linux permissions, and Samba permissions in particular, hard to understand, yet they are indeed necessary. This article attempts a simple explanation so that you can fully understand the role of the three permissions; once you understand them, Samba's permission control becomes much easier to follow.
First, note that a Samba permission is made up of two parts: the permission on the directory in the filesystem, and the permission granted in the Samba configuration (smb.conf). The permission the client finally gets is the intersection of the two, that is, whichever is more restrictive: a generous share definition cannot grant more than the filesystem mode allows, and a generous filesystem mode cannot grant more than the share allows.
OK. Let's continue to understand these three permissions:
Each of the three special permissions is a single bit in the file mode, so there are three flag bits: SUID, SGID and sticky.
Features of the three permissions
Sticky (example: the /tmp directory)
① The sticky bit is only meaningful on directories, and it is set on the "other" permission class (o+t).
② In a sticky directory only root, the owner of a file (and the owner of the directory) can delete or rename that file, even though everyone may create files in the directory.
③ Lowercase t means the execute (search) bit is also set; uppercase T means it is not.
SUID (example: the /usr/bin/passwd file)
① SUID only has effect on executable binaries (Linux ignores it on scripts run through an interpreter).
② When SUID is set on a file, whoever executes it temporarily runs with the privileges of the file's owner (the effective UID becomes the owner's UID).
③ SUID is set on the owner permission class (u+s).
④ Lowercase s means the execute bit is also set; uppercase S means it is not.
SGID (typical use: sharing resources among a group of developers while keeping them secure)
① SGID can be applied to files or directories.
② When SGID is set on a directory, every file and subdirectory created inside it gets the directory's group rather than the creator's primary group (and new subdirectories inherit the SGID bit), so a team with a common group can share the tree.
③ SGID is set on the group permission class (g+s).
④ When SGID is set on an executable file, whoever executes it temporarily runs with the privileges of the file's group (the effective GID becomes the file's group).
⑤ Lowercase s means the execute bit is also set; uppercase S means it is not.
How to set these flags
The flags are set with the same command used for ordinary file permissions, chmod. There are two ways:
① Symbolic mode:
chmod u+s temp -- adds the setuid flag to the file temp (setuid is only valid on files)
chmod g+s tempdir -- adds the setgid flag to the directory tempdir (setgid is valid on both directories and files)
chmod o+t tempdir -- adds the sticky flag to the directory tempdir (on Linux the sticky bit is only meaningful on directories)
② Octal mode. For ordinary files three octal digits are used, such as 666, 777 or 644. To set the special flags a fourth octal digit is put in front of them, such as 4666 or 2777. That leading digit is itself the sum of three bits, a, b and c:
abc
a - the setuid bit (value 4); if it is 1, setuid is set.
b - the setgid bit (value 2); if it is 1, setgid is set.
c - the sticky bit (value 1); if it is 1, sticky is set.
I am used to the first method, but file permissions are very often written as numbers, so we recommend that you become familiar with both.
After setting these flags you can see them with ls -l. When a flag is present it is displayed in the position of the execute bit of the corresponding permission class. For example:
-rwsrw-r-- indicates that the setuid flag is set
-rwxrwsrw- indicates that the setgid flag is set
drwxrw-rwt indicates that the sticky flag is set
So where did the original execute bit x go? The rule is: if the execute bit in that position is also set, the special flag is displayed as a lowercase letter (s, s, t); otherwise it is displayed as an uppercase letter (S, S, T), which tells you that the class in question cannot actually execute the file (or search the directory), so the flag has no practical effect for it.
The octal values of the three flags can be understood as follows (this is my own way of remembering them, for reference only):

    SUID   SGID   Sticky
     1      1      1       <- one bit each: 4, 2 and 1 in the leading octal digit
    rws    rws    rwt      <- where each bit shows up in the ls -l output
Therefore we can conclude that:
chmod 4777 sets SUID
chmod 2777 sets SGID
chmod 1777 sets sticky
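The following shell script is an added example (not from the original article) that exercises the feature list and the chmod forms above on scratch files: it sets each flag in symbolic and in octal form, reads the mode back with stat to show the s/S and t/T display rule, and decodes a leading octal digit into flag names. It assumes GNU coreutils on Linux (stat -c) and a writable temporary directory; the names temp and tempdir are the article's own, everything else is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes GNU coreutils on
# Linux (stat -c) and a writable temporary directory.

# Print the octal mode and the ls-style string of a path, e.g. "2775 drwxrwsr-x".
mode_of() {
    stat -c '%a %A' "$1"
}

# Decode the leading octal digit (the article's "abc" digit) into the names
# of the special bits it sets: decode_special 6 -> "SUID SGID".
decode_special() {
    d=$1
    out=""
    [ $((d & 4)) -ne 0 ] && out="$out SUID"
    [ $((d & 2)) -ne 0 ] && out="$out SGID"
    [ $((d & 1)) -ne 0 ] && out="$out Sticky"
    printf '%s\n' "${out# }"
}

# Create a scratch file and directory, apply the three flags in both chmod
# forms, and return the observed modes as one '|'-separated line.
demo_special_bits() {
    work=$(mktemp -d)
    : > "$work/temp"
    mkdir "$work/tempdir"

    chmod 755 "$work/temp"
    chmod u+s "$work/temp"          # symbolic SUID on top of 755: 4755, shown as rws
    m1=$(mode_of "$work/temp")
    chmod 4644 "$work/temp"         # octal SUID without owner x: uppercase S (rwS)
    m2=$(mode_of "$work/temp")

    chmod 2775 "$work/tempdir"      # octal SGID on a directory: drwxrwsr-x
    m3=$(mode_of "$work/tempdir")
    # GNU chmod keeps a directory's setuid/setgid bits when given a plain
    # numeric mode, so clear SGID explicitly before switching to sticky.
    chmod g-s "$work/tempdir"
    chmod 1777 "$work/tempdir"      # octal sticky, the /tmp layout: drwxrwxrwt
    m4=$(mode_of "$work/tempdir")
    chmod g+s "$work/tempdir"       # symbolic SGID added on top: 3777, drwxrwsrwt
    m5=$(mode_of "$work/tempdir")

    rm -rf "$work"
    printf '%s|%s|%s|%s|%s\n' "$m1" "$m2" "$m3" "$m4" "$m5"
}

demo_special_bits
decode_special 6
```

Running it prints the five observed modes, 4755 -rwsr-xr-x, 4644 -rwSr--r--, 2775 drwxrwsr-x, 1777 drwxrwxrwt and 3777 drwxrwsrwt, which is the s/S and t/T rule of the previous paragraph seen directly from the kernel. The explicit chmod g-s is the practical caveat: on a directory, a four-digit octal mode does not clear an existing setgid bit, so audits that "reset" a directory to 1777 may leave SGID in place.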
Finally, two common operations.
Common operations
Find all dangerous directories, that is, directories everyone can write to that do not have the sticky bit set (in such a directory any user can delete or rename any other user's files):
find / -type d -perm -0002 ! -perm -1000
Find all files with SUID set:
find / -perm -4000 -type f
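As an added example that is not part of the original article, the following script packages the two audits above into functions (extending the second one to SGID files as well) and runs them against a small constructed directory tree, so the result can be checked without scanning a live system. It assumes a find that supports -perm -MODE and the ! negation (GNU or BSD find) and a writable temporary directory; all directory and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes GNU or BSD find and
# a writable temporary directory; every path below is constructed.

# World-writable directories that lack the sticky bit: anyone can delete or
# rename anyone else's files in them. -perm -0002 requires the other-write
# bit; ! -perm -1000 excludes directories that do have the sticky bit.
find_unsafe_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Regular files with SUID or SGID set: each one runs with another identity and
# belongs on a reviewed allow-list. -perm -4000 is SUID, -perm -2000 is SGID.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Build a constructed tree, run both audits, and return the relative paths
# found as "dirs:<a,b> files:<c,d>" so the result can be checked mechanically.
demo_audit() {
    root=$(mktemp -d)
    mkdir "$root/shared_bad" "$root/shared_ok" "$root/private"
    chmod 777  "$root/shared_bad"    # world-writable, no sticky: flagged
    chmod 1777 "$root/shared_ok"     # world-writable with sticky (like /tmp): not flagged
    chmod 755  "$root/private"       # not world-writable: not flagged
    for f in passwd_like sgid_like plain; do : > "$root/$f"; done
    chmod 4755 "$root/passwd_like"   # SUID: flagged
    chmod 2755 "$root/sgid_like"     # SGID: flagged
    chmod 755  "$root/plain"         # ordinary executable: not flagged

    dirs=$(find_unsafe_dirs "$root" | sed "s|^$root/||")
    files=$(find_setid_files "$root" | sed "s|^$root/||")
    rm -rf "$root"
    printf 'dirs:%s files:%s\n' \
        "$(printf '%s' "$dirs" | tr '\n' ',')" \
        "$(printf '%s' "$files" | tr '\n' ',')"
}

demo_audit
```

On a real host, run find_unsafe_dirs / and find_setid_files / as root and diff the SUID/SGID list against the package-owned set (for example the output of the distribution's package verification tool); a setuid binary that appears outside that set, or a shared Samba directory that turns up in the first list, is exactly the kind of finding this article's permission model is meant to prevent.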