Shulou.com (SLTechnology News & Howtos, Servers), reported 06/01, updated 2025-02-24
This article explains the special permissions of the CentOS system. The explanation is simple and clear and easy to follow; read through it with Xiaobian to learn what the special permissions of CentOS are.
1. What are special permissions?
We know the basic permissions are r, w and x. Besides these three there are also special permissions. For example:
[root@localhost ~]# ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 22960 Jul 17 2006 /usr/bin/passwd
Notice the s in the permission bits. There are three kinds of special permission:
SUID
SGID
STICKY
2. About SUID
Linux uses a process security model: a process runs with the identity of the user who started it, and its access is checked against that identity. Consider the user Tom running passwd to change his password:
First, look at the permissions of passwd:
[hadoop@localhost ~]$ ls -l `which passwd`
-rwsr-xr-x 1 root root 22960 Jul 17 2006 /usr/bin/passwd
Second, Tom is not root and does not belong to the root group.
Setting the special permission aside for the moment: Tom falls into the other class, so he has r-x on passwd and can run it, starting a process named passwd that wants to change his password.
Third, when Tom's passwd run finishes, the new password is actually saved in /etc/shadow. Look at the permissions of /etc/shadow:
[hadoop@localhost ~]$ ls -l /etc/shadow
-r-------- 1 root root 2713 Jun 13 16:34 /etc/shadow
[hadoop@localhost ~]$
Tom's password-changing process must modify /etc/shadow, yet according to the permissions above nobody but root can write it. Under the process security model, then, an ordinary user should not be able to change a password at all. In fact it works, and the reason is that special permission s.
SUID means that when the program runs, the process runs as the owner of the program file (its effective user), not as the user who launched it. So when an ordinary user runs passwd to change a password, the resulting process runs as root, and root can of course modify the shadow file.
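As an added example (not from the article), a POSIX shell helper that decodes the s/S positions of an ls -l mode string and reproduces them on a temporary file as an unprivileged user, plus a small inventory function for SUID files; the file and directory names are constructed.

```shell
# Decode the 10-character mode string printed by `ls -l`. A lowercase s/t
# means the underlying execute bit is also set; an uppercase S/T means the
# special bit is set on a file or directory with no execute permission.
decode_mode() {
    out=""
    case $(printf '%s' "$1" | cut -c4) in
        s) out="$out suid" ;;  S) out="$out suid(no-exec)" ;;
    esac
    case $(printf '%s' "$1" | cut -c7) in
        s) out="$out sgid" ;;  S) out="$out sgid(no-exec)" ;;
    esac
    case $(printf '%s' "$1" | cut -c10) in
        t) out="$out sticky" ;; T) out="$out sticky(no-exec)" ;;
    esac
    if [ -n "$out" ]; then printf '%s\n' "${out# }"; else echo none; fi
}

# First 10 characters of `ls -ld` for a path (portable; avoids GNU stat -c).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Inventory SUID files under a tree: -perm -4000 matches any file whose
# SUID bit is set, which is what an audit of privilege-bearing files wants.
list_suid_files() { find "$1" -xdev -type f -perm -4000 2>/dev/null; }

# Unprivileged demo: a user may set SUID on a file they own, so the s/S
# display can be reproduced in a temp directory without touching passwd.
demo_suid() {
    dir=$(mktemp -d); f="$dir/tool"; : > "$f"
    chmod 755 "$f"; chmod u+s "$f"
    echo "u+s on executable:   $(mode_of "$f") -> $(decode_mode "$(mode_of "$f")")"
    chmod u-x "$f"
    echo "u+s without owner x: $(mode_of "$f") -> $(decode_mode "$(mode_of "$f")")"
    echo "SUID files under $dir: $(list_suid_files "$dir" | wc -l)"
    rm -rf "$dir"
}
demo_suid
decode_mode "-rwsr-xr-x"   # the passwd mode shown in the article
```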
3. About SGID
By analogy with SUID, SGID on a program means that the process runs with the group of the program file, not the primary group of the user who launched it. SGID is also used on directories, which the following example shows:
First: root creates a project directory.
[root@localhost /]#
[root@localhost /]# ls -ld /project/cma
drwxrwxr-x 2 root develop 4096 Jun 14 22:14 /project/cma
Second: the project members java01, java02, ... all belong to the develop group as a supplementary group, so they have rwx permission on /project/cma.
[java02@localhost cma]$ ls -l
total 8
-rw-rw-r-- 1 java01 java01 0 Jun 14 22:24 01.java
-rw-rw-r-- 1 java02 java02 0 Jun 14 22:25 02.java
As shown above, they can create files in /project/cma. This follows the usual rule: a new file belongs to the user who created it and to that user's primary group, so there is no problem so far. But what if we want the project members to be able to edit each other's files?
Third: since java02 is not a member of java01's private group, java02 has only r-- permission on 01.java and cannot edit it. This is where SGID changes the default behaviour.
[root@localhost cma]# pwd
/project/cma
[root@localhost cma]# chmod -R g+s /project/cma
[root@localhost cma]# ls -ld
drwxrwsr-x 2 root develop 4096 Jun 14 22:25 .
[root@localhost cma]#
Note that the special permission bit s appears. Sometimes an S is displayed instead: a lowercase s means the underlying execute bit is also set, an uppercase S means the special bit is set without the execute bit.
Fourth: with SGID set on the directory, project members can edit the files other members create there.
[java02@localhost cma]$ ls -l
total 16
-rw-rwSr-- 1 java01 java01 0 Jun 14 22:24 01.java
-rw-rw-r-- 1 java01 develop 0 Jun 14 22:33 01.txt
-rw-rwSr-- 1 java02 java02 0 Jun 14 22:25 02.java
-rw-rw-r-- 1 java02 develop 0 Jun 14 22:33 02.txt
[java02@localhost cma]$
This is what SGID on a directory achieves:
Files created under the directory get the directory's group rather than the creating user's primary group.
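The /project/cma procedure above, reproduced as an added example (not from the article) in a temporary directory that an unprivileged user can create; it also shows that chmod -R g+s puts an ineffective S on the regular files and that setting g+s on directories alone gives the same group inheritance. Paths and file names are constructed.

```shell
# Reproduce the article's /project/cma setup as an unprivileged user:
# a group-writable directory and a 664 file inside it (constructed names).
mode_of()  { ls -ld "$1" | cut -c1-10; }
group_of() { ls -ld "$1" | awk '{print $4}'; }

# The article's command. It sets SGID on everything: the directory gets 's'
# (it already had x), while a 664 file gets 'S', SGID without any execute
# bit, which does nothing useful on a regular file.
recursive_sgid() { chmod -R g+s "$1"; }

# Narrower alternative: group inheritance only needs SGID on directories,
# so clear it everywhere and set it back on directories alone.
dirs_only_sgid() {
    chmod -R g-s "$1"
    find "$1" -type d -exec chmod g+s {} +
}

# Create a file inside the directory and report whether it took the
# directory's group (the behaviour the article relies on for 01.txt).
inherits_group() {
    : > "$1/newfile.txt"
    if [ "$(group_of "$1/newfile.txt")" = "$(group_of "$1")" ]; then echo yes; else echo no; fi
}

demo() {
    dir=$(mktemp -d)
    chmod 775 "$dir"; : > "$dir/01.java"; chmod 664 "$dir/01.java"
    recursive_sgid "$dir"
    echo "chmod -R g+s:     dir=$(mode_of "$dir") file=$(mode_of "$dir/01.java")"
    dirs_only_sgid "$dir"
    echo "directories only: dir=$(mode_of "$dir") file=$(mode_of "$dir/01.java")"
    echo "new file inherits directory group: $(inherits_group "$dir")"
    rm -rf "$dir"
}
demo
```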
4. About sticky
Now the project members can edit each other's files under /project/cma, but with one more requirement: users should be able to delete only their own files, not other people's. This is where the sticky bit comes in.
[root@localhost cma]# chmod -R o+t /project/cma
[java01@localhost cma]$ id
uid=5016(java01) gid=5016(java01) groups=5016(java01),5018(develop) context=root:system_r:unconfined_t:SystemLow-SystemHigh
[java01@localhost cma]$ rm 02.txt
rm: cannot remove `02.txt': Operation not permitted
5. Putting it together
Recall umask: it is actually a four-digit number XYZW, where the leading digit X stands for SUID/SGID/sticky.
chmod XYZW file works the same way. Written in binary, the leading digit is:
000 (0) nothing
001 (1) only sticky
010 (2) only SGID
100 (4) only SUID
......
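An added example (not part of the article) that maps the leading octal digit to the special bits and applies several four-digit modes to a constructed temp file and directory, so the resulting ls -l strings can be compared with the list above. It also handles one caveat: GNU chmod preserves a directory's existing SUID/SGID bits when given a numeric mode, so they are cleared symbolically first.

```shell
# Name the special bits encoded by the leading digit of a four-digit mode:
# it is a 3-bit field, 4 = SUID, 2 = SGID, 1 = sticky, so 3 = SGID + sticky.
special_bits() {
    d=$(printf '%s' "$1" | cut -c1)
    out=""
    [ $((d & 4)) -ne 0 ] && out="$out suid"
    [ $((d & 2)) -ne 0 ] && out="$out sgid"
    [ $((d & 1)) -ne 0 ] && out="$out sticky"
    if [ -n "$out" ]; then printf '%s\n' "${out# }"; else echo none; fi
}

mode_of() { ls -ld "$1" | cut -c1-10; }

# Apply a four-digit mode and print the resulting ls -l mode string.
# Caveat: GNU chmod keeps a directory's existing SUID/SGID bits when given
# a numeric mode, so the special bits are cleared symbolically first to make
# each line of the demo show exactly the bits named in the argument.
apply_mode() {
    chmod u-s,g-s,o-t "$2"
    chmod "$1" "$2"
    mode_of "$2"
}

demo() {
    dir=$(mktemp -d); f="$dir/tool"; : > "$f"   # constructed temp paths
    for m in 0755 4755 2755 6755; do
        printf '%s on file -> %s  [%s]\n' "$m" "$(apply_mode "$m" "$f")" "$(special_bits "$m")"
    done
    for m in 0775 2775 1777 3775; do
        printf '%s on dir  -> %s  [%s]\n' "$m" "$(apply_mode "$m" "$dir")" "$(special_bits "$m")"
    done
    rm -rf "$dir"
}
demo
```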
Thank you for reading. The above covers the special permissions of the CentOS system: SUID, SGID and the sticky bit. After studying this article you should have a deeper understanding of them; the specific use cases still need to be verified in practice.