2025-04-20 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
Preface
You are probably familiar with the normal rwx permissions for files and directories in Linux. Linux permissions are not very fine-grained; there are only three kinds: r, w and x.
r (Read): for files, permission to read the file contents; for directories, permission to browse the directory.
w (Write): for files, permission to add, modify and delete file contents; for directories, permission to create, delete, modify and move files in the directory.
x (eXecute): for files, permission to execute the file; for directories, permission to enter the directory.
1. With read-only permission on a directory, you cannot enter it with cd. You must have execute permission before you can enter the directory.
2. With only execute permission, you can enter the directory but cannot see its contents. To see the file and directory names under it, you need read permission.
3. Whether a file can be deleted mainly depends on whether the user has write permission on the directory that contains it. If the user does not have write permission on the directory, then none of the files in it can be deleted, except by the file owner.
4. If the w bit of the directory is not set, you cannot write a file in it, even if you have w permission on the file itself.
Let's take a look at the permissions of the following two.
The permissions of the /tmp directory and the passwd file look odd: why do they have s and t permissions? You will understand after reading the following content.
1 SUID
When s appears in the x position of the file owner's permissions, as we saw above for /usr/bin/passwd with its permissions -rwsr-xr-x, it is called SET UID, or SUID for short. What are the restrictions and functions of SUID on a file?
SUID permissions are valid only for binary executable files
The executor has x permission for the file
This permission is valid only during the execution of the file
The executor will have the permissions of the owner of the file
For example, ordinary users change their own passwords with passwd; what is ultimately changed is the /etc/passwd file. This file is the user management configuration file, and only root has permission to change it.
Since only the root user has this permission, why can we change the password through the passwd command? Because passwd has the SUID permission bit set.
While executing the passwd command, an ordinary user temporarily has root permissions and indirectly modifies /etc/passwd in order to change their own password.
2 SGID
When s appears in the x position of the group permissions of a directory or file, it is called SET GID, or SGID for short. What functions does SGID have for files and directories?
2.1 SGID on Directories
If the user has r and x permissions on this directory, the user can enter this directory
The user's group while in this directory becomes the group of the directory.
If the user has w permission on this directory (and can therefore create new files), new files created by the user get the same group as the directory.
2.2 SGID on Files
SGID is valid for binary executable files
The program executor needs to have x permission on the file
During execution, the executor gains the support of the file's group (used to change the permissions of the file group).
3 SBIT
When t appears in the x position of the other users' permissions on a directory, it is called the Sticky Bit, or SBIT for short. What are the restrictions and functions of SBIT?
Valid for directories only, not for files
When the user creates a file or directory under this directory (with permission), only he and root have the right to delete the newly created directory or file.
We know that the /tmp directory has this permission.
Now let's verify: first create a file named test in the /tmp directory with the root account, then enter the directory as openstack (another account), try to delete the test file, and see what happens
We see that the file cannot be deleted this way, because the /tmp directory has the SBIT permission.
4 How to Operate SUID, SGID, SBIT
These flags are manipulated with the same command used for file permissions, chmod. There are two ways to do it
(1) Change the permission in symbolic form
chmod u+s testbin -- adds the setuid flag to the testbin file.
chmod g+s testdir -- adds the setgid flag to the testdir directory
chmod o+t testdir -- adds the sticky flag to the testdir directory
(2) Change the permission in numeric form.
Octal notation is used. Ordinary files are described by three octal digits, such as 666, 777, 644, etc. To set these special flags, add one more octal digit in front of them, such as 4666, 2777, etc. The three bits of this extra octal digit have the following meaning
abc
a - setuid bit; if this bit is 1, setuid is set (4---)
b - setgid bit; if this bit is 1, setgid is set (2---)
c - sticky bit; if this bit is 1, sticky is set (1---)
After setting these flags, you can use ls -l to view them. If a flag is set, it is displayed in the position of the original execute flag. For example
rwsrw-r-- indicates that the setuid flag is set
rwxrwsrw- indicates that the setgid flag is set
rwxrw-rwt indicates that the sticky flag is set
So where did the original execute flag x go? The rule is: if there is an x in that position, the special flag is displayed as a lowercase letter (s, s, t). Otherwise, it is displayed as an uppercase letter (S, S, T)
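The chmod forms and the lowercase/uppercase display rule from section 4, as an added example that is not part of the original article: it builds a constructed sandbox with one object per case, then runs the two checks an administrator would use to find setuid/setgid files and world-writable directories that lack the sticky bit. The function and file names are hypothetical, and GNU coreutils (stat -c) is assumed.

```shell
#!/bin/sh
# Added example: constructed sandbox; names are illustrative, GNU stat assumed.

# Create a throwaway tree with one object per case discussed above.
make_sandbox() {
    d=$(mktemp -d) || return 1
    touch "$d/suid_exec" "$d/suid_noexec" "$d/sgid_exec" "$d/plain"
    mkdir "$d/shared_sticky" "$d/shared_open" "$d/sgid_dir"
    chmod 0755 "$d/suid_exec"; chmod u+s "$d/suid_exec"   # symbolic form, same as 4755
    chmod 4644 "$d/suid_noexec"      # setuid set, but no x underneath it
    chmod 2755 "$d/sgid_exec"
    chmod 0644 "$d/plain"
    chmod 1777 "$d/shared_sticky"    # same mode as /tmp
    chmod 0777 "$d/shared_open"      # world-writable, sticky bit missing
    chmod 0775 "$d/sgid_dir"; chmod g+s "$d/sgid_dir"     # symbolic form, same as 2775
    printf '%s\n' "$d"
}

# Permission string exactly as ls -l would show it.
mode_of() { stat -c '%A' "$1"; }

# Regular files carrying setuid (4000) or setgid (2000), relative to $1.
audit_special() {
    (cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort)
}

# World-writable directories without the sticky bit: any user who can
# write here can delete other users' files.
audit_unsafe_dirs() {
    (cd "$1" && find . -type d -perm -0002 ! -perm -1000 | LC_ALL=C sort)
}

sb=$(make_sandbox)
for f in suid_exec suid_noexec sgid_exec plain shared_sticky shared_open sgid_dir; do
    printf '%s  %s\n' "$(mode_of "$sb/$f")" "$f"
done
echo "setuid/setgid files:";                  audit_special "$sb"
echo "world-writable dirs, no sticky bit:";   audit_unsafe_dirs "$sb"
rm -rf "$sb"
```

An uppercase S in the listing (suid_noexec) means the flag is set on a file with no execute bit beneath it, which is usually a sign of a mistaken chmod.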
Summary
The above is the whole content of this article, I hope that the content of this article has a certain reference and learning value for your study or work, if you have any questions, you can leave a message and exchange, thank you for your support.