Summary and experiment of special permissions of Linux files

2025-01-21 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

In Linux there is a concept of a security context: whether a process (a running program) can access a file depends on what permissions the user who started the process has on the file being manipulated.

a. If the user who started the process is the owner of the file being accessed, the file is accessed with the owner's permissions

b. Otherwise, if the user who started the process belongs to the group of the file being accessed, the file is accessed with the group's permissions

c. Otherwise, the file is accessed with the permissions granted to other users

In addition to these permissions, there are three special permissions.

SUID: when SUID is set on a program file, a process running that program accesses files as the owner of the program file, not as the user who executed it.

SGID: when a directory's group has write permission on the directory and SGID is set on it, files created in that directory by members of that group get the directory's group as their group by default, rather than the primary group of the user who created the file.

SBIT: when the sticky bit (SBIT) is set on a directory, users can delete only the files they created in that directory, not files created by other users, even if they have write permission on the directory.

Action:

1. SUID: chmod u+s

2. SGID: chmod g+s

3. SBIT: chmod o+t
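As an added example (not part of the original post), two small POSIX shell helpers that decode these bits the way a defender would when auditing a system: one reads an ls -l mode string and names the special bits it carries, the other scans ls -l output for setuid files, which is how a stray setuid-root copy like /test/cat would be spotted. The sample listing is constructed from the experiment's output, and find_suid_in uses find's standard -perm -4000 test.

```shell
#!/bin/sh
# Decode the special bits in an ls -l mode string such as -rwsr-xr-x.
# Prints a space-separated subset of "suid sgid sticky", or "none".
# A capital S or T means the bit is set without the matching execute
# bit, which is almost always a configuration mistake worth reporting.
decode_special() {
    mode=$1
    out=""
    case $(printf '%s' "$mode" | cut -c4) in      # user execute slot
        s) out="$out suid" ;;
        S) out="$out suid(no-exec)" ;;
    esac
    case $(printf '%s' "$mode" | cut -c7) in      # group execute slot
        s) out="$out sgid" ;;
        S) out="$out sgid(no-exec)" ;;
    esac
    case $(printf '%s' "$mode" | cut -c10) in     # other execute slot
        t) out="$out sticky" ;;
        T) out="$out sticky(no-exec)" ;;
    esac
    if [ -n "$out" ]; then printf '%s\n' "${out# }"; else printf 'none\n'; fi
}

# Read ls -l lines on stdin and print "owner path" for every regular file
# that has SUID set. Fields: mode links owner group size month day time name.
list_suid() {
    while read -r mode _links owner _group _size _mon _day _time path; do
        case $mode in
            -??s*|-??S*) printf '%s %s\n' "$owner" "$path" ;;
        esac
    done
}

# Constructed sample listing, taken from the experiment's ls output.
SAMPLE_LS='-rwsr-xr-x. 1 root root 54080 Nov 21 17:04 /test/cat
-rw-rw-r--. 1 fedora mygrp 13 Nov 22 08:45 /test/fedora.txt
drwxrwsr-t. 2 root mygrp 52 Nov 21 17:25 /test'

# Live check on a real tree: -perm -4000 matches files with the SUID bit set.
find_suid_in() { find "$1" -xdev -type f -perm -4000 2>/dev/null; }

# Demo run: reports "root /test/cat" for the sample listing.
printf '%s\n' "$SAMPLE_LS" | list_suid
```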

Experiment:

1. SUID experiment

Copy /bin/cat to the /test directory and set SUID on the /test/cat program. Let a normal user view the /etc/shadow file with this program, then try to view the same file with the system's own /bin/cat.

# copy /bin/cat to the /test directory
[root@liuqing test]# cp /bin/cat /test/
[root@liuqing test]# ll /test
total 60
-rwxr-xr-x. 1 root root 54080 Nov 21 17:04 cat

# set SUID on the /test/cat file; the owner of the file is root
[root@liuqing test]# chmod u+s /test/cat
[root@liuqing test]# ll
total 60
-rwsr-xr-x. 1 root root 54080 Nov 21 17:04 cat
-rw-r--r--. 1 lyf lyf 14 Nov 21 16:15 file1.txt

# switch to the normal user liuqing
[root@liuqing test]# su - liuqing
Last login: Thu Nov 21 16:05:54 CST 2019 on pts/1
[liuqing@liuqing ~]$

# the ordinary user liuqing can view /etc/shadow using /test/cat
[liuqing@liuqing ~]$ /test/cat /etc/shadow
root:$6$gdIxmcOy$JSDVjR0tSdQfVTDrukonWIfRLdDIut63ZYiucsTmj8TPJ0Sq/wZduJhWgSUidlHeW6pmISq.B7Vx4OlGX1P1p1:18185:0:99999:7:::

# with the system's own /bin/cat, the ordinary user cannot view /etc/shadow
[liuqing@liuqing ~]$ ll /bin/cat
-rwxr-xr-x. 1 root root 54080 Aug 20 14:25 /bin/cat
[liuqing@liuqing ~]$ cat /etc/shadow
cat: /etc/shadow: insufficient permissions

2. SGID experiment

There are two users on the system, gentoo and fedora, whose supplementary group is mygrp. SGID is now set on the /test directory. When either of these users creates a file in /test, the group of the file automatically becomes mygrp.

# check whether gentoo and fedora exist
[root@liuqing test]# id gentoo
uid=4007(gentoo) gid=4007(gentoo) groups=4007(gentoo),5000(magedu)
[root@liuqing test]# id fedora
uid=4008(fedora) gid=4008(fedora) groups=4008(fedora),5000(magedu)

# create the group mygrp
[root@liuqing test]# groupadd mygrp

# add the users gentoo and fedora to the supplementary group mygrp
[root@liuqing test]# usermod -a -G mygrp gentoo
[root@liuqing test]# usermod -a -G mygrp fedora
[root@liuqing test]# id gentoo
uid=4007(gentoo) gid=4007(gentoo) groups=4007(gentoo),5000(magedu),5003(mygrp)
[root@liuqing test]# id fedora
uid=4008(fedora) gid=4008(fedora) groups=4008(fedora),5000(magedu),5003(mygrp)

# change the group of /test to mygrp, give the group rwx permission, and set SGID on /test
[root@liuqing /]# chown :mygrp /test
[root@liuqing /]# chmod g=rwx /test
[root@liuqing /]# chmod g+s /test
[root@liuqing /]# ls -ld /test
drwxrwsr-x. 2 root mygrp 34 Nov 21 17:23 /test

# switch to the user gentoo
[root@liuqing /]# su - gentoo
Last login: Thu Nov 21 17:22:21 CST 2019 on pts/0
[gentoo@liuqing ~]$

# the gentoo user creates gentoo.txt in the /test directory and checks its attributes: the file's group is mygrp
[gentoo@liuqing ~]$ touch /test/gentoo.txt
[gentoo@liuqing ~]$ ll /test
total 60
-rw-rw-r--. 1 gentoo mygrp 0 Nov 21 17:25 gentoo.txt

3. SBIT experiment

The group of the /test directory is mygrp, SGID is set on it, and the mygrp group has rwx permission on the directory, so files created there by users whose supplementary group is mygrp belong to mygrp. Those users can therefore create, modify and delete files in the directory, which also means they can delete files created by other users. To stop others from deleting a user's files, set the sticky bit on the directory: then only that user and the administrator can delete the files the user created in this directory.

# set the sticky bit on the directory and check the permissions: there is now a t in the permission bits for others
[root@liuqing test]# chmod o+t /test
[root@liuqing test]# ls -ld /test
drwxrwsr-t. 2 root mygrp 52 Nov 21 17:25 /test

# switch to the fedora user and create fedora.txt
[root@liuqing test]# su - fedora
[fedora@liuqing ~]$ touch /test/fedora.txt
[fedora@liuqing ~]$ echo "How are you?" >> /test/fedora.txt

# view the files in the directory; gentoo.txt gives its group rw permission
[fedora@liuqing ~]$ ll /test
-rwsr-xr-x. 1 root root 54080 Nov 21 17:04 cat
-rw-rw-r--. 1 fedora mygrp 13 Nov 22 08:45 fedora.txt
-rw-rw-r--. 1 gentoo mygrp 0 Nov 21 17:25 gentoo.txt

# the fedora user can edit the file gentoo.txt
[fedora@liuqing ~]$ echo "New line" >> /test/gentoo.txt
[fedora@liuqing ~]$ cat /test/gentoo.txt
New line

# because of the SBIT setting, the fedora user cannot delete gentoo.txt, since fedora did not create it
[fedora@liuqing ~]$ rm /test/gentoo.txt
rm: cannot delete "/test/gentoo.txt": disallowed operation
