Linux Basic Tutorial: Special Permissions SUID, SGID and SBIT

Preface

For file or directory permissions in Linux, you should all know the common rwx permissions. Linux permissions are not very detailed, there are only three types: RWX

• r (Read): For files, it has the permission to read the file contents; for directories, it has the permission to browse the directory.
• w (Write): For files, it has the permission to add, modify, and delete file contents; for directories, it has the permission to create, delete, modify, and move files within the directory.
• x (eXecute, execute): For files, the user has the permission to execute the file; for directories, the user has the permission to enter the directory.

1. Read-only access to a directory does not allow the use of cd to enter the directory. You must have execution permissions to enter.

2. Only execution permission can enter the directory, but cannot see the contents of the directory. To see the file names and directory names under the directory, read permission is required.

3. Whether a file can be deleted depends mainly on whether the directory where the file is located has write permission for the user. If the directory does not have write permission for the user, all files in the directory cannot be deleted, except for the file owner.

4. The w bit of the directory is not set. Even if you have the w permission for a file in the directory, you cannot write the file.

Let's first look at what the following two permissions are

It is very strange that the permissions of the /tmp directory and the passwd file are so strange. Why are there s and t permissions? You will understand after reading the following content.

1 SUID

When s appears in the x permission of the file owner, such as the permission of the file /usr/bin/passwd we saw above -rwsr-xr-x, it is called SET UID, abbreviated as SUID. What restrictions and functions does SUID have for a file?

SUID permissions are only valid for binary executable files

The executor has x permission on the file

This permission is only valid during the execution of this file

The executor will have the permissions of the file owner.

For example, when an ordinary user uses the passwd command to modify his own command, the file that is actually changed is the /etc/passwd file. This file is a user management configuration file and can only be modified by root permissions.

Since only the root user has this permission, why can we change the password through the passwd command? This is due to the fact that the suid permission bit is set for passwd.

At this time, ordinary users can temporarily obtain root privileges by executing the passwd command and indirectly modify /etc/passwd to gain permission to modify their own passwords.

2 SGID

When s appears in the x permission of the group to which a directory or file belongs, it is called SET GID, or SGID for short. What functions does SGID have for file and directory divisions?

2.1 SGID Directory

If the user has r and x permissions for this directory, the user can enter this directory

The user's group in this directory will become the directory's group

If the user has the w permission (can create new files) in this directory, the group of the new file created by the user will be the same as the group of this directory.

2.2 SGID Pair File

SGID is valid for binary executable files

The program executor must have x permission for the file.

The executor will get the support of the file group during the execution process (used to change the permissions of the file group)

3 SBIT

When s appears in the x permission of other users in the directory, it is called Sticky Bit, or SBIT for short. What are the limitations and functions of SBIT?

Only valid for directories, not files.

When a user creates a file or directory in this directory (with permission), only the user and root have the authority to delete the newly created directory or file.

We know that the /tmp directory has such permissions.

Now let's verify it. First, use the root account to create a file test in the tmp file, then use openstack (other accounts) to enter the directory, delete the test file, and see what happens.

We can see that the file cannot be deleted in this way. Because the /temp directory has SBIT permissions.

4 How to operate SUID, SBID, SBIT

The commands for manipulating these flags are the same as those for manipulating file permissions, which are both chmod. There are two ways to do this:

(1) Symbol type change permission

chmod u+s testbin-- add the setuid flag to the testbin file.

chmod g+s testdir-- add the setgid flag to the testdir directory

chmod o+t testdir-- add a sticky flag to the testdir directory

(2) Digital type changes file permissions

Use octal system. For general files, use three groups of octal numbers to set flags, such as 666, 777, 644, etc. If you set these special flags, add another group of octal numbers to this group of numbers. For example, 4666, 2777, etc. The meaning of the three octal numbers is as follows:

abc

a - setuid bit, if this bit is 1, it means setuid 4---

b - setgid bit, if this bit is 1, it means setgid 2---

c - sticky bit, if this bit is 1, it means setting sticky 1---

After setting these flags, you can use ls -l to view them. If these flags are present, they will be displayed in the original execution flag position. For example

rwsrw-r-- indicates a setuid flag

rwxrwsrw- indicates that there is a setgid flag

rwxrw-rwt indicates a sticky flag

So where did the original execution flag x go? The system stipulates that if there was an x ​​in that position, these special flags are displayed as lowercase letters (s, s, t). Otherwise, they are displayed as uppercase letters (S, S, T)

Summarize

The above is the full content of this article. I hope that the content of this article will have certain reference learning value for your study or work. If you have any questions, you can leave a message to communicate. Thank you for your support for 123WORDPRESS.COM.