Detailed explanation of the wonderful uses of SUID, SGID and SBIT in Linux

Preface

Linux's file permission management is simply amazing. Let's review the functions of SUID, SGID and SBIT and summarize them.

In fact, the functions of SUID and SGID are similar to those of sudo. When user A wants to execute an executable file that belongs to user B, and B's file has the SUID bit set, A executes it as user B.

SUID is the abbreviation of Set UID, that is, set user ID. The full name reads awkwardly, so I still think SUID is the most concise. The bit appears in the execute position of the file owner's permissions. When a file with this permission is executed, the caller temporarily obtains the permissions of the file owner. For example, run the following command:

ls -l /usr/bin/passwd

We will get the following results:

-rwsr-xr-x 1 root root 42824 Sep 13 2012 /usr/bin/passwd

As you can see, the execute bit of the file owner is s instead of x, so the passwd program has the SUID permission. We change a user password with the passwd command, and under Linux the user password is stored in the /etc/shadow file. First check the permissions of the /etc/shadow file:

ls -l /etc/shadow

The returned results are as follows:

-rw-r----- 1 root shadow 1138 Dec 13 20:00 /etc/shadow

From the above results, we know that only root can write data to the shadow file, and other users do not even have permission to view it. So how do we usually change our passwords? Yes, it is related to SUID. When we use the passwd command, we obtain the permissions of the owner of passwd, that is, root, and then we can write to the shadow file.

Using SUID must satisfy the following points:

1. SUID is only valid for binary files

2. The caller has execution rights to the file

3. During the execution process, the caller will temporarily obtain the owner permissions of the file

4. This permission is only valid during the execution of the program

In "Bird Brother's Linux Private Recipe", there is a picture that particularly expresses this meaning:


SGID is the abbreviation of Set GID. It appears in the execute position of the group permissions of a file, and it is valid for ordinary binary files and for directories. On an ordinary file it works like SUID: while executing the file, the user obtains the permissions of the group the file belongs to. SGID becomes very important when it is applied to directories. A user who has write and execute permissions for a directory can create files in it; if the directory has SGID set, the files the user creates there belong to the group the directory belongs to.

SBIT stands for Sticky Bit. It appears in the execute position of the permissions for other users and can only be applied to a directory. When a directory has the SBIT permission, a file created in it can be deleted only by the user who created it and by root; no other user can delete it, even one who is allowed to create files in the directory. For example:

ls -ld /tmp

The following results can be obtained:

drwxrwxrwt 12 root root 12288 Dec 17 16:33 /tmp

You can see that the last character is t, which means that /tmp is a directory of this type.

So how do we set the three permissions mentioned above? First, some preliminary knowledge: each of them is represented by a number:

4 for SUID
2 for SGID
1 for SBIT

If two or three of these permissions are set at the same time, the value is obtained by adding their numbers. It is 6 if SUID and SGID exist at the same time. Here is an example of the modification:

chmod 4777 test

This gives the test file the SUID permission. As you may have already figured out, you just put the special permission value in front of the normal file permissions.
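
The digits above applied to scratch files and read back the way ls -l shows them, followed by a small audit that lists SUID/SGID files in a directory tree and flags any that are also world-writable, as the file produced by chmod 4777 is. This is an added example, not part of the original article; mode_of, show_mode, audit_tree and demo are hypothetical helper names, and all files are constructed with mktemp.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, scratch files are constructed.

# Print the 10-character permission string that ls -l shows for a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Apply an octal mode to a fresh scratch file (or directory) and print the result.
show_mode() {
    if [ "$2" = dir ]; then p=$(mktemp -d); else p=$(mktemp); fi || return 1
    chmod "$1" "$p" && mode_of "$p"
    rm -rf "$p"
}

# List SUID/SGID regular files under a directory. A file that is also writable
# by "other" (9th character is w) is flagged: any user could change its contents.
audit_tree() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort |
    while IFS= read -r f; do
        m=$(mode_of "$f")
        case $m in
            ????????w?) echo "WORLD-WRITABLE $m $f" ;;
            *)          echo "ok $m $f" ;;
        esac
    done
}

# Build a scratch tree holding the article's "chmod 4777 test" next to a
# conventional 4755 file and a file with no special bit, then audit it.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/test";  chmod 4777 "$d/test"
    : > "$d/good";  chmod 4755 "$d/good"
    : > "$d/plain"; chmod 0755 "$d/plain"
    audit_tree "$d"
    rm -rf "$d"
}

# 4 = SUID, 2 = SGID, 6 = both; 4644 shows capital S (SUID set, no x underneath).
for m in 4755 2755 6755 4644; do
    echo "$m -> $(show_mode "$m")"
done
echo "1777 -> $(show_mode 1777 dir)"   # sticky directory, like /tmp
demo
```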

Summary

The above is the full content of this article. I hope that the content of this article will have certain reference learning value for your study or work. If you have any questions, you can leave a message to communicate. Thank you for your support for 123WORDPRESS.COM.
