
5.3 Special permissions for files


May 23, 2021. From the book Linux Should Learn This Way (linuxprobe.com).



In a complex and changing production environment, plain rwx permissions on files do not meet every security and flexibility requirement, so Linux provides three special permission bits: SUID, SGID and SBIT. They are set with the same tools as the ordinary permissions and express what the ordinary permission bits cannot. The function and usage of each of the three bits is explained below.

  1. SUID

SUID is a special permission set on a binary program that lets whoever executes the program temporarily act with the permissions of the program's owner. It only takes effect on binary programs that have the execute bit set; the Linux kernel ignores it on shell scripts and other interpreted scripts. For example, every user can run the passwd command to change their own password, and the password hashes are stored in /etc/shadow. Looking at that file shows a default permission of 000, so no one except the root administrator can read or edit it. However, because passwd carries the SUID bit, an ordinary user running it temporarily takes on the identity of the program's owner (root), and the changed password can be written into the shadow file. This is much like the minister in a historical drama who carries the emperor's Shangfang sword: the sword represents the emperor's authority and lets him punish corrupt officials, but it does not make him the emperor. SUID is the same kind of conditional, temporary grant of authority.

Looking at the attributes of the passwd command, the owner's permission bits read rws instead of rwx; the x turning into s shows that the file carries SUID. A reader might ask: what if the original permission was rw-? If the execute bit was not set in the first place, the special permission shows as a capital S. In that case the SUID bit is present but does nothing useful, because the program cannot be executed at all; a capital S is therefore a sign of a misconfigured file rather than of a working privilege grant.

    [root@linuxprobe ~]# ls -l /etc/shadow
    ----------. 1 root root 1004 Jan 3 06:23 /etc/shadow
    [root@linuxprobe ~]# ls -l /bin/passwd
    -rwsr-xr-x. 1 root root 27832 Jan 29 2017 /bin/passwd
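As an added example that is not part of the original page, the following POSIX shell functions implement the display rule just described (s where the execute bit was replaced by SUID or SGID, capital S when the execute bit was absent, and the same t/T rule for the sticky bit covered later in this section) by converting an octal mode such as the one printed by GNU stat -c %a into the nine-character symbolic form, and enumerate the set-uid and set-gid programs on a filesystem, which is the first inventory to take when auditing privilege boundaries. The function names and the directory passed to the audit are choices made here, not names from the book.

```shell
#!/bin/sh
# Added example, not from the original page: octal mode -> symbolic mode with
# the s/S and t/T rule, plus a find(1) inventory of set-uid/set-gid files.

# octal_to_symbolic MODE
# MODE is three or four octal digits (755, 0755, 4755, 2755, 1777 ...), as
# printed by `stat -c %a` (GNU coreutils). Prints the nine-character rwx
# string that `ls -l` would show, e.g. 4755 -> rwsr-xr-x, 4644 -> rwSr--r--.
octal_to_symbolic() {
    oct=$1
    case $oct in
        ''|*[!0-7]*) printf 'invalid mode: %s\n' "$oct" >&2; return 1 ;;
    esac
    if [ ${#oct} -gt 4 ]; then
        printf 'invalid mode: %s\n' "$oct" >&2; return 1
    fi
    # Left-pad to four digits so "755" is handled as "0755".
    while [ ${#oct} -lt 4 ]; do oct="0$oct"; done
    special=${oct%???}     # first digit: 4 = SUID, 2 = SGID, 1 = sticky
    rest=${oct#?}          # owner, group and other digits
    out=""
    pos=0
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}   # first remaining digit
        rest=${rest#?}
        pos=$((pos + 1))
        r=-; w=-; x=-
        if [ $((d & 4)) -ne 0 ]; then r=r; fi
        if [ $((d & 2)) -ne 0 ]; then w=w; fi
        if [ $((d & 1)) -ne 0 ]; then x=x; fi
        # The special bit that is displayed in this triple's execute slot.
        case $pos in
            1) bit=4; lower=s; upper=S ;;   # owner slot shows SUID
            2) bit=2; lower=s; upper=S ;;   # group slot shows SGID
            3) bit=1; lower=t; upper=T ;;   # other slot shows the sticky bit
        esac
        if [ $((special & bit)) -ne 0 ]; then
            # lower-case when the execute bit is set, upper-case when it is not
            if [ "$x" = x ]; then x=$lower; else x=$upper; fi
        fi
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# list_setid DIR
# List regular files below DIR (same filesystem only) that carry the set-uid
# or set-gid bit, with `ls -l` output so the s/S column can be read directly.
# Every entry is a privilege boundary worth knowing about; a capital S marks
# a file that has the bit but is not executable.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -l {} + 2>/dev/null
}

# Typical use:
#   octal_to_symbolic "$(stat -c %a /bin/passwd)"   # prints rwsr-xr-x
#   list_setid /usr
```

The conversion is the exact rule `ls -l` applies, so it can be used to spot the capital-S case in bulk: run list_setid, and any mode string containing S or T points at a file whose special bit is set without the matching execute bit.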

  2. SGID

SGID has two main functions:

the executing user temporarily gains the permissions of the file's group (set on a binary program that has execute permission);

files created in a directory automatically inherit that directory's group (set on a directory only).

The first function of SGID mirrors SUID; the difference is that the user running the program temporarily gains the permissions of the file's group rather than of its owner. For example, on older systems /dev/kmem was a character device file holding data accessed by kernel programs, with permissions like:

    cr--r----- 1 root system 2, 1 Feb 11 2017 kmem

Do you see the problem? No one except root or a member of the system group can read this file. Since we routinely need to look at the state of the system's processes, and obtaining that information requires reading the device, the ps command used to view processes can be given the SGID bit. Look at the attributes of the ps command file:

    -r-xr-sr-x 1 bin system 59346 Feb 11 2017 ps

Because ps carries the SGID bit, a user running it is temporarily granted the permissions of the system group, and the device file can be read.

As mentioned earlier, every file has an owner and a group, and when a file is created or copied it belongs to the user who performed the operation (that user becomes the file's owner) and, by default, to that user's primary group. If you need a shared directory for a department so that everyone in it can read the directory's contents, create the directory and then set the SGID bit on it. Any file created there by anyone in the department then belongs to the directory's group rather than to the creator's own primary group. This is the second function of SGID: files created in a directory automatically inherit the directory's group (this applies to directories only).

    [root@linuxprobe ~]# cd /tmp
    [root@linuxprobe tmp]# mkdir testdir
    [root@linuxprobe tmp]# ls -ald testdir/
    drwxr-xr-x. 2 root root 6 Feb 11 11:50 testdir/
    [root@linuxprobe tmp]# chmod -Rf 777 testdir/
    [root@linuxprobe tmp]# chmod -Rf g+s testdir/
    [root@linuxprobe tmp]# ls -ald testdir/
    drwxrwsrwx. 2 root root 6 Feb 11 11:50 testdir/

The commands above give the directory 777 permissions (so that an ordinary user can write files into it; this is only for the demonstration, since a real department share would be writable by the department's group alone, for example mode 2770 with that group as the directory's group) and set the SGID bit on it. Now switch to an ordinary user, create a file in the directory, and check whether the new file inherits the group of the directory it was created in:

    [root@linuxprobe tmp]# su - linuxprobe
    Last login: Wed Feb 11 11:49:16 CST 2017 on pts/0
    [linuxprobe@linuxprobe ~]$ cd /tmp/testdir/
    [linuxprobe@linuxprobe testdir]$ echo "linuxprobe.com" > test
    [linuxprobe@linuxprobe testdir]$ ls -al test
    -rw-rw-r--. 1 linuxprobe root 15 Feb 11 11:50 test

The file is owned by linuxprobe, but its group is root, inherited from the directory rather than taken from the user's primary group. Besides the two SGID functions above, two commands closely related to this section deserve a closer look: chmod and chown.
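The department share described above, set up the way a practitioner would deploy it, as an added example that is not from the original page: the directory gets mode 2770 (set-gid bit plus read, write and search for owner and group, nothing for others) instead of 777, and a small check confirms that a file created inside inherits the directory's group. The function names, the probe file name and the paths in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: a department share built on the
# second SGID function (group inheritance), restricted to the group instead
# of the 777 mode used in the demonstration above.

# setup_shared_dir DIR GROUP
# Create DIR owned by GROUP with mode 2770: set-gid bit, rwx for owner and
# group, nothing for others. Files created inside inherit GROUP.
setup_shared_dir() {
    dir=$1 group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1   # caller must be root or a member of GROUP
    chmod 2770 "$dir"
}

# group_of PATH : print the group owner of PATH (fourth field of `ls -ld`)
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# mode_of PATH : print the ten-character mode string from `ls -ld`,
# e.g. drwxrws--- for a 2770 directory (the group's x shows as s).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_inheritance DIR
# Create a probe file in DIR, compare its group with the directory's group,
# then remove the probe. Returns 0 when the group was inherited, 1 otherwise.
check_inheritance() {
    probe="$1/.sgid-probe.$$"
    : > "$probe" || return 1
    dgrp=$(group_of "$1")
    fgrp=$(group_of "$probe")
    rm -f "$probe"
    [ "$dgrp" = "$fgrp" ]
}

# Typical use (as root), with a hypothetical "finance" group and path:
#   setup_shared_dir /srv/share/finance finance && check_inheritance /srv/share/finance
```

Because the directory is not world-writable, the delete-anything problem the SBIT section addresses below does not arise for outsiders; members of the group can still remove each other's files, which is normally what a team share wants.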

The chmod command sets the permissions of a file or directory, in the form "chmod [options] permissions file-or-directory". If a file should be readable and executable by its owner, readable and writable by its group, and inaccessible to everyone else, the symbolic form is rwxrw---- and the numeric form is 760. After the earlier basics and the practice here, you can feel how convenient the numeric form is for setting file permissions.

    [root@linuxprobe ~]# ls -al test
    -rw-rw-r--. 1 linuxprobe root 15 Feb 11 11:50 test
    [root@linuxprobe ~]# chmod 760 test
    [root@linuxprobe ~]# ls -l test
    -rwxrw----. 1 linuxprobe root 15 Feb 11 11:50 test

Besides permissions, you can also change the owner and group of a file or directory, using the chown command in the form "chown [options] owner:group file-or-directory".

chmod and chown are the most common commands for changing file attributes and permissions, and they share a convention: to operate on a directory and everything in it, add the uppercase -R option for a recursive operation, that is, one that applies the change to all files beneath the directory.

    [root@linuxprobe ~]# ls -l test
    -rwxrw----. 1 linuxprobe root 15 Feb 11 11:50 test
    [root@linuxprobe ~]# chown root:bin test
    [root@linuxprobe ~]# ls -l test
    -rwxrw----. 1 root bin 15 Feb 11 11:50 test

  3. SBIT

Many university teachers now ask students to upload their assignments to a shared directory on a server, but there are always a few troublemakers who like to delete other students' work. The answer is the SBIT special permission bit, also known as the sticky bit. With SBIT set on a directory, a user can delete only their own files in it, not other users' files. More precisely, a file in such a directory can be removed only by the file's owner, by the owner of the directory, or by root.

It is not known which not-so-senior technician first translated Sticky Bit word for word into Chinese; Mr. Liu suggests calling it a "protective bit" instead, which is both easier to remember and states its purpose at a glance. In RHEL 7 the /tmp directory, as a shared location for temporary files, has SBIT set by default, so you cannot delete files there that belong to other users.
Source: https://www.linuxprobe.com/chapter-05.html

Unlike the SUID and SGID displays described above, when SBIT is set on a directory the x position of the "others" permission triple is replaced by t or T: t when others already had execute permission, T when they did not.

    [root@linuxprobe tmp]# su - linuxprobe
    Last login: Wed Feb 11 12:41:20 CST 2017 on pts/0
    [linuxprobe@linuxprobe ~]$ ls -ald /tmp
    drwxrwxrwt. 17 root root 4096 Feb 11 13:03 /tmp
    [linuxprobe@linuxprobe ~]$ cd /tmp
    [linuxprobe@linuxprobe tmp]$ ls -ald
    drwxrwxrwt. 17 root root 4096 Feb 11 13:03 .
    [linuxprobe@linuxprobe tmp]$ echo "Welcome to linuxprobe.com" > test
    [linuxprobe@linuxprobe tmp]$ chmod 777 test
    [linuxprobe@linuxprobe tmp]$ ls -al test
    -rwxrwxrwx. 1 linuxprobe linuxprobe 10 Feb 11 12:59 test

Whether a file can be deleted does not depend on the file's own permissions but on whether the caller has write permission on the directory that holds it (the reason is explained in the next chapter). To forestall any objection, the commands above give the test file the maximum permission of 777 (rwxrwxrwx). Now switch to another ordinary user and try to delete the file created by the first user: even with read, write and execute granted to everyone, the file cannot be deleted, because of the SBIT bit on /tmp:

    [root@linuxprobe tmp]# su - blackshield
    Last login: Wed Feb 11 12:41:29 CST 2017 on pts/1
    [blackshield@linuxprobe ~]$ cd /tmp
    [blackshield@linuxprobe tmp]$ rm -f test
    rm: cannot remove 'test': Operation not permitted

To set SBIT on another directory, use the chmod command; the argument o+t sets the sticky bit (numerically it is a leading 1, as in chmod 1777):

    [blackshield@linuxprobe tmp]$ exit
    logout
    [root@linuxprobe tmp]# cd ~
    [root@linuxprobe ~]# mkdir linux
    [root@linuxprobe ~]# chmod -R o+t linux/
    [root@linuxprobe ~]# ls -ld linux/
    drwxr-xr-t. 2 root root 6 Feb 11 19:34 linux/
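As an added example that is not from the original page, the following POSIX shell code writes out the deletion rule the SBIT section describes as a decision function (the caller needs write and search permission on the directory, the file's own mode is irrelevant, and when the sticky bit is set the caller must additionally own the file or the directory, with root exempt) and adds the find(1) check a reviewer runs for world-writable directories that are missing the sticky bit. The model considers only the caller's primary group and treats uid 0 as the only privileged identity; those simplifications, the constructed uid/gid values and all function names are assumptions of this example, not the book's.

```shell
#!/bin/sh
# Added example, not from the original page: the unlink rule behind SBIT as a
# decision function, plus a find(1) check for unprotected shared directories.

# octal_to_int OCT : convert an octal string such as 1777 to a decimal
# integer without relying on the shell accepting leading-zero constants.
octal_to_int() {
    n=0
    s=$1
    while [ -n "$s" ]; do
        d=${s%"${s#?}"}     # first remaining digit
        s=${s#?}
        n=$((n * 8 + d))
    done
    printf '%s\n' "$n"
}

# may_unlink CALLER_UID CALLER_GID DIR_MODE DIR_UID DIR_GID FILE_UID
# Returns 0 if a process running as CALLER_UID/CALLER_GID may remove a file
# owned by FILE_UID from a directory with octal mode DIR_MODE that is owned by
# DIR_UID:DIR_GID, 1 otherwise. Simplified model (assumption of this example):
# only the primary group is checked and uid 0 stands for the CAP_FOWNER and
# CAP_DAC_OVERRIDE capabilities.
may_unlink() {
    caller_uid=$1 caller_gid=$2 dir_mode=$3 dir_uid=$4 dir_gid=$5 file_uid=$6
    mode=$(octal_to_int "$dir_mode")
    # root is exempt from both the write check and the sticky-bit check
    if [ "$caller_uid" -eq 0 ]; then return 0; fi
    # Select the rwx triple of the directory that applies to the caller.
    if [ "$caller_uid" -eq "$dir_uid" ]; then
        triple=$(( (mode >> 6) & 7 ))
    elif [ "$caller_gid" -eq "$dir_gid" ]; then
        triple=$(( (mode >> 3) & 7 ))
    else
        triple=$(( mode & 7 ))
    fi
    # Removing an entry needs write (2) and search/execute (1) on the
    # directory. The mode of the file itself plays no part at all.
    if [ $((triple & 3)) -ne 3 ]; then return 1; fi
    # Sticky bit (octal 1000 = 512): only the file owner or the directory
    # owner may unlink.
    if [ $((mode & 512)) -ne 0 ]; then
        if [ "$caller_uid" -eq "$file_uid" ] || [ "$caller_uid" -eq "$dir_uid" ]; then
            return 0
        fi
        return 1
    fi
    return 0
}

# find_unprotected_dirs DIR
# World-writable directories below DIR (same filesystem) that lack the sticky
# bit: any local user can delete or rename other users' files in them. The
# fix is `chmod o+t` (or a leading 1 in the numeric mode) or removing o+w.
find_unprotected_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Typical use:
#   may_unlink 1002 1002 1777 0 0 1001 && echo allowed || echo denied  # denied
#   find_unprotected_dirs /
```

The decision function reproduces the scenario in the transcript above: a 1777 directory owned by root, a file owned by one ordinary user, and another ordinary user attempting rm, which is refused even though the file itself is 777.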