In Linux, besides the read, write and execute permissions on a file, there are special permission bits: the forced bits (setuid and setgid) and the sticky bit.
The permission bits of a file (in Linux a directory is also a file) are laid out as follows:
Forced/Sticky | User | Group | Other
--------------+------+-------+------
sst           | rwx  | rwx   | rwx
The forced bits and the sticky bit are explained here.
Forced bits: setuid and setgid, used mainly on files and directories.
Sticky bit: sticky, used only on directories, mostly shared directories.
setuid (shown as an s in place of the x in the user (u) position) can only be set on a file.
Role on a file:
By default, when a user executes a command, the process runs with the identity and permissions of that user. Once the owner sets SUID on the file, every user who executes it runs it with the owner's permissions. This allows users to execute the file with permissions they themselves do not have.
setgid (shown as an s in place of the x in the group (g) position) can only be set on a directory.
Role on a directory:
By default, a file or folder created by a user belongs to the user's current group. After SGID is set on a directory, every file created in that directory, by anyone, belongs to the directory's group, while its owner is still the user who created it.
sticky (shown as a t in place of the x in the other (o) position) can only be set on a directory.
Role on a directory:
By default, if a directory grants w and x to others (o), anyone can create and delete files in it. Once the sticky bit is set on the directory, only a file's owner, the directory's owner and the system administrator can delete files in it; other users cannot.
NOTE: Setting the sticky bit directly on a file has no effect; set it on the directory that contains the files.
Representation of the forced bits and the sticky bit:
The forced bits and the sticky bit are displayed in the execute-permission position: the forced bits as S or s, the sticky bit as T or t. If that position also has execute permission, the lowercase letter is shown; otherwise the uppercase letter. That is:
S: the x bit is not set    s: the x bit is set
T: the x bit is not set    t: the x bit is set
PS: If a forced bit appears as uppercase S, the corresponding execute bit has not been set; such a suid setting is useless and can be ignored.
Setting the forced bits and the sticky bit
1: Using + and - to set the forced bits and the sticky bit
set uid: # chmod u+s filename
# chmod u-s filename     (removes the forced bit from the file)
set gid: # chmod g+s filename
sticky: # chmod o+t dir
2: The forced bits and the sticky bit can also be set numerically, with an extra digit placed in front of the three permission digits (written --- below):
4 (set uid)  2 (set gid)  1 (sticky)
# chmod 4--- file       set setuid on a file
# chmod 2--- dir        set setgid on a directory
# chmod 1--- dir        set sticky on a directory
# chmod 6--- dir/file   set both setgid and setuid
Note: chmod does not perform any consistency checks. It will set these bits on files for which they are useless, and it does not check whether the combination of permissions makes sense. So a file that has execute permission is not necessarily a program or script.
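The display rules and both ways of setting the bits, as an added shell example that is not part of the original article: it creates its own files in a temporary directory (so no root is needed), sets the bits with the symbolic and the numeric form, and reads back the ls -l mode field, including the uppercase-S case of a setuid bit without the execute bit. The function names mode_of and demo_special_bits are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Sets the forced bits and the
# sticky bit on files we own in a temporary directory and prints the ls -l
# mode field for each, so the s/S and t letters can be seen without root.

# Print the 10-character mode field of ls -l for one path, e.g. -rwsr-xr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create a sandbox with a "program" file and two directories, set the special
# bits, and print the resulting mode strings, one per line, in a fixed order.
demo_special_bits() {
    sbx=$(mktemp -d) || return 1
    : > "$sbx/prog"
    mkdir "$sbx/shared" "$sbx/dropbox"

    chmod 755 "$sbx/prog"   && chmod u+s "$sbx/prog"    # setuid, symbolic form
    chmod 770 "$sbx/shared" && chmod g+s "$sbx/shared"  # setgid on a dir, symbolic form
    chmod 1777 "$sbx/dropbox"                           # sticky, numeric form (1 in front)

    mode_of "$sbx/prog"      # -rwsr-xr-x : lowercase s, the x bit is present
    mode_of "$sbx/shared"    # drwxrws--- : lowercase s in the group position
    mode_of "$sbx/dropbox"   # drwxrwxrwt : lowercase t in the other position

    # Numeric setuid (4) without the execute bit: the bit shows as uppercase S
    # and is useless, the case the PS above warns about.
    chmod 4644 "$sbx/prog"
    mode_of "$sbx/prog"      # -rwSr--r--

    rm -rf "$sbx"
}

demo_special_bits
```

Run it as any user; everything happens on files the script itself creates, and the sandbox is removed at the end.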
SUID example:
By default, every user can use the ping command. But if you look at the ping command's file, its owner and group are both root, and normally only the root user should be able to execute it; in fact every user can use it, because the owner's x position in the file's permissions holds an s.
# ping -c 4 www.linuxidc.com
If you remove the suid, other users can no longer use the command:
# chmod u-s /bin/ping
# su - linuxidc
$ ping -c 4 www.linuxidc.com
ping: icmp open socket: Operation not permitted
The example above shows that the forced bit on a command file lets a user run that command as a process with the identity of the file's owner or owning group. It also shows that without the s bit, ordinary users cannot use a privileged command.
SGID example:
A team develops a project and stores all project files in one directory. Setting SGID on that directory makes every file any user creates there belong to the same group. The directory's permissions are then set so that everyone can see the files other users created.
STICKY example:
For the same team project, setting the sticky bit on the directory lets every team member create files in it, but each member can delete only the files they created themselves (except root). This protects each user's files in the directory.
Other:
Find suid files
# ls -l | grep '^...s'
Find suid and sgid files
# ls -l | grep '^...s..s'
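An added example, not from the original article, of finding files with the forced bits across a whole directory tree: the grep one-liners above scan only the current directory and depend on the ls column layout, while find -perm -4000 / -perm -2000 (which match "at least these bits") is recursive and works on the mode itself. The function names and the temporary-directory self-check are this example's own; the self-check includes a setuid file without the execute bit to show that it is still reported, so an audit should also look at the x bit before deciding whether an entry matters.

```shell
#!/bin/sh
# Added example, not from the original article: list regular files under a
# directory that carry the setuid or setgid bit. -perm -4000 / -perm -2000 match
# "at least these bits", so files with s or S in either position are found.
# Output is sorted, one path per line, so it can be diffed against a baseline.
find_forced_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Self-check in a temporary directory we own (no root needed): one setuid file,
# one setgid file, one plain file and one setuid file without the execute bit
# (the useless uppercase-S case, which is still reported). Prints the matching
# names relative to the sandbox.
selfcheck_find_forced_bits() {
    sbx=$(mktemp -d) || return 1
    for f in suid sgid plain useless; do : > "$sbx/$f"; done
    chmod 4755 "$sbx/suid"
    chmod 2755 "$sbx/sgid"
    chmod 0755 "$sbx/plain"
    chmod 4644 "$sbx/useless"
    find_forced_bits "$sbx" | sed "s|^$sbx/||"
    rm -rf "$sbx"
}

selfcheck_find_forced_bits   # prints sgid, suid, useless (one per line)
# For a real audit of a system directory run, for example: find_forced_bits /usr
```

Saving the sorted output of find_forced_bits for a system directory and diffing it after package installs or upgrades shows exactly which files gained or lost a forced bit.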