Linux permissions management: special permissions SUID / SGID

SUID permission (executable files)

-rwsr-xr-x: the s in the owner's execute position is the SUID bit

When a file that already has execute permission also carries SUID, whoever runs it executes the program with the identity (effective UID) of the file's owner instead of their own.

Features:

Only an executable binary program can usefully be given SUID; Linux ignores the bit on interpreted scripts.
The person running the command must have x (execute) permission on the program; the s only means something on top of x (ls shows a capital S when the bit is set without x).
While running the program, the executor takes on the identity of the file's owner (for the life of the process the program is "possessed" by the owner).

SUID is effective only while the program is running; that is, the identity change lasts only for the execution of the program (a mask that comes off as soon as the program exits).

Examples:

[root@xxx /]# :ll /etc/passwd
-rw-r--r--. 1 root root 1727 Apr 21 22:59 /etc/passwd
[root@xxx /]# :ll /etc/shadow
----------. 1 root root 1594 Apr 21 23:02 /etc/shadow
[root@xxx /]# :ll /usr/bin/passwd
-rwsr-xr-x. 1 root root 27832 Jun 10  2014 /usr/bin/passwd

When an ordinary user runs a command that has SUID set, the command runs with the identity of the command's owner, here root. That is why an ordinary user can change their own password even though /etc/shadow is mode 000 and owned by root: root is not subject to ordinary permission checks, so passwd running as root can rewrite the file. If the SUID bit is removed from /usr/bin/passwd, ordinary users can no longer change their password.

The ordinary user puts on a wig, passes as root, and runs the command.
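The post reads the SUID bit off an `ll` listing by eye. The script below is an added example, not part of the original post: it decodes the special bits of a path from its octal mode, flags a bit that is set without the matching execute bit (the capital S case, which the kernel never honours), and audits a tree for SUID/SGID files the way you would on a real host before comparing against a known-good baseline. It assumes GNU coreutils (`stat -c`) and a `find` that understands `-perm -mode`; the file names in the demo are constructed and owned by whoever runs it, not by root.

```shell
#!/bin/bash
# Added example, not from the original post: decode the special bits of a path and audit a
# tree for SUID/SGID files. Assumes GNU coreutils (stat -c) and find with -perm -mode.

# special_bits PATH
# Prints which special bits are set: "suid", "sgid", "sticky", or "none".
# A bit set without the matching execute bit (ls shows a capital S or T) is reported as
# "suid-no-x" / "sgid-no-x": the bit is stored, but the s is only meaningful on top of x.
special_bits() {
  mode=$(stat -c '%a' "$1") || return 1   # octal, e.g. 4755 for passwd, 755 for a plain binary
  bits=$(( 0$mode ))                       # a leading 0 makes shell arithmetic read it as octal
  set --                                   # collect findings in the positional parameters
  if [ $(( bits & 04000 )) -ne 0 ]; then
    if [ $(( bits & 0100 )) -ne 0 ]; then set -- "$@" suid; else set -- "$@" suid-no-x; fi
  fi
  if [ $(( bits & 02000 )) -ne 0 ]; then
    if [ $(( bits & 0010 )) -ne 0 ]; then set -- "$@" sgid; else set -- "$@" sgid-no-x; fi
  fi
  if [ $(( bits & 01000 )) -ne 0 ]; then set -- "$@" sticky; fi
  [ $# -eq 0 ] && set -- none
  printf '%s\n' "$*"
}

# suid_sgid_audit DIR
# Prints "mode owner group path" for every regular file under DIR with SUID or SGID set,
# staying on one filesystem. On a real host point it at / and diff the output against a
# baseline: an unexpected SUID root binary is a classic privilege-escalation path.
suid_sgid_audit() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
       -exec stat -c '%A %U %G %n' {} + 2>/dev/null | sort -k4
}

# demo: a throw-away tree (constructed) that mirrors the cases discussed in the post
demo() {
  tmp=$(mktemp -d)
  : > "$tmp/passwd-like"; chmod 4755 "$tmp/passwd-like"   # -rwsr-xr-x, as /usr/bin/passwd
  : > "$tmp/locate-like"; chmod 2711 "$tmp/locate-like"   # -rwx--s--x, as /usr/bin/locate
  : > "$tmp/broken-suid"; chmod 4644 "$tmp/broken-suid"   # -rwSr--r--: SUID without x
  : > "$tmp/plain";       chmod 755  "$tmp/plain"
  for f in "$tmp"/*; do
    printf '%-12s %s\n' "${f##*/}" "$(special_bits "$f")"
  done
  echo '--- audit ---'
  suid_sgid_audit "$tmp"
  rm -rf "$tmp"
}

demo
```

Two caveats when you run the audit for real: a filesystem mounted with `nosuid` still stores the bit (the audit will list the file) but the kernel ignores it at exec time, and Linux ignores SUID on scripts, so only native binaries in the list are actually privileged.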

SGID permission (files and directories)

-rwx--s--x: the s in the group's execute position is the SGID bit

On an executable file, SGID makes the program run with the file's group as the process's effective group. On a directory, SGID makes files and subdirectories created inside it belong to the directory's group instead of the creator's effective group: for the purpose of creating the entry, the creator's effective group is in effect switched to the directory's group.

1. For files

Features:

The person running the command must have x (execute) permission on the program.
While the program runs, the executor's group identity is raised to the group that owns the program file.
SGID is likewise only effective during execution of the program; that is, the group change lasts only while the program is running.

example:

[root@xxx /0202]# ll /var/lib/mlocate/mlocate.db
-rw-r----- 1 root slocate 832486 Nov 19 12:38 /var/lib/mlocate/mlocate.db
[root@xxx /0202]# ll /usr/bin/locate
-rwx--s--x. 1 root slocate 40520 Apr 11 2018 /usr/bin/locate

Here mlocate.db belongs to the slocate group and is readable only by root and that group (-rw-r-----). The locate command also belongs to the slocate group and has SGID set, so an ordinary user running locate temporarily acquires slocate as their effective group and can read mlocate.db through the command, while still being unable to open the database file directly.

2. For directories

Features:

An ordinary user needs x permission on the directory to enter it (and r to list its contents).
For anything the user creates inside this directory, the group used is the directory's group rather than the user's own effective group.
If the user also has w permission on the directory, the files they create there therefore get the directory's group as their default group.

Examples:

[root@xxx /0202]# :setfacl -m u:laow:rwx /0202
(switch to user laow)
[laow@xxx /0202]$ :mkdir 2
[laow@xxx /0202]$ :ll
total 4
drwxr-xr-x. 2 laow old  6 Apr 22 07:02 2
-rw-------. 1 root root 7 Mar 30 10:02 rsync.passwd
(switch back to root)
[root@xxx /0202]# :chmod g+s /0202
(switch to user laow)
[laow@xxx /0202]$ :mkdir 3
[laow@xxx /0202]$ :ll
total 4
drwxr-sr-x. 2 laow root 6 Apr 22 07:06 3

Without SGID on /0202, the subdirectory 2 created by laow gets laow's effective group (old). With SGID set on /0202, the subdirectory 3 gets the group of the parent directory (root) instead, and it also inherits the SGID bit itself (drwxr-sr-x), so the rule propagates to deeper levels automatically. This is what makes a shared project directory work: files created by any member end up in the directory's group without anyone running chgrp by hand.
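The /0202 walkthrough above needs two users and root to reproduce. The script below is an added example, not part of the original post, that shows the same effect with a single unprivileged account: it builds two constructed directories, one with and one without SGID, creates a subdirectory and a file in each, and reports the group and mode of every new entry. It assumes GNU coreutils (`mktemp`, `chmod`, `chgrp`, `stat`, `id`); if the account has a supplementary group besides its effective group, the directories are handed to that group so the group change is visible, otherwise only the inheritance of the bit is.

```shell
#!/bin/bash
# Added example, not from the original post: what the SGID bit on a directory changes for
# the entries created inside it. Uses mktemp, chmod, chgrp, stat and id (GNU coreutils).

# has_sgid PATH -> succeeds when the setgid bit is set on PATH
has_sgid() {
  [ $(( 0$(stat -c '%a' "$1") & 02000 )) -ne 0 ]
}

# new_entry DIR NAME -> creates the subdirectory DIR/NAME and prints "group mode" for it,
# the two columns the post reads off `ll` for the directories 2 and 3
new_entry() {
  mkdir "$1/$2" && stat -c '%G %A' "$1/$2"
}

# other_group -> a supplementary group of the current user that differs from the effective
# group, if there is one; otherwise the effective group itself (the demo then shows only the
# inheritance of the bit, not the change of group)
other_group() {
  eg=$(id -gn)
  for g in $(id -Gn); do
    if [ "$g" != "$eg" ]; then printf '%s\n' "$g"; return 0; fi
  done
  printf '%s\n' "$eg"
}

# demo: constructed directories standing in for /0202 before and after `chmod g+s`
demo() {
  top=$(mktemp -d)
  mkdir "$top/plain" "$top/shared"
  chgrp "$(other_group)" "$top/plain" "$top/shared" 2>/dev/null
  grp=$(stat -c '%G' "$top/shared")          # the group both directories actually ended up with
  chmod 0755 "$top/plain"                    # drwxr-xr-x: no SGID, like /0202 before chmod g+s
  chmod 2775 "$top/shared"                   # drwxrwsr-x: SGID, like /0202 after chmod g+s
  echo "effective group of this user: $(id -gn); group of both directories: $grp"
  echo "plain/sub   -> $(new_entry "$top/plain" sub)"    # group = effective group, no s
  echo "shared/sub  -> $(new_entry "$top/shared" sub)"   # group = $grp, and the s bit is inherited
  : > "$top/shared/file"
  echo "shared/file -> $(stat -c '%G %A' "$top/shared/file")"  # files get the group, never the s
  rm -rf "$top"
}

demo
```

Note the asymmetry the last line shows: a regular file created in a setgid directory takes the directory's group but not the setgid bit, whereas a new subdirectory takes both, which is why the inheritance continues down the tree.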

Personal understanding of initial group, effective group and supplementary groups:

When a new user (laow) is created without specifying a group, a group with the same name (laow) is created by default and becomes both the initial (primary) group and the effective group of the user.

When a new user (laow) is created with a group (old) specified, old becomes both the initial group and the effective group of the user; old also appears in the user's group list (as shown by id laow).

A user can belong to several supplementary groups at the same time, and a supplementary group can contain several users.

By default the effective group is the initial group; newgrp can switch the effective group to one of the supplementary groups for the current session, and files created afterwards then get that group.

Origin blog.csdn.net/weixin_46669463/article/details/105690043