Linux 8 special permissions
View the permissions of the passwd command file
First find where the passwd command lives:
# which passwd
We find that it is located at:
/usr/bin/passwd
Do not confuse this with /etc/passwd, which is the account database (a configuration file), not the command.
View the details with ll /usr/bin/passwd:
-rwsr-xr-x. 1 root root 27832 Jan 30 2014 /usr/bin/passwd
The "s" in the owner's execute position shows that this file has the suid bit set. When an ordinary user runs it to change their password, the process runs with the privileges of the file's owner, root, rather than those of the caller, and root is allowed to write /etc/shadow. That is exactly what suid is for, and also why every root-owned suid binary is an attack surface: a bug in it is a bug running as root.
suid permissions:
As user1, in user1's own home directory ([user1@localhost ~]), create the files file1 and file2, then add the suid bit to each, once with the symbolic (letter) form and once with the numeric (octal) form.
First create new files file1, file2
$ touch file1
$ touch file2
View file details
-rw-rw-r--. 1 user1 user1 0 xxxxxx file1
-rw-rw-r--. 1 user1 user1 0 xxxxxx file2
Add suid permissions
$ chmod u+s file1
$ chmod 4664 file2
View file details
-rwSrw-r--. 1 user1 user1 0 xxxxxx file1
-rwSrw-r--. 1 user1 user1 0 xxxxxx file2
Note the capital S: ls prints a lowercase s when the suid bit and the owner's execute bit are both set, and a capital S when suid is set on a file that is not executable. A capital S is usually a mistake, because suid only has an effect on a binary that can actually be executed (the kernel also ignores it on interpreted scripts). In the numeric form the leading 4 is the suid bit, followed by the usual three rwx digits.
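The following is an added example and not code from the original page. It repeats the two chmod forms above on files in a temporary directory, reads the result back with stat(1), and shows the S versus s distinction, plus the find command used to inventory suid files. It assumes GNU coreutils and find on Linux; the helper names (mode_of, suid_flag, suid_files, suid_demo) are this example's own, and no root is needed because the bit is only set on files we own.

```shell
#!/bin/sh
# Added example, not code from the original page.
# Assumptions: GNU coreutils (stat -c, mktemp -d) and GNU find on Linux.

# Octal mode of a path including the special bits, e.g. 4664.
mode_of() {
    stat -c '%a' "$1"
}

# The owner-execute column of the symbolic mode, which is where ls
# shows suid: "s" = suid + execute, "S" = suid without execute,
# "x" = execute only, "-" = neither.
suid_flag() {
    stat -c '%A' "$1" | cut -c4
}

# Files under $1 that carry the suid bit. On a real host you run this
# against / as root and diff the output against a known-good baseline;
# only entries owned by root give a caller extra privilege.
suid_files() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# Recreate the page's experiment: two 664 files, suid added symbolically
# on one and numerically on the other, plus a third file that also has
# the execute bit so the lowercase s can be seen.
suid_demo() {
    dir=$(mktemp -d)
    touch "$dir/file1" "$dir/file2" "$dir/file3"
    chmod 664 "$dir/file1" "$dir/file2"
    chmod u+s "$dir/file1"      # symbolic form: add the suid bit
    chmod 4664 "$dir/file2"     # numeric form: 4 = suid, then rw-rw-r--
    chmod 4755 "$dir/file3"     # suid plus owner execute -> lowercase s
    for f in file1 file2 file3; do
        printf '%-6s mode=%s ls-shows=%s\n' "$f" \
            "$(mode_of "$dir/$f")" "$(suid_flag "$dir/$f")"
    done
    echo "suid files under $dir:"
    suid_files "$dir"
    rm -rf "$dir"
}

suid_demo
```

The same suid_files function run as root against / is the usual first step of a privilege-escalation audit; anything not in the distribution's expected list (passwd, su, sudo, mount and a handful of others) deserves a look.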
sgid permissions
The user1 user creates a folder test in his home directory
Switch to the super user, create a new group testgroup, and change the group of the test directory to testgroup.
Add the sgid bit to test.
Switch back to the normal user user1, enter test, create a new file subfile and a folder subtest, and check which group they belong to.
First create a new test folder in user1's home directory
# su user1
$ mkdir test
The details are:
drwxrwxr-x. 2 user1 user1 6 xxxxxx test
Switch to the super user root and create a new testgroup
$ exit
# groupadd testgroup
Adjust the group belonging to the test directory to testgroup
# cd /home/user1/
# chown :testgroup test    (or: chgrp testgroup test)
drwxrwxr-x. 2 user1 testgroup 4096 xxxxxx test
chown :group, with the owner part left empty, changes only the group and leaves the owner as it was.
Add sgid permission to test
# chmod g+s test
drwxrwsr-x. 2 user1 testgroup 4096 xxxxxx test
Switch to normal user user1, enter test, create a new file subfile and folder subtest, and check the groups they belong to
# su user1
$ cd test
$ touch subfile
$ mkdir subtest
$ ll
-rw-rw-r--. 1 user1 testgroup 0 xxxxxx subfile
drwxrwsr-x. 2 user1 testgroup 4096 xxxxxx subtest
Both new entries take the group of the directory (testgroup) instead of user1's primary group, and user1 does not even have to be a member of testgroup for that to happen. The sub-directory also inherits the sgid bit itself (the s in drwxrwsr-x), so the rule keeps applying further down the tree; the plain file gets the group but not the bit.
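The following is an added example and not code from the original page. It shows the two effects of sgid on a directory that the listing above demonstrates: new entries take the directory's group, and new sub-directories also take the sgid bit. It assumes GNU coreutils and find on Linux; the helper names (mode_of, gid_of, has_sgid, group_consistent, sgid_demo) are this example's own. Run as an unprivileged user the temporary directory keeps your own group, so group inheritance is checked by comparing gids rather than by creating a second group, which needs root.

```shell
#!/bin/sh
# Added example, not code from the original page.
# Assumptions: GNU coreutils (stat -c, mktemp -d) and GNU find on Linux.

# Octal mode including the special bits, e.g. 2775.
mode_of() { stat -c '%a' "$1"; }

# Numeric gid of a path.
gid_of() { stat -c '%g' "$1"; }

# 0 if the path has the sgid bit, 1 otherwise. stat prints a fourth,
# leading digit only when a special bit is set; sgid contributes 2 to it.
has_sgid() {
    case "$(mode_of "$1")" in
        2???|3???|6???|7???) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if every entry below $1 has the same group as $1 itself, which is
# what a shared project tree under an sgid directory should look like.
group_consistent() {
    want=$(gid_of "$1")
    if find "$1" -mindepth 1 ! -group "$want" -print | grep -q .; then
        return 1
    fi
    return 0
}

# Recreate the page's experiment in a temp dir: set sgid on the parent,
# create a file and a sub-directory, print mode and gid of each.
sgid_demo() {
    test_dir=$(mktemp -d)
    chmod 2775 "$test_dir"          # same result as chmod 775 + chmod g+s
    touch "$test_dir/subfile"
    mkdir "$test_dir/subtest"
    for p in "" /subfile /subtest; do
        printf '%-12s mode=%s gid=%s\n' "test$p" \
            "$(mode_of "$test_dir$p")" "$(gid_of "$test_dir$p")"
    done
    if group_consistent "$test_dir"; then
        echo "all entries share the directory's group"
    fi
    rm -rf "$test_dir"
}

sgid_demo
```

group_consistent is the check worth keeping: files copied or moved into a shared directory keep their old group (the sgid rule only applies to entries created there), so a periodic run of it catches the stragglers that the directory bit cannot.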
sticky permissions
Suppose we have two users, nash and bob, both in the group net, and a folder testdir whose group is net with read and write permission for the group. As it stands, either member can delete or rename the other's files in that directory, because delete and rename are operations on the directory, not on the file, and both users have write permission on the directory. The sticky bit on the directory changes this: with it set, an entry in testdir can only be removed or renamed by the owner of that entry, the owner of the directory, or root. Whether nash can still read or modify the content of bob's file is a separate question, decided by that file's own permission bits, not by the sticky bit.
1. Create the net group and the users bob and nash, and add both users to the net group
2. Create the testdir folder, change its group to net, and give the group write permission
3. Without the sticky bit, test whether nash can delete a file created by bob
4. Add the sticky bit to testdir and repeat the test
First create a new net group
# groupadd net
Create the users bob and nash, with net as a supplementary group:
# useradd -G net bob
# useradd -G net nash
Create the testdir folder, change its group to net, and give the group write permission:
# cd /home
# mkdir testdir
drwxr-xr-x. 2 root root 4096 xxxxxx testdir
# chown :net testdir
drwxr-xr-x. 2 root net 4096 xxxxxx testdir
# chmod g+w testdir
drwxrwxr-x. 2 root net 4096 xxxxxx testdir
Without the sticky bit, test whether nash can delete a file created by bob:
# su bob
$ cd testdir
$ touch bobfile
$ exit
# su nash
$ cd testdir
$ rm -f bobfile
The file is deleted without complaint: nash has write permission on the directory, and that is all unlink needs.
Now add the sticky bit to testdir and repeat the test:
# chmod o+t testdir
# ll
drwxrwxr-t. 2 root net 4096 xxxxxx testdir
# su bob
$ cd testdir
$ touch bobfile
$ exit
# su nash
$ cd testdir
$ rm -f bobfile
rm: cannot remove 'bobfile': Operation not permitted
As with the capital S for suid, ls prints a capital T when the sticky bit is set but the others-execute bit is not. Mode 1777 (rwxrwxrwt) is what /tmp uses, and adding the sticky bit is the standard fix whenever a directory has to be writable by several users.
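The following is an added example and not code from the original page. The risky state in this section is a directory that several users can write to without the sticky bit, so the example audits a tree for exactly that and fixes what it finds with chmod +t, the same change as chmod o+t above. It assumes GNU find, stat and chmod on Linux; the sample tree is constructed in a temporary directory, and the helper names (unsafe_shared_dirs, unsafe_count, fix_shared_dirs, make_sample_tree, sticky_demo) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page.
# Assumptions: GNU find, stat, chmod and mktemp on Linux.

# World-writable directories under $1 that lack the sticky bit.
# -perm -0002: others have write; ! -perm -1000: sticky bit is not set.
unsafe_shared_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# Number of such directories, for an easy check.
unsafe_count() {
    unsafe_shared_dirs "$1" | wc -l | tr -d ' '
}

# Put the sticky bit on every directory unsafe_shared_dirs reports.
fix_shared_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -exec chmod +t {} +
}

# Constructed sample tree: one shared directory done right (1777, the
# mode /tmp uses), one done wrong (777), and a private one (755) that
# is not shared at all. Prints the root of the tree.
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir "$tree/good" "$tree/bad" "$tree/private"
    chmod 1777 "$tree/good"
    chmod 777 "$tree/bad"
    chmod 755 "$tree/private"
    printf '%s\n' "$tree"
}

sticky_demo() {
    tree=$(make_sample_tree)
    echo "world-writable without sticky bit, before fix:"
    unsafe_shared_dirs "$tree"
    fix_shared_dirs "$tree"
    echo "after fix (expected: nothing):"
    unsafe_shared_dirs "$tree"
    stat -c '%A %n' "$tree/bad"      # now drwxrwxrwt
    rm -rf "$tree"
}

sticky_demo
```

On a real host the audit is run against / as root; the only hits you expect are /tmp, /var/tmp and similar, and those already carry the bit, so any output at all is worth reading.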