5DAY Advanced Privileges

0xff001 suid / sgid / sticky ; s / s / t ; 4 / 2 / 1 special bits

001. Description

  • suid and sgid, when set on an executable file, give the running process the file owner's (suid) or the file group's (sgid) privileges for the duration of the process

  • When sgid is set on a directory, new files created inside it inherit the directory's group

  • When sticky is set on a directory, only root and the owner can delete the content in that directory

002. Examples 1-4

  • Example 1 suid: an ordinary user escalates privileges through a binary file; with suid set on cat, the cat process runs with root privileges and can read root's files


    Example 1: suid, an ordinary user escalates privileges through suid <for files>
    add the suid bit to a program file (binary, executable)
    [root@tianyun ~]# chmod u+s /usr/bin/cat
    [alice@tianyun ~]$ cat /root/file1.txt
  • Example 2 suid: the passwd process runs as root because of the u+s bit

    As can be seen, the permissions of /etc/shadow, the file that passwd modifies, allow only the root user to write it. Other users can run the passwd command, yet they cannot write /etc/shadow, so how is the new password stored? This is the role of the suid bit: you do not have the right to modify /etc/shadow, so I (the program's owner, root) lend it to you. In other words, by calling the passwd command other users temporarily obtain root's authority, and at that moment /etc/shadow is modified with root's permissions.


    Ordinary users can change their own password:
    alice -> /usr/bin/passwd -> /etc/shadow
    [alice@tianyun ~]$ ll /usr/bin/passwd
    -rwsr-xr-x. 1 root root 30768 Feb 17 2012 /usr/bin/passwd
    [alice@tianyun ~]$ passwd
    Changing password for user alice.
    Changing password for alice.
    (current) UNIX password:
    [root@tianyun ~]# ps aux |grep passwd
    root 3674 0.0 0.0 165764 1884 pts/1 S+ 14:34 0:00 passwd
  • Example 3 sgid


    Example 3: sgid, new files inherit the directory's group <for directory>
    [root@tianyun ~]# mkdir /home/hr
    [root@tianyun ~]# groupadd hr
    [root@tianyun ~]# chgrp hr /home/hr/
    [root@tianyun ~]# chmod g+s /home/hr
    [root@tianyun ~]# ll -d /home/hr/
    drwxr-sr-x. 2 root hr 4096 Dec 5 16:03 /home/hr/
    [root@tianyun ~]# touch /home/hr/file9
    [root@tianyun ~]# ll /home/hr/
    -rw-r--r--. 1 root hr 0 Dec 5 16:03 file9
  • Example 4 sticky


    Example 4: sticky, users can only delete their own files <for directory>
    [root@tianyun ~]# mkdir /home/dir1
    [root@tianyun ~]# chmod 777 /home/dir1
    test: user1 creates a file in /home/dir1, user2 tries to delete it!
    [root@tianyun ~]# chmod o+t /home/dir1
    [root@tianyun ~]# ll -d /home/dir1
    drwxrwxrwt 2 root root 4096 09-02 02:26 /home/dir1
    Who can delete a file in the directory:
    root
    the file's owner
    the directory's owner
  • Summarize

    1. Symbolic notation

    chmod u+s file   # set suid on a file, used for privilege escalation, e.g. /usr/bin/passwd
    chmod g+s dir    # set sgid, for files and directories; new files in the directory inherit its group
    chmod o+t dir    # set sticky on a directory, restricts who may delete its content

    2. Numeric notation

    chmod 4777 file  # set suid
    chmod 2770 dir   # set sgid
    chmod 1770 dir   # set sticky
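As an added example (not part of the tutorial), a small audit script that looks at the three special bits from the defender's side: it lists files carrying suid or sgid, and world-writable directories that lack the sticky bit, which is the state /home/dir1 was in before chmod o+t. It assumes Linux with GNU find and GNU stat, and builds a constructed sample tree owned by the current user so it runs without root.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes GNU find and GNU stat (Linux).

# List regular files under $1 that carry suid (4000) or sgid (2000): "<mode> <owner> <group> <path>".
# Each of these runs with the owner's or group's identity, so every entry should have a known reason.
list_special_files() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
       -exec stat -c '%A %U %G %n' {} + 2>/dev/null | sort
}

# List directories under $1 that are world-writable (o+w) but lack the sticky bit (1000):
# in such a directory any user may delete or rename any other user's files.
list_unsticky_world_writable_dirs() {
  find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Build a constructed sample tree reproducing the cases from the examples above.
# Everything is owned by the current user, so no root is needed to set the bits.
make_sample_tree() {
  d=$(mktemp -d) || return 1
  : > "$d/cat_copy";   chmod 4755 "$d/cat_copy"    # like chmod u+s /usr/bin/cat -> reported
  : > "$d/plain";      chmod 0644 "$d/plain"        # ordinary file               -> not reported
  mkdir "$d/hr";       chmod 2775 "$d/hr"           # like chmod g+s /home/hr     -> sgid dir, fine
  mkdir "$d/dir1";     chmod 0777 "$d/dir1"         # chmod 777 without o+t       -> reported
  mkdir "$d/dir1_fix"; chmod 1777 "$d/dir1_fix"     # after chmod o+t             -> not reported
  printf '%s\n' "$d"
}

count_lines() { wc -l | tr -d ' '; }
count_special_files() { list_special_files "$1" | count_lines; }
count_unsticky_dirs()  { list_unsticky_world_writable_dirs "$1" | count_lines; }

# Stand-alone run: audit the sample tree, then clean it up.
if [ "${1:-}" = "--demo" ]; then
  tree=$(make_sample_tree)
  echo "suid/sgid files:";                    list_special_files "$tree"
  echo "world-writable dirs without sticky:"; list_unsticky_world_writable_dirs "$tree"
  rm -rf "$tree"
fi
```

Run the same two functions against / (as root) to get the real inventory; the sample tree only shows what each check reports.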

0xff002 Special file attributes (chattr)

001. chattr description

  • Often used to lock a file so that it cannot be modified.

002. lsattr: view the special attributes of a file


[root@localhost ~]# lsattr
---------------- ./1.txt
---------------- ./vr

003. Adding the different attributes


[root@localhost ~]# chattr +a 1.txt   // append only: cannot delete, rename or move
[root@localhost ~]# lsattr
-----a---------- ./1.txt

[root@localhost ~]# chattr +i 1.txt   // immutable: cannot change, rename or delete
[root@localhost ~]# touch 1.txt 2.txt
touch: cannot touch `1.txt': Permission denied

[root@localhost ~]# chattr +A 1.txt   // do not update the access time (atime)
[root@localhost ~]# lsattr
----ia-A-------- ./1.txt

Restore the attributes
[root@tianyun ~]# chattr -a 1.txt
[root@tianyun ~]# chattr -i 1.txt
[root@tianyun ~]# chattr -A 1.txt

Other attributes (less important, just be aware of them; an attribute X is set with chattr +X and cleared with chattr -X):
      c   when set, the file is automatically compressed on disk
      d   the dump command will not back up the file
      D   when set on a directory, changes to it are written to disk synchronously
      e   indicates that the file uses extents to map its blocks on disk
      j   when set, the file's data is first written to the journal and then to the file
      s   when set, changes are written to disk synchronously
Command options:
      -R  recursively change the attributes of directories and their contents
      -V  verbose output, including the chattr version
      -f  suppress most error messages
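As an added example (not from the tutorial), a check that reads lsattr output and lists the files carrying the i or a attribute: these attributes survive chmod and do not appear in ll, so a defender wants an explicit list of which files are locked this way. The lsattr listing below is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Parses lsattr output with awk;
# the sample listing below is constructed, not captured from a real system.

# Read lsattr (or lsattr -R) output on stdin and print "<flags> <path>" for every
# file with the immutable (i) or append-only (a) attribute. Letters are matched
# rather than column positions, because the width of the attribute field
# differs between e2fsprogs versions.
locked_files() {
  awk '
    NF >= 2 && $1 ~ /^[A-Za-z-]+$/ {
      flags = ""
      if (index($1, "i")) flags = flags "i"
      if (index($1, "a")) flags = flags "a"
      if (flags != "") {
        path = $0
        sub(/^[^ ]+ +/, "", path)     # drop the attribute field, keep spaces inside the path
        print flags, path
      }
    }'
}

# Constructed sample in the style of the listings above (one entry per line).
SAMPLE_LSATTR='----i--------e-- /etc/passwd
-----a-------e-- /var/log/secure
----ia-------e-- /root/1.txt
-------------e-- /root/vr
---------------- /tmp/my file.txt'

# Wrapper so the parser can be exercised without a real filesystem.
locked_files_in_sample() {
  printf '%s\n' "$SAMPLE_LSATTR" | locked_files
}

# Real use (as root): lsattr -R /etc 2>/dev/null | locked_files
```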

0xff003 Process mask (umask)

001. Description

shell   ======umask======> new file or directory permissions (vim, touch)
vsftpd  ======umask======> new file or directory permissions
samba   ======umask======> new file or directory permissions
useradd ======umask======> user HOME directory

002. The default umask is 0022


[root@localhost ~]# umask
0022
[root@localhost ~]# touch 1.txt
[root@localhost ~]# mkdir dir
[root@localhost ~]# ll
总用量 0
-rw-r--r--. 1 root root 0 4月 30 11:21 1.txt
drwxr-xr-x. 2 root root 6 4月 30 11:21 dir

003. Modify the shell umask value (temporary)


[root@localhost ~]# umask 000   // change the umask of the current shell only
[root@localhost ~]# mkdir dir1
[root@localhost ~]# touch 4.txt
[root@localhost ~]# ll
total 0
-rw-rw-rw-. 1 root root 0 Apr 30 11:29 4.txt
drwxrwxrwx. 2 root root 6 Apr 30 11:29 dir1

004. Modify shell umask (permanent)


[root@tianyun ~]# vim /etc/profile  
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
  umask 002
else
  umask 022
fi
[root@tianyun ~]# source /etc/profile // Immediately take effect in the current shell

005. Determine the permissions of the new user's HOME directory through umask


[root@tianyun ~]# vim /etc/login.defs
UMASK 077
[root@tianyun ~]# useradd gougou
[root@tianyun ~]# ll -d /home/gougou/
drwx------. 4 gougou gougou 4096 March 11 19:50 /home/gougou/
[root@tianyun ~]# vim /etc/login.defs
UMASK 000
[root@tianyun ~]# useradd yangyang
[root@tianyun ~]# ll -d /home/yangyang/
drwxrwxrwx. 4 yangyang yangyang 4096 March 11 19:53 /home/yangyang/
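As an added example (not part of the tutorial), a short script that works out the umask arithmetic behind the listings in this section and checks it against what the kernel actually does: the umask clears bits from the base mode (666 for files, 777 for directories), it is not subtracted, which is why UMASK 077 yields drwx------ and umask 000 yields world-writable objects. It assumes Linux with GNU stat.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes GNU stat (Linux coreutils).

# Predict the mode of a new object. The umask clears bits; it is not subtracted.
#   $1 = base mode (666 for files from touch/vim, 777 for directories from mkdir/useradd)
#   $2 = umask (e.g. 022, 002, 077)
predict_mode() {
  printf '%o\n' $(( 0$1 & ~0$2 ))    # the leading 0 forces octal interpretation
}

# Create a file or directory under the given umask and report its real mode,
# so the prediction can be compared with the kernel's behaviour.
#   $1 = umask, $2 = "file" or "dir"
observe_mode() {
  d=$(mktemp -d) || return 1
  if [ "$2" = dir ]; then
    ( umask "$1" && mkdir "$d/x" )
  else
    ( umask "$1" && : > "$d/x" )
  fi
  stat -c '%a' "$d/x"
  rm -rf "$d"
}

# True (exit 0) when the umask leaves the "other" write bit set, i.e. new files
# and directories come out world-writable, as with the umask 000 / UMASK 000 cases above.
umask_allows_world_write() {
  [ $(( ~0$1 & 02 )) -ne 0 ]
}

# Stand-alone run: compare prediction and observation for the cases in this section.
if [ "${1:-}" = "--demo" ]; then
  for m in 022 002 077 000; do
    echo "umask $m: file $(predict_mode 666 "$m")/$(observe_mode "$m" file)" \
         "dir $(predict_mode 777 "$m")/$(observe_mode "$m" dir)"
  done
fi
```

An odd umask such as 111 makes the point visible: a file still comes out 666, because touch never asks for execute bits and the umask can only remove bits that were requested.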

006. Example: the vsftpd process and /etc/vsftpd/vsftpd.conf [for reference]


[root@tianyun ~]# yum -y install vsftpd
[root@tianyun ~]# man vsftpd.conf
anon_umask
local_umask

 
