Special permissions in Linux

Besides the ordinary rwx bits, Linux has three special permission bits: suid, sgid and sticky. Used deliberately they make files and directories easier to share and control; set carelessly, suid and sgid hand the privileges of a file's owner or group to whoever runs it, so they deserve attention from a security point of view.
When suid is set on a file or directory, ls -l shows it in the owner's execute column: a lowercase s if the owner also has x (execute) permission, an uppercase S if not.
sgid works the same way in the group's execute column: a lowercase s if the group has x permission, an uppercase S if not.
Likewise, sticky appears in the execute column for other users: a lowercase t if others have x permission, an uppercase T if not. An uppercase letter therefore always means the special bit is set but the matching execute bit is missing. The following example illustrates this.
Special permissions can be set with chmod in symbolic form (u+s, g+s, o+t) or in numeric form, where a fourth leading digit carries suid = 4, sgid = 2 and sticky = 1 (so 7 sets all three). The following example uses the numeric form.
# -rw-r--r-- 1 root root 0 Nov 6 07:40 test1 ugo has no permission to execute
# chmod 7644 test1 The original permission is 644, and special permissions are added
# -rwSr-Sr-T 1 root root 0 Nov 6 07:43 test1 The owner, group, and other users' execution permissions become S, S, T.

# -rwxr-xr-x 1 root root 0 Nov 6 07:43 test2 ugo has execution permissions
# chmod 7755 test2 The original permission is 755, and special permissions are added.
# -rwsr-sr-t 1 root root 0 Nov 6 07:49 test2 The owner, group, and other users' execution permissions become s, s, t.
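As an added example that is not part of the original article, here is a small shell function that applies the rule above: it turns a numeric mode such as 7644 into the string ls -l prints, folding each special bit into the execute column of its triplet and choosing lowercase or uppercase depending on whether that execute bit is present. The function and its parameter names are this example's own, not a system command.

```shell
#!/bin/sh
# Added example, not from the original article: render a numeric mode the way ls -l does.

# Print one rwx triplet for the bits of mode $1 starting at bit position $2
# (6 = owner, 3 = group, 0 = others). $3 is the special bit that belongs to this
# triplet, in decimal (2048 = suid 04000, 1024 = sgid 02000, 512 = sticky 01000).
# $4 and $5 are the lowercase and uppercase letters that replace the x column
# when the special bit is set.
triplet() {
    m=$1; shift_by=$2; special=$3; lower=$4; upper=$5
    r=$(( (m >> (shift_by + 2)) & 1 ))
    w=$(( (m >> (shift_by + 1)) & 1 ))
    x=$(( (m >> shift_by) & 1 ))
    [ "$r" -eq 1 ] && printf 'r' || printf '%s' '-'
    [ "$w" -eq 1 ] && printf 'w' || printf '%s' '-'
    if [ $(( m & special )) -ne 0 ]; then
        # special bit set: lowercase when x is also set, uppercase when it is not
        [ "$x" -eq 1 ] && printf '%s' "$lower" || printf '%s' "$upper"
    else
        [ "$x" -eq 1 ] && printf 'x' || printf '%s' '-'
    fi
}

# Usage: mode_to_symbolic 7644      -> -rwSr-Sr-T
#        mode_to_symbolic 3775 d    -> drwxrwsr-t
# $1 is the octal mode exactly as you would pass it to chmod; $2 is the file type
# character ("-" for a regular file, the default, or "d" for a directory).
mode_to_symbolic() {
    m=$(( 0$1 ))                 # the leading 0 makes the shell read the number as octal
    printf '%s' "${2:--}"
    triplet "$m" 6 2048 s S      # owner column carries suid
    triplet "$m" 3 1024 s S      # group column carries sgid
    triplet "$m" 0  512 t T      # others column carries sticky
    printf '\n'
}

mode_to_symbolic 7644
mode_to_symbolic 7755
mode_to_symbolic 3775 d
```

The arithmetic only looks at the 12 permission bits, so the function also shows why 3775 on a directory prints rws in the group column: the group's own x bit is set, so sgid is folded in as lowercase.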

The effect of special permissions on executable files:
suid: the program runs with the privileges of the file's owner, not with those of the user who executes it.
sgid: the program runs with the privileges of the file's group. Both bits only matter on a file that is actually executable; the Linux kernel also ignores them on interpreter (#!) scripts and on filesystems mounted with nosuid. The following example shows suid:
ls -l /bin/ping
-rwsr-xr-x 1 root root 35832 Apr 24 2009 /bin/ping
ping has the suid bit set and is owned by root. To send ICMP echo requests, this version of ping opens a raw socket, which only root may do. Switch to the yaoyao user and ping a host; the network is indeed reachable:
[yaoyao@localhost test2]$ ping www.baidu.com -c4
PING www.linuxidc.com (61.135.169.121) 56(84) bytes of data.
64 bytes from 61.135.169.121: icmp_seq=1 ttl=47 time=10.0 ms
64 bytes from 61.135.169.121: icmp_seq=2 ttl=46 time=14.3 ms
64 bytes from 61.135.169.121: icmp_seq=3 ttl=46 time=17.7 ms
64 bytes from 61.135.169.121: icmp_seq=4 ttl=46 time=23.9 ms

--- www.linuxidc.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 10.090/16.539/23.938/5.067 ms
As root, remove the suid bit from ping with chmod, then switch back to yaoyao and try to ping again.
# chmod u-s /bin/ping
# ls -l /bin/ping
-rwxr-xr-x 1 root root 35832 Apr 24 2009 /bin/ping
$ ping www.baidu.com
ping: icmp open socket: Operation not permitted
This time ping fails: without suid, the raw socket is opened with yaoyao's own privileges, which do not allow it. So suid really does run the file with the privileges of its owner rather than those of the user executing it, which is also why every setuid-root binary is a place where an ordinary bug becomes a root compromise. Note that current distributions usually no longer ship ping setuid-root: it carries the cap_net_raw file capability (visible with getcap) or uses unprivileged ICMP sockets via net.ipv4.ping_group_range, so an audit that only looks at ls -l will not find every privileged binary.
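The audit a practitioner wants after reading this is "which files on this box carry suid or sgid, and which of those bits actually do anything". The following is an added shell example, not commands from the original article: find_special_bits walks a tree for files with either bit, and classify_special applies the three caveats above (no execute bit, #! script, nosuid mount) to one file. The function names are this example's own; the test below constructs its own sample files in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original article: audit helpers for the setuid/setgid bits.

# Print every regular file below directory $1 that carries the setuid (04000) or
# setgid (02000) bit. -xdev keeps find on one filesystem, so run it per mount point.
find_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Classify one file by whether its setuid/setgid bit will actually do anything. Prints:
#   none       neither bit is set
#   inert      a bit is set but the file is not executable (ls shows S), so it never applies
#   script     a bit is set on a #! script; the Linux kernel ignores it for interpreted scripts
#   nosuid     a bit is set but the filesystem is mounted nosuid, so the kernel ignores it
#   effective  a bit is set on a native executable and will be honoured at exec time
classify_special() {
    f=$1
    perm=$(stat -c %a "$f") || return 1        # e.g. 4755: the leading digit holds the special bits
    special=$(( (0$perm >> 9) & 6 ))           # keep only suid (4) and sgid (2), drop sticky
    if [ "$special" -eq 0 ]; then echo none; return 0; fi
    if [ ! -x "$f" ]; then echo inert; return 0; fi
    if [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then echo script; return 0; fi
    # Mount point of the file, from the portable df output (6th column), then look
    # for nosuid in that mount's option list.
    mnt=$(df -P "$f" | awk 'NR == 2 { print $6 }')
    if [ -r /proc/mounts ] && awk -v m="$mnt" \
        '$2 == m && $4 ~ /(^|,)nosuid(,|$)/ { found = 1 } END { exit !found }' /proc/mounts
    then
        echo nosuid; return 0
    fi
    echo effective
}

# Typical use on a live system (run as root so every directory is readable):
#   find_special_bits / | while read -r f; do printf '%s %s\n' "$(classify_special "$f")" "$f"; done
```

Anything reported as effective is worth a second look: it should be a known, maintained binary that genuinely needs the privilege, and ideally a file capability (getcap) would replace the bit altogether.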

The effect of special permissions on directories:
sticky on a directory: a file inside it can be deleted or renamed only by the file's owner, by the directory's owner, or by root, regardless of the write permission the group and other users have on the directory. /tmp (mode 1777) is the usual example.
sgid on a directory: files and subdirectories created inside it inherit the directory's group instead of the creator's primary group (subdirectories also inherit the sgid bit). Whether group members can list, create or write files is still decided by the directory's ordinary rwx bits; sgid by itself grants nothing.
sgid and sticky are therefore often set together on a shared directory: members of the group can read and write each other's files there, but cannot delete them. As follows:
First create two users, xiaoyao and linuxidc, for testing, plus a house directory and a love group (xiaoyao and linuxidc fall in love...). Add the two lovers to the love group, set the group of the house directory to love, and then set both sgid and sticky on house.

# useradd xiaoyao
# useradd linuxidc
# mkdir house
# groupadd love

Add xiaoyao and linuxidc to the love group (-a appends to the user's existing supplementary groups; -G on its own replaces them, which would silently drop any other group membership):
# usermod -aG love xiaoyao
# usermod -aG love linuxidc

# id xiaoyao; id linuxidc
uid=503(xiaoyao) gid=504(xiaoyao) groups=504(xiaoyao),506(love) context=root:system_r:unconfined_t:SystemLow-SystemHigh
uid=504(linuxidc) gid=505(linuxidc) groups=505(linuxidc),506(love) context=root:system_r:unconfined_t:SystemLow-SystemHigh
Both users xiaoyao and linuxidc are now in the love group.

Change the house directory group to the love group
# chown :love house
# ls -l
drwxr-xr-x 2 root love 4096 Nov 6 09:34 house

Add sgid and sticky (the leading 3 is sgid 2 + sticky 1), and give the group write permission (users in the group can then create files; otherwise they cannot). Because 3775 gives the group rwx, the group column shows a lowercase s:
# chmod 3775 house
# ls -l
drwxrwsr-t 2 root love 4096 Nov 6 09:34 house

Switch to user linuxidc, create a file named linuxidc in house, and write a sentence to it:
$ echo "I love you xiaoyao." > linuxidc

Switch to user xiaoyao, create a file named xiaoyao, and write "Me too":
$ echo "Me too" > xiaoyao

List the house directory: both files belong to group love because of sgid, and they are group-writable (rw-rw-r--) because these users' umask is 002. With a umask of 022 they would be 644 and the sharing shown below would not work.
$ ls -l
-rw-rw-r-- 1 linuxidc love 19 Nov 6 09:40 linuxidc
-rw-rw-r-- 1 xiaoyao love 6 Nov 6 09:41 xiaoyao

User xiaoyao now tries to delete linuxidc's file in house. The sticky bit refuses the deletion, but writing to the file is still allowed: that is the sharing.
[xiaoyao@localhost house]$ rm linuxidc
rm: cannot remove `linuxidc': Operation not permitted
$ echo "Baby." >>

Me too.
Baby.
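The whole house/love setup above, as an added shell example that is not the article's own commands: one function creates the shared directory and sets its group and the 3770 mode, another reports the directory's mode and group, and a third creates a file in it with umask 002 so the file comes out group-writable, which is what lets another member append to it but not delete it. The directory and group names are whatever you pass in; chgrp only succeeds as root or as a member of the target group, so the test uses the caller's own primary group.

```shell
#!/bin/sh
# Added example, not the article's own commands: create and verify a group shared directory.

# Create directory $1, hand it to group $2, and set mode 3770:
#   2000 sgid    new files inherit group $2 instead of the creator's primary group
#   1000 sticky  only a file's owner (or the directory owner, or root) may delete or rename it
#   770          group members may list, create and write; others get nothing
# chgrp needs root, or a caller who is a member of $2.
make_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 3770 "$1"
}

# Report the directory as one line "MODE GROUP", e.g. "drwxrws--T love".
# Others have no x bit, so the sticky bit is shown as an uppercase T.
shared_dir_state() {
    stat -c '%A %G' "$1"
}

# Create file $2 under shared directory $1 containing text $3. umask 002 makes the
# file rw-rw-r-- (664), so other group members can append to it; the sticky bit on
# the parent still stops them deleting it. Prints the file's group so the sgid
# inheritance can be checked.
create_shared_file() {
    ( umask 002 && printf '%s\n' "$3" > "$1/$2" ) && stat -c %G "$1/$2"
}

# Demo with placeholder names; needs root (or membership of the group) to run as-is.
# make_shared_dir /srv/house love
# shared_dir_state /srv/house          # drwxrws--T love
# create_shared_file /srv/house note "I love you."   # love
```

Using 3770 rather than the article's 3775 keeps users outside the group from even listing the directory; with 3775, as above, everyone can read the shared files, which is a choice to make consciously.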
