Linux basics: special permissions

22.5) Special permissions

22.5.1) SetUID (abbreviated suid) (numeric value 4000)

Function: temporarily run a command with the permissions of the file's owner. If a file has suid set, an ordinary user who executes it runs it with the identity of the file's owner. It is mainly used on commands, that is, binary executables, and it is set on the owner's execute bit.

Representation: suid is written as an s in the owner's execute bit. If the owner already has execute permission, that bit shows a lowercase s; if the owner has no execute permission, it shows an uppercase S.


Setting setUID (suid) permission:
Method 1: [root@centos7 ~]# chmod u+s filename
Method 2: [root@centos7 ~]# chmod 4755 filename

    [root@centos7 ~]# ll /usr/bin/passwd
    -rwsr-xr-x. 1 root root 27832 Jun 10 2014 /usr/bin/passwd

Example 1: if the owner has no execute permission, an uppercase S is written in the owner's execute bit.

    [root@centos7 ~]# touch file02          # create the file file02
    [root@centos7 ~]# ll file02             # the owner of file02 has no x (execute) permission
    -rw-r--r--. 1 root root 0 Jul 2 15:53 file02
    [root@centos7 ~]# chmod u+s file02      # grant setUID (suid) permission
    [root@centos7 ~]# ll file02             # setUID wrote an uppercase S in the owner's execute bit
    -rwSr--r--. 1 root root 0 Jul 2 15:53 file02

Example 2: if the owner has execute permission, a lowercase s is written in the owner's execute bit.

    [root@centos7 ~]# touch file03          # create the file file03
    [root@centos7 ~]# chmod 744 file03
    [root@centos7 ~]# ll file03             # the owner of file03 has x (execute) permission
    -rwxr--r--. 1 root root 0 Jul 2 15:59 file03
    [root@centos7 ~]# chmod u+s file03      # grant setUID (suid) permission
    [root@centos7 ~]# ll file03             # setUID wrote a lowercase s in the owner's execute bit
    -rwsr--r--. 1 root root 0 Jul 2 15:59 file03

Example 3: on a Linux system every ordinary user can change their own password. Ordinary user information is stored in /etc/passwd and password information in /etc/shadow, so when an ordinary user changes their password, the login password is written to /etc/shadow. Yet if we look at the permissions of these two files, ordinary users have no write permission on either of them. So why can an ordinary user change their own password, which writes to /etc/shadow?

The reason an ordinary user can change the password is that the passwd command carries the special permission SetUID: the s we see in the owner's execute bit means passwd runs with the identity of the file's owner, that is, as root, so it can modify the password.

SetUID (abbreviated suid) summary:
1. It lets an ordinary user who executes a binary temporarily have the permissions of the binary's owner.
2. If it is set on a binary that has no execute permission, suid is displayed as S (uppercase S).
3. The special permission suid only takes effect on binary executable programs; on other files or directories it has no effect.

Note: suid is extremely dangerous. If you do not believe it, think about what happens when vim or rm is given setUID: any file could then be edited or deleted, which is equivalent to root privileges.

22.5.3 setGID (abbreviated sgid) (numeric value 2000)

Function: lets multiple users share a group (understand it this way for now). It is mainly used to authorize a directory as a shared directory.

If the group has execute permission, a lowercase s is written in the group's execute bit; if the group has no execute permission, an uppercase S is written in the group's execute bit.

    [root@oldboyedu ~]# ll /bin/write
    -rwxr-sr-x. 1 root tty 19624 Oct 31 2018 /bin/write

Setting setGID permission:
    [root@db04 ~]# chmod 2755 /tmp/test/
    [root@db04 ~]# chmod g+s /tmp/test/

Example 1:
    [root@centos7 ~]# mkdir /tmp/test                  # create the /tmp/test directory
    [root@centos7 ~]# ll -d /tmp/test/                 # check /tmp/test: the group has x (execute) permission
    drwxr-xr-x. 2 root root 6 Jul 2 17:32 /tmp/test/
    [root@centos7 ~]# touch /tmp/test/root_file
    [root@centos7 ~]# ll /tmp/test/root_file
    -rw-r--r--. 1 root root 0 Jul 2 18:27 /tmp/test/root_file
    [root@centos7 ~]# su - linux01                     # switch to the user linux01
As root:
    [root@centos7 ~]# chmod 777 /tmp/test/             # change the permissions of the /tmp/test directory
    [root@centos7 ~]# ll -d /tmp/test/
    drwxrwxrwx. 2 root root 23 Jul 2 18:27 /tmp/test/
As linux01:
    [linux01@centos7 ~]$ touch /tmp/test/linux01_file  # create linux01_file in the /tmp/test directory
    [linux01@centos7 ~]$ ll /tmp/test/linux01_file     # the owning group of linux01_file is the creator's group, linux01
    -rw-rw-r--. 1 linux01 linux01 0 Jul 2 18:35 /tmp/test/linux01_file
As root:
    [root@centos7 ~]# chmod g+s /tmp/test/             # grant setGID (sgid) permission
    [root@centos7 ~]# ll -d /tmp/test/                 # setGID wrote a lowercase s in the group's execute bit
    drwxrwsrwx. 2 root root 43 Jul 2 18:35 /tmp/test/

SetGID (abbreviated sgid) summary:
1. It modifies the group permission bit: files or directories created by users inside the directory get the same owning group as the directory.
2. When a directory has sgid set, new files created in it no longer default to the creator's owning group.
3. sgid makes it easy for multiple users to share all the files in a directory.
22.5.4 sbit, the sticky bit (numeric value 1000)

Function: the sticky bit. Even if a directory grants w permission, users other than root can only delete or move their own files.

    [root@oldboyedu ~]# ll -d /tmp/
    drwxrwxrwt. 8 root root 105 Jul 2 10:15 /tmp/

If others have execute permission, a lowercase t is written in the others' execute bit; if others have no execute permission, an uppercase T is written in the others' execute bit.

Setting the sticky bit:
    [root@db04 ~]# chmod 1755 /opt
    [root@db04 ~]# chmod o+t /opt

Sticky, the sticky bit, is currently only meaningful on directories and has the following effect. Ordinary users who have w and x permission on a directory can write to it; without the sticky bit, an ordinary user with w permission can delete every file in the directory, including files created by other users. Once the sticky bit is set, only root can delete all files; an ordinary user, even with w permission, can only delete the files they created themselves and cannot delete files created by other users. The /tmp directory on the system is the classic sticky-bit directory: everyone has write permission on it, so it raises security concerns and is often the first springboard for Trojans.
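The s/S and t/T display rules from the three sections above, as an added example that is not from the original article (assumes POSIX sh; the function names are this example's own): a converter between the symbolic permission string printed by ll and the four-digit octal mode, run over the listings quoted in these sections.

```shell
#!/bin/sh
# Added example, not code from the original article. A lowercase s or t means the
# special bit AND the execute bit are set; an uppercase S or T means the special bit
# is set but execute is not. Both directions are implemented so a mode can be checked.

# digit_of rwx -> 0..7 for one three-character column (s and t imply x)
digit_of() {
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# sym_to_octal rwsr-xr-x -> 4755 (a leading type character such as d or - is ignored)
sym_to_octal() {
    p=$1
    case ${#p} in 10) p=${p#?} ;; esac          # drop the file-type column of ll output
    u=$(printf '%.3s' "$p"); rest=${p#???}
    g=$(printf '%.3s' "$rest"); o=${rest#???}
    sp=0
    case "$u" in ??[sS]) sp=$((sp + 4)) ;; esac  # SUID lives in the owner execute column
    case "$g" in ??[sS]) sp=$((sp + 2)) ;; esac  # SGID lives in the group execute column
    case "$o" in ??[tT]) sp=$((sp + 1)) ;; esac  # sticky bit lives in the others execute column
    echo "$sp$(digit_of "$u")$(digit_of "$g")$(digit_of "$o")"
}

# octal_to_sym 4644 -> rwSr--r-- (the inverse of sym_to_octal)
octal_to_sym() {
    m=$((0$1)); out=""
    for col in 6:4:s 3:2:s 0:1:t; do             # shift, special bit, letter per column
        by=${col%%:*}; rest=${col#*:}; bit=${rest%%:*}; letter=${rest#*:}
        d=$(( (m >> by) & 7 ))
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( (m >> 9) & bit )) -eq 0 ]; then
            if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
        elif [ $((d & 1)) -ne 0 ]; then out="$out$letter"        # special + execute: lowercase
        else out="$out$(printf %s "$letter" | tr st ST)"; fi     # special without execute: uppercase
    done
    echo "$out"
}

# The listings quoted in the article, converted there and back:
for s in -rwsr-xr-x -rwSr--r-- -rwxr-sr-x drwxrwsrwx drwxrwxrwt; do
    printf '%s -> %s -> %s\n' "$s" "$(sym_to_octal "$s")" "$(octal_to_sym "$(sym_to_octal "$s")")"
done
```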




22.6 Linux file attributes

chattr overview: file attributes override the r, w, x, suid and sgid permissions.

22.6.1 lsattr

Function: view the special attributes of a file.

    [root@centos7 ~]# lsattr /etc/passwd
    ---------------- /etc/passwd

22.6.2 chattr

Function: set special attributes; the chattr command changes file attributes.

    i    # lock the file (chattr +i): it cannot be edited, modified, deleted or moved; it can only be viewed
    a    # append-only (chattr +a): content can only be added; it cannot be edited, deleted or moved; it can be viewed

Examples:
(1) Prevent a critical system file from being modified:
    chattr +i /etc/fstab
(2) Make a file that can only be written to by appending, so that content already added cannot be deleted; some log files are suited to this:
    chattr +a /data1/user_act.log


22.7 The Linux process mask (umask)

22.7.1 What is umask?

When we log into the system, the files we create always have a default permission, for example directories default to 755 and files to 644. Where does this permission come from? To tell the truth, it is the umask's doing: umask sets the default permissions of the files a user creates.

22.7.2 How umask changes the permissions of a new file

The default umask is 022. When we create a directory, its permission would normally be 777, but the umask is the value to subtract, so a new directory's permission is 777-022 = 755. The same goes for files: 666-022 = 644.

22.7.3 Configuration files related to umask

Files related to umask: /etc/bashrc, /etc/profile, ~/.bashrc, ~/.bash_profile

Example 1:
Directory: 0777-0022 = 0755, and 0777-0023 = 0754

    [root@centos7 ~]# umask 0023          # set the umask
    [root@centos7 ~]# umask
    0023
    [root@centos7 ~]# mkdir zls4          # create the directory zls4
    [root@centos7 ~]# stat zls4           # view the permission zls4 received under this umask
      File: 'zls4'
      Size: 6               Blocks: 0          IO Block: 4096   directory
    Device: 803h/2051d      Inode: 50696782    Links: 2
    Access: (0754/drwxr-xr--)  Uid: (    0/    root)   Gid: (    0/    root)
    Context: unconfined_u:object_r:admin_home_t:s0

File: 0666-0022 = 0644

    [root@centos7 ~]# umask 0022          # set the umask back to 0022
    [root@centos7 ~]# umask
    0022
    [root@centos7 ~]# touch oldboy1       # create the file oldboy1
    [root@centos7 ~]# ll oldboy1          # view the permission oldboy1 received under this umask
    -rw-r--r--. 1 root root 0 Jul 2 20:28 oldboy1

Example 2:

    [root@centos7 ~]# umask 24            # set the umask to 0024
    [root@centos7 ~]# mkdir zls5          # create the directory zls5
    [root@centos7 ~]# touch oldboy2       # create the file oldboy2
    [root@centos7 ~]# ll -d zls5          # directory: 0777-0024 = 0753
    drwxr-x-wx. 2 root root 6 Jul 2 20:34 zls5
    [root@centos7 ~]# ll oldboy2          # file: 0666-0024 = 0642
    -rw-r---w-. 1 root root 0 Jul 2 20:34 oldboy2

Example 3: umask = 0023 (the last digit is odd)
Directory: 0777-0023 = 0754
File: 0666-0023 = 0644 (3+1: because the last umask digit is odd, 1 must be added to that position)

Example 4: umask = 0051 (the second-to-last and the last digits are odd)
Directory: 0777-0051 = 0726
File: 0666-0051 = 0626 (1+1: 1 must be added to the second-to-last position; 5+1: 1 must be added to the last position)

The reason for the "+1" is that a file starts from 666, which has no execute bits: an odd umask digit asks to remove an execute bit that is not there, so plain subtraction takes away one more than the umask actually removes. A directory starts from 777, so no correction is needed.
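The "subtract, then add 1 for odd digits" rule of examples 3 and 4, as an added example that is not from the original article (assumes POSIX sh and, for the live check only, GNU stat; the function names are this example's own): the kernel applies the umask as mode & ~umask, and the functions below compare that with plain octal subtraction for the umasks used above.

```shell
#!/bin/sh
# Added example, not code from the original article. Files start from 666 and
# directories from 777; the kernel clears the umask bits (mode & ~umask), which only
# equals digit-wise subtraction when every umask bit is present in the base mode.

# subtract_octal BASE MASK -> plain octal subtraction, the article's starting point
subtract_octal() {
    printf '%o\n' $(( 0$1 - 0$2 ))
}

# apply_umask BASE MASK -> the mode the kernel actually assigns, e.g. 666 023 -> 644
apply_umask() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# live_mode KIND MASK -> mode of a file (KIND=f) or directory (KIND=d) created under
# MASK in a scratch directory; prints n/a when GNU stat is not available
live_mode() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$2"
        if [ "$1" = d ]; then mkdir "$scratch/x"; else touch "$scratch/x"; fi
    )
    stat -c '%a' "$scratch/x" 2>/dev/null || echo n/a
    rm -rf "$scratch"
}

# The umasks used in the article, computed both ways:
for mask in 0022 0023 0024 0051; do
    printf 'umask %s: dir %s, file %s (subtraction alone would give file %s)\n' \
        "$mask" "$(apply_umask 777 "$mask")" "$(apply_umask 666 "$mask")" "$(subtract_octal 666 "$mask")"
done
printf 'live check with umask 0023: file %s, dir %s\n' "$(live_mode f 0023)" "$(live_mode d 0023)"
```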

 

 

 


Origin www.cnblogs.com/dabai-wang09/p/11123435.html