[Reserved] Linux SUID and SGID

Author: sparkdev

setuid and setgid are abbreviations of "set user ID upon execution" and "set group ID upon execution"; they are usually shortened further to SUID and SGID. They are access-permission flags on a file that allow a user to run an executable with the permissions of the executable's owner or owner group.
Note: the demonstration environment for this article is Ubuntu 16.04.

SUID

In Linux, all account passwords are recorded in the file /etc/shadow, and only root can read and write this file:

If an ordinary account, tester, needs to change its own password, it has to access the /etc/shadow file. But clearly only root can access /etc/shadow, so how is this done? In fact, the tester user is able to modify its password in /etc/shadow thanks to the SUID feature. Let's look at the permission information of the passwd program:

The permission information in the red box of the figure looks strange: the owner permissions are rws instead of rwx. When an s appears in the x position of the file owner's permissions, it is called the SETUID bit, or SETUID for short, and it has the following characteristics:

  • SUID permission is only meaningful on binary executable files
  • If the executor has x permission on the binary executable, the executor gains the permissions of the file's owner during execution
  • These permissions are effective only while that binary executable is running

Here we look at how the tester user uses SUID permission to complete a password change:

  1. The tester user has execute permission on /usr/bin/passwd, so it can run the passwd program
  2. The owner of the passwd program is root
  3. The process in which tester executes passwd temporarily gains root privileges
  4. Therefore, while the passwd program is executing, the tester user can modify the /etc/shadow file

However, if tester runs the command cat /etc/shadow to read the file, it does indeed fail:

The reason is clear: the tester user has no read permission on /etc/shadow, and the cat program does not have SUID set. We can understand these two cases from the following figure:

If you want any user to be able to read /etc/shadow through the cat command, that is also very easy: just set the SUID permission on it:

$ sudo chmod 4755 /bin/cat

Now cat has SUID permission; try it and see whether cat /etc/shadow now shows the contents. Because this is very unsafe, we remove the SUID permission from cat with the following command:

$ sudo chmod 755 /bin/cat
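A defender's first use of the facts above is an inventory: every SUID or SGID binary lends its owner's or group's identity to whoever runs it, so one that is not on the expected list is a finding. The following Python audit is an added example, not code from the original post; the directory tree it scans and the allow-list it checks against are constructed here for the demonstration.

```python
import os
import stat
import tempfile

def find_special_bits(root):
    """Walk `root` and return (path, symbolic mode, uid, gid) for every regular
    file that carries the SUID or SGID bit. lstat is used so symlinks are not
    followed; a symlink cannot carry an effective setuid bit anyway."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue          # unreadable or vanished: skip, do not abort the audit
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.filemode(st.st_mode), st.st_uid, st.st_gid))
    return hits

def unexpected(hits, baseline):
    """Return the hits whose path is not in the allow-list `baseline`
    (e.g. a set of paths recorded on a freshly installed system)."""
    return [h for h in hits if h[0] not in baseline]

def demo():
    """Constructed sample tree: one SUID file shaped like passwd, one plain file."""
    with tempfile.TemporaryDirectory() as tmp:
        suid = os.path.join(tmp, "fake-passwd")
        plain = os.path.join(tmp, "notes.txt")
        for p in (suid, plain):
            open(p, "w").close()
        os.chmod(suid, 0o4755)    # -rwsr-xr-x, the mode /usr/bin/passwd shows in the text
        os.chmod(plain, 0o644)
        return [(os.path.basename(p), m) for p, m, _, _ in find_special_bits(tmp)]

if __name__ == "__main__":
    for name, mode in demo():
        print(mode, name)
```

Running it against / with -xdev-style filtering of mounts and a recorded baseline turns the "cat 4755" experiment above into something that gets noticed.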

SGID

When the s flag appears in the x position of the group permissions, it is called SGID. The characteristics of SGID are the same as those of SUID; we demonstrate its usage with the /usr/bin/mlocate program. The mlocate program provides fast file search by querying the database file /var/lib/mlocate/mlocate.db. The permissions of the mlocate program are shown below:

Obviously, it has SGID permission set. The following is the permission information of the database file /var/lib/mlocate/mlocate.db:

When the ordinary user tester executes the mlocate command, tester gains the permissions of the mlocate group during execution, and because the mlocate group has read permission on mlocate.db, tester can read mlocate.db. The process during execution is shown below:

In addition to binaries, SGID can also be applied to directories. When a directory has SGID permission set, it has the following characteristics:

  1. If the user has r and x permissions on this directory, the user can enter the directory
  2. Inside this directory, the user's effective group becomes the group of the directory
  3. If the user also has w permission on this directory, new files the user creates in it get the same group as the directory

Let's look at an example. Create a directory testdir; its permissions are set as follows:

At this point the owner of directory testdir is nick and its group is tester.
Create a file named nickfile:

The file's permissions look nothing special. Then set the SGID permission on the testdir directory:

$ sudo chmod 2775 testdir

Then create a file named nickfile2:

The group of the new file is tester!

To summarize: when SGID is applied to an ordinary file it is similar to SUID; when the file is executed, the user gains the permissions of the file's group. When SGID acts on a directory, its meaning is more important: when a user has write and execute permissions on a directory, the user can create files in it, and if the directory has SGID set, the files the user creates in this directory belong to the group of the directory.

SBIT

In fact, SBIT is not closely related to SUID and SGID.
SBIT is short for the restricted deletion flag, or sticky bit.
Currently SBIT is only effective on directories; it stops users from deleting files they do not own. The most common example is the /tmp directory:

The trailing t in the permission information indicates that the directory has SBIT set. The role of SBIT on a directory is: when a user creates a new file or directory inside it, only that user and root have the power to delete it.

Setting SUID, SGID and SBIT permissions

Setting permissions numerically
The digits corresponding to the SUID, SGID and SBIT permissions are as follows:

SUID->4
SGID->2
SBIT->1

So if you want to add the SUID permission to a file whose permissions are "-rwxr-xr-x", you prepend 4 to the original 755, giving 4755:

$ chmod 4755 filename

Similarly, 2 and 1 are used to set the SGID and SBIT permissions. After setting them, the permission display uses s, s and t in place of the x of the owner, group and others respectively.

In fact, uppercase S and T can also occur. Lowercase s and t replace the x permission, but if the x permission is absent, adding SUID, SGID or SBIT is displayed as an uppercase S or an uppercase T. For example, we add SUID, SGID and SBIT to a file whose permissions are 666:

Execute chmod 7666 nickfile. Because 666 represents "-rw-rw-rw-", with no x permission at all, the result becomes "-rwSrwSrwT".

Setting permissions symbolically

In addition to modifying permissions with numbers, you can also use symbols:

$ chmod u+s testfile   # add the SUID permission to the file testfile
$ chmod g+s testdir    # add the SGID permission to the directory testdir
$ chmod o+t testdir    # add the SBIT permission to the directory testdir
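The uppercase/lowercase rule for s and t, and the symbolic clauses just shown, can be checked with a small Python rendering of the mode bits. This is an added example and not code from the original post; `mode_to_symbolic` and `apply_symbolic` are names chosen here, and the clause parser handles only the who/+/-/letters subset the text uses.

```python
import stat

# Which letter stands in for x in each triplet when its special bit is set.
SPECIAL = ((stat.S_ISUID, "s"), (stat.S_ISGID, "s"), (stat.S_ISVTX, "t"))

def mode_to_symbolic(mode):
    """Render a numeric mode (e.g. 0o4755) the way ls -l shows it: 'rwsr-xr-x'.
    Lowercase s/t: the special bit sits on top of an x permission.
    Uppercase S/T: the special bit is set but x is absent (chmod 7666 -> rwSrwSrwT)."""
    out = []
    for (special_bit, letter), shift in zip(SPECIAL, (6, 3, 0)):  # owner, group, others
        rwx = (mode >> shift) & 0o7
        out.append("r" if rwx & 4 else "-")
        out.append("w" if rwx & 2 else "-")
        has_x = bool(rwx & 1)
        if mode & special_bit:
            out.append(letter if has_x else letter.upper())
        else:
            out.append("x" if has_x else "-")
    return "".join(out)

# Bits addressed by each 'who' letter in a symbolic clause. 's' only means
# something for u and g, 't' only for o, matching the three clauses in the text.
WHO_BITS = {
    "u": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR, "s": stat.S_ISUID},
    "g": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP, "s": stat.S_ISGID},
    "o": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH, "t": stat.S_ISVTX},
}

def apply_symbolic(mode, clause):
    """Apply one chmod clause such as 'u+s', 'g+s', 'o+t' or 'go-w' to `mode`.
    Only the who/+/-/perm subset used in the text is supported (no '=' or 'X')."""
    op_at = next(i for i, c in enumerate(clause) if c in "+-")
    who, op, perms = clause[:op_at] or "a", clause[op_at], clause[op_at + 1:]
    if who == "a":
        who = "ugo"
    bits = 0
    for w in who:
        for p in perms:
            bits |= WHO_BITS[w].get(p, 0)
    return mode | bits if op == "+" else mode & ~bits

if __name__ == "__main__":
    for m in (0o4755, 0o2775, 0o1777, 0o7666):
        print(f"{m:04o} -> {mode_to_symbolic(m)}")
    print(f"755 after u+s -> {apply_symbolic(0o755, 'u+s'):04o}")
```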

Summary

The SUID, SGID and SBIT permissions were designed to implement special functions; their aim is to cover usage scenarios that ordinary ugo permissions cannot achieve.



Origin: www.cnblogs.com/drkang/p/11588192.html