Understanding Samba and Linux permissions

Samba's effective permissions have two parts: the permissions on the exported directory in the Linux filesystem, and the permissions configured on the share in Samba itself (smb.conf). The access a user finally gets is the intersection of the two, that is, whichever side is more restrictive wins.

Three facts about file permissions:

  1. A file has an owner, which records who created the file.
  2. A file also has a group ID, which records the group the file belongs to; normally this is the primary group of the file's owner.
  3. If the file is executable, then when it is run the resulting process normally carries only the permissions of the user who invoked it, not those of the file's owner.

The permission flags defined by the three special "bits" are:

  1. setuid: while the file is executing, the process runs with the permissions of the file's owner. For example, /usr/bin/passwd is owned by root and has setuid set, so when an ordinary user runs it the process gains root privileges and can therefore update the password database for that user.
  2. setgid: on an executable, the process runs with the permissions of the file's group. On a directory, any file or subdirectory a user creates inside it inherits the directory's group instead of the creating user's primary group.
  3. sticky bit: this bit can be understood as an anti-delete bit. Whether a user may delete a file depends not on the file's own permissions but on whether the user has write permission on the directory containing it. Without write permission on the directory, the user can neither delete existing files nor add new ones. If you want users to be able to add files but not delete (or rename) files that belong to others, set the sticky bit on the directory. Once it is set, even a user with write access to the directory cannot delete files in it unless they own the file (or own the directory, or are root).

Features of the three bits

Sticky (example: the /tmp directory)

① The sticky bit only has an effect on directories, and it is shown in the "others" execute position of the mode.

② Only the file's owner (plus the directory's owner and root) can delete or rename a file inside such a directory.

③ A lowercase t means the underlying execute (search) bit is also set; an uppercase T means it is not.

Suid (example: the /usr/bin/passwd executable)

① suid only takes effect on binary executables; the Linux kernel ignores it on scripts.

② When a file has suid set, anyone who executes it temporarily holds the permissions of the file's owner for the duration of that process.

③ suid is shown in the owner's execute position of the mode.

④ A lowercase s means the underlying execute bit is also set; an uppercase S means it is not, so the file is not actually executable.

Sgid (use case: a shared directory for a group of developers, so that everything created there stays accessible to the whole group)

① sgid can be applied both to files and to directories.

② When sgid is applied to a directory, every file and subdirectory created inside it gets the directory's group as its group, regardless of who created it (new subdirectories also inherit the sgid bit itself).

③ sgid is shown in the group's execute position of the mode.

④ When sgid is applied to a file, anyone who executes it temporarily holds the permissions of the file's group.

⑤ A lowercase s means the underlying execute bit is also set; an uppercase S means it is not.

How to set these flags

These flags are set with the same command as ordinary file permissions, chmod. There are two ways to do it:

① Symbolic form:

chmod u+s temp -- add the setuid flag to the file temp (setuid only has an effect on files)

chmod g+s tempdir -- add the setgid flag to the directory tempdir (setgid has an effect on both directories and files)

chmod o+t tempdir -- add the sticky flag to the directory tempdir (on Linux the sticky bit only has an effect on directories; it is ignored on regular files)

② Octal form. Ordinary permissions are written as three octal digits, such as 666, 777 or 644. To set the special flags as well, one more octal digit is prepended to that group, such as 4666 or 2777. The three bits of that extra digit mean the following:

abc

a - the setuid bit (value 4). If it is 1, setuid is set.

b - the setgid bit (value 2). If it is 1, setgid is set.

c - the sticky bit (value 1). If it is 1, sticky is set.

The leading digit is the sum of the bits that are set: 4 = setuid, 2 = setgid, 1 = sticky, 6 = setuid and setgid, 7 = all three.

I am used to the first method, but very often file permissions are written as numbers, so I recommend becoming comfortable with both.

After setting these flags you can check them with ls -l. When a flag is present, it is displayed in place of the corresponding execute flag. For example:

rwsrw-r-- means the setuid flag is set

rwxrwsrw- means the setgid flag is set

rwxrw-rwt means the sticky flag is set

So where did the original execute flag x go? The rule is: if that position originally had x, the special flag is displayed as a lowercase letter (s, s, t); otherwise it is displayed as an uppercase letter (S, S, T).

From this it follows that

chmod 4777 sets setuid

chmod 2777 sets setgid

chmod 1777 sets sticky
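As an added example (not code from the original post), the POSIX shell script below applies both the symbolic and the octal form above to files and directories under a throwaway mktemp directory and reads the resulting mode back with GNU stat, so the 4-digit octal mode and the s/S and t/T display can be compared side by side. It assumes GNU coreutils on Linux; the names under $WORK are made up, and no root is needed because you own the files you create.

```shell
#!/bin/sh
# Added example, not from the original post. Sets setuid/setgid/sticky both
# symbolically and in octal, then reads the modes back. Assumes GNU stat on Linux.
set -eu

WORK=$(mktemp -d)                       # scratch directory; file names below are made up
trap 'rm -rf "$WORK"' EXIT

# mode_of FILE -> octal mode including the special-bit digit, e.g. 4755
mode_of() {
    stat -c '%a' "$1"
}

# perm_string FILE -> the rwx string as ls -l prints it, e.g. -rwsr-xr-x
perm_string() {
    stat -c '%A' "$1"
}

# special_digit FILE -> the leading special-bit digit only (0 when none is set)
special_digit() {
    m=$(mode_of "$1")
    case ${#m} in
        4) printf '%s\n' "${m%???}" ;;   # strip the three ordinary digits
        *) printf '0\n' ;;
    esac
}

# Symbolic form: u+s on a file, g+s on a directory, o+t on a directory.
setup_symbolic() {
    touch "$WORK/suid_bin";    chmod 755 "$WORK/suid_bin"; chmod u+s "$WORK/suid_bin"
    mkdir -p "$WORK/shared";   chmod 775 "$WORK/shared";   chmod g+s "$WORK/shared"
    mkdir -p "$WORK/tmp_like"; chmod 777 "$WORK/tmp_like"; chmod o+t "$WORK/tmp_like"
}

# Octal form: leading digit = 4 (setuid) + 2 (setgid) + 1 (sticky).
setup_octal() {
    touch "$WORK/octal_suid";      chmod 4755 "$WORK/octal_suid"
    mkdir -p "$WORK/octal_sgid";   chmod 2775 "$WORK/octal_sgid"
    mkdir -p "$WORK/octal_sticky"; chmod 1777 "$WORK/octal_sticky"
    mkdir -p "$WORK/octal_all";    chmod 7755 "$WORK/octal_all"   # 4+2+1 = 7
    touch "$WORK/plain";           chmod 0644 "$WORK/plain"       # no special bits
}

# Uppercase S/T appear when the special bit is set but the underlying x bit is not.
setup_uppercase() {
    touch "$WORK/no_x_suid";       chmod 4644 "$WORK/no_x_suid"
    mkdir -p "$WORK/no_x_sticky";  chmod 1776 "$WORK/no_x_sticky"
}

setup_symbolic
setup_octal
setup_uppercase
for f in suid_bin shared tmp_like octal_all plain no_x_suid no_x_sticky; do
    printf '%-12s %s %s\n' "$f" "$(mode_of "$WORK/$f")" "$(perm_string "$WORK/$f")"
done
```

Note that `chmod u+s` on suid_bin and `chmod 4755` on octal_suid produce the identical mode 4755, and that 4644 shows as `-rwSr--r--` because the owner's x bit is missing.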

Finally, two common operations.

Common operations

Find all dangerous directories (directories that everyone can write to but that lack the sticky bit, so any user can delete other users' files in them). -perm -0002 matches directories writable by others, and ! -perm -1000 excludes the ones that already have the sticky bit, such as /tmp:

find / -type d -perm -0002 ! -perm -1000

Find all files with setuid set

find / -perm -4000 -type f
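As an added example (not from the original post), the script below builds a small constructed directory tree with one instance of each case, a sticky world-writable directory like /tmp, a world-writable directory without the sticky bit, a setuid file and a setgid file, and then runs the audit searches as shell functions so the expected hits are known in advance. It assumes GNU find on Linux (the -perm /MODE form is a GNU extension); every name under $ROOT is made up.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a constructed tree and runs
# the audit searches against it. Assumes GNU find on Linux; names are made up.
set -eu

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT

# Constructed sample tree: one directory or file per case we want to detect.
build_tree() {
    mkdir -p "$ROOT/safe_tmp" "$ROOT/unsafe_dropbox" "$ROOT/private"
    chmod 1777 "$ROOT/safe_tmp"           # world-writable, sticky set: like /tmp
    chmod 0777 "$ROOT/unsafe_dropbox"     # world-writable, no sticky: anyone can delete others' files
    chmod 0755 "$ROOT/private"            # not world-writable
    touch "$ROOT/private/helper" "$ROOT/private/plain" "$ROOT/private/groupexec"
    chmod 4755 "$ROOT/private/helper"     # setuid executable
    chmod 0755 "$ROOT/private/plain"      # ordinary executable, must not be reported
    chmod 2755 "$ROOT/private/groupexec"  # setgid executable
}

# World-writable directories that lack the sticky bit.
# -perm -0002: "others" write bit set; ! -perm -1000: sticky bit not set.
# A plain -perm -0007 search would also list sticky directories such as /tmp.
unsafe_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Setuid regular files: -perm -4000 means "the setuid bit is set, whatever else is".
setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Setgid regular files, worth auditing alongside setuid ones.
setgid_files() {
    find "$1" -type f -perm -2000 2>/dev/null | sort
}

# Anything with any of the three special bits: -perm /7000 matches if at least one is set.
any_special_bits() {
    find "$1" -perm /7000 2>/dev/null | sort
}

# Number of entries carrying any special bit (tr strips wc's padding on some systems).
count_special_bits() {
    any_special_bits "$1" | wc -l | tr -d ' '
}

report() {
    echo "== world-writable dirs without sticky bit =="; unsafe_world_writable_dirs "$1"
    echo "== setuid files =="; setuid_files "$1"
    echo "== setgid files =="; setgid_files "$1"
    echo "== entries with any special bit =="; any_special_bits "$1"
}

build_tree
report "$ROOT"
```

Remember the difference between the two -perm forms: `-perm -MODE` requires all the listed bits, `-perm /MODE` requires at least one of them. When auditing a real system with `find /`, add `-xdev` to stay on one filesystem and avoid walking /proc and network mounts.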


Source: www.cnblogs.com/bongem/p/12110087.html