Analysis of SUID and SGID under Linux


Today I am going to study the question of SUID and SGID. This is what tripped me up in the written test, bitter tears~

1. The representation and meaning of file permissions under Linux

SUID stands for Set User ID and SGID for Set Group ID. Under Linux you can use the ls -l command to see the permissions of a file. The notation printed by ls looks like this: -rwxr-xr-x. The string has ten positions:

 9 8 7 6 5 4 3 2 1 0
 - r w x r - x r - x

Position 9 indicates the file type, which can be p, d, l, s, c, b or -. Positions 8-6, 5-3 and 2-0 indicate the permissions of the file owner, of users in the same group, and of other users respectively, each in the form rwx:

r   readable: the contents of the file can be read
w   writable: the contents of the file can be modified
x   executable: the program can be run
-   the corresponding permission is not granted

If a file has the SUID or SGID bit set, this is shown in the executable position of the owner's or the group's permissions. For example (note the case):

1. -rwsr-xr-x    SUID is set, and the executable bit in the owner's permissions is set
2. -rwSr--r--    SUID is set, but the executable bit in the owner's permissions is not set
3. -rwxr-sr-x    SGID is set, and the executable bit in the group's permissions is set
4. -rw-r-Sr--    SGID is set, but the executable bit in the group's permissions is not set

In fact, in the UNIX implementation, file permissions are represented by 12 binary digits. A value of 1 at a position means the corresponding permission is present:

11 10 9 8 7 6 5 4 3 2 1 0
 S  G T r w x r w x r w x

Bit 11 is the SUID bit, bit 10 is the SGID bit, bit 9 is the sticky bit, and bits 8-0 correspond to the three groups of rwx bits above. For example:

-rwsr-xr-x has the value:  1 0 0 1 1 1 1 0 1 1 0 1
-rw-r-Sr-- has the value:  0 1 0 1 1 0 1 0 0 1 0 0

The commands to set or remove SUID and SGID on a file are as follows:

chmod u+s filename    set the SUID bit
chmod u-s filename    remove the SUID bit
chmod g+s filename    set the SGID bit
chmod g-s filename    remove the SGID bit

Another method is to give chmod the permissions in octal notation, which is also simple once you understand the 12-bit representation above. For example:

chmod 4xxx filename    set the SUID bit (the leading digit encodes bits 11-9, xxx the three rwx groups)
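To make the mapping between the ls -l string, the 12 binary digits and the octal chmod argument concrete, here is an added example (mine, not from the original article) that converts in both directions, including the s/S and t/T cases:

```python
# Added example (not part of the original article): convert between the ls -l
# permission string and the 12-bit mode value described in the text.
_RWX = "rwxrwxrwx"                     # letters for bits 8..0: owner, group, other
_SUID, _SGID, _STICKY = 0o4000, 0o2000, 0o1000   # bits 11, 10 and 9

def parse_mode_string(s: str) -> int:
    """Turn a string such as '-rwsr-xr-x' into the 12-bit mode (here 0o4755)."""
    if len(s) != 10:
        raise ValueError("expected a 10-character string like -rwxr-xr-x")
    body = s[1:]                       # drop the file-type character (position 9)
    mode = 0
    for i, ch in enumerate(body):
        bit = 1 << (8 - i)             # bit 8 is the owner's r, bit 0 is other's x
        if ch == _RWX[i]:
            mode |= bit
        elif ch == "-":
            continue
        elif i in (2, 5) and ch in "sS":   # executable slot of owner (2) or group (5)
            mode |= _SUID if i == 2 else _SGID
            if ch == "s":              # lower case: the x bit is set as well
                mode |= bit
        elif i == 8 and ch in "tT":    # sticky bit shows in the "other" executable slot
            mode |= _STICKY
            if ch == "t":
                mode |= bit
        else:
            raise ValueError(f"unexpected character {ch!r} at position {i}")
    return mode

def mode_to_string(mode: int, ftype: str = "-") -> str:
    """Inverse of parse_mode_string; ftype is the leading file-type character."""
    out = []
    for i, letter in enumerate(_RWX):
        bit = 1 << (8 - i)
        ch = letter if mode & bit else "-"
        special = {2: _SUID, 5: _SGID, 8: _STICKY}.get(i)
        if special and mode & special:   # s/t if x is also set, S/T if it is not
            ch = ("s" if i < 8 else "t") if mode & bit else ("S" if i < 8 else "T")
        out.append(ch)
    return ftype + "".join(out)

def bits(mode: int) -> str:
    """The 12 binary digits in the order bit 11 .. bit 0, as in the table."""
    return format(mode & 0o7777, "012b")

if __name__ == "__main__":
    for s in ("-rwsr-xr-x", "-rw-r-Sr--", "-rwxr-sr-x"):
        m = parse_mode_string(s)
        print(f"{s}  bits={bits(m)}  chmod {m:04o} filename")
```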

2. SUID and SGID in detail

Since SUID and SGID only take effect when a program is executed (the executable bit is set), and the executable bit is only meaningful for regular files and directories, setting the SUID and SGID bits on other kinds of files makes little sense.

1) Regular files

Suppose the regular file myfile belongs to user foo and is executable, with no SUID bit set. ls shows it as follows:

-rwxr-xr-x 1 foo staff 7734 Apr 05 17:07 myfile    (any user can execute this program)

On what basis does the UNIX kernel decide a process's access to resources? On the (effective) ids of the user running the process, that is, the user id and the group id. A user can use the id command to look up the user id and group id of themselves or of other users. Besides the ordinary user id and group id there are two further ids called effective ids. Together these four are uid, gid, euid and egid. The kernel decides a process's access rights to resources mainly according to euid and egid.

If the program a process runs has neither the SUID nor the SGID bit, then euid=uid and egid=gid, the uid and gid of the user running the program. If user kevin has uid 204 and gid 202, and user foo has uid 200 and gid 201, then the process created when kevin runs myfile has euid=uid=204 and egid=gid=202. The kernel judges the process's access to resources by these values, so its access is really kevin's own access to resources and has nothing to do with foo.

If the program has the SUID bit set, euid and egid become the uid and gid of the program's owner. For example, when kevin runs myfile, euid=200, egid=201, uid=204, gid=202, and the process has the resource access rights of the owner foo.

The purpose of SUID is this: a user who lacks the appropriate permissions can, by running the program, access resources he could not otherwise access. passwd is a very clear example. SUID takes precedence over SGID: when an executable program has SUID set, the SGID is automatically applied as the corresponding egid.

The following discusses an example.

UNIX systems have a /dev/kmem device file, a character device that holds the data the kernel works on, including users' passwords. Ordinary users must therefore not be able to read or write this file, and its permissions are set to:

cr--r----- 1 root system 2, 1 May 25 1998 kmem

But ps and other programs need to read this file, so the permissions of ps are set as follows:

-r-xr-sr-x 1 bin system 59346 Apr 05 1998 ps

This is a program with SGID set. The owner of ps is bin, not root, so setting SUID would not give it access to kmem. But notice that both bin and root belong to the system group, and ps has SGID set, so when an ordinary user executes ps he obtains the permissions of the system group. The group permissions of kmem allow reading, so an ordinary user can run ps without any problem.

But some people ask: why not make ps a program owned by root and then set the SUID bit? Wouldn't that work? It would solve the problem, but why is it not done in practice? Because the risk of SGID is much smaller than that of SUID; for system security, SGID should be used instead of SUID wherever possible.
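The euid/egid rule and the ps/kmem reasoning above, replayed as an added example (mine, not from the article): kevin (204/202) and foo (200/201) are the ids from the text, while root=0, bin=2 and gid 0 for the system group are assumed values. The exec rule is applied as the kernel applies it, where a SUID bit changes only the euid and an SGID bit only the egid, so kevin's egid stays 202 when he runs a SUID-only myfile.

```python
# Added example (not part of the original article): the effective-id rule and the
# owner/group/other permission check, replayed with the ids used in the text.
# kevin (204/202) and foo (200/201) come from the text; root=0, bin=2 and the
# "system" group gid=0 are constructed values for the ps/kmem case.
from dataclasses import dataclass

S_ISUID, S_ISGID = 0o4000, 0o2000

@dataclass
class File:
    mode: int   # 12-bit mode, e.g. 0o2555 for -r-xr-sr-x
    uid: int    # owner's uid
    gid: int    # owning group's gid

def exec_ids(prog: File, uid: int, gid: int) -> tuple[int, int]:
    """Effective ids a process gets when user (uid, gid) executes prog.
    Without SUID/SGID, euid=uid and egid=gid. A SUID bit replaces only the
    euid with the owner's uid; an SGID bit replaces only the egid."""
    euid = prog.uid if prog.mode & S_ISUID else uid
    egid = prog.gid if prog.mode & S_ISGID else gid
    return euid, egid

def can_read(f: File, euid: int, egid: int) -> bool:
    """Read check the way the kernel classes it: the owner bits apply if euid
    is the owner, else the group bits if egid is the file's group, else 'other'.
    (Supplementary groups are ignored here; the text only discusses egid.)"""
    if euid == f.uid:
        return bool(f.mode & 0o400)
    if egid == f.gid:
        return bool(f.mode & 0o040)
    return bool(f.mode & 0o004)

ROOT, BIN, SYSTEM = 0, 2, 0                 # constructed ids
KEVIN_UID, KEVIN_GID = 204, 202
FOO_UID, FOO_GID = 200, 201

kmem   = File(0o440, ROOT, SYSTEM)          # cr--r-----  root system
ps     = File(0o2555, BIN, SYSTEM)          # -r-xr-sr-x  bin  system (SGID)
myfile = File(0o755, FOO_UID, FOO_GID)      # -rwxr-xr-x  foo  staff

def kevin_runs(prog: File) -> tuple[int, int]:
    """The ids of the process created when kevin runs prog."""
    return exec_ids(prog, KEVIN_UID, KEVIN_GID)

if __name__ == "__main__":
    euid, egid = kevin_runs(ps)
    print(f"kevin runs ps: euid={euid} egid={egid} reads kmem: {can_read(kmem, euid, egid)}")
    print("kevin reads kmem directly:", can_read(kmem, KEVIN_UID, KEVIN_GID))
    print("kevin runs myfile:", kevin_runs(myfile))
```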

2) Directory files

SUID has no effect on a directory. If a directory has the SGID bit set, then for any user with write access to it, files created in that directory automatically get the group that owns the directory, while the file owner is unchanged, i.e. the file still belongs to the user who created it.

3. Using the find command to find SUID and SGID files

find -perm +4000 -type f

Find all regular files with the SUID bit set (on current GNU find write -perm /4000; the +mode form is deprecated).

find -perm +2000 -type f

Find all regular files with the SGID bit set (likewise -perm /2000 on current GNU find).
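A Python equivalent of the two find commands, as an added example (mine, not from the article), useful when auditing a tree for SUID/SGID binaries on a system where find's option syntax differs; it walks a root directory, skips symlinks like find does, and reports every regular file with either bit set:

```python
# Added example (not part of the original article): a Python equivalent of
# "find <root> -perm /6000 -type f", listing regular files with SUID or SGID set.
import os
import stat

def find_special(root: str) -> list[tuple[str, int]]:
    """Return (path, 12-bit mode) for every regular file under root whose
    SUID or SGID bit is set. Symlinks are not followed, as with find."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)           # lstat: do not follow symlinks
            except OSError:
                continue                      # vanished or unreadable: skip it
            if not stat.S_ISREG(st.st_mode):  # -type f
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):   # -perm /6000
                found.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(found)

def describe(path: str, mode: int) -> str:
    """One line per hit: which bit(s) are set, the octal mode, the path."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("SUID")
    if mode & stat.S_ISGID:
        flags.append("SGID")
    return f"{'+'.join(flags):9} {mode:04o} {path}"

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for path, mode in find_special(root):
        print(describe(path, mode))
```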
