Home >Operation and Maintenance >Linux Operation and Maintenance >Special permissions for files under Linux system

Special permissions for files under Linux system

齐天大圣
齐天大圣Original
2020-09-13 16:05:341729browse

Do you feel that Linux file permissions are too complicated, including users, groups, file permissions, default permissions, hidden attributes, ACL, and now there is a special permission. I feel sorry for my hair for three seconds~.

Let’s take a look at a file

ls /usr/bin/passwd  -l
-rwsr-xr-x. 1 root root 27832 Jun 10  2014 /usr/bin/passwd

I didn’t find it, why did a strange thing appear? This s appears above the x of the file owner, and is called Set UID, or SUID for short. If it appears above the x of the group it belongs to, it means SGID. If it is above someone else's x, it means Sticky.

The following is a table to explain the use of each special permission:

##File DirectorySUID This user will inherit owner permissions for this program No meaning SGIDThis user will inherit the group permissions of this programAll files created by users in this directory will automatically inherit the user group of this directory StickySenselessEach user in the directory can only delete, move or rename their own files or directories

Below, we Explain the use of SUID through the file /usr/bin/passwd.


We know that under Linux, each user can change his or her own password, and root can change the passwords of all users. Have you ever thought about why ordinary users can also change their passwords? Isn't the password stored in the /etc/shadow file? This file does not have write permission for ordinary users.

# ls -l /etc/shadow
---------- 1 root root 969 Sep 10 09:37 /etc/shadow

This is the purpose of SUID. Ordinary users can change their passwords through the passwd command. During execution, the user will temporarily have the permissions of the owner of the file, i.e. root, so ordinary users can change their passwords. If the special permissions of the file are SGID, then the permissions of the group to which the file belongs will be possessed during execution.

In addition to acting on files, SGID can also act on directories. Note that its functions are completely different for files and directories. We use a scenario to explain the role of SGID for directories.

Below, we simulate a scenario: the company now needs to develop a project, the prototype drawing has been given, and it needs to be handed over to the design department for design. Now create a directory project1_ps. All personnel in the design department have rwx permissions on files in this directory.

We know that in Linux, when you create a new file or directory, the owner is yourself and the group it belongs to is the group you belong to. In this way, when designer a creates a new file, other users have other people's permissions on this file, which does not meet our requirements. Therefore, we need SGID to complete the requirements.

# groupadd design  #创建design用户组
# useradd -G design --no-create-home dgn1 # 创建用户
# useradd -G design --no-create-home dgn2 # 创建用户
# id dgn1
uid=1003(dgn1) gid=1004(dgn1) 组=1004(dgn1),1003(design)
# id dgn2
uid=1004(dgn2) gid=1005(dgn2) 组=1005(dgn2),1003(design)
 
# mkdir design # 工作目录
# chgrp design design/
# chmod 2770 design/  <== 如果是SUID则是4770
# ll -d design/
drwxrws--- 2 root design 4096 5月   5 19:06 design/
 
# su dgn1
$ umask
0022
$ umask 0002
$ touch design/1.ps
$ ls design -l
总用量 0
-rw-rw-r-- 1 dgn1 design 0 5月   5 19:31 1.ps  <=== 新创建的文件默认组为design了

Finally, let’s take a look at Sticky. This is very easy to understand. Each user in the directory can only delete, move or rename his own files or directories. In fact, the /tmp directory uses this special permission.

# ll /tmp -d
drwxrwxrwt. 9 root root 868352 Sep 13 08:24 /tmp

The above is the detailed content of Special permissions for files under Linux system. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn