Special permissions

Special permissions make up a fourth access level in addition to user, group, and other. Special permissions allow for additional privileges over the standard permission sets (as the name suggests). There is a special permission option for each access level discussed previously. Let's take a look at each one individually, beginning with Set UID.

Besides the three levels user, group and other, special permissions form a fourth level of filesystem access control. They allow additional privileges to be set on top of the standard permission set. Each of the levels discussed earlier has one special permission option. Starting with Set UID, each option is explained in turn below.

user + s (pecial)

Commonly noted as SUID, the special permission for the user access level has a single function: a file with SUID always executes as the user who owns the file, regardless of the user running the command. If the file owner does not have execute permission, an uppercase S is shown in this position instead.

Commonly denoted SUID, the special permission at the user access level has a single function: when a file with SUID set is invoked, it always runs as the file's owner rather than as the user who issued the command. If the file owner has no execute permission this is shown as an uppercase S, otherwise as a lowercase s.

Now, to see this in a practical light, let's look at the /usr/bin/passwd command. This command, by default, has the SUID permission set:

As a practical example, look at the command file /usr/bin/passwd. By default this command has the SUID special permission set:

[tcarrigan@server ~]$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 33544 Dec 13  2019 /usr/bin/passwd

Note the s where x would usually indicate execute permissions for the user.

Why is this command given such a permission set? We want users to be able to change their own passwords, but passwords are stored in /etc/shadow, which has mode 644 with owner root and group shadow, so an ordinary user has no way to modify that file directly. /usr/bin/passwd can be executed by other users, and because of the special permission set via SUID the program actually runs as the file owner root, so it is able to modify /etc/shadow.

As the above shows, this mechanism is convenient but also introduces a degree of risk: other users can run the program as root, and if the program is written carelessly this can introduce vulnerabilities. See Introduction to Computer Security (《计算机安全导论》).

group + s (pecial)

Commonly noted as SGID, this special permission has a couple of functions:

  • If set on a file, it allows the file to be executed as the group that owns the file (similar to SUID)
  • If set on a directory, any files created in the directory will have their group ownership set to the directory's group

[tcarrigan@server ~]$ ls -l
total 0
drwxrws---. 2 tcarrigan tcarrigan  69 Apr  7 11:31 my_articles

This permission set is noted by a lowercase s where the x would normally indicate execute privileges for the group. It is also especially useful for directories that are often used in collaborative efforts between members of a group. Any member of the group can access any new file. This applies to the execution of files, as well. SGID is very powerful when utilized properly.

As noted previously for SUID, if the owning group does not have execute permissions, then an uppercase S is used.

other + t (sticky)

The last special permission has been dubbed the "sticky bit." This permission does not affect individual files. However, at the directory level, it restricts file deletion. Only the owner (and root) of a file can remove the file within that directory. A common example of this is the /tmp directory:

[tcarrigan@server ~]$ ls -ld /tmp/
drwxrwxrwt. 15 root root 4096 Sep 22 15:28 /tmp/

The permission set is noted by the lowercase t, where the x would normally indicate the execute privilege.
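As an added example (not part of the original article or the Red Hat text it quotes), the following POSIX shell script decodes the three special bits from an ls -l mode string, flags the uppercase S/T case where the bit is set without the matching execute bit, and lists the SUID/SGID regular files under a directory, which is the inventory a defender keeps of programs that run with someone else's identity. The file and directory names it creates in a temporary directory are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original article: decode special bits from an
# `ls -l` mode string and inventory SUID/SGID files under a directory.

# decode_special MODE: report which special bits a 10-character mode string
# such as "-rwsr-xr-x" carries. Position 4 is the user execute slot, 7 the
# group slot, 10 the other slot. Uppercase S/T means the special bit is set
# but the matching execute bit is not (almost always a misconfiguration).
decode_special() {
    out=""
    case $(printf '%s' "$1" | cut -c4) in
        s) out="${out:+$out }SUID" ;;
        S) out="${out:+$out }SUID-without-exec" ;;
    esac
    case $(printf '%s' "$1" | cut -c7) in
        s) out="${out:+$out }SGID" ;;
        S) out="${out:+$out }SGID-without-exec" ;;
    esac
    case $(printf '%s' "$1" | cut -c10) in
        t) out="${out:+$out }STICKY" ;;
        T) out="${out:+$out }STICKY-without-exec" ;;
    esac
    printf '%s\n' "${out:-none}"
}

# mode_of PATH: the 10-character mode string of PATH. cut -c1-10 drops the
# '.' or '+' that ls appends when SELinux labels or ACLs are present.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# find_special_files DIR: regular files under DIR with SUID (4000) or SGID
# (2000) set, staying on one filesystem. This is the classic audit query for
# programs that will run as their owner or owning group.
find_special_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# demo_special_bits: build a constructed tree in a temporary directory, set
# one of each bit the article describes, and decode what ls reports.
demo_special_bits() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/setuid_tool"; chmod 4755 "$tmp/setuid_tool"   # like /usr/bin/passwd
    mkdir "$tmp/shared";    chmod 2770 "$tmp/shared"        # like community_content
    mkdir "$tmp/dropbox";   chmod 1777 "$tmp/dropbox"       # like /tmp
    for p in "$tmp/setuid_tool" "$tmp/shared" "$tmp/dropbox"; do
        printf '%s  %-12s  %s\n' "$(mode_of "$p")" "${p##*/}" "$(decode_special "$(mode_of "$p")")"
    done
    printf 'SUID/SGID regular files under %s:\n' "$tmp"
    find_special_files "$tmp"
    rm -rf "$tmp"
}

demo_special_bits
```

The find query is the part worth keeping: run against / it produces the list of programs whose execution is not bounded by the caller's own identity, which is the set a host baseline should track for unexpected additions.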

Setting special permissions

To set special permissions on a file or directory, you can utilize either of the two methods outlined for standard permissions above: Symbolic or numerical.

Let's assume that we want to set SGID on the directory community_content.

To do this using the symbolic method, we do the following:

[tcarrigan@server ~]$ chmod g+s community_content/

Using the numerical method, we need to pass a fourth, preceding digit in our chmod command. The digit used is calculated similarly to the standard permission digits:

  • Start at 0
  • SUID = 4
  • SGID = 2
  • Sticky = 1
  • The syntax is:

[tcarrigan@server ~]$ chmod X### file | directory

Where X is the special permissions digit.

Here is the command to set SGID on community_content using the numerical method:

[tcarrigan@server ~]$ chmod 2770 community_content/
[tcarrigan@server ~]$ ls -ld community_content/
drwxrws---. 2 tcarrigan tcarrigan 113 Apr  7 11:32 community_content/
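As an added example (not from the original article), this POSIX shell script reverses the calculation above: it turns a 10-character mode string into the four-digit numeric mode with the special digit first, and checks the result against a directory that it creates and sets to 2770 exactly as in the listing above. The directory it uses is a constructed temporary one.

```sh
#!/bin/sh
# Added example, not from the original article: derive the four-digit numeric
# mode (special digit first) from an `ls -l` mode string.

# triad_value RWX: octal value (0-7) of one permission triad such as "rws"
# or "r-x". A lowercase s or t in the execute slot still means the execute
# bit is set, so it counts as 1 here; uppercase S/T contribute nothing to
# the standard digit.
triad_value() {
    v=0
    case $(printf '%s' "$1" | cut -c1) in r) v=$((v + 4)) ;; esac
    case $(printf '%s' "$1" | cut -c2) in w) v=$((v + 2)) ;; esac
    case $(printf '%s' "$1" | cut -c3) in x|s|t) v=$((v + 1)) ;; esac
    printf '%s' "$v"
}

# mode_to_octal MODE: "-rwsr-xr-x" -> 4755, "drwxrws---" -> 2770,
# "drwxrwxrwt" -> 1777. The first character (file type) is skipped.
mode_to_octal() {
    u=$(printf '%s' "$1" | cut -c2-4)
    g=$(printf '%s' "$1" | cut -c5-7)
    o=$(printf '%s' "$1" | cut -c8-10)
    sp=0                                                              # start at 0
    case $(printf '%s' "$u" | cut -c3) in s|S) sp=$((sp + 4)) ;; esac  # SUID = 4
    case $(printf '%s' "$g" | cut -c3) in s|S) sp=$((sp + 2)) ;; esac  # SGID = 2
    case $(printf '%s' "$o" | cut -c3) in t|T) sp=$((sp + 1)) ;; esac  # sticky = 1
    printf '%s%s%s%s\n' "$sp" "$(triad_value "$u")" "$(triad_value "$g")" "$(triad_value "$o")"
}

# octal_of_path PATH: numeric mode of a real file or directory via ls -ld.
# cut -c1-10 drops the '.' or '+' that ls appends for SELinux labels or ACLs.
octal_of_path() {
    mode_to_octal "$(ls -ld "$1" | cut -c1-10)"
}

# demo_round_trip: set 2770 on a constructed temporary directory, as the
# article does for community_content, and read the digits back from ls.
demo_round_trip() {
    d=$(mktemp -d) || return 1
    chmod 2770 "$d"
    printf 'chmod 2770 -> ls shows %s -> numeric %s\n' \
        "$(ls -ld "$d" | cut -c1-10)" "$(octal_of_path "$d")"
    rmdir "$d"
}

demo_round_trip
```

Reading the digits back this way makes the uppercase case visible numerically: a mode string such as -rwSr--r-- converts to 4644, the SUID digit is present but the user digit lacks its execute bit, which is exactly what the uppercase S in the ls output warns about.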

Reference

  1. https://learning.lpi.org/en/learning-materials/010-160/5/5.3/5.3_01/
  2. https://www.redhat.com/sysadmin/suid-sgid-sticky-bit