[Linux command] - 13 - how to set file special permissions

Posted by mcsleazycrisps on Sat, 19 Feb 2022 10:29:07 +0100

Introduction

This article introduces the three special permission bits of the Linux file system: suid, sgid and sticky.

Article catalogue

  • 0x1. How to view the default permissions of files created by the current user
  • 0x2. How to add suid permission to a file
  • 0x3. How to add sgid permission to a folder
  • 0x4. How to add sticky permission to a folder

0x1. How to view the default permissions of files created by the current user

When a file or folder is created, Linux assigns it a default set of permissions. Which permissions it gets is determined by the umask value in effect for the creating process. Please see the following example:

#View the umask value of an ordinary user
qing@qingsword.com:~$ umask
0022

#As an ordinary user, create a folder and a file and view their permissions
qing@qingsword.com:~$ touch qingfile
qing@qingsword.com:~$ mkdir qingdir
qing@qingsword.com:~$ ls -l
drwxr-xr-x qingdir/
-rw-r--r-- qingfile

#The default permission of a file is 666 minus the last three digits of the umask value
# 666-022 = 644, which is shown as -rw-r--r--
#The default permission of a folder is 777 minus the last three digits of the umask value
# 777-022 = 755, which is shown as drwxr-xr-x
#(Strictly, the kernel clears the umask bits from 666 or 777 rather than subtracting; the two agree for 022 but not for every mask, e.g. umask 077 gives files mode 600, not 567)

#The umask value determines the default permissions of the files and folders the current user creates. To change it, pass the new value (the last three digits) as the argument to umask, as shown below
qing@qingsword.com:~$ umask 002
qing@qingsword.com:~$ umask
0002
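The rule above, worked through as an added example that is not part of the original post: `default_mode` applies the umask the way the kernel does (clearing the mask bits from the base mode), `subtract_mode` is the post's digit-subtraction shortcut, and `shortcut_holds` shows for which masks the two agree. The masks 022, 002 and 077 are sample values chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): the default mode of a new file
# or directory is the base mode with the umask bits CLEARED, i.e. base & ~umask.
# For umask 022 this equals the subtraction shown above (666-022 = 644),
# but subtraction is only a mnemonic and breaks for some other masks.

# default_mode BASE UMASK -> prints the resulting mode as four octal digits.
# BASE is 666 for files and 777 for directories, as in the post.
# The leading 0 makes the shell read both arguments as octal.
default_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# subtract_mode BASE UMASK -> the post's "subtract the digits" shortcut,
# evaluated in octal. Kept only to show where it diverges from the real rule.
subtract_mode() {
    printf '%04o\n' $(( 0$1 - 0$2 ))
}

# shortcut_holds BASE UMASK -> exit 0 when subtraction gives the right answer.
shortcut_holds() {
    [ "$(default_mode "$1" "$2")" = "$(subtract_mode "$1" "$2")" ]
}

# Usage: compare the two rules for the masks from the post and for a
# hardened mask of 077 (new files readable and writable by the owner only).
for m in 022 002 077; do
    printf 'umask %s: file %s dir %s' "$m" "$(default_mode 666 "$m")" "$(default_mode 777 "$m")"
    if shortcut_holds 666 "$m"; then
        printf ' (subtraction agrees)\n'
    else
        printf ' (subtraction would give %s, which is wrong)\n' "$(subtract_mode 666 "$m")"
    fi
done
```

The 077 case is the one to remember: 666 & ~077 is 600, while the subtraction 666-077 borrows across the octal digits and gives 567, a mode that no umask ever produces.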

0x2. How to add suid permission to a file

First, a brief description of what the suid bit does. When an executable file with the suid bit set is run, the resulting process runs with the privileges of the file's owner rather than those of the user who ran it. For a better understanding, please see the following examples:

#Only the root user has read and write permission on /etc/shadow, the file that stores the password hashes (the shadow group may only read it)
qing@qingsword.com:~$ ls -l /etc/shadow
-rw-r----- 1 root shadow /etc/shadow

#So how can an ordinary user change their own password with the passwd command?
#The permission string "-rwsr-xr-x" of the passwd binary shows that it has the suid bit set. When an ordinary user runs it to change their password, the process runs with the privileges of the file's owner, root, and root is allowed to modify /etc/shadow
qing@qingsword.com:~$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root /usr/bin/passwd

To add suid permission to a file:

#Method 1: symbolic notation
qing@qingsword.com:~$ sudo chmod u+s qingfile
qing@qingsword.com:~$ ls -l
drwxr-xr-x 2 qing qing qingdir
-rwSr--r-- 1 qing qing qingfile

#Method 2: numeric notation. The leading (fourth) digit 4 represents the suid bit, and the following 744 is the usual ugo permission set
qing@qingsword.com:~$ sudo chmod 4744 qingfile
qing@qingsword.com:~$ ls -l
drwxr-xr-x 2 qing qing qingdir
-rwsr--r-- 1 qing qing qingfile

#In the example above, with mode 4644 the permission string is shown as "-rwSr--r--": the capital S means the suid bit is set but the owner has no execute (x) permission. When the owner also has x, as with 4744, the s is lowercase. A capital S is worth noticing during an audit, because the suid bit has no effect on a file that cannot be executed
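The s/S display rule above, turned into an added example that is not part of the original post: `mode_to_string` renders a numeric mode (special bits included) the way `ls -l` shows it, and `find_setuid_files` is the inventory check a defender runs to list suid binaries under a path. The function goes a little beyond this section in that it also renders the sgid and sticky positions with the same lowercase/uppercase rule. The scratch directory and file names in the usage part are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): render an octal mode, special
# bits included, the way ls -l shows it, and list setuid files under a path.
# The execute slot of each class carries the special bit: suid for the owner,
# sgid for the group, sticky for others. It is shown lowercase (s or t) when
# the underlying execute bit is set and uppercase (S or T) when it is not.

# mode_to_string MODE [TYPECHAR] -> e.g. "mode_to_string 4744" prints -rwsr--r--
# TYPECHAR is the first column of ls -l: - for a regular file (default), d for a directory.
mode_to_string() {
    m=$(( 0$1 ))          # leading 0: read the argument as octal
    out=${2:--}
    for pos in 6 3 0; do  # bit offset of the owner, group and other triplets
        bits=$(( (m >> pos) & 7 ))
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        case $pos in
            6) special=$(( m & 04000 )); lo=s; up=S ;;
            3) special=$(( m & 02000 )); lo=s; up=S ;;
            0) special=$(( m & 01000 )); lo=t; up=T ;;
        esac
        if [ "$special" -ne 0 ]; then
            if [ $(( bits & 1 )) -ne 0 ]; then out="${out}${lo}"; else out="${out}${up}"; fi
        else
            if [ $(( bits & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
        fi
    done
    printf '%s\n' "$out"
}

# ls_mode PATH -> the ten-character permission string ls -ld prints for PATH.
ls_mode() {
    ls -ld "$1" | cut -c1-10
}

# find_setuid_files DIR -> every regular file under DIR with the suid bit set,
# one per line. "-perm -4000" means "all of these bits are set" and is POSIX,
# so the check also works with non-GNU find.
find_setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Usage: rebuild the post's qingfile in a scratch directory and compare the
# rendered mode with what ls reports, then inventory the directory.
scratch=$(mktemp -d)
: > "$scratch/qingfile"
chmod 4644 "$scratch/qingfile"    # suid without execute: shown as S
printf 'rendered %s, ls shows %s\n' "$(mode_to_string 4644)" "$(ls_mode "$scratch/qingfile")"
chmod 4744 "$scratch/qingfile"    # owner can execute: shown as s
printf 'rendered %s, ls shows %s\n' "$(mode_to_string 4744)" "$(ls_mode "$scratch/qingfile")"
printf 'suid files under %s:\n' "$scratch"
find_setuid_files "$scratch"
rm -rf "$scratch"
```

Running `find_setuid_files /` on a real system and comparing the output against a known-good baseline is the routine way to spot a suid binary that has appeared where none is expected.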

0x3. How to add sgid permission to a folder

The sgid bit is used here on folders (it can also be set on executables, where it is the group counterpart of suid). When a folder has the sgid bit set, every file and subfolder newly created inside it, no matter which user creates it, is automatically assigned the group of that parent folder instead of the creator's primary group. See the following example:

#Create a new group testgroup and change the group of qingdir to testgroup
qing@qingsword.com:~$ sudo groupadd testgroup
qing@qingsword.com:~$ sudo chgrp testgroup qingdir

#Method 1: add the sgid bit to qingdir with symbolic notation
qing@qingsword.com:~$ sudo chmod g+s qingdir
qing@qingsword.com:~$ ls -l
drwxr-sr-x 2 qing testgroup qingdir

#Enter qingdir and create a new file and a new folder
qing@qingsword.com:~$ cd qingdir/
qing@qingsword.com:~$ touch subtestfile
qing@qingsword.com:~$ mkdir subdir

#The new folder and file are automatically assigned to the testgroup group; note that the subfolder also inherits the sgid bit itself
qing@qingsword.com:~$ ls -l
drwxr-sr-x 2 qing testgroup subdir
-rw-r--r-- 1 qing testgroup subtestfile

#Method 2: numeric notation. The leading digit 2 represents the sgid bit, and 755 is the usual ugo permission set
qing@qingsword.com:~$ chmod 2755 qingdir
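The steps above, as one repeatable procedure in an added example that is not part of the original post: `setup_shared_dir` hands a directory to a group and sets sgid, and `verify_shared_dir` checks the group, the bit, and, most usefully, that a probe file created inside actually inherits the group. The mode 2770 and the use of the caller's own primary group as a stand-in for testgroup are choices made for this example; the caller is assumed to own the directory and to be a member of the group.

```shell
#!/bin/sh
# Added example (not from the original post): set up and verify a
# group-shared directory with the sgid bit, as in the testgroup walkthrough.

# setup_shared_dir DIR GROUP -> create DIR if needed, hand it to GROUP and set
# the sgid bit so new files inherit GROUP instead of each creator's group.
# 2770 (sgid + rwx for owner and group, nothing for others) is this example's
# choice; the post uses 2755.
setup_shared_dir() {
    mkdir -p "$1" || return 1
    chgrp "$2" "$1" || return 1
    chmod 2770 "$1" || return 1
}

# group_of PATH -> the group name ls -ld prints in its fourth column.
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# has_sgid DIR -> exit 0 when the mode string shows s or S in the group
# execute position (the seventh character of ls -ld output).
has_sgid() {
    case "$(ls -ld "$1" | cut -c7)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# verify_shared_dir DIR GROUP -> exit 0 only if DIR belongs to GROUP, has the
# sgid bit, and a file created inside it really ends up in GROUP. Checking the
# probe file catches the case where the bit looks set but inheritance does not
# happen, e.g. because the bit was silently dropped when chmod ran.
verify_shared_dir() {
    [ "$(group_of "$1")" = "$2" ] || { echo "wrong group on $1" >&2; return 1; }
    has_sgid "$1" || { echo "sgid bit not set on $1" >&2; return 1; }
    probe="$1/.sgid-probe.$$"
    : > "$probe" || return 1
    g=$(group_of "$probe")
    rm -f "$probe"
    [ "$g" = "$2" ] || { echo "new file got group $g, not $2" >&2; return 1; }
}

# Usage: the current user's primary group stands in for the post's testgroup.
base=$(mktemp -d)
if setup_shared_dir "$base/shared" "$(id -gn)" && verify_shared_dir "$base/shared" "$(id -gn)"; then
    echo "shared directory OK: $(ls -ld "$base/shared" | cut -c1-10) group $(group_of "$base/shared")"
fi
rm -rf "$base"
```

The probe-file check matters more than reading the mode string: chmod silently clears the sgid bit when the caller is not a member of the directory's group, so a setup script that only runs `chmod g+s` can report success while inheritance never happens.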

0x4. How to add sticky permission to a folder

If a user has rwx permission on a directory, they have full control over it and can delete every file and folder inside it, whoever owns them. If the directory additionally has the Sticky Bit set (SBIT for short), a user with rwx permission on it can still create files and folders there, but can delete (or rename) only the ones they own themselves. The directory's owner and root are not restricted by the sticky bit.

Suppose there are two users, bob and steven, both assigned to the ceo group, and a folder testdir that belongs to the ceo group. Members of the ceo group have rwx permission on this folder, and the sticky bit is used to control it, so that bob and steven each have full control over the files they create themselves but can only view, not modify or delete, the files created by the other. Please see the following example:

#Create the ceo group
qing@qingsword.com:~$ sudo groupadd ceo

#Create bob and steven and assign them to the ceo group
qing@qingsword.com:~$ sudo useradd -g ceo bob
qing@qingsword.com:~$ sudo useradd -g ceo steven

#Set passwords for bob and steven
qing@qingsword.com:~$ sudo passwd bob
qing@qingsword.com:~$ sudo passwd steven

#Create the testdir folder, change its group to ceo and give that group rwx permission. Members of the ceo group now have full control over the directory
qing@qingsword.com:~$ sudo mkdir testdir
qing@qingsword.com:~$ sudo chgrp ceo testdir/
qing@qingsword.com:~$ sudo chmod g+rwx testdir/

#Add the sticky bit to testdir (note that the sticky bit is set through the "others" class: o+t)
qing@qingsword.com:~$ sudo chmod o+t testdir/

#View the permissions of testdir now; the t in the last position is the sticky bit
qing@qingsword.com:~$ ls -ld testdir/
drwxrwxr-t 2 root ceo testdir/

#Switch to the user bob, change into testdir (assuming its path is /home/qing/testdir) and touch a file
qing@qingsword.com:~$ su - bob
bob@qingsword.com:~$ cd /home/qing/testdir
bob@qingsword.com:~$ touch bobfile

#Exit bob, log in as steven, change into testdir and try to delete the file created by bob
bob@qingsword.com:~$ exit
qing@qingsword.com:~$ su - steven
steven@qingsword.com:~$ cd /home/qing/testdir
steven@qingsword.com:~$ ls
bobfile
steven@qingsword.com:~$ rm -rf bobfile
rm: cannot remove 'bobfile': Operation not permitted
#With the sticky bit set, steven can only view the files and folders created by bob, not delete or modify them

#Exit steven, remove the sticky bit from testdir with root privileges, and try again to delete bob's file as steven: this time it succeeds
steven@qingsword.com:~$ exit
qing@qingsword.com:~$ sudo chmod o-t testdir/
qing@qingsword.com:~$ su - steven
steven@qingsword.com:~$ cd /home/qing/testdir
steven@qingsword.com:~$ ls
bobfile
steven@qingsword.com:~$ rm -rf bobfile

#Method 2: numeric notation. The leading digit 1 represents the sticky bit, and 775 is the usual ugo permission set
qing@qingsword.com:~$ sudo chmod 1775 testdir/
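The hardening check that follows from the sticky-bit behaviour shown above, as an added example that is not part of the original post: a directory that everyone can write to but that lacks the sticky bit is in the state testdir was in after `chmod o-t`, where any user can delete anyone else's files. `world_writable_dirs_without_sticky` lists such directories under a path, `is_sticky` reads the bit from the mode string, and `fix_sticky` applies the post's `chmod o+t` remedy. Only a POSIX `find` is assumed; the scratch directory names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): find directories that are
# writable by everyone but do not have the sticky bit. /tmp is the canonical
# directory that needs the bit (drwxrwxrwt); a shared directory without it lets
# any user remove or rename other users' files, as steven could above once
# o-t had been applied.

# is_sticky DIR -> exit 0 when the "other" execute position (the tenth
# character of ls -ld output) shows t or T.
is_sticky() {
    case "$(ls -ld "$1" | cut -c10)" in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

# world_writable_dirs_without_sticky ROOT -> every directory under ROOT that is
# writable by others (-perm -0002) and not sticky (! -perm -1000), one per
# line. Both -perm forms are POSIX, so this is not GNU-specific.
world_writable_dirs_without_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# fix_sticky DIR -> apply the post's remedy (chmod o+t) and confirm it took.
fix_sticky() {
    chmod o+t "$1" && is_sticky "$1"
}

# Usage: reproduce both states from the post in a scratch directory.
scratch=$(mktemp -d)
mkdir "$scratch/protected" "$scratch/exposed"
chmod 1777 "$scratch/protected"   # world-writable like /tmp, sticky bit set
chmod 777 "$scratch/exposed"      # world-writable, no sticky bit: flagged
echo "world-writable directories without the sticky bit:"
world_writable_dirs_without_sticky "$scratch"
fix_sticky "$scratch/exposed" && echo "fixed: $(ls -ld "$scratch/exposed" | cut -c1-10)"
echo "after the fix:"
world_writable_dirs_without_sticky "$scratch"
rm -rf "$scratch"
```

Run against `/` on a real host, the list should normally be empty; every entry is a directory where one user's files can be removed by any other, and the fix is the same `chmod o+t` (or the numeric 1xxx form) the post shows.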

Topics: Linux Operation & Maintenance Ubuntu