SUID: When an executable file with the SUID bit set is executed, it runs with the identity of the file's owner. In other words, whoever executes the file gets the privileges of the file's owner and can use every system resource the owner could. If the owner is root, the person executing it gets superuser privileges.
SGID: When an executable file with the SGID bit set is executed, it runs with the privileges of the file's owning group and can access every system resource that group can. If a directory has SGID set, every file copied into it has its group reset to the directory's group, unless the copy is made with the -p option, which preserves the original group. SUID/SGID can also be set with symbolic modes.
SUID and SGID occupy the same position as the x bit in an ls -l listing: if the execute bit x is set, that position shows a lowercase s; if the execute bit x is not set, it shows an uppercase S. Setting and clearing SUID and SGID is straightforward; the SUID bit is set and cleared, respectively, with the following commands.
chmod u+s [filename] # set the SUID bit on [filename]
chmod u-s [filename] # clear the SUID bit on [filename]
Likewise, the commands to set and clear SGID are:
chmod g+s [filename] # set the SGID bit on [filename]
chmod g-s [filename] # clear the SGID bit on [filename]
The following example shows how to set the SUID bit.
[root@host test]# ll
total 16
-rw-r--r-- 1 root root 0 Feb 16 17:35 11
drwxr-xr-x 2 root root 4096 Feb 16 17:35 dir11
drwxr-xr-x 2 root root 4096 Feb 16 17:35 dir22
drwxr-xr-x 4 root root 4096 Mar 3 18:08 test
-rwxr--r-- 1 root root 804 Mar 6 00:19 test.py
[root@host test]# chmod u+s test.py
[root@host test]# ll
total 16
-rw-r--r-- 1 root root 0 Feb 16 17:35 11
drwxr-xr-x 2 root root 4096 Feb 16 17:35 dir11
drwxr-xr-x 2 root root 4096 Feb 16 17:35 dir22
drwxr-xr-x 4 root root 4096 Mar 3 18:08 test
-rwsr--r-- 1 root root 804 Mar 6 00:19 test.py
[root@host test]# chmod u-x test.py
[root@host test]# ll
total 16
-rw-r--r-- 1 root root 0 Feb 16 17:35 11
drwxr-xr-x 2 root root 4096 Feb 16 17:35 dir11
drwxr-xr-x 2 root root 4096 Feb 16 17:35 dir22
drwxr-xr-x 4 root root 4096 Mar 3 18:08 test
-rwSr--r-- 1 root root 804 Mar 6 00:19 test.py
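The transcript above, replayed on a throwaway file as an added example (this is not code from the book excerpt), together with the inventory check a defender actually wants: a list of every setuid/setgid file under a directory tree, to compare against a known baseline. The function names mode_of, demo_suid_display and list_special_files are chosen here, not taken from the page.

```shell
#!/bin/sh
# Added example: replay the chmod/ls sequence from the transcript on a
# temporary file, and list setuid/setgid regular files under a directory.

# Print the 10-character mode field that `ls -l` shows for one path.
# Some systems append "." or "+" (SELinux label / ACL), so keep only 10 chars.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Replay the transcript: 744 -> u+s shows "s" (execute still set),
# then u-x shows "S" (setuid set, but owner execute missing).
demo_suid_display() {
    f=$(mktemp) || return 1
    chmod 744 "$f"
    r1=$(mode_of "$f")          # -rwxr--r--
    chmod u+s "$f"
    r2=$(mode_of "$f")          # -rwsr--r--
    chmod u-x "$f"
    r3=$(mode_of "$f")          # -rwSr--r--
    rm -f "$f"
    printf '%s %s %s\n' "$r1" "$r2" "$r3"
}

# Defender-side inventory: every regular file under $1 with SUID or SGID set.
# "-perm -4000" matches files that have at least the setuid bit,
# "-perm -2000" those with at least the setgid bit. Output is sorted so two
# runs (e.g. baseline vs. today) can be diffed directly.
list_special_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Stand-alone run: show the three mode strings, then inventory this tree.
demo_suid_display
list_special_files "${1:-.}"
```

Note that Linux ignores the setuid bit on interpreter scripts such as test.py above; it takes effect only on native executables, so an inventory like this is most useful when run over system binary directories and diffed against a baseline taken at install time.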
SUID programs often come with security problems. Sometimes the interaction between a SUID program and a system program (or library function) creates a security hole that not even the program's author knows about. A classic example is the /usr/lib/preserve program, used by the vim and ex editors: when a user is unexpectedly interrupted by the system before writing out changes to a file, it automatically makes a copy of the file being edited. This preserve program writes the changes to a temporary file in a dedicated directory, then uses the /bin/mail program to send the user a notice that the file has been saved.
---- Excerpted from <LINUX SHELL 编程从入门到精通> VER2, p. 31
This is probably one of my most irksome things that people mess up all the time. The SUID/GUID bit and the sticky-bit are 2 completely different things.
background
excerpt
The letters rwxXst select file mode bits for the affected users: read (r), write (w), execute (or search for directories) (x), execute/search only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), restricted deletion flag or sticky bit (t).
SUID/GUID
What the above man page is trying to say is that the position that the x bit takes in the rwxrwxrwx for the user octal (1st group of rwx) and the group octal (2nd group of rwx) can take an additional state where the x becomes an s. When this occurs this file when executed (if it’s a program and not just a shell script) will run with the permissions of the owner or the group of the file.
So if the file is owned by root and the SUID bit is turned on, the program will run as root. Even if you execute it as a regular user. The same thing applies to the GUID bit.
excerpt
SETUID AND SETGID BITS
chmod clears the set-group-ID bit of a regular file if the file’s group ID does not match the user’s effective group ID or one of the user’s supplementary group IDs, unless the user has appropriate privileges. Additional restrictions may cause the set-user-ID and set-group-ID bits of MODE or RFILE to be ignored. This behavior depends on the policy and functionality of the underlying chmod system call. When in doubt, check the underlying system behavior. chmod preserves a directory’s set-user-ID and set-group-ID bits unless you explicitly specify otherwise. You can set or clear the bits with symbolic modes like u+s and g-s, and you can set (but not clear) the bits with a numeric mode.
SUID/GUID examples
no suid/guid – just the bits rwxr-xr-x are set.
$ ls -lt b.pl
-rwxr-xr-x 1 root root 179 Jan 9 01:01 b.pl
suid & user's executable bit enabled (lowercase s) – the bits rwsr-xr-x are set.
$ chmod u+s b.pl
$ ls -lt b.pl
-rwsr-xr-x 1 root root 179 Jan 9 01:01 b.pl
suid enabled & executable bit disabled (uppercase S) – the bits rwSr-xr-x are set.
$ chmod u-x b.pl
$ ls -lt b.pl
-rwSr-xr-x 1 root root 179 Jan 9 01:01 b.pl
guid & group's executable bit enabled (lowercase s) – the bits rwxr-sr-x are set.
$ chmod g+s b.pl
$ ls -lt b.pl
-rwxr-sr-x 1 root root 179 Jan 9 01:01 b.pl
guid enabled & executable bit disabled (uppercase S) – the bits rwxr-Sr-x are set.
$ chmod g-x b.pl
$ ls -lt b.pl
-rwxr-Sr-x 1 root root 179 Jan 9 01:01 b.pl
sticky bit
The sticky bit on the other hand is denoted as t, such as with the /tmp directory:
$ ls -l / | grep tmp
drwxrwxrwt. 168 root root 28672 Jun 14 08:36 tmp
This bit should have always been called the “restricted deletion bit” given that’s what it really connotes. When this mode bit is enabled, it makes a directory such that users can only delete files & directories within it that they are the owners of.
excerpt
RESTRICTED DELETION FLAG OR STICKY BIT
The restricted deletion flag or sticky bit is a single bit, whose interpretation depends on the file type. For directories, it prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory; this is called the restricted deletion flag for the directory, and is commonly found on world-writable directories like /tmp. For regular files on some older systems, the bit saves the program’s text image on the swap device so it will load more quickly when run; this is called the sticky bit.
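To make the s/S display rule from the SUID/GUID examples and the t/T display of the sticky bit concrete in one place, here is an added decoder (not part of the quoted answer or the man page excerpts) that turns the 10-character mode field printed by ls -l back into the four-digit octal mode chmod accepts and names the special bits it finds. The function names triplet_value, mode_to_octal and describe_special are chosen for this example; the mode strings used for the stand-alone run are taken from the listings above.

```shell
#!/bin/sh
# Added example: decode an `ls -l` mode field such as "-rwSr-xr-x" or
# "drwxrwxrwt" into octal (4655, 1777) and describe its special bits.

# Value of one rwx triplet. A lowercase special letter (s or t) in the x
# position means execute is also set; an uppercase one (S or T) means the
# special bit is set but execute is not, which is why it shows uppercase.
triplet_value() {
    v=0
    case "$(printf '%s\n' "$1" | cut -c1)" in r) v=$((v + 4));; esac
    case "$(printf '%s\n' "$1" | cut -c2)" in w) v=$((v + 2));; esac
    case "$(printf '%s\n' "$1" | cut -c3)" in x|s|t) v=$((v + 1));; esac
    printf '%s\n' "$v"
}

# Full mode field -> 4-digit octal: special digit (4 setuid, 2 setgid,
# 1 sticky) followed by user, group and other triplets.
mode_to_octal() {
    m=$1
    special=0
    case "$(printf '%s\n' "$m" | cut -c4)"  in s|S) special=$((special + 4));; esac
    case "$(printf '%s\n' "$m" | cut -c7)"  in s|S) special=$((special + 2));; esac
    case "$(printf '%s\n' "$m" | cut -c10)" in t|T) special=$((special + 1));; esac
    u=$(triplet_value "$(printf '%s\n' "$m" | cut -c2-4)")
    g=$(triplet_value "$(printf '%s\n' "$m" | cut -c5-7)")
    o=$(triplet_value "$(printf '%s\n' "$m" | cut -c8-10)")
    printf '%s%s%s%s\n' "$special" "$u" "$g" "$o"
}

# Human-readable list of the special bits, flagging the "set but no execute"
# case that uppercase S/T denotes; prints "none" when no special bit is set.
describe_special() {
    out=""
    case "$(printf '%s\n' "$1" | cut -c4)" in
        s) out="$out setuid";; S) out="$out setuid(no-exec)";; esac
    case "$(printf '%s\n' "$1" | cut -c7)" in
        s) out="$out setgid";; S) out="$out setgid(no-exec)";; esac
    case "$(printf '%s\n' "$1" | cut -c10)" in
        t) out="$out sticky";; T) out="$out sticky(no-exec)";; esac
    [ -n "$out" ] || out=" none"
    printf '%s\n' "${out# }"
}

# Stand-alone run over the mode strings shown in the listings above.
for mode in -rwxr-xr-x -rwsr-xr-x -rwSr-xr-x -rwxr-sr-x -rwxr-Sr-x drwxrwxrwt; do
    printf '%s  %s  %s\n' "$mode" "$(mode_to_octal "$mode")" "$(describe_special "$mode")"
done
```

Reading the output next to the chmod man page excerpt makes the numeric-mode caveat concrete: chmod 0755 on a file that shows 4755 leaves the setuid bit in place on many systems, so clearing it reliably means a symbolic u-s, and an audit should compare the decoded special digit rather than trust the three permission digits alone.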