This is the 7th day of my participation in Gwen Challenge

Basic concepts of permissions

In this article we discuss the common permissions on files in Linux. Linux permissions are a mechanism the operating system uses to restrict access to resources. Permissions are generally divided into three types:

  • read
  • write
  • execute

In the Linux operating system, each process runs as a user and has the same permissions as that user. The more permissions the user has, the more the process has.

File permissions are defined for three types of object:

  • Owner: the owner of the file (u)
  • Group: the owning group of the file (g)
  • Other: everyone else (o)

Each file defines three permissions for each of the three objects above:

Permission  Object      Meaning
r           file        Readable: the contents can be viewed, e.g. with grep or similar tools
w           file        Writable: the file can be modified or deleted, e.g. with vim
x           file        Executable: the file can be run as a command
r           directory   ls can list everything in the directory
w           directory   Files can be created or deleted inside the directory
x           directory   cd can enter the directory and the details of its entries can be viewed

The conversion of the rwx letters to a number (r = 4, w = 2, x = 1, added together for each object) needs to be mentioned separately here. The following table:

rwx = 7    rw- = 6    r-x = 5    r-- = 4
-wx = 3    -w- = 2    --x = 1    --- = 0

Next, let’s look at permission management commands

Permission Management Commands

1) chmod

Usage: chmod mode file

Operators: + adds a permission, - removes a permission, = sets the permissions exactly as given.

Parameters:

  • -f: Do not display error messages if a file's permissions cannot be changed
  • -v: Display details of each permission change
  • -R: Apply the same permission change to all files and subdirectories under the given directory (that is, recursively, one by one)
  • --help: Display help
  • --version: Display the version

For example:

1) View the permissions of files

[root@zmgaosh zip]# ll
Total amount 8
drwxr-xr-x 2 root root 4096 6月 20 20:26 etc
-rw-r--r-- 1 root root  685 6月 20 20:25 passwd.zip

In this example the etc directory shows rwxr-xr-x. With r = 4, w = 2 and x = 1, rwx adds up to 7 and r-x to 5, so the permission of etc is 755; by the same arithmetic the permission of the passwd.zip file (rw-r--r--) is 644.

2) Grant rwx permission on the etc directory to its owner

[root@zmgaosh zip]# ll                  # check the current directory
Total amount 8
drwxr-xr-x 2 root root 4096 6月 20 20:26 etc    # note the directory permission
-rw-r--r-- 1 root root  685 6月 20 20:25 passwd.zip
[root@zmgaosh zip]# ll etc/
Total amount 4
-rw-r--r-- 1 root root 1317 6月 20 15:16 passwd   # owner rw-, group r--, other r--
[root@zmgaosh zip]# chmod -R u+rwx etc  # grant rwx on the directory and its contents to the owner
[root@zmgaosh zip]# ll
drwxr-xr-x 2 root root 4096 6月 20 20:26 etc
-rw-r--r-- 1 root root  685 6月 20 20:25 passwd.zip
[root@zmgaosh zip]# ll etc/
Total amount 4
-rwxr--r-- 1 root root 1317 6月 20 15:16 passwd   # the owner now has rwx
3) Grant rwx permission to the owning group

[root@zmgaosh zip]# ll
drwxr-xr-x 2 root root 4096 6月 20 20:26 etc
-rw-r--r-- 1 root root  685 6月 20 20:25 passwd.zip
[root@zmgaosh zip]# ll etc
-rwxr--r-- 1 root root 1317 6月 20 15:16 passwd
[root@zmgaosh zip]# chmod -R g+rwx etc
[root@zmgaosh zip]# ll
Total amount 8
drwxrwxr-x 2 root root 4096 6月 20 20:26 etc
-rw-r--r-- 1 root root  685 6月 20 20:25 passwd.zip
[root@zmgaosh zip]# ll etc
-rwxrwxr-- 1 root root 1317 6月 20 15:16 passwd

Taken together with the second example this one is easy to follow: the group field of both the directory and the file has become rwx.

4) Remove write and execute permission from the owner of the etc directory

[root@zmgaosh zip]# chmod -R u-wx etc
[root@zmgaosh zip]# ll
Total amount 8
dr--rwxr-x 2 root root 4096 6月 20 20:26 etc
-rw-r--r-- 1 root root  685 6月 20 20:25 passwd.zip
5) Use the numeric form to grant rwx on the etc directory to the owner, the owning group and other users

[root@zmgaosh zip]# chmod -R 777 etc
[root@zmgaosh zip]# ll
Total amount 8
drwxrwxrwx 2 root root 4096 6月 20 20:26 etc
-rw-r--r-- 1 root root  685 6月 20 20:25 passwd.zip
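The same five steps can be replayed on a throw-away copy of the etc/passwd layout and each result read back as the numbers ll implied; this shell example is added here and is not from the original article. It assumes GNU or busybox coreutils for stat -c '%a', constructs its own sample passwd file, and applies u-wx to the file rather than recursively so that the directory stays enterable for a non-root user.

```shell
# Added example (not from the original article): replays the article's chmod
# steps on a temporary tree and reads each result back numerically, as "ll"
# showed 755 / 644. Assumes GNU or busybox coreutils for stat -c '%a'.
set -e

# perm_of PATH -> numeric permission, e.g. 755
perm_of() { stat -c '%a' "$1"; }

# make_tree -> prints the path of a fresh directory holding etc/passwd
# (the passwd line is constructed sample data, not a real account)
make_tree() {
    work=$(mktemp -d)
    (umask 022 && mkdir "$work/etc" &&
        printf 'demo:x:1000:1000::/home/demo:/bin/sh\n' > "$work/etc/passwd")
    echo "$work"
}

# apply_steps TREE -> one line per step: "<step> <dir mode> <file mode>"
apply_steps() {
    d="$1/etc"; f="$d/passwd"
    echo "start $(perm_of "$d") $(perm_of "$f")"   # 755 644
    chmod -R u+rwx "$d"       # + adds: the owner gains x on the file
    echo "u+rwx $(perm_of "$d") $(perm_of "$f")"   # 755 744
    chmod -R g+rwx "$d"       # the group gains w on the dir, wx on the file
    echo "g+rwx $(perm_of "$d") $(perm_of "$f")"   # 775 774
    chmod u-wx "$f"           # - removes; file only, so the dir stays enterable
    echo "u-wx $(perm_of "$d") $(perm_of "$f")"    # 775 474
    chmod -R 777 "$d"         # numeric form: sets all nine bits at once
    echo "777 $(perm_of "$d") $(perm_of "$f")"     # 777 777
    chmod -R u=rwx,go=rx "$d" # = assigns exactly, back to 755
    echo "= $(perm_of "$d") $(perm_of "$f")"       # 755 755
}

tree=$(make_tree); apply_steps "$tree"; rm -rf "$tree"
```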

2) chown command

Function: change the owner and/or group of the given files to the specified user or group. The user may be given as a user name or a user ID, the group as a group name or a group ID.

Parameters:

  • -c: Display information about each file that was actually changed
  • -f: Suppress error messages
  • -h: Change the symbolic link itself rather than the file it points to
  • -v: Display detailed processing information
  • -R: Process all files in the given directory and its subdirectories
  • --help: Display help
  • --version: Display the version

For example:

1) Change both the owner and the group of passwd to xinsz

[root@zmgaosh etc]# ll
-rwxrwxrwx 1 root root 1317 6月 20 15:16 passwd
[root@zmgaosh etc]# chown xinsz:xinsz passwd
[root@zmgaosh etc]# ll
Total amount 4
-rwxrwxrwx 1 xinsz xinsz 1317 6月 20 15:16 passwd   # both the owner and the group are now xinsz
2) Another way to set the owner and group of passwd (a user name followed by a bare colon sets the group to that user's login group)

[root@zmgaosh etc]# chown root: passwd
[root@zmgaosh etc]# ll
-rwxrwxrwx 1 root root 1317 6月 20 15:16 passwd
3) Change only the owning group of passwd

[root@zmgaosh etc]# chown :xinsz passwd
[root@zmgaosh etc]# ll
-rwxrwxrwx 1 root xinsz 1317 6月 20 15:16 passwd

File special permission management

The special file permissions discussed here are SUID, SGID and the Sticky Bit.

1. SUID

Setting: chmod u+s FILE, or numerically chmod 4777 FILE. Removing: chmod u-s FILE.

When we create a user we usually set a password. Everyone knows /etc/passwd and /etc/shadow; let's look at their permissions.

[root@zmgaosh test]# ll /etc/passwd
-rw-r--r-- 1 root root 1317 6月 20 15:16 /etc/passwd
[root@zmgaosh test]# ll /etc/shadow
---------- 1 root root 1073 6月 20 15:16 /etc/shadow

As you can see, /etc/shadow grants no permission to anyone at all. Changing a password means writing the new password into this file that nobody has permission on. If root changes a password that is understandable; but can an ordinary user change their own password?

  • No: there is no permission on the file, so only root can change the password for them
  • Yes: well, since the question is being asked, you would guess yes

Let’s try an experiment:

 
[root@zmgaosh test]# useradd gaosh
[root@zmgaosh test]# passwd gaosh
Changing password for user gaosh.
New password:
Invalid password: the password fails the dictionary check - it does not contain enough different characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@zmgaosh test]# su - gaosh
[gaosh@zmgaosh ~]$ whoami
gaosh
[gaosh@zmgaosh ~]$ passwd
Changing password for user gaosh.
Changing password for gaosh.
(current) UNIX password:      # enter your own current password first
New password:                 # enter a new password
Retype new password:
passwd: all authentication tokens updated successfully.
[gaosh@zmgaosh ~]$
[gaosh@zmgaosh ~]$ ll /usr/bin/passwd
-rwsr-xr-x 1 root root 27856 Aug  9  2019 /usr/bin/passwd

In the owner's execute position of the passwd command there is an s rather than an x.

Conclusion: if a command has the SUID bit set (shown as s), whoever executes it runs it with the identity of the command's owner.

Next, to verify this conclusion, let's repeat the experiment with a command that does not have the s permission:

  1. Check what can be done without the SUID permission
  2. Add the SUID permission and look at the result again

This time we use the more command:

[root@zmgaosh test]# ll /usr/bin/more
-rwxr-xr-x 1 root root 41112 12月 3 2019 /usr/bin/more

You can see that it does not have the SUID permission.

[root@zmgaosh test]# su - gaosh
[gaosh@zmgaosh ~]$ whoami
gaosh
[gaosh@zmgaosh ~]$ more /etc/shadow        # without SUID the file cannot be viewed
/etc/shadow: Permission denied
[gaosh@zmgaosh ~]$ exit
logout
[root@zmgaosh test]# chmod u+s /usr/bin/more
[root@zmgaosh test]# ll !$
ll /usr/bin/more
-rwsr-xr-x 1 root root 41112 12月 3 2019 /usr/bin/more   # the x bit now shows as s
[root@zmgaosh test]# su - gaosh
[gaosh@zmgaosh ~]$ whoami
gaosh
[gaosh@zmgaosh ~]$ more /etc/shadow        # now it can be viewed
root:$6$SlVomD$EBjlGVUUOnCCk.lupiqnL58ESGeVJBNCvIc7IE6LNQ9J66OEhNSvlZQvk8EJkx6laSHDeDnuVN3NnJgqZxZid.:18430:0:99999:7:::

Note that the s in the owner field sometimes appears as a capital S. If the owner has no x permission and SUID is set, the position shows S; if the owner has x and SUID is set, it shows a lowercase s.

Experimental steps:

  1. First check the permissions of an ordinary file
  2. Grant the file the s permission and check whether a capital S appears
  3. Remove the SUID permission, then grant execute permission first and the s permission after it
  4. Check whether the x position now shows a lowercase s

[root@zmgaosh test]# ll
Total amount 0
-rw-r--r-- 1 root root 0 6月 22 07:31 gaosh.txt
[root@zmgaosh test]# chmod u+s gaosh.txt
[root@zmgaosh test]# ll
Total amount 0
-rwSr--r-- 1 root root 0 6月 22 07:31 gaosh.txt
[root@zmgaosh test]# chmod u-s gaosh.txt
[root@zmgaosh test]# ll
Total amount 0
-rw-r--r-- 1 root root 0 6月 22 07:31 gaosh.txt
[root@zmgaosh test]# chmod u+x gaosh.txt
[root@zmgaosh test]# chmod u+s gaosh.txt
[root@zmgaosh test]# ll
Total amount 0
-rwsr--r-- 1 root root 0 6月 22 07:31 gaosh.txt

2. SGID (set-group identification)

SGID is similar to SUID, except that the identity taken on while the command runs is the file's group rather than its owner. It can be set on a binary executable file or on a directory.

If the SGID permission is set on a directory, a file newly created inside it inherits the owning group of that directory.

[root@zmgaosh test]# mkdir gaosh
[root@zmgaosh test]# ll -d gaosh
drwxr-xr-x 2 root root 4096 6月 22 08:20 gaosh
[root@zmgaosh test]# chmod g+s gaosh
[root@zmgaosh test]# ll
drwxr-sr-x 2 root root 4096 6月 22 08:20 gaosh
[root@zmgaosh test]# chown :gaosh gaosh      # change the owning group of the directory
[root@zmgaosh test]# ll -d gaosh
drwxr-sr-x 2 root gaosh 4096 6月 22 08:21 gaosh
[root@zmgaosh test]# cd gaosh
[root@zmgaosh gaosh]# touch test1            # check which owning group the newly created file gets
[root@zmgaosh gaosh]# ll
Total amount 0
-rw-r--r-- 1 root root 0 6月 22 08:21 test1

Note: the s of SGID is also case sensitive. If the group has no x permission, SGID shows as a capital S, just as with SUID.

3. SBIT permission (Sticky Bit)

Setting: chmod o+t

Note: This is valid for directories only

The Sticky Bit is used for shared directories. /var/tmp and /tmp are shared: all users can create files there, and can modify or execute other users' files, but only a file's owner can delete it. Once the Sticky Bit is set on a directory, only the file's owner and root can delete the files in that directory.

[root@zmgaosh gaosh]# ll -d /var/tmp
drwxrwxrwt. 4 root root 4096 6月 20 20:31 /var/tmp

The t is also case sensitive: an uppercase T means others have no x permission, a lowercase t means x is present, the same rule as for S.
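The S-versus-s and T-versus-t rule above, and the conclusion's advice to look for special bits you did not set yourself, can be checked mechanically; this shell example is added here and is not part of the original article. It turns the nine permission characters of an ls -l line into the numeric form chmod takes (SUID = 4, SGID = 2, sticky = 1 in front) and then reports every entry of a constructed listing that carries a special bit, marking a capital S or T as "bit set but no execute"; the listing is assembled from entries shown in the article's sessions.

```shell
# Added example (not from the original article): ls -l mode strings -> chmod numbers,
# plus a report of every entry carrying SUID/SGID/sticky. POSIX sh, no root needed.
# mode_to_octal PERMS -> e.g. rwxr-xr-x -> 755, rwsr-xr-x -> 4755, rwSr--r-- -> 4644
mode_to_octal() {
    m=$1                               # nine permission characters, type character removed
    [ "${#m}" -eq 9 ] || { echo "bad mode string: $m" >&2; return 1; }
    special=0; digits=""
    for who in 0 1 2; do               # 0 = owner (u), 1 = group (g), 2 = other (o)
        t=$(printf '%s' "$m" | cut -c"$((who * 3 + 1))-$((who * 3 + 3))"); n=0
        case $t in r??) n=$((n + 4));; esac
        case $t in ?w?) n=$((n + 2));; esac
        case $t in ??[xst]) n=$((n + 1));; esac   # lowercase s/t still include x
        case "$who$t" in                          # capital S/T: bit set, x missing
            0??[sS]) special=$((special + 4));;   # SUID   = 4
            1??[sS]) special=$((special + 2));;   # SGID   = 2
            2??[tT]) special=$((special + 1));;   # sticky = 1
        esac
        digits="$digits$n"
    done
    if [ "$special" -eq 0 ]; then echo "$digits"; else echo "$special$digits"; fi
}
# audit_listing < ls-l-output -> "<path> <number> <tags>" for each entry with a special bit
audit_listing() {
    while read -r mode _links owner group rest; do
        case $mode in [-dlbcps]*) ;; *) continue;; esac   # skip "total N" and blank lines
        case $mode in *[.+]) mode=${mode%?};; esac        # drop SELinux/ACL marker (drwxrwxrwt.)
        perms=${mode#?}; path=${rest##* }                 # strip type char; name is the last field
        num=$(mode_to_octal "$perms") || continue
        case $num in ????) tags="";; *) continue;; esac   # three digits: nothing special, skip
        case $perms in ??[sS]??????) tags="$tags SUID(owner=$owner)";; esac
        case $perms in ?????[sS]???) tags="$tags SGID(group=$group)";; esac
        case $perms in ????????[tT]) tags="$tags STICKY";; esac
        case $perms in *[ST]*) tags="$tags capital-S/T:bit-set-without-x";; esac
        echo "$path $num$tags"
    done
}
# Constructed sample listing, built from entries shown in the article's sessions.
sample_listing() {
    cat <<'EOF'
total 8
-rwsr-xr-x 1 root root 27856 Aug  9  2019 /usr/bin/passwd
-rwxr-xr-x 1 root root 41112 Dec  3  2019 /usr/bin/more
-rwSr--r-- 1 root root     0 Jun 22 07:31 gaosh.txt
drwxrwxrwt. 4 root root  4096 Jun 20 20:31 /var/tmp
drwxr-sr-x 2 root gaosh 4096 Jun 22 08:21 gaosh
EOF
}
run_audit() { sample_listing | audit_listing; }
run_audit
```

On a real system the same functions take the output of ls -l of any directory on standard input, so audit_listing can be pointed at the directories you maintain instead of the constructed sample.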

Conclusion:

  1. There are three ways to set the special permissions:

SUID: chmod u+s    SGID: chmod g+s    SBIT: chmod o+t
Numerically: SUID = 4, SGID = 2, SBIT = 1, so chmod 4777, chmod 2777 and chmod 1777 respectively.

If all three permissions are set at once it is chmod 7777.

  2. Remove special permissions you no longer need promptly, remove any special permission you did not set yourself, and check for backdoors.

In Linux everything is a file, and permissions are divided into normal permissions, advanced permissions and default permissions; today we covered only the normal permissions.

Remember the three objects to which permissions apply: the owner, the owning group and other users. Each object has three permissions: read, write and execute. Fully understand what u, g and o mean, and you can set permissions either with letters or with numbers.