Configuring scripts to run at boot on Linux && setuid & setgid

On how to run a script at boot:

Method 1:

Edit the file: /etc/rc.local

sudo vi /etc/rc.local

Add the script you want to run, or write the commands directly in rc.local. Be careful about whether rc.local's shebang is #!/bin/bash or #!/bin/sh, because that affects how the commands are executed: on some systems sh points to dash rather than bash.

If you want the system default to be bash rather than dash: sudo dpkg-reconfigure dash

#!/bin/bash
# This script is executed at the end of each multiuser runlevel
export MY_ENV_VAR=/home/guowei/robot  # add a command
/path/to/my/script.sh  # or add the script you want to run
exit 0

e.g. script.sh with the following content (best to add a shebang):

#!/bin/bash
service xxx restart  # no sudo needed
chmod 777 xxx

Method 2:

Create a script in the /etc/init.d directory, e.g. myscript.

sudo vi /etc/init.d/myscript  # any name will do

Add the commands you want to run:

#!/bin/sh
export MY_ENV_VAR=/home/guowei/robot  # add a command
/path/to/my/script.sh  # add the script you want to run

Make it executable:

chmod ugo+x /etc/init.d/myscript  # or chmod 777 /etc/init.d/myscript

Configure it to start at boot:

sudo update-rc.d myscript defaults

Or create the symbolic links by hand: sudo ln -s /etc/init.d/myscript /etc/rcX.d/ where X is your runlevel; the current runlevel can be checked with who -r (usually the link is created for every runlevel). About runlevels: 0 is halt, 1 is single-user mode, 6 is reboot, and 2-5 are the normal login runlevels.
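As an added example (not code from the original post), here is a fuller /etc/init.d/myscript in the shape that update-rc.d and insserv expect: an LSB header that names the runlevels from the paragraph above, start/stop/status actions, and a privilege drop, because anything launched from init.d or rc.local otherwise runs as root for the life of the process. It is written in POSIX sh so it behaves the same whether /bin/sh is dash or bash. DAEMON, RUN_AS and PIDFILE are assumed placeholder values.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          myscript
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Run /path/to/my/script.sh at boot as an unprivileged user
### END INIT INFO
#
# Added example, not from the original post. The LSB header above is what
# "update-rc.d myscript defaults" reads to pick the rcX.d links.
# All names below are assumptions: DAEMON is the post's placeholder path,
# RUN_AS is an unprivileged account that must exist, PIDFILE is conventional.

DAEMON=/path/to/my/script.sh
RUN_AS=svcuser
PIDFILE=/var/run/myscript.pid
export MY_ENV_VAR=/home/guowei/robot   # the environment variable from the post

do_start() {
    # start-stop-daemon ships with dpkg on Debian/Ubuntu; --chuid drops from
    # root (which init runs us as) to RUN_AS before the script is executed.
    start-stop-daemon --start --quiet --background \
        --make-pidfile --pidfile "$PIDFILE" \
        --chuid "$RUN_AS" --exec "$DAEMON"
}

do_stop() {
    start-stop-daemon --stop --quiet --pidfile "$PIDFILE" --retry 10
    rm -f "$PIDFILE"
}

do_status() {
    # LSB status codes: 0 = running, 3 = program is not running
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "running (pid $(cat "$PIDFILE"))"
        return 0
    fi
    echo "not running"
    return 3
}

usage() {
    echo "Usage: $0 {start|stop|restart|status}"
    return 2                               # LSB: 2 = invalid or excess argument
}

# Map the action word given by init/service to the function above.
dispatch() {
    case "${1-}" in
        start)   do_start ;;
        stop)    do_stop ;;
        restart) do_stop; do_start ;;
        status)  do_status ;;
        *)       usage ;;
    esac
}

# Only act when an action argument was supplied (as init and "service" do).
if [ $# -gt 0 ]; then
    dispatch "$@"
fi
```

Install it exactly as the post describes (chmod ugo+x, then sudo update-rc.d myscript defaults); the Default-Start and Default-Stop lines replace the hand-made rcX.d symlinks. Keeping the script itself root-owned and not world-writable matters, since it is executed as root at every boot.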

Method 3:

Add an Upstart job. Steps:

Create the file myjob.conf:

sudo vi /etc/init/myjob.conf

With the following content:

description     "my job"
start on startup
task
exec /path/to/my/script.sh

About setuid and setgid

First, be clear about which attributes a file has. One: ownership, i.e. whom the file belongs to. Two: whether the file is readable, writable, executable, and so on.

File ownership: owner & group
File attributes: besides rwx there are the setuid & setgid attributes (s), which mean different things for executable files and for directories.

ls -l
drwxr-xr-x 2 root root 4096  526 01:34 aa
drwxrwsr-x 4 guowei root 4096  526 01:39 bb  // user is guowei, group is root. s marks the setuid & setgid attribute, d marks a directory, rwx is read-write-execute

Changing file ownership:

sudo chown root ./bb  // change the owner
sudo chown :guowei ./aa  // change the group
ls -l
drwxr-xr-x 2 root guowei 4096  526 01:34 aa
drwxrwsr-x 4 root root 4096  526 01:39 bb  // root root

Changing attributes:

Set setuid on an executable so that other users can run it with the file owner's privileges (or setgid, to run it with the group's privileges):

sudo chmod +s ./myapp  # sets UID & GID at once; if the file's owner (or group) is root, other users can run the program with root privileges without sudo
# or
sudo chmod u+s ./myapp  # set only the UID bit

Set setgid on a directory so that new files or directories created inside it inherit the directory's group rather than the creating user's group:

sudo chmod +s ./bb  # set UID & GID
# or
sudo chmod g+s ./bb  # set only GID

ls -l
drwxr-xr-x 2 guowei root 4096  526 01:34 aa  # no setgid
drwxrwsr-x 4 guowei root 4096  526 01:39 bb  # has setgid
mkdir -p aa/aa2
mkdir -p bb/bb2
ls -l aa
drwxrwxr-x 2 guowei guowei 4096  526 01:58 aa2  # group is guowei
ls -l bb
drwxrwsr-x 2 guowei root 4096  526 01:58 bb2  # group is root rather than guowei, and the setgid bit was inherited too


How can a normal user run a program with root privileges?

Use this feature with caution: buffer overflow attacks exploit exactly this mechanism to obtain root privileges. link: http://www.cis.syr.edu/~wedu/seed/Book/book_sample_buffer.pdf

1. setuid & setgid on executable files:

SUID (Set User ID upon execution): when an executable file has been given the setuid attribute, normal users on the system who have permission to execute this file gain the privileges of the user who owns the file (commonly root) within the created process.

SGID (Set Group ID upon execution) is a special type of file permission given to a file/folder. Normally in Linux/Unix, when a program runs, it inherits the access permissions of the logged-in user. SGID temporarily grants the user the permissions of the file's group while running the program/file, as if the user were a member of that group. In simple words, users get the file group's permissions when executing a folder/file/program/command.

SGID is similar to SUID. The difference is that with SUID the process assumes the file owner's permissions, and with SGID it assumes the group's permissions when executing the file, instead of inheriting the logged-in user's permissions.

setuid lets a normal user run the file with the same privileges as its owner (executable programs only; for security reasons a bash script cannot be setuid, see "Setuid shebang"). If the file's owner is root, that user can run the program without sudo, as follows:

sudo chown root ./myapp  # myapp is now owned by root

# chmod accepts ugoa (owner, group, other, all); the default is a (all users)
sudo chmod +s ./myapp  # set user or group ID on execution (s); to clear it: chmod -s

So, the setuid and setgid bits are normally set with the command chmod by setting the high-order octal digit to 4 for setuid or 2 for setgid. “chmod 6711 file” will set both the setuid and setgid bits (4+2=6), making the file read/write/executable for the owner (7), and executable by the group (first 1) and others (second 1). When a user other than the owner executes the file, the process will run with user and group permissions set upon it by its owner. For example, if the file is owned by user root and group wheel, it will run as root:wheel no matter who executes the file.

2. setuid & setgid on directories:

The setuid and setgid flags, when set on a directory, have an entirely different meaning.

Setting the setgid permission on a directory ("chmod g+s") causes new files and subdirectories created within it to inherit its group ID, rather than the primary group ID of the user who created the file (the owner ID is never affected, only the group ID). Newly created subdirectories inherit the setgid bit (directories created inside those subdirectories inherit the same gid as well). Thus, this enables a shared workspace for a group without the inconvenience of requiring group members to explicitly change their current group before creating new files or directories. Note that setting the setgid permission on a directory only affects the group ID of new files and subdirectories created after the setgid bit is set, and is not applied to existing entities. Setting the setgid bit on existing subdirectories must be done manually, with a command such as the following:

root@foo# find /path/to/directory -type d -exec chmod g+s '{}' \;
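As an added example (not code from the original post or the linked reference), the following script covers both item 1 and item 2 above from the defender's side: it decodes the high-order octal digit that chmod 6711 sets (4 = setuid, 2 = setgid, 1 = sticky), lists the setuid/setgid files under a directory together with their owner and whether each is a script (which the kernel will not honour setuid on, as noted above) or a binary, and repeats the post's setgid-directory experiment to show that a subdirectory inherits the bit. It assumes Linux with GNU coreutils (stat -c, find -perm); every path it touches is constructed under a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Inspects the special
# permission bits the post sets with chmod +s / chmod g+s and audits a
# tree for setuid/setgid files. Assumes Linux with GNU coreutils.

# Report which special bits a path carries: "setuid", "setgid", "sticky"
# (space separated) or "none". The high-order octal digit from stat is the
# one the post describes: 4 = setuid, 2 = setgid, 1 = sticky (chmod 6711).
special_bits() {
    mode=$(stat -c '%a' "$1")         # e.g. "4755", or "755" with no special bit
    if [ ${#mode} -eq 4 ]; then
        high=${mode%???}              # keep only the leading digit
    else
        high=0
    fi
    out=""
    [ $((high & 4)) -ne 0 ] && out="$out setuid"
    [ $((high & 2)) -ne 0 ] && out="$out setgid"
    [ $((high & 1)) -ne 0 ] && out="$out sticky"
    if [ -n "$out" ]; then
        printf '%s\n' "${out# }"
    else
        printf 'none\n'
    fi
}

# True when the file starts with "#!": the kernel ignores setuid/setgid on
# interpreted scripts, so a setuid script is a misconfiguration worth flagging.
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# List regular files under a directory that have setuid or setgid set, with
# owner:group, the bits found, and whether the file is a script or a binary.
# -xdev stays on one filesystem, so "suid_report /" does not wander into /proc.
suid_report() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        bits=$(special_bits "$f")
        owner=$(stat -c '%U:%G' "$f")
        if is_script "$f"; then
            note="script: setuid is not honoured by the kernel"
        else
            note="binary"
        fi
        printf '%s\t%s\t%s\t%s\n' "$f" "$owner" "$bits" "$note"
    done
}

# Repeat the post's directory experiment: mark a fresh directory setgid,
# create a subdirectory inside it, and report the subdirectory's special bits.
# Prints "setgid", showing the bit is inherited along with the group ID.
setgid_dir_demo() {
    tmpd=$(mktemp -d)
    chmod g+s "$tmpd"                 # the post's: chmod g+s ./bb
    mkdir "$tmpd/sub"                 # the post's: mkdir -p bb/bb2
    special_bits "$tmpd/sub"
    rm -rf "$tmpd"
}

# Run "sh this.sh audit /usr/bin" to list the setuid/setgid files there.
if [ "${1-}" = "audit" ]; then
    suid_report "${2:-/usr/bin}"
fi
```

The audit is the check to run after any chmod +s: the report should contain only the binaries you expect, owned by the account you expect, and no scripts. Re-running it periodically and diffing against a saved copy is a cheap way to notice a new setuid binary appearing on a host.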

ref link: http://www.linuxnix.com/suid-set-suid-linuxunix/
