Though we usually see an octal permission mask expressed as a three-digit number, it is more technically correct to express it in four digits. Why? Because, in addition to read, write, and execute permissions, there are some other, less-used permission settings.
The first of these is the setuid bit (octal 4000). When applied to an execut-able file, it sets the effective user ID from that of the real user (the user actually running the program) to that of the program’s owner. Most often this is given to a few programs owned by the superuser. When an ordinary user runs a pro-gram that is setuid root, the program runs with the effective privileges of thesuperuser. This allows the program to access files and directories that an ordinary user would normally be prohibited from accessing. Clearly, because this raises security concerns, the number of setuid programs must be held to an absolute minimum.
The second less-used setting is the setgid bit (octal 2000). This, like the setuid bit, changes the effective group ID from that of the real group ID of the user to that of the file owner. If the setgid bit is set on a directory, newly created files in the directory will be given the group ownership of the directory rather the group ownership of the file’s creator. This is useful in a shared directory when mem-bers of a common group need access to all the files in the directory, regardless of the file owner’s primary group.
The third is called the sticky bit (octal 1000). This is a holdover from ancient Unix, where it was possible to mark an executable file as “not swap-pable.” On files, Linux ignores the sticky bit, but if applied to a directory, it pre-vents users from deleting or renaming files unless the user is either the owner of the directory, the owner of the file, or the superuser. This is often used to control access to a shared directory, such as /tmp.
Here are some examples of using chmod with symbolic notation to set these special permissions.
The first of these is the setuid bit (octal 4000). When applied to an execut-able file, it sets the effective user ID from that of the real user (the user actually running the program) to that of the program’s owner. Most often this is given to a few programs owned by the superuser. When an ordinary user runs a pro-gram that is setuid root, the program runs with the effective privileges of thesuperuser. This allows the program to access files and directories that an ordinary user would normally be prohibited from accessing. Clearly, because this raises security concerns, the number of setuid programs must be held to an absolute minimum.
The second less-used setting is the setgid bit (octal 2000). This, like the setuid bit, changes the effective group ID from that of the real group ID of the user to that of the file owner. If the setgid bit is set on a directory, newly created files in the directory will be given the group ownership of the directory rather the group ownership of the file’s creator. This is useful in a shared directory when mem-bers of a common group need access to all the files in the directory, regardless of the file owner’s primary group.
The third is called the sticky bit (octal 1000). This is a holdover from ancient Unix, where it was possible to mark an executable file as “not swap-pable.” On files, Linux ignores the sticky bit, but if applied to a directory, it pre-vents users from deleting or renaming files unless the user is either the owner of the directory, the owner of the file, or the superuser. This is often used to control access to a shared directory, such as /tmp.
Here are some examples of using chmod with symbolic notation to set these special permissions.
First, assign setuid to a program:
chmod u+s program
Next, assign setgid to a directory:
chmod g+s dir
chmod u+s program
Next, assign setgid to a directory:
chmod g+s dir
Finally, assign the sticky bit to a directory:
chmod +t dir
By viewing the output from ls, you can determine the special permissions.
Here are some examples. First, a program that is setuid:
-rwsr-xr-x
Now, a directory that has the setgid attribute:
drwxrwsr-x
Finally, a directory with the sticky bit set:
drwxrwxrwt
chmod +t dir
By viewing the output from ls, you can determine the special permissions.
Here are some examples. First, a program that is setuid:
-rwsr-xr-x
Now, a directory that has the setgid attribute:
drwxrwsr-x
Finally, a directory with the sticky bit set:
drwxrwxrwt
559
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
