Linux File Security
File permissions, the most basic form of security control that exists on Unix-like systems
Every file (or directory) in Linux carries access permissions, which determine who may access the file and in what way.
Linux distinguishes three classes of users, and each class has its own read, write and execute permissions.
Related concepts
User classes
In the Linux file system, users fall into three classes:
User class | Meaning | Access permissions |
---|---|---|
Owner | The user who created the file | Control the owner's access |
Group | Other users in the same group as the owner | Control group members' access |
Others | All other users on the system | Control other users' access |
Permission
Unix permissions are represented either in symbolic notation or in octal notation.
Unix has two ways of representing permissions: symbolic notation and octal (numeric) notation.
Symbolic notation
The most common form is symbolic notation as shown by ls -l.
The first character of the ls display indicates the file type and is not related to permissions.
The remaining nine characters are in three sets, each representing a class of permissions as three characters. The first set represents the user class. The second set represents the group class. The third set represents the others class.
File type | Owner permissions | Group permissions | Others' permissions |
---|---|---|---|
d | rwx | r-x | r-x |
- | rwx | rwx | rwx |
l | rwx | rwx | rwx |
Each of the three characters represents the read, write, and execute permissions:
Character position | Meaning |
---|---|
first character | r: readable, -: not readable |
second character | w: writable, -: not writable |
third character | x: executable, -: not executable; s: setuid/setgid (executable), S: setuid/setgid (not executable); t: sticky (executable), T: sticky (not executable) |
To represent the setuid, setgid and sticky bits, the executable character ('x' or '-') is modified.
For the setuid or setgid attributes, in the first or second triad, the 'x' becomes 's' and the '-' becomes 'S'.
For the sticky or text attribute, in the third triad, the 'x' becomes 't' and the '-' becomes 'T'.
Example:
ls -l myfile
-rwxr-x--- 1 foo staff 7734 Apr 05 17:07 myfile
This shows that myfile is a regular file: the owner foo has read, write and execute permission, members of the staff group have read and execute permission, and all other users have no permission at all.
Numeric notation
Another method for representing Unix permissions is an octal (base-8) notation as shown by stat -c %a.
This notation consists of at least three digits. Each of the three rightmost digits represents a different component of the permissions: owner, group, and others.
Each of these digits is the sum of its component bits in the binary numeral system. As a result, specific bits add to the sum as it is represented by a numeral:
+ The read bit adds 4 to its total (in binary 100),
+ The write bit adds 2 to its total (in binary 010), and
+ The execute bit adds 1 to its total (in binary 001).
These values never produce ambiguous combinations; each sum represents a specific set of permissions. More technically, this is an octal representation of a bit field – each bit references a separate permission, and grouping 3 bits at a time in octal corresponds to grouping these permissions by user, group, and others.
Numerical permissions
Character | Binary | Octal |
---|---|---|
r | 100 | 4 |
w | 010 | 2 |
x | 001 | 1 |
- | 000 | 0 |
Symbolic Notation | Numeric Notation | Permission |
---|---|---|
rwx | 7 | read, write and execute |
rw- | 6 | read and write |
r-x | 5 | read and execute |
r-- | 4 | read only |
-wx | 3 | write and execute |
-w- | 2 | write only |
--x | 1 | execute only |
--- | 0 | none |
Symbolic Notation | Numeric Notation | Permission |
---|---|---|
- --- --- --- | 0000 | no permissions |
- --x --x --x | 0111 | execute |
- -w- -w- -w- | 0222 | write |
- -wx -wx -wx | 0333 | write & execute |
- r-- r-- r-- | 0444 | read |
- r-x r-x r-x | 0555 | read & execute |
- rw- rw- rw- | 0666 | read & write |
- rwx rwx rwx | 0777 | read, write, & execute |
File system security
12-bit representation
File system security within UNIX and Unix-like systems is based on 9 permission bits, set user and group ID bits, and the sticky bit, for a total of 12 bits. These permissions apply almost equally to all filesystem objects such as files, directories and devices.
File system security in Unix and Unix-like systems is represented by 12 bits: 9 permission bits, the setuid and setgid bits, and the sticky bit.
+ A 1 in a bit position means the corresponding permission is granted
+ A 0 in a bit position means the corresponding permission is not granted
9 permission bits
The 9 permission bits are divided into three groups of three bits each. The first group describes the permissions of the file owner, the second group describes the permissions of a group associated with the file owner, and the third group describes the permissions associated with any process which does not have the same user ID as the file. Each group of three bits contains a bit indicating whether read, write or execute access is granted.
The 9 permission bits mirror the symbolic notation described above:
+ They are divided into three groups of three bits each.
+ The first group is the owner's permissions, the second the group's permissions, and the third the permissions of other users.
+ Within each group the three bits represent read, write and execute permission respectively.
setuid & setgid bit
The set user ID and set group ID bits are used to change the identity of the process which executes a file having either or both of those bits set. A file having the set-UID permission bit set will cause a process which executes that file to temporarily switch the effective user ID to that of the file owner. A file having the set-GID permission bit set will cause a process which executes that file to temporarily switch the effective group ID to that of the file group. A process may then alternate between the effective user or group ID which it inherited from the file and the real user or group ID which it inherited when the user logged on to the system. This provides a mechanism by which a process may limit the access rights it possesses to those code regions which require those access rights. This is a form of a security technique known as privilege separation and improves program security by limiting the unintended or undesirable actions of a process.
Setting the setuid and setgid bits changes the identity of the process that executes the file. When a file has the setuid bit set, the process executing it temporarily takes the file owner's UID as its effective UID (euid). When a file has the setgid bit set, the process executing it temporarily takes the file's group GID as its effective GID (egid). The process can then switch between the euid/egid it inherited from the file and the real uid/gid (ruid/rgid) it received at login. This gives a process a mechanism to limit its own access rights; it is a form of privilege separation and improves program security.
Because SUID and SGID only take effect when the file is executed, they are normally set together with the execute bit; setting them on a file that is merely readable or writable is meaningless. When a file has setuid or setgid set, the bit shows up in the execute position of the owner triad or the group triad respectively. Executing the file temporarily makes the process's euid or egid the file owner's UID or the file group's GID.
The chmod commands for setting SUID and SGID on a file:
chmod u+s filename    set the SUID bit
chmod u-s filename    clear the SUID bit
chmod g+s filename    set the SGID bit
chmod g-s filename    clear the SGID bit
sticky bit
In computing, the sticky bit is a user ownership access right flag that can be assigned to files and directories on Unix-like systems.
When a directory's sticky bit is set, the filesystem treats the files in such directories in a special way so only the file's owner, the directory's owner, or root user can rename or delete the file. Without the sticky bit set, any user with write and execute permissions for the directory can rename or delete contained files, regardless of the file's owner. Typically this is set on the /tmp directory to prevent ordinary users from deleting or moving other users' files.
The sticky bit is an ownership-based access flag. When a directory has the sticky bit set, a file inside it can only be deleted or renamed by that file's owner or by root. Without the sticky bit, any user can delete or rename the file. /tmp normally has the sticky bit set by default to stop ordinary users from deleting or moving other users' files.
The sticky bit is generally used on directories; on a regular file it has little meaning. Once a directory has the sticky bit set (for example /home with mode 1777), every user can create files in it but can only delete the files they created themselves (root excepted), which protects users' files in shared directories.
11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
---|---|---|---|---|---|---|---|---|---|---|---|
S | G | T | r | w | x | r | w | x | r | w | x |
+ Bit 11: setuid bit
+ Bit 10: setgid bit
+ Bit 9: sticky bit
+ Bits 8-6: owner permissions
+ Bits 5-3: group permissions
+ Bits 2-0: others' permissions
Examples
Symbolic Notation | Binary | Octal | Description |
---|---|---|---|
- rws r-x r-x | 100 111 101 101 | 4755 | setuid |
- rw- r-S r-- | 010 110 100 100 | 2644 | setgid |
- rwx rwx rwt | 001 111 111 111 | 1777 | sticky |
4-digit octal representation
The chmod command lets you specify a file's security mode as a four-digit octal number: the 12 bits are split into four groups of three, and each group of three bits is written as one octal digit.
+ 1st digit: the special execute permissions (setuid, setgid and sticky)
+ 2nd digit: owner permissions
+ 3rd digit: group permissions
+ 4th digit: others' permissions
Octal value | Purpose |
---|---|
4000 | Set user ID on execution |
2000 | Set group ID on execution |
1000 | Sticky bit |
0400 | Read by owner |
0200 | Write by owner |
0100 | Execute/search by owner |
0040 | Read by group |
0020 | Write by group |
0010 | Execute/search by group |
0004 | Read by others |
0002 | Write by others |
0001 | Execute/search by others |
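As an added example, not part of the original post, the Python below converts between the ls -l symbolic notation from the earlier section (including the s/S and t/T cases), the 12-bit mode of the bit table, and the four-digit octal form that chmod takes; it also adds the two checks a reviewer runs over a mode: setuid/setgid files that group or others can write, and world-writable directories missing the sticky bit. The function names and the audit rules are my own, not from the page.

```python
import stat

# The nine rwx bits in ls -l order (owner, group, others) and, per triad, the
# special bit the notation folds into the execute position (s/S, s/S, t/T).
_TRIADS = ((stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID),
           (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID),
           (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX))

def symbolic_to_mode(sym: str) -> int:
    """Parse ls -l permission characters ('-rwsr-xr-x' or 'rwsr-xr-x') into a 12-bit mode."""
    if len(sym) == 10:  # drop the leading file-type character (-, d, l, ...)
        sym = sym[1:]
    if len(sym) != 9:
        raise ValueError("expected 9 permission characters, got %r" % sym)
    mode = 0
    for i, (rbit, wbit, xbit, sbit) in enumerate(_TRIADS):
        r, w, x = sym[3 * i:3 * i + 3]
        lower, upper = ("s", "S") if i < 2 else ("t", "T")
        if r not in "r-" or w not in "w-" or x not in "x-" + lower + upper:
            raise ValueError("unexpected character in %r" % sym[3 * i:3 * i + 3])
        if r == "r":
            mode |= rbit
        if w == "w":
            mode |= wbit
        # Lower case (s/t) is the special bit plus x; upper case (S/T) is the
        # special bit without x, exactly as the notation table above describes.
        if x == "x":
            mode |= xbit
        elif x == lower:
            mode |= xbit | sbit
        elif x == upper:
            mode |= sbit
    return mode

def mode_to_octal(mode: int) -> str:
    """Four-digit octal form as chmod accepts it, e.g. 0o4755 -> '4755'."""
    return "%04o" % (mode & 0o7777)

def mode_to_symbolic(mode: int) -> str:
    """Inverse of symbolic_to_mode via the standard library, rendered for a regular file."""
    return stat.filemode(stat.S_IFREG | (mode & 0o7777))[1:]

def audit(mode: int, is_dir: bool = False) -> list:
    """Risky combinations a reviewer looks for in a mode (my own rules, not the page's)."""
    findings = []
    if mode & (stat.S_ISUID | stat.S_ISGID) and mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("setuid/setgid file writable by group or others")
    if is_dir and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("world-writable directory without the sticky bit")
    return findings
```

The same 12-bit integer is what os.stat() returns in st_mode (with the file-type bits added), so audit() can be run directly over a directory tree.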