注: 机翻,未校。
Special File Permissions in Linux: SUID, GUID and Sticky Bit
You see an s instead of x in the file permissions? Linux has some special file permissions called SUID, GUID and Sticky Bit. Know more about them.
在文件权限中看到 s 而不是 x?Linux 有一些特殊的文件权限,称为 SUID、GUID 和 Sticky Bit。
File permissions and ownership are the basic and yet essential security concepts in Linux. You probably are already familiar with these terms already. It typically looks like this:
文件权限和所有权是 Linux 中基本但必不可少的安全概念。可能已经熟悉这些术语。它通常看起来像这样:
Regular file permissions
Apart from these regular permissions, there are a few special file permissions and not many Linux users are aware of it.
除了这些常规权限外,还有一些特殊的文件权限,并且没有多少 Linux 用户知道它。
Linux Special Permissions: SUID, GUID and Sticky Bit
To start talking about of special permissions, I am going to presume that you have some knowledge of the basic file permissions. If not, please read our excellent guide explaining Linux file permission.
在开始讨论特殊权限之前,假设对基本文件权限有一定的了解。
Now I’m gonna show you some special permissions with new letters on the Linux file system.
现在,将展示 Linux 文件系统上带有新字母的一些特殊权限。
In this example, the passwd command, responsible to change the password of a user, has the letter s on the same place we expect to see x or -, for user permissions. It’s important to notice that this file belongs to the root user and root group.
在此示例中,负责更改用户密码的 passwd 命令在期望看到的 x 或 - 的同一位置具有字母 s,用于用户权限。请务必注意,此文件属于 root 用户和 root 组。
With this permission, you don’t need to give sudo access to a specific user when you want him to run some root script.
通过这种权限设置,无需给予特定用户 sudo 访问权限,就可以让他运行一些以 root 身份执行的脚本。
What is SUID?
When the SUID bit is set on an executable file, this means that the file will be executed with the same permissions as the owner of the executable file.
当在可执行文件上设置 SUID 位时,这意味着将以与可执行文件所有者相同的权限执行该文件。
Let’s take a practical example. If you look at the binary executable file of the passwd command, it has the SUID bit set.
让举一个实际的例子。如果查看 passwd 命令的二进制可执行文件,它会设置了 SUID 位。
linux:~$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
This means that any user running the passwd command will be running it with the same permission as root.
这意味着任何运行 passwd 命令的用户都将以与 root 相同的权限运行它。
What’s the benefit? The passwd command needs to edit files like /etc/passwd, /etc/shadow to change the password. These files are owned by root and can only be modified by root. But thanks to the setuid flag (SUID bit), a regular user will also be able to modify these files (that are owned by root) and change his/her password.
有什么好处?passwd 命令需要编辑 /etc/passwd、/etc/shadow 等文件以更改密码。这些文件归 root 所有,只能由 root 修改。但是多亏了 setuid 标志(SUID 位),普通用户也将能够修改这些文件(由 root 拥有)并更改他/她的密码。
This is the reason why you can use the passwd command to change your own password despite of the fact that the files this command modifies are owned by root.
这就是为什么可以使用 passwd 命令更改自己的密码的原因,尽管此命令修改的文件归 root 所有。
Why can a normal user not change the password of other users?
Note that a normal user can’t change passwords for other users, only for himself/herself. But why? If you can run the passwd command as a regular user with the same permissions as root and modify the files like /etc/passwd, why can you not change the password of other users?
请注意,普通用户不能为其他用户更改密码,只能为自己更改密码。但是为什么?如果可以以与root相同权限的普通用户身份运行passwd命令并修改/etc/passwd之类的文件,为什么不能更改其他用户的密码?
If you check the code for the passwd command, you’ll find that it checks the UID of the user whose password is being modified with the UID of the user that ran the command. If it doesn’t match and if the command wasn’t run by root, it throws an error.
如果检查 passwd 命令的代码,会发现它会检查密码正在修改的用户的 UID 与运行命令的用户的 UID 一起检查。如果它不匹配,并且如果命令不是由 root 运行的,则会引发错误。
The setuid/SUID concept is tricky and should be used with utmost cautious otherwise you’ll leave security gaps in your system. It’s an essential security concept and many commands (like ping command and programs (like sudo) utilize it.
setuid/SUID 概念很棘手,应非常谨慎地使用,否则会在系统中留下安全漏洞。这是一个基本的安全概念,许多命令(如 ping 命令)和程序(如 sudo)都使用它。
Now that you understand the concept SUID, let’s see how to set the SUID bit.
现在已经了解了 SUID 的概念,让看看如何设置 SUID 位。
How to set SUID bit?
I find the symbolic way easier while setting SUID bit. You can use the chmod command in this way:
发现在设置 SUID 位时,符号方式更容易。可以通过以下方式使用 chmod 命令:
chmod u+s file_name
Here’s an example: 下面是一个示例:
linux:~$ ls -l test.txt
-rwxrw-rw- 1 linuxhandbook linuxhandbook 0 Apr 12 17:51 test.txt
linux:~$ chmod u+s test.txt
linux:~$ ls -l test.txt
-rwsrw-rw- 1 linuxhandbook linuxhandbook 0 Apr 12 17:52 test.txt
You can also use the numeric way. You just need to add a fourth digit to the normal permissions. The octal number used to set SUID is always 4.
也可以使用数字方式。只需要在正常权限中添加第四位数字即可。用于设置 SUID 的八进制数始终为 4。
linux:~$ ls -l test2.txt
-rwxrw-rw- 1 linuxhandbook linuxhandbook 0 Apr 12 17:53 test2.txt
linux:~$ chmod 4766 test2.txt
linux:~$ ls -l test2.txt
-rwsrw-rw- 1 linuxhandbook linuxhandbook 0 Apr 12 17:54 test2.txt
How to remove SUID?
You can use either the symbolic mode in chmod command like this:
可以在 chmod 命令中使用符号模式,如下所示:
chmod u-s test.txt
Or, use the numeric way with 0 instead of 4 with the permissions you want to set:
或者,使用带有 0 而不是 4 的数字方式来设置要设置的权限:
chmod 0766 test2.txt
Difference between small s and capital S as SUID bit
Remember the definition of SUID? It allows a file to be executed with the same permissions as the owner of the file.
还记得SUID的定义吗?它允许使用与文件所有者相同的权限执行文件。
But what if the file doesn’t have execute bit set in the first place? Like this:
但是,如果文件一开始就没有设置执行位怎么办?喜欢这个:
linux:~$ ls -l test.txt
-rw-rw-rw- 1 linuxhandbook linuxhandbook 0 Apr 12 17:51 test.txt
If you set the SUID bit, it will show a capital S, not small s:
如果设置 SUID 位,它将显示大写字母 S,而不是小 s:
linux:~$ chmod u+s test.txt
linux:~$ ls -l test.txt
-rwSrw-rw- 1 linuxhandbook linuxhandbook 0 Apr 12 17:52 test.txt
The S as SUID flag means there is an error that you should look into. You want the file to be executed with the same permission as the owner but there is no executable permission on the file. Which means that not even the owner is allowed to execute the file and if file cannot be executed, you won’t get the permission as the owner. This fails the entire point of setting the SUID bit.
S as SUID 标志表示存在应调查的错误。希望以与所有者相同的权限执行文件,但该文件没有可执行权限。这意味着甚至连所有者都不允许执行该文件,如果文件无法执行,将无法获得作为所有者的权限。这无法满足设置 SUID 位的全部意义。
How to find all files with SUID set?
If you want to search files with this permission, use find command in the terminal with option -perm.
如果要使用此权限搜索文件,请在终端中使用带有 -perm 选项的 find 命令。
find / -perm /4000
What is SGID?
SGID is similar to SUID. With the SGID bit set, any user executing the file will have same permissions as the group owner of the file.
SGID类似于SUID。设置了 SGID 位后,执行文件的任何用户都将具有与文件组所有者相同的权限。
It’s benefit is in handling the directory. When SGID permission is applied to a directory, all sub directories and files created inside this directory will get the same group ownership as main directory (not the group ownership of the user that created the files and directories).
它的好处是处理目录。当将 SGID 权限应用于目录时,在此目录中创建的所有子目录和文件将获得与主目录相同的组所有权(而不是创建文件和目录的用户的组所有权)。
Open your terminal and check the permission on the file /var/local:
打开终端并检查文件 /var/local 的权限:
linux:~$ ls -ld /var/local
drwxrwsr-x 1 root staff 512 Apr 24 2018 /var/local
This folder /var/local has the letter s on the same place you expect to see x or - for group permissions.
此文件夹 /var/local 的同一位置包含字母“s”,希望看到组权限的“x”或“-”。
A practical example of SGID is with Samba server for sharing files on your local network. It’s guaranteed that all new files will not lose the permissions desired, no matter who created it.
SGID的一个实际例子是与Samba服务器一起使用,用于在本地网络上共享文件。可以保证所有新文件都不会丢失所需的权限,无论它是由谁创建的。
How to set SGID?
You can set the SGID bit in symbolic mode like this:
可以像这样在符号模式下设置 SGID 位:
chmod g+s directory_name
Here’s an example: 下面是一个示例:
linux:~$ ls -ld folder/
drwxrwxr-x 2 linuxhandbook linuxhandbook 4096 Apr 12 19:32 folder/
linux:~$ chmod g+s folder
linux:~$ ls -ld folder/
drwxrwsr-x 2 linuxhandbook linuxhandbook 4096 Apr 12 19:32 folder/
You may also use the numeric way. You just need to add a fourth digit to the normal permissions. The octal number used to SGID is always 2.
也可以使用数字方式。只需要在正常权限中添加第四位数字即可。用于 SGID 的八进制数始终为 2。
linux:~$ ls -ld folder2/
drwxrwxr-x 2 linuxhandbook linuxhandbook 4096 Apr 12 19:33 folder2/
linux:~$ chmod 2775 folder2
linux:~$ ls -ld folder2/
drwxrwsr-x 2 linuxhandbook linuxhandbook 4096 Apr 12 19:33 folder2/
How to remove SGID bit?
Just use the -s instead of +s like this:
只需使用 -s 而不是 +s,如下所示:
chmod g-s folder
Removing SGID is the same as removing SGID. Use the additional 0 before the permissions you want to set:
删除 SGID 与删除 SGID 相同。在要设置的权限之前使用额外的 0:
chmod 0755 folder
How to find files with SGID set in Linux
To find all the files with SGID bit set, use this command:
要查找设置了 SGID 位的所有文件,请使用以下命令:
find . -perm /2000
What is a Sticky Bit?
The sticky bit works on the directory. With sticky bit set on a directory, all the files in the directory can only be deleted or renamed by the file owners only or the root.
粘滞位在目录上工作。在目录上设置粘滞位时,目录中的所有文件只能由文件所有者或根用户删除或重命名。
This is typically used in the /tmp directory that works as the trash can of temporary files.
这通常在 /tmp 目录中使用,该目录充当临时文件的垃圾桶。
linux:~$ ls -ld /tmp
drwxrwxrwt 1 root root 512 Apr 12 13:24 /tmp
As you can see, the folder /tmp, has the letter t on the same place we expect to see x or – for others permissions. This means that a user (except root) cannot delete the temporary files created by other users in the /tmp directory.
如所见,文件夹 /tmp 在希望看到 x 或 – 的同一位置上有字母 t,用于其他权限。这意味着用户(root 除外)无法删除其他用户在 /tmp 目录中创建的临时文件。
How to set the sticky bit? 如何设置粘滞位?
As always, you can use both symbolic and numeric mode to set the sticky bit in Linux.
与往常一样,可以在 Linux 中使用符号和数字模式来设置粘滞位。
chmod +t my_dir
Here’s an example: 下面是一个示例:
linux:~$ ls -ld my_dir/
drwxrwxr-x 2 linuxhandbook linuxhandbook 4096 Apr 12 19:54 my_dir/
linux:~$ chmod +t my_dir/
linux:~$ ls -ld my_dir/
drwxrwxr-t 2 linuxhandbook linuxhandbook 4096 Apr 12 19:54 my_dir/
The numeric way is to add a fourth digit to the normal permissions. The octal number used for sticky bit is always 1.
数字方式是在正常权限上添加第四位数字。用于粘滞位的八进制数始终为 1。
linux:~$ ls -ld my_dir/
drwxrwxr-x 2 linuxhandbook linuxhandbook 4096 Apr 12 19:55 my_dir/
linux:~$ chmod 1775 tmp2/
linux:~$ ls -ld tmp2/
drwxrwxr-t 2 linuxhandbook linuxhandbook 4096 Apr 12 19:55 my_dir/
How to remove the sticky bit: 如何去除粘性钻头:
You can use the symbolic mode:
可以使用符号模式:
chmod -t my_dir
Or the numeric mode with 0 before the regular permissions:
或者常规权限前加 0 的数字模式:
chmod 0775 tmp2
How to find files with sticky bit set in Linux 如何在 Linux 中查找设置了粘滞位的文件
This command will return all files/directories in with sticky bit set:
此命令将返回设置了粘滞位的所有文件/目录:
linux:~$ find . -perm /1000
If the directory doesn’t have the execute permission set for all, setting a sticky bit will result in showing T instead of t. An indication that things are not entirely correct with the sticky bit.
如果目录没有为所有目录设置执行权限,则设置粘滞位将导致显示 T 而不是 t。表明粘性位的情况并不完全正确。
Conclusion 结论
I’ll put this picture here to recall what you have just learned:
把这张图片放在这里,是为了回忆你刚刚学到的东西:
This flexibility to manage folders, files and all their permissions are so important in the daily work of a sysadmin. You could see that all those special permissions are not so difficult to understand but they must be used with utmost caution.
这种管理文件夹、文件及其所有权限的灵活性在系统管理员的日常工作中非常重要。可以看到,所有这些特殊权限并不难理解,但必须非常谨慎地使用它们。
via:
-
What is SUID, GUID and Sticky Bit in Linux? How to Use Them? Sep 15, 2022 — Abhishek Prakash
https://linuxhandbook.com/suid-sgid-sticky-bit/
