Linux privilege management (3): set uid permission, set GID permission, sticky bit permission, chattr permission

Time: 2021-3-17

suid, sgid and sbit permissions are extremely unsafe; they are covered here for learning only. Try not to set these permissions in a production environment!

1、 Set uid permission (suid permission)

1. Restrictions and functions of set uid permission

  • Only executable binaries can have suid permission (it has no effect on ordinary shell scripts)
  • The command executor must have execute (x) permission on the program
  • While the program runs, the executor takes on the identity of the program file's owner (the owner's identity is "attached" to the process for the duration of the execution)
  • suid permission is only in effect while the program is executing

2. How to set uid permission

chmod 4755 filename

chmod +x,u+s filename

TIPS

  1. The default umask is 0022; its first digit is the special-permission digit. When permissions are entered as 755 or 644, that leading digit is simply omitted (it is 0).
  2. Adding a leading 4 represents suid permission.
  3. When a file has set uid permission, the owner's permission column shows rws.
  4. To set set uid permission the owner must have execute (x) permission on the file; otherwise the owner column shows rwS, which is set but not effective.

example

[root/tmp/suid]# touch 4755.sh
[root/tmp/suid]# touch u+s.sh
[root/tmp/suid]# ll
total 4.0K
-rw-r--r-- 1 root 0 June 8 09:22 4755.sh
-rw-r--r-- 1 root 0 June 8 09:22 u+s.sh

[root/tmp/suid]# chmod 4755 4755.sh
[root/tmp/suid]# chmod +x,u+s u+s.sh
[root/tmp/suid]# ll
total 4.0K
-rwsr-xr-x 1 root 0 June 8 09:22 4755.sh*
-rwsr-xr-x 1 root 0 June 8 09:22 u+s.sh*

3. How to cancel set uid permission

chmod 0755 filename

chmod u-s filename

example

[root/tmp/suid]# ll
total 4.0K
-rwsr-xr-x 1 root 0 June 8 09:22 4755.sh*
-rwsr-xr-x 1 root 0 June 8 09:22 u+s.sh*

[root/tmp/suid]# chmod 0755 4755.sh

[root/tmp/suid]# chmod u-s u+s.sh

[root/tmp/suid]# ll
total 4.0K
-rwxr-xr-x 1 root 0 June 8 09:22 4755.sh*
-rwxr-xr-x 1 root 0 June 8 09:22 u+s.sh*

4. System commands that use suid permission

The passwd command

  • What passwd actually modifies is the /etc/shadow file, whose permissions are 000; in theory only root should be able to modify it.
[root/tmp/suid]# ll /etc/shadow
---------- 1 root 829 June 8 02:21 /etc/shadow
  • passwd has suid permission, so when an ordinary user runs passwd the identity is automatically switched to root; that is why ordinary users can change their own password.
[root/tmp/suid]# ll /usr/bin/passwd
-rwsr-xr-x. 1 root 28K June 10 2014 /usr/bin/passwd*

Other common commands (files) with suid permission

find / -perm -4000
/usr/bin/mount
/usr/bin/su
/usr/bin/chsh
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/sudo
/usr/bin/passwd
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/sbin/mount.nfs

5. Dangers of set uid

  • Write permission on key directories such as / and /usr must be strictly controlled.
  • Make a list of the files that carry set uid permission by default on the system, and regularly check whether any other file has been given set uid permission.

View all files with suid or sgid permissions

find / -type f \( -perm -4000 -o -perm -2000 \)

Script for checking suid and sgid permissions

#!/bin/bash
# Find suid/sgid regular files and report those that are not in the baseline list /home/suid.log
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null > /tmp/setuid.check

while read -r i
    do
        # -F: literal match, -x: whole line, so /usr/bin/su does not also match /usr/bin/sudo
        grep -Fxq "$i" /home/suid.log

        if [ "$?" != "0" ]
            then
            echo "$i isn't in listfile!" >> "/home/suid_log_$(date +%F)"
        fi
    done < /tmp/setuid.check

rm -f /tmp/setuid.check
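As an added example (not code from the original post), here is a Python equivalent of the check above that also records the mode of each file, so a changed mode is reported as well as a new file. The BASELINE dictionary is constructed for illustration: the page's own listing gives passwd as 4755, the modes of su and sudo are assumed, and scan_temp_sample() builds a throwaway directory so the scanner can be exercised without walking /. All function names are my own.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Bits this audit cares about: set-user-ID and set-group-ID.
SPECIAL = stat.S_ISUID | stat.S_ISGID

# Constructed baseline (the "listfile"): the page's listing shows passwd as 4755;
# the modes of su and sudo are assumed, not taken from the page.
BASELINE = {
    "/usr/bin/passwd": 0o4755,
    "/usr/bin/su": 0o4755,
    "/usr/bin/sudo": 0o4111,
}


def scan_special(root: str) -> Dict[str, int]:
    """Return {path: permission bits} for every regular file under root that
    has suid or sgid set. lstat() never follows symlinks; entries that cannot
    be read are skipped instead of aborting the scan."""
    found: Dict[str, int] = {}
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & SPECIAL:
                found[path] = stat.S_IMODE(st.st_mode)
    return found


def compare_with_baseline(current: Dict[str, int],
                          baseline: Dict[str, int]) -> Dict[str, List[str]]:
    """Diff a scan against the approved list: files that gained a special bit,
    files that lost it (or vanished), and files whose mode no longer matches."""
    return {
        "new": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "changed": sorted(p for p in current
                          if p in baseline and current[p] != baseline[p]),
    }


def report_lines(current: Dict[str, int], baseline: Dict[str, int]) -> List[str]:
    """Findings in the same spirit as the page's shell script, one line each."""
    diff = compare_with_baseline(current, baseline)
    lines = [f"{p} ({oct(current[p])}) isn't in listfile!" for p in diff["new"]]
    lines += [f"{p} mode changed: {oct(baseline[p])} -> {oct(current[p])}"
              for p in diff["changed"]]
    lines += [f"{p} no longer has suid/sgid or is missing" for p in diff["removed"]]
    return lines


def scan_temp_sample() -> Dict[str, int]:
    """Self-contained demo: a throwaway tree with one 755 script and one 4755
    script (like the page's 4755.sh), scanned with scan_special().
    Returns {basename: mode} so the result does not depend on the temp path."""
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "plain.sh")
        setuid = os.path.join(tmp, "4755.sh")
        for p in (plain, setuid):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")
        os.chmod(plain, 0o755)
        os.chmod(setuid, 0o4755)
        return {os.path.basename(p): m for p, m in scan_special(tmp).items()}


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for line in report_lines(scan_special(root), BASELINE):
        print(line)
```

Run it as root with a directory argument (or none, for the whole filesystem) and feed the output to the same dated log the shell script uses; keeping modes in the baseline is what catches a 4755 silently becoming 4777.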

2、 Set GID permission (sgid permission)

1. Function of set GID on files

  • Only executable binaries can have sgid permission
  • The command executor must have execute (x) permission on the program
  • While the program runs, the executor's group identity is raised to the group of the program file
  • set GID permission is only in effect while the program is executing

2. Function of set GID on a directory

  • Ordinary users must have r and x permission on the directory to enter it.
  • Inside the directory, the effective group of an ordinary user becomes the group that owns the directory.
  • If ordinary users have w permission, the default group of any new file they create is the group of the directory.

3. Set gid

chmod 2755 filename

chmod +x,g+s filename

TIPS

  1. Adding a leading 2 represents sgid permission.
  2. When a file has sgid permission, the permission column of the file's group shows rws.
  3. To set sgid permission the group must have execute (x) permission on the file; otherwise the group column shows rwS, which is set but not effective.

example

  • Create a new file; it has no execute (x) permission, so if sgid is set directly the group column becomes r-S, which is not effective
[root/tmp/sgid]# touch file
[root/tmp/sgid]# chmod g+s file

[root/tmp/sgid]# ll
total 0
-rw-r-Sr-- 1 root 0 June 8 10:44 file
  • Add execute permission to the file and it becomes a normal sgid permission
[root/tmp/sgid]# chmod +x file

[root/tmp/sgid]# ll
total 0
-rwxr-sr-x 1 root 0 June 8 10:44 file*
  • Create a directory dir and change its permissions to 2777 (so that ordinary users can create files in it)
[root/tmp/sgid]# chmod 2777 dir/
[root/tmp/sgid]# ll
total 0
drwxrwsrwx 2 root June 8 10:48 dir/
  • Switch to the ordinary user vagrant and create a file in dir. The file belongs to the root group
[vagrant/tmp/sgid/dir]$ touch file
[vagrant/tmp/sgid/dir]$ ll
total 0
-rw-rw-r-- 1 vagrant root 0 June 8 10:52 file

4. Cancel set gid

chmod 0755 filename

chmod g-s filename

example

  • chmod 0755 filename works on files but not on directories: GNU chmod keeps a directory's setuid/setgid bits unless they are cleared explicitly (a five-digit mode such as 00755, or g-s)
[root/tmp/sgid]# ll
total 0
drwxrwsrwx 2 root June 8 10:48 dir/
-rwxr-sr-x 1 root 0 June 8 10:44 file*

[root/tmp/sgid]# chmod 0755 dir/
[root/tmp/sgid]# chmod 0755 file

[root/tmp/sgid]# ll
total 0
drwxr-sr-x 2 root 17 June 8 10:52 dir/
-rwxr-xr-x 1 root 0 June 8 10:44 file*
  • chmod g-s filename works on both files and directories
[root/tmp/sgid]# ll
total 0
drwxrwsrwx 2 root 6 June 8 10:57 dir/
-rwxr-sr-x 1 root 0 June 8 10:44 file*

[root/tmp/sgid]# chmod g-s dir/
[root/tmp/sgid]# chmod g-s file

[root/tmp/sgid]# ll
total 0
drwxrwxrwx 2 root 6 June 8 10:57 dir/
-rwxr-xr-x 1 root 0 June 8 10:44 file*

5. System commands that use sgid permission

The locate command

  • What locate actually queries is the /var/lib/mlocate/mlocate.db file, whose permissions are 640; in theory ordinary users cannot read it.
[root/tmp/sgid]# ll /var/lib/mlocate/mlocate.db
-rw-r----- 1 root slocate 2.4M June 8 03:20 /var/lib/mlocate/mlocate.db
  • locate has sgid permission, so when an ordinary user runs locate the group identity is automatically switched to slocate, and the slocate group has read permission on /var/lib/mlocate/mlocate.db; that is why ordinary users can search for files with locate.
[vagrant/tmp/sgid/dir]$ ll /usr/bin/locate
-rwx--s--x 1 root slocate 40K April 11 03:46 /usr/bin/locate*

Other common commands (files) with sgid permissions


find / -perm -2000
/usr/bin/wall
/usr/bin/lockfile
/usr/bin/write
/usr/bin/ssh-agent
/usr/bin/locate
/usr/sbin/netreport
/usr/sbin/sendmail.sendmail
/usr/libexec/utempter/utempter
/usr/libexec/openssh/ssh-keysign

3、 Sticky bit (sbit permission)

1. Function of sbit

  • The sticky bit is currently only valid for directories
  • Ordinary users with w and x permission on such a directory can write to it, that is, create files in it
  • Without the sticky bit, because ordinary users have w permission they can delete any file in the directory, including files created by other users. Once the directory has the sticky bit, only root can still delete every file; an ordinary user with w permission can only delete the files they created themselves, not files created by other users

It is not recommended to manually create a directory with sbit
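The deletion rule described above can be written down as a small decision function. This is an added example, not part of the original post: the user and group ids (root = 0, vagrant = 1000) are constructed for the page's /tmp scenario, the function names are my own, and the CAP_FOWNER capability that really governs the bypass is simplified to "the caller is root".

```python
import stat

ROOT_UID = 0  # root (strictly, CAP_FOWNER) bypasses the sticky-bit check


def can_write_and_search(dir_mode: int, dir_uid: int, dir_gid: int,
                         uid: int, gids: set) -> bool:
    """Does the caller have both w and x on the directory? The triad is chosen
    as the kernel does: owner if the uid matches, else group if the directory's
    gid is one of the caller's groups, else others."""
    if uid == ROOT_UID:
        return True
    if uid == dir_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return dir_mode & need == need


def may_unlink(dir_mode: int, dir_uid: int, dir_gid: int,
               file_uid: int, uid: int, gids: set) -> bool:
    """Can the caller remove (or rename away) an entry owned by file_uid?
    Without the sticky bit, w+x on the directory is enough for any entry.
    With the sticky bit, the caller must additionally own the entry or the
    directory itself."""
    if uid == ROOT_UID:
        return True
    if not can_write_and_search(dir_mode, dir_uid, dir_gid, uid, gids):
        return False
    if dir_mode & stat.S_ISVTX:
        return uid in (file_uid, dir_uid)
    return True


# Constructed ids for the page's scenario: /tmp is drwxrwxrwt root:root,
# test.md belongs to root, vagrant is an ordinary user.
ROOT, VAGRANT = 0, 1000


def tmp_scenario() -> dict:
    """Reproduce the page's /tmp example, plus the same directory without sbit."""
    tmp_sticky, tmp_plain = 0o1777, 0o0777
    return {
        "vagrant rm root's test.md in /tmp":
            may_unlink(tmp_sticky, ROOT, ROOT, ROOT, VAGRANT, {VAGRANT}),
        "vagrant rm own file in /tmp":
            may_unlink(tmp_sticky, ROOT, ROOT, VAGRANT, VAGRANT, {VAGRANT}),
        "vagrant rm root's file in a 777 dir without sbit":
            may_unlink(tmp_plain, ROOT, ROOT, ROOT, VAGRANT, {VAGRANT}),
        "root rm vagrant's file in /tmp":
            may_unlink(tmp_sticky, ROOT, ROOT, VAGRANT, ROOT, {ROOT}),
    }


if __name__ == "__main__":
    for case, allowed in tmp_scenario().items():
        print(f"{case}: {'allowed' if allowed else 'Operation not permitted'}")
```

The third case is the one the sticky bit exists for: a world-writable directory without it lets any user remove anyone else's files.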

2. Set sbit

chmod 1755 directoryname

chmod o+t directoryname

TIPS

  1. Adding a leading 1 represents sbit permission.
  2. When a directory has sbit permission, the permission column for others shows rwt (rwT when others lack x)
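One block, added here and not part of the original post, covers the TIPS of the suid, sgid and sbit sections together: it uses Python's stat.filemode() to turn a 4-digit chmod mode into the ls -l column, flags the ineffective upper-case S/T forms the TIPS warn about, and converts an ls -l column back to the digits so a listing can be compared with an expected mode. The function names are my own.

```python
import stat

# Each special bit, the execute bit it pairs with in the ls -l column, and the
# letter ls shows: lower-case when that execute bit is present, upper-case when not.
SPECIAL_BITS = (
    ("suid", stat.S_ISUID, stat.S_IXUSR, "s"),
    ("sgid", stat.S_ISGID, stat.S_IXGRP, "s"),
    ("sbit", stat.S_ISVTX, stat.S_IXOTH, "t"),
)


def describe_mode(mode_octal: str, is_dir: bool = False) -> dict:
    """Decode a 4-digit octal mode as typed into chmod (e.g. "4755") into the
    ls -l column and, per special bit, whether it is set and effective."""
    bits = int(mode_octal, 8)
    ftype = stat.S_IFDIR if is_dir else stat.S_IFREG
    info = {"symbolic": stat.filemode(ftype | bits)}
    for name, special, exec_bit, letter in SPECIAL_BITS:
        if not bits & special:
            info[name] = "not set"
        elif bits & exec_bit:
            info[name] = f"set, shown as '{letter}' (effective)"
        else:
            info[name] = (f"set, shown as '{letter.upper()}' "
                          "(no execute bit, ineffective on a file)")
    return info


def chmod_digits(symbolic: str) -> str:
    """Reverse direction: turn an ls -l column such as -rwsr-xr-x back into
    the 4-digit mode (4755). A trailing '.' or '+' from ls is ignored."""
    perms = symbolic[1:10]
    special = 0
    value = 0
    for idx, ch in enumerate(perms):
        triad = idx // 3            # 0 owner, 1 group, 2 others
        if ch in "sStT":
            special |= 4 >> triad   # 4 = suid, 2 = sgid, 1 = sticky
            if ch in "st":          # lower-case also carries the execute bit
                value |= 1 << (8 - idx)
        elif ch != "-":
            value |= 1 << (8 - idx)
    return f"{special}{value:03o}"


if __name__ == "__main__":
    for mode, is_dir in (("4755", False), ("4655", False), ("2777", True), ("1755", True)):
        print(mode, describe_mode(mode, is_dir))
    print(chmod_digits("drwxrwxrwt."))
```

describe_mode("4655") is the case TIPS item 4 describes: the bit is stored, ls shows rwS, and because the owner cannot execute the file the setuid bit never takes effect.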

example

  • Create two directories, dir_1755 and dir_o+t, and give each sbit permission in one of the two ways
[root/tmp/sbit]# mkdir dir_1755
[root/tmp/sbit]# mkdir dir_o+t
[root/tmp/sbit]# chmod 1755 dir_1755/
[root/tmp/sbit]# chmod o+t dir_o+t/
[root/tmp/sbit]# ll
total 0
drwxr-xr-t 2 root 6 June 8 11:34 dir_1755/
drwxr-xr-t 2 root 6 June 8 11:34 dir_o+t/

3. Cancel sbit

chmod 0755 directoryname

chmod o-t directoryname

example

[root/tmp/sbit]# ll
total 0
drwxr-xr-t 2 root 6 June 8 11:34 dir_1755/
drwxr-xr-t 2 root 6 June 8 11:34 dir_o+t/

[root/tmp/sbit]# chmod 0755 dir_1755/
[root/tmp/sbit]# chmod o-t dir_o+t/

[root/tmp/sbit]# ll
total 0
drwxr-xr-x 2 root 6 June 8 11:34 dir_1755/
drwxr-xr-x 2 root 6 June 8 11:34 dir_o+t/

4. System directory with sbit permission

The /tmp directory

  • /tmp has 777 permissions, so under normal circumstances any user could delete the files in /tmp
[root/tmp/sbit]# ll -d /tmp
drwxrwxrwt. 12 root 4.0K June 8 11:33 /tmp/
  • However, because of the sticky bit, ordinary users cannot delete files created by others
[vagrant/tmp]$ ll /tmp/test.md
-rw-r--r-- 1 root 215 May 31 04:24 /tmp/test.md

[vagrant/tmp]$ rm test.md
rm: remove write-protected regular file 'test.md'? yes
rm: cannot remove 'test.md': Operation not permitted

4、 chattr permission

1. The chattr command

chattr [+-=] [options] [file or directory]

[+-=]

+: add an attribute
-: remove an attribute
=: set the attributes exactly

options

i: (immutable)

  • File: the file cannot be deleted or renamed, and its data cannot be added to or modified.
  • Directory: files cannot be created or deleted in it, but the data of files inside it can still be modified

a: (append only)

  • File: data cannot be deleted or modified; it can only be appended, e.g. with echo 'string' >> file.
  • Directory: files in the directory can only be added and modified, not deleted

2. lsattr: view file attributes

lsattr [options] [filename]

options

-a: list all files in the directory, including hidden (dot) files
-d: if the target is a directory, list the attributes of the directory itself rather than of the files inside it
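An added example (not from the original post) that parses lsattr output and spells out what the i and a attributes will block; checking lsattr is the first step when rm or mv fails with "Operation not permitted" even as root. The sample output is constructed from the listings on this page plus an assumed append-only log file; a path ending in / is treated as a directory, as this page lists them. Function names are my own.

```python
from typing import Dict, List, Set

# Effect of each attribute discussed on this page: (on a file, on a directory).
FLAG_EFFECTS = {
    "i": ("cannot be deleted, renamed, written or appended to",
          "no entries can be created or deleted inside it "
          "(contents of existing files may still change)"),
    "a": ("can only be appended to (e.g. with >>); truncation and deletion fail",
          "entries can be added and modified but not removed"),
}

# Constructed sample: the three entries come from this page's listings, the
# append-only log is assumed for illustration.
SAMPLE_LSATTR = """\
----i----------- file_i
----i----------- dir_i/
---------------- file
-----a---------- /var/log/audit.log
"""


def parse_lsattr(output: str) -> Dict[str, Set[str]]:
    """Parse lsattr lines such as '----i----------- file_i' into
    {path: set of attribute letters}. Splitting on the first space only
    handles both the 16- and 20-column flag formats and paths with spaces."""
    attrs: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("lsattr:"):   # blank or error line
            continue
        flags, _, path = line.partition(" ")
        attrs[path] = {ch for ch in flags if ch != "-"}
    return attrs


def locked_entries(attrs: Dict[str, Set[str]]) -> List[str]:
    """One line per entry carrying i or a, with the effect an admin will hit.
    A path ending in '/' is taken to be a directory (assumption)."""
    out = []
    for path, flags in sorted(attrs.items()):
        kind = 1 if path.endswith("/") else 0
        for flag in ("i", "a"):
            if flag in flags:
                out.append(f"{path}: +{flag}: {FLAG_EFFECTS[flag][kind]}")
    return out


if __name__ == "__main__":
    for line in locked_entries(parse_lsattr(SAMPLE_LSATTR)):
        print(line)
```

In practice the input comes from running lsattr -d on the path that refused the operation; entries with an empty attribute set are untouched by chattr, so the failure must be looked for elsewhere (ownership, the sticky bit, a read-only mount).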

3. Examples

Applying the i option to a file

The file cannot be deleted or renamed, and its data cannot be added to or modified.
  • Create file_i and write something into it
[root/tmp/chattr]$ touch file_i

[root/tmp/chattr]$ date > file_i
[root/tmp/chattr]$ cat file_i
Friday, June 08, 2018 12:04:57 UTC
  • chattr +i file_i
[root/tmp/chattr]# chattr +i file_i

[root/tmp/chattr]# lsattr file_i
----i----------- file_i
  • Cannot be deleted
[root/tmp/chattr]# rm file_i
rm: cannot remove 'file_i': Operation not permitted
  • Cannot be renamed
[root/tmp/chattr]# mv file_i file
mv: cannot move 'file_i' to 'file': Operation not permitted
  • Data cannot be appended
[root/tmp/chattr]# date >> file_i
bash: file_i: Permission denied
  • Data cannot be modified
[root/tmp/chattr]# date > file_i
bash: file_i: Permission denied

Applying the i option to a directory

Files cannot be created or deleted in the directory, but the data of files inside it can still be modified
  • Create directory dir_i and create a file in it
[root/tmp/chattr]# mkdir dir_i
[root/tmp/chattr]# touch dir_i/file

[root/tmp/chattr]# ll dir_i/
total 0
-rw-r--r-- 1 root 0 June 8 12:13 file
  • chattr +i dir_i
[root/tmp/chattr]# chattr +i dir_i/

[root/tmp/chattr]# lsattr -d dir_i/
----i----------- dir_i/
  • Cannot create a file
[root/tmp/chattr]# touch dir_i/file2
touch: cannot touch 'dir_i/file2': Permission denied
  • Cannot delete a file
[root/tmp/chattr]# rm dir_i/file
rm: cannot remove 'dir_i/file': Permission denied
  • The data of files in the directory can be modified
[root/tmp/chattr]# date > dir_i/file
[root/tmp/chattr]# cat dir_i/file
Friday, June 08, 2018 12:17:16 UTC