setuid的作用是以该命令拥有者的权限去执行,比如修改密码的passwd命令,执行passwd时会拥有root权限,不然就修改不了/etc/passwd文件了。
而setgid的意思是以命令所有组的权限去执行,它们的标志位是s,出现在x的地方,例如-rwsr-xr-x。手动添加这一位的方式:
|
1 2 3 4 5 6 7 |
> touch ls > chmod u+s ls # UID权限设置 > ll ls -rwSrw-r--. 1 ma ma 0 Nov 3 00:50 ls > chmod g+s ls # GID权限设置 > ll ls -rwSrwSr--. 1 ma ma 0 Nov 3 00:50 ls |
对于以下程序:
|
1 2 3 4 5 6 7 8 9 |
#include <stdio.h> #include <unistd.h> #include <sys/types.h> int main() { // 打印实际用户ID和有效用户ID printf("uid: %u euid: %d\n", getuid(), geteuid()); return 0; } |
编译后加上UID权限,分别使用不同的身份运行:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
> make setuid # 编译 gcc setuid.c -o debug/setuid > ll debug/setuid # 查看权限 -rwxrwxr-x. 1 ma ma 8552 Nov 3 02:24 debug/setuid > chmod u+s debug/setuid # 加上UID权限位 > ll debug/setuid # 查看权限位 -rwsrwxr-x. 1 ma ma 8552 Nov 3 02:24 debug/setuid # 已经有了s位 > ./debug/setuid # 当前用户运行 uid: 1000 euid: 1000 > sudo ./debug/setuid # 以root身份运行 [sudo] password for ma: uid: 0 euid: 1000 |
可以看到,不管是以当前用户还是root用户运行,实际用户id都是一样的,都是其所有者。
二、黏着位(sticky bit)
关于黏着位找了很多资料也没有找到明确的描述,网上众说纷纭也没有清晰的描述出它的作用,最后还是在《UNIX环境高级编程》中找到一些更明确的解释:
The S_ISVTX bit has an interesting history. Onversions of the UNIX System that predated demand paging, this bit was known as the sticky bit.If it was set for an executable program file, then the first time the program was executed, a copy of the program’s text was saved in the swap area when the process terminated. (The text portion of a program is the machine instructions.) The program would then load into memory morequickly the next time it was executed, because the swap area was handled as a contiguous file, as compared to the possibly random location of data blocks in a normal UNIX file system. The sticky bit was often set for common application programs, such as the text editor and the passes of the C compiler. Naturally,therewas a limit to the number of sticky files that could be contained in the swap area beforerunning out of swap space, but it was a useful technique. The name sticky came about because the text portion of the file stuck around in the swap area until the system was rebooted. Later versions of the UNIX System referred to this as the saved-text bit; hence the constant S_ISVTX.With today’s newer UNIX systems, most of which have a virtual memory system and a faster file system, the need for this technique has disappeared.
在早期的unix系统中,如果一个程序被设置了黏着位,那么当它第一次执行结束之后,程序的正文段会被写入到交换空间中,以此加快后续使用的加载速度。因为交换空间是顺序存放,而磁盘上是随机的。它通常被设置成经常被使用的公用程序例如文本编辑器、编译器等,会一直持续到系统重启。
在后续的unix系统都设计了新的更快速的文件系统,所以这种用法逐渐消失。而对于这一黏着位“现在的用途”的描述是:
On contemporary systems, the use of the sticky bit has been extended. The Single UNIX Specification allows the sticky bit to be set for a directory. If the bit is set for a directory, a file in the directory can be removed or renamed only if the user has write permission for the directory and meets one of the following criteria:
- Owns the file
- Owns the directory
- Is the superuser
The directories /tmp and /var/tmp are typical candidates for the sticky bit—they are directories in which any user can typically create files. The permissions for these two directories are often read, write, and execute for everyone (user, group, and other). But users should not be able to delete or rename files owned by others.
现在的系统里面,黏着位已经被扩展了,它被用于目录权限上,如果一个目录设置了这一位,这个目录下的文件就只能被满足以下条件的用户重命名或者删除:
- 所有者
- 当前目录所有者
- 超级用户
目录/tmp和/var/tmp是设置粘住位的候选者—这两个目录是任何用户都可在其中创建文件的目录。这两个目录对任一用户 (用户、组和其他)的许可权通常都是读、写和执行。但是用户不应能删除或更名属于其他人的文件,为此在这两个目录的文件方式中都设置了粘住位
手动给目录添加sticky位:
|
1 2 3 4 |
> mkdir 123 > chmod +t 123 > ll -d 123 drwxrwxr-t. 2 ma ma 6 Nov 3 02:18 123 |
加上这一个权限之后目录的颜色也有变化:
评论