LinuxFocus 1999: File Access Permissions

��

�� : �� Linux �� , �� "��" ��, �� Linux-�� . �� , �� , �� BBC World Service radio, �� Linux'��.

��

��:
��
T-��, SUID � SGID

�� - ��

��: �� :

�� - (�� ) �� Unix.

�� - (T-��, SUID � SGID) �� , �� "��-��-��".

��

Linux - �� , � �� . �� (user-ID). �� . �� . �� - �� "��" ��. �� user-ID � ��, � �� , �� id:

>id uid=550(alice) gid=100(users) groups=100(users),6(disk)

�� "��" owner, "��" group � "��" others . � �� (r), �� (w) � "��" (x) ��. �� ls -l:

>ls -l /usr/bin/id -rwxr-xr-x 1 root root 8632 May 9 1998 /usr/bin/id

�� , �� /usr/bin/id �� root, �� root. ��

 -rwxr-xr-x

�� . �� (r), �� (w) � �� (x) �� . �� "��" � "��" �� (r) � �� (x).

�� , � �� 3 �� . �.�. �� r-x �� 101 �� 4+1=5 � �� . � �� (r) �� 4, �� (w) - 2, � �� (x) - 1 � �� .

sst 421 (�� ) rwx 421 user (��) rwx 421 �� rwx 421 ��

�� chmod. �� root �� . �� chmod "��" �� , �� . �� : [ugoa][+-][rwx]. �� :
u (user(��)=�� ),
g (group/��),
o (others/��),
a (�� =u, g � o)
�� + �� - ��, �� (r - ��), (w - ��) �� (x - ��) �� (+) �� (-) � �� . ��, �� "file.txt" �� w �� a �� , �� :

>chmod a+w file.txt or >chmod 666 file.txt >ls -l file.txt -rw-rw-rw- 1 alice users 79 Jan 1 16:14 file.txt

�� chmod 644 file.txt �� "��" �� , �.�. �� , � �� - �� .

�� (�� cd) �� , �� , �� . �� "��" �� (directory) �� 755 � �� 644:

>chmod 755 mydir >ls -ld mydir drwxr-xr-x 2 alice users 1024 Dec 31 22:32 mydir

�� umask �� "�� ". �� "�� " �� , �� .�. � �� , �� �� .

�� umask 022 - �� . �� 022 �� , �� , �� . �� , �� umask �� .
�� (w) �� . �.�. �� "�� " �� "�� " �� -�� , �� (��. ��.)

�� , �� umask � chmod:

�� "�� ": >umask 22 � �� myscript: >nedit myscript (or vi myscript ...) � �� : #!/bin/sh #myscript echo -n "hello " whoami echo "This file ( $0 ) has the following permissions:" ls -l $0 | cut -f1 -d" "

�� . �� myscript �� - 644: >ls -l myscript -rw-r--r-- 1 alice users 108 Jan 1 myscript �� : >chmod 755 myscript or >chmod a+x myscript � �� : >./myscript

��, �� "��". �� , �� , �� (shell) �� . �� .
�� , ��: >sh myscript. ��. ��.

�� :

 
hello alice
This file ( ./myscript ) has the following permissions:
-rwxr-xr-x

T-��, SUID � SGID

�� Linux ��-�� , ��, ��, �� , �� "rwx" � �� "s" � "t":

>ls -ld /usr/bin/crontab /usr/bin/passwd /usr/sbin/sendmail /tmp

drwxrwxrwt 5 root root 1024 Jan 1 17:21 /tmp -rwsr-xr-x 1 root root 0328 May 6 1998 /usr/bin/crontab -r-sr-xr-x 1 root bin 5613 Apr 27 1998 /usr/bin/passwd -rwsr-sr-x 1 root mail 89524 Dec 3 22:18 /usr/sbin/sendmail

�� , � �� "s" � "t"? � ��, �� 4 �� 3 �� . �� chmod 755 �� : chmod 0755.

t-��

t-�� (�� -�� ("sticky bit") �� "��") �� . �� , �� /tmp.

�� (�.�. �� t-�� ) �� , �� . �.�. �� , �� , �� .

t-�� . �� t-��, �� . �� t-�� chmod a+tw �� chmod 1777. ��:

�� t-��: >mkdir mytmp chmod 1777 mytmp �� : >ls -al drwxrwxrwt 3 alice users 1024 Jan 1 20:30 ./ -rw-r--r-- 1 bob users 0 Jan 1 20:31 f.txt �� (�� ) �� (�� ), � �� :

>whoami tux rm -f f.txt rm: f.txt: Operation not permitted

S-�� - ��

�� Linux �� (user-ID). �� , �� .�. �� user-ID: �� . �� user-ID. �� idinfo � �� (chmod 755 idinfo):

#!/bin/sh #idinfo: Print user information echo " effective user-ID:" id -un echo " real user-ID:" id -unr echo " group ID:" id -gn

�� , �� user-ID (�� Alice):

 effective user-ID:
alice
 real user-ID:
alice
 group ID:
users

�� , �� -�� . �� , �� , �� .

�� s-�� , �� (�� Perl). �� -��, �� :

/*suidtest.c*/ #include <stdio.h> #include <unistd.h> int main(){ /*secure SUID programs MUST *not trust any user input or environment variable!! */ char *env[]={"PATH=/bin:/usr/bin",NULL}; char prog[]="/home/alice/idinfo"; if (access(prog,X_OK)){ fprintf(stderr,"ERROR: %s not executable\n",prog); exit(1); } printf("running now %s ...\n",prog); execle(prog,(const char*)NULL,env); perror("suidtest"); return(1); }

�� :
"gcc -o suidtest -Wall suidtest.c"
� �� s-��:

>chmod 4755 suidtest �� >chmod u+s suidtest

��. �� ? � �� !.

�� suidtest �� , �� , �� s-�� , �� (�.�. � �� "x"). �� user-ID (�.�. user-ID ��, �� ) �� user-ID, �� user-ID �� ! �� , �� :

>ls -l suidtest -rwsr-xr-x 1 alice users 4741 Jan 1 21:53 suidtest >whoami tux

running now /home/alice/idinfo ... effective user-ID: alice real user-ID: tux group ID: users

�� , �� , �� s-�� , �� root. �� , �� , �� root'�.!
� �� . �� s-��, �� , �� , �� . �� . �� , �� . �� - �� , �� , �� .

�� SUID-�� root �� user-ID �� setreuid().

�� user-ID �� , �� . ��, �� root, �� suidtest.c �� ppp-on/ppp-off �� .

S-��

�� s-�� group-ID �� . �� group-ID �� group-ID �� , �� .

�� s-�� , �� , ��  �� , � �� (�� , �� ). ��, �� :

>id uid=550(alice) gid=100(users) groups=100(users),6(disk)

��, �� , �� , �� users. �� disk, �� , �� , �� disk � �� group-ID.

>chmod 2775 . >ls -ld . drwxrwsr-x 3 tux disk 1024 Jan 1 23:02 .

�� , �� disk >touch newfile >ls -l newfile -rw-r--r-- 1 alice disk 0 Jan 1 23:02 newfile

�� , � �� . �� , �� group-ID, �� (�� . ��. ��.). �� "�� " umask 027, �.�. �� -�� .
�� , �� . �� /etc/group��. ��.

�� . ��

This website is maintained by Miguel Angel Sepulveda
� Guido Socher 1999
LinuxFocus 1999

����� - ���������� ��������

������ ���������� ��������

T-���, SUID � SGID

t-���

S-��� - ��������� ��� ������������

S-��� ������������� ��� ������

�� - ��

��

T-��, SUID � SGID

t-��

S-�� - ��

S-��