Computer resources: a permission defines the access capability that a subject has to a resource.
Permissions
User, container, associated permissions: a user group is a container that makes it easy to assign permissions.
As long as a user is placed in this container, he has the container's permissions; this container is the concept of a user group.
So Linux defines permissions for three classes of users:
Owner, owning group, and other users.
A group is a logical concept: it only carries permissions and does not log in, although a group can have a password.
A process also has an owner and a group: they come from the user who started it and determine the permission it executes with. When the process accesses a target, the target's owner and group are compared against the process's owner and group to decide which permission bits apply.
Files do not get execute permission by default, but directories do, because entering a directory requires x. For example:
[mage@host tmp]$ cd mulu/    (cannot enter: the group that the user mage belongs to has no x, the execute permission, on the directory mulu)
-bash: cd: mulu/: Permission denied
Security context (SELinux): -Z
ls -lZ
[root@host ~]# ls -lZ anaconda-ks.cfg
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
rwx corresponds to the octal digits 4, 2 and 1, so rwxrw-r-x is 765.
Use chmod to change permissions.
User: UID
Group: GID. Each user has a UID; the mapping is kept one-to-one in an internal database.
This is a kind of name resolution, like www.sohu.com --> IP.
How does the system know the ID number for a user name? It looks it up in a database: the Linux login account and password databases are the well-known /etc/passwd, /etc/shadow and /etc/group.
So /etc/passwd holds the data used to log in,
and groups are resolved using the data in /etc/group.
For manageability the password cannot be kept in passwd itself; it is placed in the shadow file.
Shadow password: /etc/shadow
Group: /etc/gshadow. A group also has a password, although it is not required for login.
User categories (understood from the ID number ranges):
Administrator: uid 0, root
Normal users: 1-65535 (2^16)
System users: 1-499
General users: 500-65536, but on Red Hat 7.0 they start at 1000.
[mage@host tmp]$ id mage
uid=1000(mage) gid=1000(mage) groups=1000(mage),10(wheel)
[mage@host tmp]$ id togogo01
uid=1001(togogo01) gid=1001(togogo) groups=1001(togogo)
System users: any process is executed by some user.
If a process runs as the administrator and someone attacks that process, the attacker gets all the permissions of the process.
Question: What is the role of the system user?
Therefore the role of the system user is this: many programs need to run in the background without being associated with an interactive user, and they should run under an ordinary identity rather than as the administrator. Users dedicated to running such background processes are called system users. We use them a lot later; for example a web server such as Nginx runs as this type of user. Such users are restricted so that they cannot log in.
They exist only for a class of processes that need no user interaction, so they do not need to log in; this is a security consideration.
User groups:
Administrators group
Normal groups: 1. system groups (1-499) 2. general groups (500-65536)
User group categories:
Private group: when a user is created, a group with the same name as the user is created automatically if no group is specified.
A user's private group is not necessarily his basic group.
Basic group: the default group of the user.
Additional groups: groups other than the default group.
Processes also have a group and an owner.
Example
Suppose a process runs as tom:tom, for example our ls program: when tom executes ls a.txt, since the owner and group of /bin/ls are root, ls is executed with the "other" permission of that file, but the group and owner of the resulting process are tom.
It accesses this object: rwxrw-r-- jerry tom a.txt
Question: when the process accesses a.txt, which permission set applies?
Answer: the group permission, because the process's group (tom) matches the file's group.
[mage@host tmp]$ ll -d /bin/ls
-rwxr-xr-x 1 root root 109208 Nov 17:43 /bin/ls
/bin/ls is an executable file; executing ls uses this file to form an ls process.
www executes this ls with the permission of the "other" class.
When www runs it, the owner of the ls process is www, not root. Once the process is formed it is no longer tied to the file /bin/ls, only to the initiator.
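As an added example (not part of the original notes), the following Python script applies the rule above: the process's uid is compared with the file's owner, then its gid and supplementary groups with the file's group, and exactly one class of bits is used. It is run against the notes' own cases (tom on a.txt and on /bin/ls, mage on the mulu directory); the uid/gid numbers are constructed, and the root bypass rule is the kernel's CAP_DAC_OVERRIDE behaviour, which the notes do not state.

```python
from dataclasses import dataclass

def parse_mode(symbolic: str) -> int:
    """Convert 'rwxrw-r-x' to 0o765: r=4, w=2, x=1 within each 3-char class."""
    if len(symbolic) != 9:
        raise ValueError("expected 9 permission characters, e.g. rwxr-xr-x")
    mode = 0
    for i, ch in enumerate(symbolic):
        if ch == "rwx"[i % 3]:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode

@dataclass(frozen=True)
class Process:
    uid: int                          # owner of the process = user who started it
    gid: int                          # primary group
    groups: frozenset = frozenset()   # supplementary groups

@dataclass(frozen=True)
class File:
    mode: int                         # permission bits, e.g. 0o765
    uid: int                          # owner
    gid: int                          # owning group

def permission_class(proc: Process, f: File) -> str:
    """Exactly one class applies, chosen in this order: owner, then group, then other."""
    if proc.uid == f.uid:
        return "owner"
    if f.gid == proc.gid or f.gid in proc.groups:
        return "group"
    return "other"

SHIFT = {"owner": 6, "group": 3, "other": 0}
BIT = {"r": 4, "w": 2, "x": 1}

def may_access(proc: Process, f: File, op: str) -> bool:
    """True if the applicable class grants op ('r', 'w' or 'x'); uid 0 bypasses
    the bits (CAP_DAC_OVERRIDE), except that x still needs some execute bit set."""
    if proc.uid == 0:
        return op != "x" or bool(f.mode & 0o111)
    return bool((f.mode >> SHIFT[permission_class(proc, f)]) & BIT[op])

# Constructed ids (not from the notes): tom=1000, jerry=1001, mage=1002.
TOM = Process(uid=1000, gid=1000)
MAGE = Process(uid=1002, gid=1002, groups=frozenset({1000}))
A_TXT = File(parse_mode("rwxrw-r--"), uid=1001, gid=1000)  # rwxrw-r-- jerry tom a.txt
BIN_LS = File(parse_mode("rwxr-xr-x"), uid=0, gid=0)       # -rwxr-xr-x root root /bin/ls
MULU = File(parse_mode("rwxrw-r--"), uid=0, gid=1000)      # dir mulu: group has no x
```

With these inputs, tom gets the group bits (rw-) on a.txt and the other bits (r-x) on /bin/ls, and mage's cd into mulu is refused because the group class lacks x.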
This involves the security context, which needs to be understood in depth; see the example below.
[root@host ~]# ps aux | grep ps
root      8568  0.0  0.0 103236   876 pts/1    S+   11:36   0:00 grep ps
[root@host ~]# su haha
[haha@host root]$ ps aux | grep ps
haha      8584  0.0  0.0 103236   880 pts/1    S+   11:36   0:00 grep ps
So the owner of a process is the user who started it, independent of the program file itself.
14. Permissions (user, file, process)