Big Data and cloud computing (Wang Minglong) lecturer-linux-day02-File and directory Rights Management

A View the file/directory information

Ls-l or ll file name
ls-d or ll-d directory name
Two Modify the genera and genera groups

Chown User name/directory name//modify the owner of the file and directory
Chown. Group name File name/directory name//modify file and directory of the genus Group
Chown: Group name File name/directory name//modify file and directory of the genus Group
Chown User name: Group name File name/directory name//modify file and directory of the genus Master Group
Three Rights Management
1. Basic permissions: ugo= Master/Group/others rwx=421
2. View Basic permissions:

Stat file name/directory name
GETFACL file name/directory name
ll file name//view file permissions
ll-d file name//view directory Permissions
Four Modify Permissions

chmod a/u/g/o/+/-r/w/x file name/directory name
Example

chmod G-r A
chmod o+w A
chmod u-w,g+w,o+x A
chmod a-r a.txt a means Ugo
chmod U+r+w-x A
Use less:

chmod +x A
Chmod-x A
Five Hide Permissions

1. Set Hidden permissions

Chattr +a file name/directory name//can only add data to the file, not delete, more for the server log file security, only the root can be set
chattr +i filename/directory Name//settings file can not be deleted, renamed, set link relationship, and can not write or add content, but can >> append
CHATTR-A file name/directory name
Chattr-i file name/directory name
2. Show hidden permissions

LSATTR file name/directory name
Six Advanced permissions (View the absolute path of the command: which command name)

1. Set suid//only valid for command/executable files

which command name//view the full path of the command
chmod u+s+x Command/executable//Set this permission, the normal user has root identity when executing the command and executable file
2. Set Sgid

chmod g+s file name/directory name//Set this permission, all files or directories created under this directory will inherit the home directory of this directory
3. Set Sticky

chmod o+t Directory Name//Set this permission, any user in this directory will only delete the files that have been created, others cannot be deleted, only valid for the directory
You can also use a digital representation
X-bits of the suid=4-–>>> user
The X for the sgid=2-–>>> group is
X-Bit of Sticky=1-–>>>other

Seven. Set FACL permissions

Getfacl File/directory//view ACL permissions for a file or directory
Setfacl-m U:username:mode File/dir//Set a user's permission mode to represent permissions, if you do not give a user any permissions setfacl-m u:username:000 File/dir
Setfacl-m G:groupname:mode File/dir//Set a permission for a group
Setfacl-b file/dir//Remove ACL permissions for all users
Setfacl-x u:username File/dir//Cancel a user's permission
Setfacl-x g:groupname File/dir//Cancel a certain permission for a group
Permissions settings for the Facl file system
Facl File system Permissions setting (file access Contrl list)

For the lack of UNIX system privilege mechanism, a new permission mechanism called POSIX ACL was born, in order to set up a compatible ACL standard between UNIX system, and make use of unified interface between each operating system. An ACL is an extension of an existing permission mechanism that adds access to a specified user or group based on the three basic settings (owner, group, and other) of the existing mechanism.

POSIX ACLS have been formally supported on Linux Kernel 2.6, and ACLs can be used by commonly used file systems such as EXT2,EXT3,XFS,JFS and ReiserFS. Of course, you need to start an ACL when compiling kernel.

Related kernel option:

Config_fs_posix_acl
Config_ext3_posix_acl
Config_ext2_posix_acl

Rules

User: (uid/name):(perms) specify permissions for a user
Group: (gid/name):(perms) specify permissions for a group of groups
Other::(perms) Specify the permissions of other users
Mask::(perms) set a valid permission mask

ACLs can set the file specific permissions for certain users of a file, meaning that a file permission can be extended by ACLs, and different users have different permissions on a file.
Option

-m Add or modify rules in ACLs
-x Remove rule from ACL

Getfacl < filename > Get access control information for a file
Setfacl settings File Acl-m Modify the acl-x of the file to cancel the file settings
Setfacl–m u: User name: Permission file name
Setfacl–m g: Group name: Permission file name

To set a default ACL, simply precede each rule with "default:".
Example: Setfacl-m Default:user::rw/home/alex
or abbreviated as: Setfacl-m D:u::rw/home/alex

[[email protected] ~]# getfacl hello_world view ACL permissions for files

File:hello_world
Owner:root
Group:root
user::rw-
group::r–
other::r–

[[email protected] ~]# setfacl-m student:rwx Hello_world Let the user student have RWX permissions
[Email protected] ~]# Getfacl Hello_world

File:hello_world
Owner:root
Group:root
user::rw-
User:student:rwx
group::r–
Mask::rwx
other::r–

[[email protected] ~]# setfacl-m g:student:rx hello_world let group student have RWX permissions
[Email protected] ~]# Getfacl Hello_world

File:hello_world
Owner:root
Group:root
user::rw-
User:student:rwx
group::r–
Group:student:r-x
Mask::rwx
other::r–

[email protected] ~]# ll Hello_world
-rw-rwxr-+ 1 root root 0 07-21 13:48 Hello_world
[[email protected] ~]# setfacl-x student hello_world unblock student user ACL permissions on files
[[email protected] ~]# setfacl-x g:student hello_world release student group permissions to files
(Undo ACL Action: Add user name directly to the user to group, preceded by G: Group name)
[Email protected] ~]# Getfacl Hello_world

File:hello_world
Owner:root
Group:root
user::rw-
group::r–
mask::r–
other::r–

[Email protected] ~]# Getfacl Hello_world

File:hello_world
Owner:root
Group:root
user::rw-
User:student:rwx
group::r–
Group:student:rwx
Mask::rwx
other::r–

[[email protected] ~]# setfacl-b hello_world Remove all extended ACL rules
[Email protected] ~]# Getfacl Hello_world

File:hello_world
Owner:root
Group:root
user::rw-
group::r–
other::r–

[Email protected] lianxi]# Getfacl a

File:a
Owner:root
Group:root
user::rw-
User:wl:rwx
group::r–
Group:wl:rwx
Mask::rwx
other::r–

Recover Write permissions for all users and all groups
[Email protected] lianxi]# setfacl-m m::r-x A
[Email protected] lianxi]# Getfacl a

File:a
Owner:root
Group:root
user::rw-
USER:WL:RWX #effective: R-x
group::r–
GROUP:WL:RWX #effective: R-x
Mask::r-x
other::r–

To inherit files and folders under subdirectories
[[email protected] lianxi]# setfacl-m d:u:wl:rwx,g:wl:rwx B (where d means defaults)
[Email protected] lianxi]# Getfacl b

File:b
Owner:root
Group:root
User::rwx
Group::r-x
Group:wl:rwx
Mask::rwx
Other::r-x
Default:user::rwx
Default:user:wl:rwx
Default:group::r-x
Default:mask::rwx
Default:other::r-x

[Email protected] lianxi]# CD b/
[Email protected] b]# mkdir C;touch D
[[email protected] b]# ls
C D
[Email protected] b]# Getfacl C

File:c
Owner:root
Group:root
User::rwx
User:wl:rwx
Group::r-x
Mask::rwx
Other::r-x
Default:user::rwx
Default:user:wl:rwx
Default:group::r-x
Default:mask::rwx
Default:other::r-x
[[email protected] b]# Getfacl D may be due to the default permissions of the file itself 666 problem, file does not inherit x permission

File:d
Owner:root
Group:root
user::rw-
USER:WL:RWX #effective: rw-
Group::r-x #effective: r –
mask::rw-
other::r–
Getfacl a |setfacl-set-file=-b

This is a very interesting command, it can allow a file to directly copy the permissions to change to that one file

[email protected] lianxi]# LL
Total 4
-rw-rwxr–+ 1 root root 0 07-21 20:34 a
-rw-r–r–1 root root 0 07-21 20:34 b
[Email protected] lianxi]# Getfacl a

File:a
Owner:root
Group:root
user::rw-
User:wl:rwx
group::r–
Group:wl:rwx
Mask::rwx
other::r–

[Email protected] lianxi]# Getfacl a |setfacl–set-file=-b
[email protected] lianxi]# LL
Total 8
-rw-rwxr–+ 1 root root 0 07-21 20:34 a
-rw-rwxr–+ 1 root root 0 07-21 20:34 b
[Email protected] lianxi]# Getfacl b

File:b
Owner:root
Group:root
user::rw-
User:wl:rwx
group::r–
Group:wl:rwx
Mask::rwx
other::r–

Big Data and cloud computing (Wang Minglong) instructor-linux-day02-file and directory Rights Management