Linux permission management differs greatly from Windows, and many newcomers to Linux find it hard to grasp. The importance of permissions needs no argument. This article works through cases step by step. In the earlier articles "Starting from the ls command" and "Understanding SetUID in depth" I covered the rwx permissions and the SetUID special permission respectively; here I fill in the remaining permissions, so that after these three articles readers should have a general understanding of how Linux permissions work.
I. The Sticky Bit
Linux has a directory for temporary files, /tmp (similar to the temp directory on Windows). Temporary files created by every user are stored there, which means every user must have write permission on /tmp (otherwise their files could not be created or copied there). That raises a problem: if Gao Luofeng creates a file under /tmp, can Zhang Mo delete it whenever he feels like it? How is this controlled?
In practice this cannot happen, because /tmp carries a special permission bit:
ls -ld /tmp
drwxrwxrwt 5 root root 4096 May 24 13:55 /tmp
Notice that the last rwx triplet ends in "t" instead of "x". This "t" is the sticky bit (some texts call it the "sticking bit"), the third of Linux's special permissions (the other two are SetUID and SetGID). Its meaning: on a directory that everyone can write to (permission 777), setting the sticky bit lets every user keep creating files there, but a user can now delete or rename only the files he himself owns. The directory's owner and root are the exceptions and can delete any file in it. A lowercase "t" means the execute bit for "others" is set as well; an uppercase "T" would mean the sticky bit is set without it.
Readers can try it themselves: repeat case 1 from "Starting from the ls command" (give the directory /test permission 777, log in as a second ordinary user and delete a file created by the first), but this time give /test the sticky bit in addition:
chmod o+t /test    # or chmod 1777 /test
Now when an ordinary user tries to delete another user's file, the system responds with "Operation not permitted".
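To make the rule concrete, here is an added example (not from the original article) that converts the symbolic mode `ls -l` prints, such as `drwxrwxrwt`, into numeric mode bits and then models the check the kernel applies to unlink()/rename() in a directory: write and search permission on the directory, plus, when the sticky bit is set, ownership of the file or of the directory. The uids for Gao Luofeng and Zhang Mo are constructed for the demonstration; ACLs and capabilities other than root's are ignored.

```python
import stat

# Added example (not from the original article): parse the symbolic mode that
# `ls -l` prints, e.g. "drwxrwxrwt", into st_mode bits and model the kernel's
# unlink/rename rule for a directory with the sticky bit set.

FILE_TYPES = {"d": stat.S_IFDIR, "-": stat.S_IFREG, "l": stat.S_IFLNK}
PERM_BITS = [
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
]
# Positions in the 9-character permission string where a special bit may appear.
SPECIAL_BITS = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def parse_ls_mode(text: str) -> int:
    """Convert a 10-character ls mode string to numeric st_mode bits."""
    if len(text) != 10:
        raise ValueError("expected a 10-character mode string such as drwxrwxrwt")
    mode = FILE_TYPES[text[0]]
    for i, ch in enumerate(text[1:]):
        expected = "rwxrwxrwx"[i]
        if ch == "-":
            continue
        if ch == expected:
            mode |= PERM_BITS[i]
        elif i in SPECIAL_BITS and ch in "sStT":
            mode |= SPECIAL_BITS[i]
            if ch.islower():          # lowercase s/t: the x bit is set as well
                mode |= PERM_BITS[i]
        else:
            raise ValueError(f"unexpected character {ch!r} at position {i + 1}")
    return mode


def can_unlink(dir_mode: int, dir_uid: int, dir_gid: int,
               file_uid: int, uid: int, gids: frozenset = frozenset()) -> bool:
    """Model of the kernel's check for unlink()/rename() of an entry in a
    directory: the caller needs write+search permission on the directory and,
    if the directory has the sticky bit, must own the file or the directory.
    Root (CAP_FOWNER/CAP_DAC_OVERRIDE) bypasses both checks.
    Simplified: ACLs and other capabilities are ignored."""
    if uid == 0:
        return True
    if uid == dir_uid:
        w, x = stat.S_IWUSR, stat.S_IXUSR
    elif dir_gid in gids:
        w, x = stat.S_IWGRP, stat.S_IXGRP
    else:
        w, x = stat.S_IWOTH, stat.S_IXOTH
    if not (dir_mode & w and dir_mode & x):
        return False          # cannot modify the directory at all
    if dir_mode & stat.S_ISVTX and uid not in (file_uid, dir_uid):
        return False          # sticky bit: neither file owner nor directory owner
    return True


# Constructed uids for the two users in the article's scenario.
GAO, ZHANG = 1000, 1001


def demo() -> dict:
    tmp = parse_ls_mode("drwxrwxrwt")    # /tmp as shown by ls -ld, owned by root
    test = parse_ls_mode("drwxrwxrwx")   # /test after chmod 777, no sticky bit
    return {
        "tmp_mode_octal": oct(tmp & 0o7777),
        "zhang_deletes_gaos_file_in_tmp": can_unlink(tmp, 0, 0, GAO, ZHANG),
        "gao_deletes_own_file_in_tmp": can_unlink(tmp, 0, 0, GAO, GAO),
        "root_deletes_gaos_file_in_tmp": can_unlink(tmp, 0, 0, GAO, 0),
        "zhang_deletes_gaos_file_in_test": can_unlink(test, 0, 0, GAO, ZHANG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `/tmp` line parses to mode 1777, Zhang cannot remove Gao's file there but Gao and root can, and in the plain 777 directory `/test` Zhang's deletion goes through, which is exactly the difference the experiment above shows.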
II. File System Permissions
Every operating system needs a way to organise and manage the data on disk: the file system, such as NTFS and FAT on Windows and ext on Linux. When Linux mounts a partition you can also set permissions at the file-system level.
The configuration file /etc/fstab lists the partitions mounted automatically at startup. The fourth field of each line holds the mount options; the default value, defaults, expands to rw, suid, dev, exec, auto, nouser and async. By changing these options you can restrict what a whole partition allows. This article gives two examples to show that file-system-level permissions override ordinary rwx permissions.
Case 1: Read-Only partitions
Partitions are mounted read-write by default. If for some application a partition must be read-only after mounting, set it up as follows:
vi /etc/fstab              # edit /etc/fstab and add the ro option after defaults (comma separated)
LABEL=/soft  /soft  ext3  defaults,ro  1 2
mount -o remount /soft     # remount /soft so the setting takes effect
If you don't mind the interruption, rebooting the system makes the setting take effect as well.
Now the entire /soft partition is read-only. Log in as root and run:
touch /soft/testfile
touch: cannot touch `testfile': Read-only file system
The system reports that the /soft partition is read-only: even the almighty root cannot create a file there. This is a permission layer above rwx, and a seriously powerful one. In my own case, the software share at my company is usually updated once every half month. The rest of the time I don't want anyone adding or deleting software (including root deleting something by mistake), so I mount it ro, and when updating the software I temporarily switch it to rw:
mount -o remount,rw /soft
Mount options can also be set on the command line like this, but then they last only until the partition is unmounted or the system reboots; options written into /etc/fstab persist.
Case 2: Hardened partitions
For data-storage partitions, such as those used for backups, add the following option:
vi /etc/fstab              # edit /etc/fstab and add the noexec option after defaults
LABEL=/backup  /backup  ext3  defaults,noexec  1 2
mount -o remount /backup   # remount /backup so the setting takes effect
For this experiment, log in as an ordinary user, copy the pwd command into /backup and try to run it:
cp /bin/pwd /backup
/backup/pwd
-bash: pwd: Permission denied
ls -l pwd
-rwxr-xr-x 1 liming liming 93560 Sep 25 10:13 pwd
Although the copy in /backup has the execute permission bit, it cannot be run: on a partition mounted noexec, no executable file can be executed. What does this mean in practice? An attack program, Trojan or virus dropped onto such a partition cannot be started from there, which makes the partition far less useful to an attacker. Two caveats: noexec only blocks direct execution, so a script can still be run by handing it to an interpreter (sh /backup/script.sh), and a binary can simply be copied to a partition that allows execution; and the companion options nosuid and nodev (listed among the defaults above) are usually set together with noexec on data partitions, so that set-user-ID programs and device nodes stored there are ignored as well.
The other options are not covered in detail here; see man mount for the full list and try them yourself. As the sayings go, teaching a man to fish beats giving him a fish, and walking ten thousand li beats reading ten thousand books.
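As an added example tying cases 1 and 2 together (not from the original article), the Python below parses fstab entries, expands defaults the way mount(8) documents it, resolves conflicting options left to right so that defaults,ro ends up read-only, audits every non-root mount point for the hardening options noexec, nosuid and nodev, and builds the remount command used above. The sample fstab is constructed to resemble the article's setup; the /data and swap lines are additions for illustration.

```python
from dataclasses import dataclass

# Added example (not from the original article): parse fstab entries, expand
# `defaults`, resolve conflicting options the way mount(8) does (the later one
# wins) and audit data partitions for the hardening options discussed above.

# What mount(8) documents `defaults` to mean.
DEFAULTS = ["rw", "suid", "dev", "exec", "auto", "nouser", "async"]

# Mutually exclusive option pairs; a later option overrides the earlier one.
PAIRS = [("rw", "ro"), ("suid", "nosuid"), ("dev", "nodev"), ("exec", "noexec"),
         ("auto", "noauto"), ("user", "nouser"), ("async", "sync")]
OPPOSITE = {}
for _a, _b in PAIRS:
    OPPOSITE[_a], OPPOSITE[_b] = _b, _a


@dataclass
class FstabEntry:
    spec: str          # device, LABEL=... or UUID=...
    mountpoint: str
    fstype: str
    options: list
    dump: int = 0
    passno: int = 0


def parse_fstab(text: str) -> list:
    """Parse fstab text; comments and blank lines are ignored, fields are
    whitespace separated and the last two are optional (default 0)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 4:
            raise ValueError(f"malformed fstab line: {raw!r}")
        dump = int(f[4]) if len(f) > 4 else 0
        passno = int(f[5]) if len(f) > 5 else 0
        entries.append(FstabEntry(f[0], f[1], f[2], f[3].split(","), dump, passno))
    return entries


def effective_options(options: list) -> list:
    """Expand `defaults` and apply options left to right, dropping the opposite
    of each option as it is applied, so defaults,ro resolves to read-only."""
    flat = []
    for o in options:
        flat.extend(DEFAULTS if o == "defaults" else [o])
    resolved = []
    for o in flat:
        resolved = [r for r in resolved if r not in (o, OPPOSITE.get(o))]
        resolved.append(o)
    return resolved


def audit(entries: list, wanted=("noexec", "nosuid", "nodev")) -> dict:
    """Per non-root mount point, report the effective options and which of the
    wanted hardening options are missing. '/' is skipped because the root file
    system cannot be noexec; swap has no mount point to audit."""
    report = {}
    for e in entries:
        if e.mountpoint == "/" or e.fstype == "swap":
            continue
        eff = effective_options(e.options)
        report[e.mountpoint] = {"effective": eff,
                                "missing": [w for w in wanted if w not in eff]}
    return report


def remount_command(mountpoint: str, *options: str) -> str:
    """Command to change options on a live mount, as in the article
    (mount -o remount,rw /soft); it lasts until unmount or reboot."""
    return "mount -o " + ",".join(("remount",) + options) + " " + mountpoint


# Constructed fstab resembling the article's setup (not a real system's file).
SAMPLE_FSTAB = """\
LABEL=/        /        ext3  defaults         1 1
LABEL=/soft    /soft    ext3  defaults,ro      1 2
LABEL=/backup  /backup  ext3  defaults,noexec  1 2
LABEL=/data    /data    ext3  defaults         1 2   # constructed: unrestricted data partition
/dev/sda3      swap     swap  defaults         0 0
"""

if __name__ == "__main__":
    for mp, r in audit(parse_fstab(SAMPLE_FSTAB)).items():
        print(f"{mp}: effective={','.join(r['effective'])} missing={r['missing']}")
    print(remount_command("/soft", "rw"))
```

Running it shows /backup still missing nosuid and nodev, /data missing all three, and /soft resolved to ro with rw dropped; the same parser can be pointed at a real /etc/fstab to find data partitions that were left with plain defaults.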