Linux Permission Management (I)


First, ACL permissions

1. Overview of permissions

2. Enable ACL

Check whether ACL is already enabled on the partition (look for "acl" in the "Default mount options" line of the output):

    [root@localhost ~]# dumpe2fs -h /dev/sda1
    # dumpe2fs queries the detailed filesystem information of the specified partition;
    # -h prints only the information in the superblock, not the details of the block groups
    ....part of the output omitted....
    Default directory hash:           half_md4
    ....part of the output omitted....

If it is not enabled, enable ACL on the partition manually:

    [root@localhost ~]# mount -o remount,acl /
    # remount the root partition with the acl mount option

To enable ACL permanently, edit /etc/fstab instead and add acl to the mount options of the partition:

    [root@localhost ~]# vi /etc/fstab
    UUID=03502b44-af6b-494a-9c8d-7f3b96ae9dfa  /  ext4  defaults,acl  1 1
    # "acl" added to the mount options
    [root@localhost ~]# mount -o remount /
    # remount the filesystem (or reboot) for the change to take effect

3. Basic ACL commands

    getfacl filename                  query the ACL permissions of a file
    setfacl options filename          set ACL permissions
        options:
        -m    set (modify) an ACL entry
        -x    remove the entry of one user or group
        -b    remove all ACL entries
        -R    recurse into a directory

    setfacl -m u:username:permissions filename
    setfacl -m g:groupname:permissions filename
    setfacl -m u:aa:rwx /test          give user aa the ACL permission rwx (read, write, execute) on the /test directory
    setfacl -m u:cc:rx -R soft/        give the ACL permission recursively; -R applies it to the directory and everything already inside it
    setfacl -m d:u:aa:rwx -R /test     give a default ACL permission

Note: default permissions can only be set on directories. If a directory is given ACL permissions, two commands are needed to cover both existing and future content:

    -R -m u:username:permissions       takes effect only on files and directories that already exist
    -m d:u:username:permissions        takes effect only on files created in the future

4. Maximum effective permission (mask)

    [root@localhost ~]# setfacl -m m:rx project/
    # set the mask permission to r-x; the format is "m:permissions"
    [root@localhost ~]# getfacl project/
    # file: project/
    # owner: root
    # group: root
    user::rwx
    group::r-x              #effective:r-x
    mask::r-x               # the mask permission is now r-x
    other::r-x

The mask is the upper bound on what named-user, named-group and owning-group entries can actually grant: an entry's effective permission is the intersection of the entry and the mask, and getfacl prints that intersection in the "#effective:" column whenever it differs from the entry. The mask does not restrict the owner entry (user::) or other::.

5. Remove ACL permissions

    [root@localhost ~]# setfacl -x u:aa project/
    # remove the ACL entry of the specified user (use g:groupname for a group)
    [root@localhost ~]# setfacl -b project/
    # remove all ACL entries of the file
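The commands of sections 3 to 5 run end to end, as an added example that is not part of the original article: it sets a named-user entry, a default entry and a mask on a scratch directory, reads everything back with getfacl, and then removes the entries. The scratch directory comes from mktemp, the named user is "nobody" instead of the article's "aa", and the permission values are arbitrary; all three are assumptions. The small effective_perms helper shows the rule behind the "#effective:" column of section 4.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumptions: scratch directory
# from mktemp, named user "nobody" (the article uses "aa"), arbitrary permissions.
# Runs as any user on a filesystem mounted with ACL support.

# effective_perms ENTRY MASK: the permission an ACL entry really grants under a
# mask. A bit is effective only if it is set in both, which is exactly what the
# "#effective:" column of getfacl reports. Example: rwx under r-x -> r-x.
effective_perms() {
  entry=$1 mask=$2 out="" i=1
  while [ "$i" -le 3 ]; do
    e=$(printf '%s' "$entry" | cut -c "$i")
    m=$(printf '%s' "$mask" | cut -c "$i")
    if [ "$e" = "$m" ] && [ "$e" != "-" ]; then out="$out$e"; else out="$out-"; fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# demo_acl: the article's commands end to end. Returns 0 on success, 2 when the
# ACL tools are missing or the filesystem rejects ACLs (nothing to demonstrate).
demo_acl() {
  command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 ||
    { echo "skip: setfacl/getfacl not installed"; return 2; }
  user=nobody
  dir=$(mktemp -d) || return 1
  mkdir "$dir/test"
  touch "$dir/test/old.txt"                  # exists before any ACL is set

  # -R -m applies the named-user entry to the directory and everything already in it
  if ! setfacl -R -m "u:$user:rwx" "$dir/test" 2>/dev/null; then
    echo "skip: setfacl failed (no ACL support under $dir, or user $user missing)"
    rm -rf "$dir"; return 2
  fi
  # d:u:... is a default entry: inherited by files created afterwards, not by old.txt
  setfacl -m "d:u:$user:rwx" "$dir/test"
  touch "$dir/test/new.txt"
  # lowering the mask caps every named entry; getfacl then shows #effective:r-x
  setfacl -m m:rx "$dir/test"

  echo "--- directory, existing file, new file ---"
  getfacl -p "$dir/test" "$dir/test/old.txt" "$dir/test/new.txt"

  # removal: -x drops one entry, -b drops all extended entries (section 5)
  setfacl -x "u:$user" "$dir/test"
  setfacl -b "$dir/test"
  echo "--- after setfacl -b (only the classic mode bits remain) ---"
  getfacl -p "$dir/test"
  rm -rf "$dir"
}

effective_perms rwx r-x            # prints r-x
demo_acl || echo "demo_acl exit status $?"
```

The interesting line in the output is new.txt: it received the named entry from the default ACL while old.txt, created before the default entry existed, did not; that is the reason the article says two commands are needed for a directory.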

Second, sudo: granting ordinary users some administrator rights

The commands in /sbin/ and /usr/sbin/ are intended for the superuser only; sudo is the mechanism for letting an ordinary user run a chosen subset of them as root.

1. As root:

visudo       the command used to grant privileges to ordinary users; once started it is edited like vi. The default file contains these lines:

    98   root    ALL=(ALL)       ALL
    #    username    host-address=(runas identity)    authorized command (absolute path)
    105  # %wheel  ALL=(ALL)       ALL
    #    %groupname  host-address=(runas identity)    authorized command (absolute path)

Username / group name: the user or user group that is allowed to run the command on behalf of root; a group name must be prefixed with "%".

Host address: the server on which this rule applies, i.e. the host the user may manage with the specified command. Writing ALL lets the rule apply on any host; writing a fixed IP limits it to the server with that address ("man 5 sudoers" explains how the host field is matched). On a stand-alone server, writing ALL or the server's own IP address has the same effect; a network segment only makes sense where one sudoers file is shared by several servers, for example with NIS, where users and passwords are managed centrally. The IP written here does not mean that only logins from that machine may use the command: it identifies the server the rule is for, and the specified user may run the command on that server from any client address.

Runas identity: the identity the user switches to when running the command; (ALL) means any identity. This field can be omitted, in which case the command runs as root.

Authorized command: the command that root authorizes the ordinary user to run. ALL means any command, which of course defeats the purpose; write the specific command, and note that it must be written with its absolute path.

2. Examples

1) For example, to allow the user wulaoer to restart the server, root adds the following line:

    [root@localhost ~]# visudo
    99   wulaoer ALL=/sbin/shutdown -r now

Then, as the ordinary user, check what has been granted (sudo asks for wulaoer's own password, not root's):

    [wulaoer@localhost ~]$ sudo -l
    User wulaoer may run the following commands on this host:
        (root) /sbin/shutdown -r now      # the authorized command

2) For example, to authorize a user to manage the web service, so that from then on root does not need to step in to change settings or update pages, while the user still cannot manage anything else.

First analyse what an authorized Apache administrator should at least be able to do:

1. use the Apache management script

2. modify the Apache configuration file

3. update the content of the web pages

Assume the Apache management script is /etc/rc.d/init.d/httpd.

To satisfy condition one, authorize with visudo:

    [root@localhost ~]# visudo
    wulaoer 192.168.216.159=/etc/rc.d/init.d/httpd reload, /etc/rc.d/init.d/httpd configtest

User wulaoer can now, on the Apache server 192.168.216.159, use the management script to re-read the configuration file so that changed settings take effect (reload) and to check the configuration file for syntax errors (configtest), but is not allowed to shut down (stop), restart (restart) or otherwise control the service.

To satisfy condition two, authorize with visudo in the same way:

    [root@localhost ~]# visudo
    wulaoer 192.168.216.159=/bin/vi /etc/httpd/conf/httpd.conf

User wulaoer can now edit the Apache configuration file with vi as root. One caveat a practitioner should keep in mind: an editor started through sudo runs entirely as root, and vi can spawn a shell or write any file (":!sh", ":w /etc/passwd"). The safer form for condition two is sudoedit ("wulaoer 192.168.216.159=sudoedit /etc/httpd/conf/httpd.conf"), which lets the user edit a temporary copy under their own identity and copies only the result back as root.

Two points in these sudo settings deserve special attention, because people commonly make two mistakes: first, not narrowing the authorized command down to its options and arguments (authorizing /etc/rc.d/init.d/httpd on its own would also permit stop and restart); second, assuming that only administrator-level commands can be granted.

Condition three is simple: if the web pages live in /var/www/html, just give wulaoer write permission on that directory, or simply change the directory's owner to wulaoer. If you want, wulaoer can also update the pages through a file sharing service such as FTP.

3) Allow the user aa to add other ordinary users

    aa ALL=/usr/sbin/useradd
    # gives aa the right to add users; the command must be written with its absolute path

    aa ALL=/usr/bin/passwd
    # gives aa the right to change passwords, but as written this includes changing root's password

    aa ALL=/usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd "", !/usr/bin/passwd root
    # the corrected rule: passwd may be run with a user name as its argument, but not with no argument
    # (sudo runs it as root, so a bare "passwd" would change root's password) and not with the argument root.
    # The "!" exclusions must follow the broad entry: when several entries match, the last one wins.

As aa:

    [aa@localhost ~]$ sudo /usr/sbin/useradd ee
    # an ordinary user runs a superuser command through sudo
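The rules in examples 2 and 3 depend on two details of how sudoers evaluates a command list: an entry written without arguments matches any arguments, and when several entries match, the last one wins. The script below, an added example that is not part of the original article, models just that matching logic in POSIX sh (host, runas identity and Defaults are deliberately ignored, so it is a simplified reimplementation, not sudo's own code), checks the article's passwd rule and the narrowed Apache rule against sample command lines, and writes the Apache rules as a sudoers drop-in that is validated with visudo -c -f when visudo is installed. The drop-in uses sudoedit instead of /bin/vi; the drop-in path and the sample command lines are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article and not sudo's own code: a minimal
# model of sudoers Cmnd matching, applied to the article's rules. Assumptions: host,
# runas and Defaults are ignored; the drop-in path is whatever the caller passes.

# cmnd_matches REQUEST SPEC: does one Cmnd entry match the requested command line?
# sudoers(5) rules modelled here:
#   - the command path must be identical;
#   - a spec with no arguments matches ANY arguments (this is the common mistake);
#   - the spec argument "" matches only a request with no arguments;
#   - otherwise the spec arguments are a shell glob matched against the request's.
cmnd_matches() {
  c_req=$1 c_spec=$2
  [ "${c_req%% *}" = "${c_spec%% *}" ] || return 1
  case $c_spec in *' '*) spec_args=${c_spec#* } ;; *) return 0 ;; esac
  case $c_req  in *' '*) req_args=${c_req#* }   ;; *) req_args="" ;; esac
  if [ "$spec_args" = '""' ]; then [ -z "$req_args" ]; return $?; fi
  case $req_args in $spec_args) return 0 ;; esac
  return 1
}

# sudoers_allows REQUEST SPEC...: evaluate a Cmnd list. Entries are tried in order
# and the LAST match wins; a leading "!" makes the entry an exclusion. That is why
# the exclusions in the article's passwd rule must come after the broad pattern.
sudoers_allows() {
  req=$1; shift
  verdict=deny
  for spec in "$@"; do
    negated=0
    case $spec in '!'*) negated=1; spec=${spec#!} ;; esac
    if cmnd_matches "$req" "$spec"; then
      if [ "$negated" -eq 1 ]; then verdict=deny; else verdict=allow; fi
    fi
  done
  [ "$verdict" = allow ]
}

# The article's rule: aa ALL=/usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd "", !/usr/bin/passwd root
passwd_allowed() {
  sudoers_allows "$1" '/usr/bin/passwd [a-zA-Z]*' '!/usr/bin/passwd ""' '!/usr/bin/passwd root'
}

# The Apache rule, narrowed to reload and configtest as the article recommends.
httpd_allowed() {
  sudoers_allows "$1" '/etc/rc.d/init.d/httpd reload' '/etc/rc.d/init.d/httpd configtest'
}

# write_apache_rules FILE: write the condition-one and condition-two lines as a
# sudoers drop-in (sudoedit instead of /bin/vi, so the editor cannot hand out a root
# shell) and check the syntax with visudo when it is installed.
# Returns visudo's status (0 = syntax OK), or 2 when visudo is not available.
write_apache_rules() {
  f=$1
  cat >"$f" <<'EOF'
wulaoer 192.168.216.159=/etc/rc.d/init.d/httpd reload, /etc/rc.d/init.d/httpd configtest
wulaoer 192.168.216.159=sudoedit /etc/httpd/conf/httpd.conf
EOF
  chmod 0440 "$f"
  command -v visudo >/dev/null 2>&1 || return 2
  visudo -c -f "$f"
}

for c in '/usr/bin/passwd bob' '/usr/bin/passwd root' '/usr/bin/passwd' '/usr/bin/passwd 123'; do
  if passwd_allowed "$c"; then echo "allow: $c"; else echo "deny:  $c"; fi
done
for c in '/etc/rc.d/init.d/httpd reload' '/etc/rc.d/init.d/httpd stop'; do
  if httpd_allowed "$c"; then echo "allow: $c"; else echo "deny:  $c"; fi
done
# the mistake from the article: a path with no arguments permits every subcommand
if sudoers_allows '/etc/rc.d/init.d/httpd stop' '/etc/rc.d/init.d/httpd'; then
  echo "allow: httpd stop (bare path entry matches any arguments)"
fi
f=$(mktemp)
write_apache_rules "$f" || echo "visudo check status $?"
rm -f "$f"
```

Before putting a real rule into /etc/sudoers.d, run the same visudo -c -f check on the file; a syntax error in a live sudoers file can lock every administrator out of sudo.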


This article is from the "Wu-Dick" blog; please keep this source when reposting: http://9827789.blog.51cto.com/9817789/1659507
