ACL Rights Management
The ACL (Access control list) is primarily provided with specific permission settings other than the traditional owner,group,others Read,write,execute permissions, and ACLs can be r for a single user, a single file, or a directory. W,x permission control is useful for use situations that require special permissions.
Example ①: The permissions for the directory/home/acl are: drwxr-x---, the owner and the owning group are root, and only the users of the other group are required to have full access to the directory (RWX) without changing the owner (Justin does not belong to the root group)
(1) for the/home/acl directory, the Justin user belongs to the other group, and if you add rwx permissions to/home/acl's other group, all members of the other group have RWX permissions.
(2) If you add Justin to the root group and assign rwx permissions to the root group, it clearly does not match test instructions.
In order to solve this problem, the ACL can be used to set the permissions for a specific user or group of users to operate on a file.
| ACL Rights Management |
Setfacl: Setting ACL settings items for a file/directory Getfacl: Get ACL Settings item for a file/directory Description: There are two types of ACLs, one is Access ACL (Access ACLs), and the Access control list is set for files and directories. One is the default ACL, which is set only for directories, ACLs. If a file in the directory does not have an ACL set, it uses the default ACL for that directory. |
| Parameters |
Function |
Parameters |
Function |
| -M |
Modify file (clip) current ACL settings |
-X |
Remove ACL settings for files (clips) |
| -M |
Read file (clip) modified ACL settings |
-X |
Read deleted file (clip) ACL settings |
| -B |
Remove all ACL settings |
-R |
Recursive set ACL |
| -K |
Remove the default ACL settings |
-D |
Set the default ACL |
Note: In addition to setting up a user or group, you can set the effective permissions (mask), and the permissions set by the user or group must be within the scope of the mask's permission setting to take effect
The above example ① can be done as follows:
SetUID SetGID Sticky bit (sticky bit)
| permissions |
function |
| setuid |
User has permission to file owner ... The setuid will only appear in the binaries, and there will be no meaning in the directory. When other users use a command with the setuid identity, they must also have X (execute) permission on the command |
| SetGID |
Set the user has permission to the group to which the directory belongs. This permission is valid only for the directory. After the directory is set, any user who creates the file in this directory has the same group as the group to which the directory belongs. |
| sticky bit |
sticky bits are primarily set for public directories (for example, permissions of 777), and the effect is that users cannot delete the item Other users ' files (except the root user). Sticky only valid for files |
File (folder) permissions are actually represented by 4-bit 8 decimal digits, these 4 digits are composed of setuid+setgid+ sticky bits, genera, genera, other users, SetUID, SetGID, sticky bits (sticky bits) are respectively represented by the number 4, 2, 1, after setting, you can use Ls-l To view. If there is an X on that bit, these special flags appear as lowercase letters (s, s, T). Otherwise, display as uppercase (s, S, T), give setuid permission chmod command: chmod 4xxx file (s) or chmod u+s file (s), revoke setuid permissions: chmod xxx file (s) or chmod u-s file (s )
Example: 1, take setuid as an example:
2. Any user in the/home/sticky directory can create a file or directory, but only the user itself and the root user can delete files or directories created by the user.
Chattr and Lsattr command
These two commands are used to view and change the file, directory properties, compared to chmod this command, these two commands are used to view and change the file, directory properties, compared with chmod this command, chmod just change the file read and write, execute permissions, the more underlying property control is changed by the chattr.
chattr command usage: chattr [-RVF] [-v version] [mode] files ...
+: On the basis of the original parameter setting, append the parameter. +: On the basis of the original parameter setting, append the parameter.
-: Remove parameters based on the original parameter setting.
=: Updated to specify parameter settings.
A: Atime (access time) of a file or directory cannot be modified (modified), which can effectively prevent the occurrence of disk I/O errors such as laptops.
S: HDD I/O sync option, similar to sync.
A: Append, after setting this parameter, can only add data to the file, not delete, more for the server log file security, only root can set this property.
C: Compresse, set whether the file is compressed and then stored. An automatic decompression operation is required for reading.
D: No dump, the settings file cannot be the backup target of the dump program.
I: The settings file cannot be deleted, renamed, linked, and cannot be written or added. The I parameter is useful for file system security settings.
J: Journal, set this parameter so that when the file system is mounted via the Mount parameter: data=ordered or Data=writeback, the file is recorded (in journal) when it is written. If the filesystem parameter is set to Data=journal, the parameter is automatically invalidated.
S: Delete files or directories confidentially, that is, the hard disk space is fully recovered.
U: In contrast to S, when set to U, the data content actually exists in the disk and can be used for undeletion.
A and I are commonly used in the various parameter options. The A option enforces that only non-removable, multi-log system security settings can be added. While I is a more stringent security setting, only superuser (root) or processes with cap_linux_immutable processing power (identity) can apply this option.
Use the chattr command to prevent a critical file in the system from being modified
| 123456 |
[[email protected] ~]# lsattr /etc/resolv.conf-------------e- /etc/resolv.conf[[email protected] ~]# chattr +i /etc/resolv.conf[[email protected] ~]# lsattr /etc/resolv.conf----i--------e- /etc/resolv.conf[[email protected] ~]# vim /etc/resolv.conf |
Allow a file to append data only to it, but not delete it, for various log files
| 1 |
[[email protected] ~]# chattr +a /var/log/messages |
RHEL6 Basic 49 Rhel File (folder) permissions Advanced article