#6 Management of Linux permissions

Source: Internet
Author: User

User permission management:

Normal permissions:

Special permissions:

Special attributes of the file:

Facl (File Access Control List):


Normal permissions:

The process security context:

1. Determine whether the owner of the process is the owner of the file to be operated on; if so, authorize according to the owner's permissions;

If not, go to step 2;

2. Determine whether the owner of the process is a member of the file's group; if so, authorize according to the group's permissions; if not, go to step 3;

3. Authorize according to the permissions of other users;

Only the first matching class is consulted; the check does not fall through to a later class even if that class has broader permissions;
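The three-step order above, as an added model written for this page (not code from the original); uids, gids, and modes are constructed sample values, and root (uid 0) is deliberately left out of the model:

```python
# Model of the owner -> group -> other authorization order. Constructed sample
# values throughout; root (uid 0), which bypasses these checks, is not modelled.
PERM_BITS = {"r": 0o4, "w": 0o2, "x": 0o1}

def permission_class(proc_uid, proc_gids, file_uid, file_gid):
    """Pick the triplet the kernel consults: owner first, then group, then other.
    Only the first matching class is used; there is no fall-through."""
    if proc_uid == file_uid:
        return "owner"
    if file_gid in proc_gids:
        return "group"
    return "other"

def is_permitted(mode, proc_uid, proc_gids, file_uid, file_gid, want):
    """mode: 9-bit rwx mode (e.g. 0o640); want: requested subset of 'rwx'."""
    cls = permission_class(proc_uid, proc_gids, file_uid, file_gid)
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    triplet = (mode >> shift) & 0o7
    return all(triplet & PERM_BITS[p] for p in want)

# Constructed scenario: file owned by alice (uid 1000), group staff (gid 100),
# mode ----rwx--- (0o070): the owner has nothing, the group has everything.
ALICE, BOB, CAROL = 1000, 1001, 1002
FILE_UID, FILE_GID, MODE = ALICE, 100, 0o070

def demo():
    """Returns (alice_can_read, bob_can_read, carol_can_read)."""
    return (
        # alice is also in staff, but the owner triplet wins and denies her
        is_permitted(MODE, ALICE, {100}, FILE_UID, FILE_GID, "r"),
        # bob is not the owner but is in staff: the group triplet grants rwx
        is_permitted(MODE, BOB, {100}, FILE_UID, FILE_GID, "rwx"),
        # carol matches neither: the other triplet (---) denies
        is_permitted(MODE, CAROL, {200}, FILE_UID, FILE_GID, "r"),
    )

if __name__ == "__main__":
    print(demo())  # (False, True, False)
```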

The composition of the permissions:

MODE (permission): the access rights

r: readable

w: writable

x: executable


Directory:

r: You can use the ls command to get the list of file names in the directory, but you cannot use ls -l to get the detailed attributes of those files, cannot use cd to enter it, and cannot reference the directory in a path;

w: You can modify the list of file names in this directory, that is, you can create, rename or delete files in it;

x: You can use ls -l to get detailed attribute information about the files in it, reference it in a path, or use cd to enter it; Note: x is the most basic permission on a directory; a directory must grant x to a user before that user can do anything with it;


File:

r: You can view or get the data stored in the file;

w: You can modify the data stored in the file;

x: The file can be launched to run as a process;


ls -l <--> ll

-rw-r--r--: three permission triplets: owner, group, other users

Owner permissions: rw-

Group permissions: r--

Other users' permissions: r--


Permission identification (three-bit groups):

Identifier  Binary  Octal
---         000     0
--x         001     1
-w-         010     2
-wx         011     3
r--         100     4
r-x         101     5
rw-         110     6
rwx         111     7


rw-r--r--  -->  110 100 100  -->  644


755  -->  rwxr-xr-x


Note: Only the owner of a file can modify the file's permissions (except root);

To modify the permissions of a file:

chmod --> change mode: chmod - change file mode bits

chmod [OPTION]... MODE[,MODE]... FILE...

MODE: symbolic permission identification method

u,g,o,a represent the ownership class;

+,-,= identify the authorization method;

+: Add new permissions on the basis of the original permissions;

-: Remove certain permissions on the basis of the original permissions;

=: Ignore the original permissions and set the permissions directly to the target permissions;


r,w,x express the specific permission content;


Example:

chmod u+w FILE

chmod g+rw FILE

chmod u+x,g-wx,o-x FILE

chmod u=rw,g=r,o=r FILE

chmod ug-x FILE

chmod +x FILE: with no ownership class given, the default is a, so execute permission is added for all;

chmod +w FILE: by default this adds write permission only for the owner, because the write bits of group and others are masked by the umask (normally 022);
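The symbolic MODE grammar used in the examples above, as an added model written for this page (not code from the original). It follows the GNU chmod rule that an operation with no ownership class applies to every class except the bits set in the umask, which is why "+w" reaches only the owner under the assumed default umask of 022:

```python
# Model of chmod's symbolic MODE handling on the 9 rwx bits (no special bits).
# Assumption: GNU chmod semantics for a missing ownership class, default umask 022.
import re

PERM_BITS = {"r": 0o4, "w": 0o2, "x": 0o1}
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}
CLAUSE = re.compile(r"^([ugoa]*)((?:[-+=][rwx]*)+)$")   # e.g. "ug-x", "+x"
OPERATION = re.compile(r"([-+=])([rwx]*)")

def parse_octal(digits: str) -> int:
    """Octal MODE: missing leading digits count as 0, so '40' is 0o040 (---r-----)."""
    return int(digits, 8)

def apply_symbolic(mode: int, spec: str, umask: int = 0o022) -> int:
    """Apply a symbolic MODE such as 'u+x,g-wx,o-x' to a 9-bit permission mode."""
    for clause in spec.split(","):
        match = CLAUSE.match(clause)
        if not match:
            raise ValueError(f"invalid mode clause: {clause!r}")
        who, operations = match.groups()
        if "a" in who:
            who = "ugo"
        if who:
            affected = 0
            for w in set(who):
                affected |= 0o7 << WHO_SHIFT[w]
        else:
            affected = 0o777 & ~umask      # no class given: all classes minus the umask
        for op, perms in OPERATION.findall(operations):
            bits = 0
            for p in perms:
                bits |= PERM_BITS[p]
            value = (bits * 0o111) & affected   # copy the rwx bits into each triplet
            if op == "+":
                mode |= value
            elif op == "-":
                mode &= ~value
            else:  # '=': keep the untouched classes only when a class was named
                mode = ((mode & ~affected) if who else 0) | value
    return mode

if __name__ == "__main__":
    print(oct(apply_symbolic(0o444, "+w")))   # 0o644: only the owner gains w
    print(oct(apply_symbolic(0o644, "+x")))   # 0o755: x is not in the umask
```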


Note: File execute permission is a very important security attribute in the Linux file system;

Because once a file has execute permission, it can be launched to execute as a process;

Therefore, by default, files are created without execute permission;


chmod [OPTION]... OCTAL-MODE FILE...

If the octal numeric method is used, the full permission bits must be given every time;

If the given permission bits are incomplete, the file system pads them automatically: the given digits are placed on the right, and the missing digits on the left are filled with 0;


chmod 640 FILE


chmod [OPTION]... --reference=RFILE FILE...


chmod --reference=/path/to/somefile DEST_FILE

chmod --reference=a b

Options:

-R, --recursive: the files in the target directory and all of its subdirectories are uniformly set to the specified permissions;





Ownership:

Owner: the specific user who controls the resource; user, u

Group: the specific group of users who control the resource; group, g

Other users: those who do not control the resource; other, o


All users: all, a

chown - change file owner and group


chown [OPTION]... [OWNER][:[GROUP]] FILE...

chown OWNER FILE

chown :GROUP FILE

chown OWNER: FILE // changes the owner of the target file to OWNER and changes the group to OWNER's primary group;

chown OWNER:GROUP FILE // changes the owner and group of the target files to OWNER and GROUP;


chown [OPTION]... --reference=RFILE FILE...


-R, --recursive: sets the files in the target directory and all of its subdirectories uniformly to the specified ownership;

Note: Modifying the ownership of a file can only be done by the superuser (root);



chgrp: can only modify the group of a file

chgrp - change group ownership



chgrp [OPTION]... GROUP FILE...

chgrp [OPTION]... --reference=RFILE FILE...



install command:

install: copies files and gives the copies execute permission;

install - copy files and set attributes

Single-source copy:

install [OPTION]... [-T] SOURCE DEST


Multi-source copy:

install [OPTION]... SOURCE... DIRECTORY

install [OPTION]... -t DIRECTORY SOURCE...

To create a directory:

install [OPTION]... -d DIRECTORY...


Common options:

-m, --mode=MODE: specifies the permissions of the target file; the default is 755;

-o, --owner=OWNER: sets the owner of the target file; only root can use this;

-g, --group=GROUP: sets the group of the target file; only root can use this;


Note: The install command cannot copy a directory, that is, its source cannot be a directory; if the source is a directory, the install command enters it and copies each of its non-directory files to the target location in turn;


mktemp command:

In general, temporary files are created in the /tmp or /var/tmp directory; they need not be deleted manually, as the system periodically clears the files in both directories automatically;

mktemp - create a temporary file or directory


mktemp [OPTION]... [TEMPLATE]


Options:

-d, --directory: creates a temporary directory instead of a file;


Example:

mktemp [-d] /path/to/tmp.XXXXXXXXXX

Special permissions:

SUID, SGID, STICKY


By default, when a user launches a process, the owner of that process is the user who launched it, i.e. the process runs as its initiator;


SUID:

Function: When a user launches a process, if the program file has the SUID permission set, the process launched from that program runs as the owner of the program file, not as its initiator;


Where the SUID permission is displayed: in the execute permission bit of the file's owner triplet, shown as s if the owner has execute permission, otherwise as S;


To manage the SUID permission of a file:

chmod u+s FILE ... (add) / chmod u-s FILE ... (remove)

SGID:

If a directory grants write permission to some users and has the SGID permission set, then when any of those users creates a new file or directory in it, the group of the new file is no longer the creating user's primary group: it inherits the group of the directory;


Where the SGID permission is displayed: in the execute permission bit of the file's group triplet, shown as s if the group has execute permission, otherwise as S;


To manage the SGID permission of a file:

chmod g+s FILE ... (add) / chmod g-s FILE ... (remove)


Sticky: sticky bit

If more than one user has write permission on a directory, those users can freely create, rename and delete files in that directory;


Function of Sticky:

If the sticky permission is set on such a directory, each user can still create and rename files, but each user can delete only the files that belong to himself;


Where the sticky permission is displayed: in the execute permission bit of the other-users triplet, shown as t if execute permission was originally present, otherwise as T;


To manage the sticky permission of a file:

chmod o+t FILE ... (add) / chmod o-t FILE ... (remove)


SUID SGID STICKY

Identifier  Binary  Octal
---         000     0
--t         001     1
-s-         010     2
-st         011     3
s--         100     4
s-t         101     5
ss-         110     6
sst         111     7


Another way to modify special permissions:

The octal digit corresponding to the special permissions is placed in front of the octal digits of the normal permissions;


For example, to add a sticky bit to a directory:

chmod 1755 DIRECTORY ...
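The s/S and t/T display rules and the four-digit octal form above, as an added renderer written for this page (not code from the original); the listing in the report helper is constructed sample data:

```python
# Render and parse the 12 permission bits the way ls -l shows them.
import stat

# triplet shift -> (special bit for that triplet, letter ls uses for it)
SPECIAL = {6: (stat.S_ISUID, "s"), 3: (stat.S_ISGID, "s"), 0: (stat.S_ISVTX, "t")}

def mode_to_ls(mode: int) -> str:
    """0o4755 -> 'rwsr-xr-x'. Lower-case s/t: the x bit is also set;
    upper-case S/T: the special bit is set but x is not."""
    out = []
    for shift in (6, 3, 0):
        triplet = (mode >> shift) & 0o7
        out.append("r" if triplet & 0o4 else "-")
        out.append("w" if triplet & 0o2 else "-")
        has_x = bool(triplet & 0o1)
        flag, letter = SPECIAL[shift]
        if mode & flag:
            out.append(letter if has_x else letter.upper())
        else:
            out.append("x" if has_x else "-")
    return "".join(out)

def ls_to_mode(text: str) -> int:
    """Inverse of mode_to_ls: 'rwxr-xr-t' -> 0o1755."""
    if len(text) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for i, shift in enumerate((6, 3, 0)):
        r, w, x = text[3 * i:3 * i + 3]
        flag, letter = SPECIAL[shift]
        triplet = (0o4 if r == "r" else 0) | (0o2 if w == "w" else 0)
        if x in ("x", letter):            # x or lower-case s/t: execute bit present
            triplet |= 0o1
        if x in (letter, letter.upper()): # s/S or t/T: special bit present
            mode |= flag
        mode |= triplet << shift
    return mode

def special_bit_report(listing):
    """listing: iterable of (mode, path). Returns (path, ls string) for every
    entry carrying SUID, SGID or sticky, e.g. when auditing a directory tree."""
    any_special = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX
    return [(path, mode_to_ls(mode)) for mode, path in listing if mode & any_special]

if __name__ == "__main__":
    # constructed sample listing, not taken from a real system
    print(special_bit_report([(0o4755, "/bin/a"), (0o644, "/etc/b"), (0o1777, "/tmp")]))
```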


umask

Permission mask: the rule that generates the default permissions when a file or directory is created;


root: 0022

The special permission bits are not considered;

For a newly created file or directory, it masks none of the owner's permissions, and masks the write permission of the group and of other users;


# mkdir test       --> rwxr-xr-x

# touch test.txt   --> -rw-r--r--


The default permissions for files are: 666 - umask (controversial)

The default permissions for directories are: 777 - umask (controversial)

Understanding the mask:

Convert the mask value to binary; wherever a bit is 1, the corresponding permission is not set when the file is created;


umask 033 --> 000 011 011; file permissions after masking: 110 100 100 --> 644


By default, a file already has the mask 0111 applied (no execute bits), and the umask is then applied on top of it to mask further permissions;


Special attributes of the file:

To view the special attributes of a file:

lsattr - list file attributes on a Linux second extended file system

lsattr [-RVadv] [files...]

To modify the special attributes of a file:

chattr - change file attributes on a Linux file system

chattr [-RVf] [-v version] [mode] files...

mode: +-= is used to set the attributes

The most critical and central part of the entire chattr command is the [mode] section:

[aAcCdDeijsStTu] are the attributes that can be set:


+: On the basis of the original attribute setting, add the new attribute;

-: Removes the specified attribute from the original attribute setting;

=: Regardless of the original attribute setting, update the file's attributes directly to the specified attribute content;


a: append; with this attribute set, the file's contents cannot be changed or deleted, data can only be appended to the end of the file; most server log files are set with this attribute;

A: atime; updating the access timestamp of a file can be an IO bottleneck, and setting the A attribute stops the file from changing its access timestamp when it is accessed, which effectively avoids this IO bottleneck;

c: sets whether the file is automatically compressed before being stored;

C: sets whether the file's "copy on write" attribute is enabled;

d: the file will not be a backup target when dump is used for backup;

D: sets the file's write operations in the file system to be asynchronous;

i: immutable; the file cannot be deleted, modified, or linked to;

s: secure deletion; once a file with the s attribute is deleted, the space it used on the storage device is recovered;

u: in contrast to the s attribute, if such a file is deleted, the data stored on the storage device is retained;


Most commonly used attributes: i and a


chattr +i FILE


Common options:

-R: recursively sets the specified attributes on all files and subdirectories in the directory;


A mechanism to give files additional permissions: Facl: file access control list;

An additional authorization mechanism on top of the original one:

On top of the original u,g,o permission classes, it lets an ordinary user grant additional permissions to specific users and groups on the files he controls;

It only gradually matured in releases after CentOS or RHEL 7;


Commands related to Facl:

getfacl:

getfacl - get file access control lists

getfacl [-aceEsRLPtpndvh] file ...

getfacl [-aceEsRLPtpndvh] -

user:USERNAME:MODE

group:GROUPNAME:MODE

other::MODE


setfacl:

setfacl - set file access control lists

setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...

setfacl --restore=file

acl_spec: acl specification, the specified access control list entry

u:USERNAME:MODE

g:GROUPNAME:MODE

MODE: generally uses the symbolic permission identification method;


To give a user additional permissions:

setfacl -m u:USERNAME:MODE FILE ...

To give a group additional permissions:

setfacl -m g:GROUPNAME:MODE FILE ...

To revoke the additional permissions given to a user:

setfacl -x u:USERNAME FILE ...

To revoke the additional permissions given to a group:

setfacl -x g:GROUPNAME FILE ...


Note: If you modify the permissions of the target file after setting the Facl, the entries set in the Facl may be affected and no longer be honored as intended; therefore, if you really need to set a Facl, determine the target file's permissions first and set the Facl afterwards;
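The reason behind that note, as an added model written for this page (not code from the original): once a file carries named Facl entries, its group permission bits stand for the ACL mask, and every entry except user:: and other:: is limited to (entry AND mask), so a later chmod that lowers the group digit silently lowers the named entries too. The user name "alice" and the modes are constructed sample values:

```python
# Model of the POSIX ACL mask and how chmod rewrites it. Constructed sample data.
PERM = {"r": 4, "w": 2, "x": 1}
def to_bits(perms): return sum(v for c, v in PERM.items() if c in perms)
def to_text(bits): return "".join(c if bits & v else "-" for c, v in PERM.items())

class Acl:
    def __init__(self, mode: int):
        self.entries = {("user", ""): (mode >> 6) & 7,    # user::  (owner)
                        ("group", ""): (mode >> 3) & 7,   # group:: (owning group)
                        ("other", ""): mode & 7}          # other::
        self.mask = None   # no mask entry until a named entry is added

    def _masked(self, key):
        return key != ("user", "") and key[0] != "other"

    def set_named(self, tag: str, name: str, perms: str):
        """setfacl -m u:name:perms / g:name:perms; setfacl also recomputes the
        mask as the union of every entry the mask applies to."""
        self.entries[(tag, name)] = to_bits(perms)
        self.mask = 0
        for key, bits in self.entries.items():
            if self._masked(key):
                self.mask |= bits

    def chmod(self, mode: int):
        """chmod on a file with an extended ACL: the group digit sets the MASK,
        not the owning group's own entry."""
        self.entries[("user", "")] = (mode >> 6) & 7
        self.entries[("other", "")] = mode & 7
        if self.mask is None:
            self.entries[("group", "")] = (mode >> 3) & 7
        else:
            self.mask = (mode >> 3) & 7

    def effective(self, tag: str, name: str = "") -> str:
        bits = self.entries[(tag, name)]
        if self.mask is not None and self._masked((tag, name)):
            bits &= self.mask              # what getfacl prints as #effective:
        return to_text(bits)

def demo():
    """Alice's effective permission before and after a later 'chmod 640'."""
    acl = Acl(0o664)
    acl.set_named("user", "alice", "rwx")    # setfacl -m u:alice:rwx FILE
    before = acl.effective("user", "alice")  # "rwx"
    acl.chmod(0o640)                         # chmod 640 FILE, done afterwards
    return before, acl.effective("user", "alice")   # ("rwx", "r--")
```

Doing the chmod first and the setfacl second leaves the mask at the union setfacl computes, which is the ordering the note recommends.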
