7th Chapter Rights Management (3) _ File System Properties and sudo permissions

3. File System Properties chattr permissions

(1) chattr command

Command format:	#chattr [+-=][Options] File or directory name
+ 、-、 =	means to increase permissions , Delete permissions, and assign permissions
Options	I: mainly used to prevent the wrong operation of files or directories . If you set the I attribute to the file, then the file is not allowed to be deleted, renamed, or added and modified, and if you set the I property on the directory, you can only modify the data of the files in the directory, but do not allow the creation and deletion of files. (Note that the settings here also work for Root ) A: If you set a property to a file, you can only add data to the file, but you cannot delete or modify the data, and if you set a property on the directory, only the directory is allowed to be established and modified, but not deleted.

(2) View File System Properties: Lsattr command

① format: #lsattr [options] File name, where the options are as follows:

② option:-a displays all files and directories

-D If the target is a directory, list only the properties of the directory itself, not the child file's

(3) Application examples

① add I attribute to file

Conclusion

A. After you add the I attribute to the ABC file, you can view its properties through Lsattr, and the "I" in the permission indicates that it has an I attribute. "E" means that the file is in the EXT4 format.

B. when the I attribute is added, the file cannot be deleted, even if it is the root user. However, you can view its contents.

② to directory Plus I attribute

Conclusion

A. Add I attribute to/test/directory

B. You can modify the ABC file under the test directory, but you cannot delete the file.

C. Also because the/test directory has the I attribute, you cannot delete the test directory itself, nor can you create a new file or directory in it.

4. system commands sudo permissions

4.1 sudo Permissions

(1) Root can only be executed by the Superuser command to the ordinary user , but do not need to provide the root password to the ordinary user.

(2) sudo is the operating object of the system command.

4.2 sudo the Use

(1)#visudo (Note that this is a command, not "VI sudo", can also #vim/etc/sudoers file )

root all= (All) all// authorizing the root user

is the address of the managed host #用户名 (can use Identity) Authorization command (absolute path), respectively. where "user name" indicates which user is authorized , " address of Managed host " indicates which host the user can run authorization command on (all means any host), " can use identity " indicates the identity of the test user to run the authorization command , which is omitted. An " authorization command " means a command that is authorized to be executed by a user , all representing all commands.

test all= (Root)/usr/sbin/useradd// Authorization for Test

The above line means that the Superuser grants the test user permission to run the Useradd command on any host, which is executed as root when the test user executes the command with Sudo.

#%wheel all= (All) all// authorize a command for a group (such as a wheel group) user

//#% Address of group name managed host = (can use Identity) Authorization command (absolute path)

(2) Application examples

① Authorized SC user can restart server

#visudo

SC all=/sbin/shutdown–r now//for SC authorization to execute the command of Shudown–r, but note that only the shutdown command with the "-r" option is granted here. Instead of all shutdown commands.

② a normal user to execute sudo-given commands

$sudo –l//view available sudo commands. (Note that $ represents a normal user)

$sudo/sbin/shutdown–r now//normal user performs sudo-given commands

7th Chapter Rights Management (3) _ File System Properties and sudo permissions