Advanced permission settings for files in Linux
1. Hidden file attributes (chattr / lsattr)
chattr [+-=] [ASacdi] file-or-directory
+: add the given attributes; other existing attributes are unchanged.
-: remove the given attributes; other existing attributes are unchanged.
=: set exactly the given attributes, clearing any others.
A: do not update the access time (atime) when the file or directory is read; this avoids needless disk writes on I/O-bound machines.
S: writes to the file or directory are flushed to disk synchronously.
a: append-only. Data can be added to the file, but existing data cannot be modified or truncated, and the file cannot be deleted or renamed. Only root (a process with CAP_LINUX_IMMUTABLE) can set or clear it.
c: transparent compression; the data is decompressed on read. Not every filesystem honors this flag (ext2/ext3/ext4 ignore it).
d: the file or directory is skipped by the dump backup program.
i: immutable. Nobody, root included, can delete, rename, link to, or write the file while the attribute is set; only root (CAP_LINUX_IMMUTABLE) can set or clear it.
Note that a and i are the most commonly used. Root often uses them to protect system files. For example, to prevent accounts from being created or deleted, since the files cannot be modified while the attribute is set:
chattr +i /etc/passwd /etc/shadow
To cancel:
chattr -i /etc/passwd /etc/shadow
To protect a log file from being truncated or cleared while still allowing new entries to be appended:
chattr +a /var/log/messages
Caveats: with +i on /etc/passwd and /etc/shadow, useradd, userdel and passwd fail until the attribute is removed; with +a on a log, logrotate cannot rename or truncate the file. Neither attribute stops an attacker who already has root, because root can simply run chattr -i first. Their value lies in blocking accidental changes and unprivileged or partially privileged processes, and in leaving a trace: a chattr -i on a protected file is itself a signal worth auditing.
lsattr: view the hidden attributes
chattr +ai /tmp/test
lsattr /tmp
chattr can be applied recursively with -R, and lsattr -R also lists the contents of sub-directories.
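As an added example that is not part of the original article, the script below parses lsattr output and checks it against an expected attribute policy, which is how a hardening check or a forensic triage script would consume the command. The sample lines and the policy (EXPECTED) are constructed for the example, not captured from a real host; real lsattr output carries additional flags such as e (extents), which the parser passes through.

```python
"""Check lsattr output against an expected attribute policy (added example)."""

# Flag letters as printed by lsattr, restricted to those the article describes.
FLAG_NAMES = {
    "A": "no-atime-update",
    "S": "synchronous",
    "a": "append-only",
    "c": "compressed",
    "d": "no-dump",
    "i": "immutable",
}

# Constructed sample output in lsattr's format (flag string, space, path), as if
# from `lsattr /etc/passwd /etc/shadow /var/log/messages`. Not captured from a real host.
SAMPLE_LSATTR = """\
----i---------e------- /etc/passwd
--------------e------- /etc/shadow
-----a--------e------- /var/log/messages
"""

# Hypothetical policy for this example: the flag each path is expected to carry.
EXPECTED = {
    "/etc/passwd": "i",
    "/etc/shadow": "i",
    "/var/log/messages": "a",
}


def parse_lsattr(text):
    """Map each path to the set of attribute letters lsattr shows for it."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        flags, path = line.split(None, 1)  # split once: the path may contain spaces
        attrs[path] = {c for c in flags if c != "-"}
    return attrs


def describe(flags):
    """Human-readable names for the flags the article covers; other letters pass through."""
    return sorted(FLAG_NAMES.get(c, f"flag:{c}") for c in flags)


def check_policy(text, expected=EXPECTED):
    """Return {path: missing_flag} for every path that lacks its required attribute.
    An empty dict means the host complies with the policy."""
    attrs = parse_lsattr(text)
    missing = {}
    for path, flag in expected.items():
        if flag not in attrs.get(path, set()):
            missing[path] = flag
    return missing


if __name__ == "__main__":
    for path, flags in parse_lsattr(SAMPLE_LSATTR).items():
        print(f"{path}: {', '.join(describe(flags)) or 'no special attributes'}")
    for path, flag in check_policy(SAMPLE_LSATTR).items():
        print(f"WARNING: {path} is missing +{flag}")
```

In the constructed sample /etc/shadow has lost its immutable flag, so check_policy reports it; on a live system you would feed the script the real output of lsattr for the paths in the policy.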
2. File Access Control Lists (ACLs). These resemble NTFS ACLs and are useful for granting specific permissions to specific users or groups beyond the single owner/group/other triplet.
Set an object's ACL with setfacl
View an object's ACL with getfacl
For example, to give the user u01 read, write and execute (search) access to a directory:
setfacl -m user:u01:rwx /etc/yum.repos.d/
(u:u01:rwx is an accepted short form.) Afterwards ls -l shows a + after the permission bits; that is the only hint in a plain listing that an ACL is present.
View the result:
getfacl /etc/yum.repos.d/
Delete the entry (no permission list is given with -x):
setfacl -x user:u01 /etc/yum.repos.d/
Caveat: as soon as a named user or group entry exists, the ACL also carries a mask entry, and the rights a named entry grants are limited to what the mask allows. chmod on the group bits rewrites the mask, so a later chmod g-w on the directory silently reduces u01's rwx to r-x; getfacl marks such entries with an #effective: annotation.
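As an added example that is not part of the original article, the script below parses getfacl output and recomputes the rights each entry actually grants once the mask is applied, so the effective permission of a named user is not misread from the entry alone. The sample output is constructed to match the page's example (u01 granted rwx, then the mask lowered to r-x by a chmod g-w); it is not captured from a real system.

```python
"""Compute effective ACL rights from getfacl output (added example)."""

# Constructed sample: ACL after `setfacl -m u:u01:rwx` followed by `chmod g-w`.
SAMPLE_GETFACL = """\
# file: etc/yum.repos.d
# owner: root
# group: root
user::rwx
user:u01:rwx			#effective:r-x
group::r-x
mask::r-x
other::r-x
"""


def parse_getfacl(text):
    """Return (header dict, list of (tag, qualifier, perms)) from getfacl text.
    The #effective: annotation is discarded; effective_rights recomputes it."""
    header, entries = {}, []
    for raw in text.splitlines():
        if raw.startswith("# "):
            key, _, value = raw[2:].partition(": ")
            header[key] = value
            continue
        line = raw.split("#", 1)[0].strip()  # drop a trailing #effective: comment
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perms))
    return header, entries


def perm_bits(perms):
    """'r-x' -> {'r', 'x'}"""
    return {c for c in perms if c != "-"}


def effective_rights(entries):
    """Map 'tag:qualifier' to the rwx string the entry really grants.
    POSIX ACL semantics: the mask limits named users, the owning group and
    named groups; the file owner (user::) and other:: are not subject to it."""
    mask = None
    for tag, _, perms in entries:
        if tag == "mask":
            mask = perm_bits(perms)
    result = {}
    for tag, qualifier, perms in entries:
        granted = perm_bits(perms)
        subject_to_mask = tag == "group" or (tag == "user" and qualifier != "")
        if subject_to_mask and mask is not None:
            granted &= mask
        result[f"{tag}:{qualifier}"] = "".join(c if c in granted else "-" for c in "rwx")
    return result


def rights_for_user(text, user):
    """Effective rwx string for a named ACL user, or None if no entry exists."""
    _, entries = parse_getfacl(text)
    return effective_rights(entries).get(f"user:{user}")


if __name__ == "__main__":
    header, entries = parse_getfacl(SAMPLE_GETFACL)
    print(f"ACL for {header['file']}:")
    for name, perms in effective_rights(entries).items():
        print(f"  {name:12s} {perms}")
```

Running it on the sample shows user:u01 reduced to r-x despite the rwx entry, which is exactly the situation a quick glance at setfacl output would miss.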
3. Set UID (SUID)
SUID restrictions and effects:
1) SUID is only honored on binary executables; the kernel ignores it on scripts.
2) The user running the program must have x permission on it.
3) The effect lasts only while the program is running (run time).
4) While it runs, the process takes on the effective UID of the file's owner, so the user temporarily acts with the owner's rights.
An analogy: it is like a sword bestowed by the emperor. Whoever holds it wields the emperor's authority, but only for as long as it is in their hand.
/usr/bin/passwd is the best-known example. It is SUID root, which is how an ordinary user can update /etc/shadow to change their own password.
Note the letter shown by ls -l: if the file also has x for the owner, the owner's execute position shows a lowercase s; if x is absent, it shows a capital S, meaning SUID is set but the file is not executable, so the bit does nothing.
Setting method:
chmod u+s file
Because a SUID-root program runs with root's privileges on behalf of any user who can execute it, a bug in one is a direct path to root; keep the number of such binaries small and audit them regularly.
4. SGID
Unlike SUID, SGID is meaningful on both files and directories.
When SGID is set on a file, the functions and restrictions are:
1) SGID is only honored on binary executables.
2) The user running the program must have x permission on it.
3) The effect lasts only while the program is running.
4) While it runs, the process takes on the effective GID of the file's group.
/usr/bin/locate is an example: it is SGID so that it can read the locate database, which on many distributions is readable only by a dedicated group.
When SGID is set on a directory, its effects are:
1) A user with r and x permission on the directory can enter it.
2) For files created inside it, the effective group becomes the group of the directory.
3) Consequently, if the user also has w permission, every file or sub-directory created there is owned by the directory's group rather than by the user's primary group, and new sub-directories inherit the SGID bit.
4) This makes SGID a useful setting for shared team project directories:
chmod g+s directory
5. Sticky Bit (SBIT)
On current Linux the sticky bit is only meaningful on directories. Its effect:
When several users have w and x permission on a directory, a file or sub-directory created in it can be deleted or renamed only by its own owner, by the owner of the directory, or by root. Other users can still create, rename and delete their own files there, but cannot remove or rename anyone else's.
/tmp is such a directory: it is world-writable, and without the sticky bit any user could delete or rename other users' temporary files.
Setting method:
chmod o+t directory
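As an added example that is not part of the original article, the script below renders a raw st_mode the way ls -l does, including the s/S and t/T distinction discussed above, and walks a directory tree reporting every entry that carries SUID, SGID or the sticky bit, which is the audit a pentester or hardening reviewer runs first (the shell equivalent is find / -perm /6000 -type f). It uses only the standard library; the default root of /usr/bin is an assumption for the command-line run.

```python
"""Render ls -l permission strings and audit a tree for SUID/SGID/sticky bits (added example)."""
import os
import stat


def render_mode(mode):
    """Return the 10-character ls -l permission string for a raw st_mode.
    Lowercase s/t: the special bit is set together with execute.
    Uppercase S/T: the bit is set but execute is missing (the article's
    'capital S' case), i.e. a misconfiguration rather than a working SUID/SGID."""
    kind = "d" if stat.S_ISDIR(mode) else "l" if stat.S_ISLNK(mode) else "-"
    out = [kind]
    triplets = [
        (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
        (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
        (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
    ]
    for r, w, x, special, letter in triplets:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        has_x, has_special = bool(mode & x), bool(mode & special)
        if has_special:
            out.append(letter if has_x else letter.upper())
        else:
            out.append("x" if has_x else "-")
    return "".join(out)


def special_bits(mode):
    """Names of the special bits set in mode, in ls column order."""
    names = []
    if mode & stat.S_ISUID:
        names.append("SUID")
    if mode & stat.S_ISGID:
        names.append("SGID")
    if mode & stat.S_ISVTX:
        names.append("sticky")
    return names


def find_special(root):
    """Walk root without following symlinks and yield (path, mode string, bits)
    for every file or directory that has SUID, SGID or the sticky bit set."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report the link itself, never its target
            except OSError:
                continue
            bits = special_bits(st.st_mode)
            if bits:
                yield path, render_mode(st.st_mode), bits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"  # assumed default
    for path, perms, bits in find_special(root):
        print(f"{perms} {'+'.join(bits):12s} {path}")
```

When reviewing the output, a capital S on a file is harmless but worth cleaning up, while a lowercase s on an owner-root binary that is not on your distribution's known list deserves a closer look.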