CentOS system files and user permission assignment explained: ftp, nginx, php

Source: Internet
Author: User
Tags: chmod, ftp, php, file time limit, file permissions

File permission settings

Permission management

The main commands are: chmod, chown, chgrp, umask
1) Change the permissions of a file or directory
chmod
2) Change the owner of a file or directory
chown
3) Change the group to which a file or directory belongs
chgrp
4) Show or set the default permissions for new files and directories
umask

I want to change the directory permissions so that this server configuration behaves more like a virtual host. My environment is Nginx + PHP-FPM, so I set the running user of both to nginx and their group to ftp, and created an FTP account under my own name, zhangcunchao, which is also in the ftp group. That way the PHP worker user, the Nginx user and the FTP account all belong to one group, and wherever the application needs write access we only have to grant 664.

Linux users can share a UID, so I could give the FTP account and the PHP worker user the same UID, but that is not much different from setting the virtual host directory to 777: the security hole is far too large. Since we want the most appropriate permissions, there are several principles:
1. For a directory holding PHP files, the PHP worker user needs execute (x) permission on the directory, otherwise PHP cannot run.
2. Ordinary PHP files do not need execute or write permission, because the PHP program is read and loaded by the process, so 644 is enough; the same goes for other files.
3. Directories that do not hold PHP files: 755 if they only need to be read, 775 if they need to be written, since ftp and php share a group.
4. Every file that PHP needs to write to can be 664.
Here are two combined commands that work well and can be used when initializing a project:


find /path -type f -exec chmod 644 {} \;    # set file permissions to 644

find /path -type d -exec chmod 755 {} \;    # set directory permissions to 755

We can then open group write permission separately on the directories that need it.
If all the files in a directory need group write permission:

chmod -R 664 directory/*.*

Try to avoid making all files and directories 777; while keeping things convenient we should keep them as secure as possible, following the principle of least privilege.
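As an added example (not from the original article), the following shell script builds a throwaway copy of the layout described above under a temporary directory, applies the 644/755 baseline with the two find commands, and then opens group write only on the one directory the application has to write to. The path names, the sample files and the group name ftp are constructed for the demo; chgrp is only attempted if that group exists on the host and the caller is allowed to use it.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a constructed web root under
# a temporary directory, applies the article's baseline (files 644, directories 755)
# and opens group write (775/664) only on the one directory the application writes to.
set -eu

WRITE_GROUP=${WRITE_GROUP:-ftp}   # assumed group shared by php-fpm, nginx and the FTP account

# Create a sample tree with deliberately sloppy starting permissions.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/public/uploads" "$root/app"
    printf '<?php echo "hi";\n' > "$root/public/index.php"
    printf 'binary' > "$root/public/uploads/avatar.png"
    printf '<?php $db = "x";\n' > "$root/app/config.php"
    chmod 777 "$root/public/index.php" "$root/public/uploads"   # the state we want to fix
    echo "$root"
}

# Baseline from the article: every file 644, every directory 755.
apply_baseline() {
    find "$1" -type f -exec chmod 644 {} \;
    find "$1" -type d -exec chmod 755 {} \;
}

# Group write only where PHP must write: the directory 775, the files inside it 664.
open_group_write() {
    chmod 775 "$1"
    find "$1" -type f -exec chmod 664 {} \;
}

# Put the whole tree in the shared group when the group exists and chgrp is permitted.
assign_group() {
    if getent group "$WRITE_GROUP" >/dev/null 2>&1 && chgrp -R "$WRITE_GROUP" "$1" 2>/dev/null; then
        echo "group set to $WRITE_GROUP"
    else
        echo "group $WRITE_GROUP not assigned (missing or not permitted)"
    fi
}

# Octal mode of one path (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Number of world-writable entries in the tree; the goal after hardening is 0.
world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Demonstration run.
demo_root=$(make_sample_root)
echo "before: index.php=$(mode_of "$demo_root/public/index.php") uploads=$(mode_of "$demo_root/public/uploads")"
apply_baseline "$demo_root"
open_group_write "$demo_root/public/uploads"
assign_group "$demo_root"
echo "after:  index.php=$(mode_of "$demo_root/public/index.php") uploads=$(mode_of "$demo_root/public/uploads") avatar=$(mode_of "$demo_root/public/uploads/avatar.png")"
echo "world-writable entries: $(world_writable_count "$demo_root")"
rm -rf "$demo_root"
```

The order matters: run the baseline over the whole tree first, then widen the few writable paths, so that nothing outside those paths keeps a stray write bit. The world-writable count at the end is the quick check to keep in a deployment script.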

1.

chgrp, change the group a file belongs to;

chown, change the owner of a file;

chmod, change the permissions on a file.

2.

chgrp is the abbreviation of change group; the group name you change to must exist in the /etc/group file.

# chgrp [-R] group filename (or dirname), where -R means recursive: the change is also applied to every file and directory underneath. So when you change the group of all files in a directory (the same goes for owner and permissions), add -R.

For example, to change the group of the file install.log to users:

$ chgrp users install.log

3.

chown is short for change owner.

# chown [-R] user filename (or dirname), changes the file owner to user.

# chown [-R] .group filename (or dirname), changes the group of the file to group (note the leading dot).

# chown [-R] user.group filename (or dirname), changes the owner to user and the group to group at the same time. To avoid the "." being misread by the system, the form with a colon is normally used:
# chown [-R] user:group filename (or dirname).

4.

To copy a file to someone else, the copy command is:

$ cp [-option] [source file or dir] [target file or dir]

A copy made with cp takes on the attributes and permissions of the user performing the copy, so even after you copy a file for another user or group, you must still change its ownership and permissions if they are unable to use it.

5.

chmod is the abbreviation of change mode bits.

Changing file permissions with numbers:

# chmod [-R] xyz file_or_dir, where x is the owner's permissions, y the group's permissions and z the permissions of others.

r=4, w=2, x=1; the permission value of each of the three identities is the sum r+w+x, and a permission that is not granted counts as 0.

For example, for the file install.log: owner=rwx=4+2+1=7, group=rwx=4+2+1=7, others=---=0+0+0=0, so to give this file the permission value 770:

# chmod 770 install.log

6.

Changing file permissions with symbols

We can use the three letters u, g, o to stand for the three identities user, group, others.

a stands for all, that is, every identity.

The read, write and execute permissions are written r, w, x.

+, -, = respectively add, remove and set a permission.

To set a file's permissions to "-rwxr-xr-x", the command is:

# chmod u=rwx,go=rx filename, note the comma between the two parts.

To add x permission for all identities of a file, the command is:

# chmod a+x filename.
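As an added example (not code from the original article), the following shell functions show that the symbolic and numeric forms above set the same bits, and make the difference between "=" (set, replacing whatever was there) and "+"/"-" (add or remove one bit) visible on a real temporary file. The helper names octal_to_rwx and mode_after are my own; GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original article. Shows that the symbolic and numeric
# chmod forms from the text set the same bits, and how "=" (set) differs from "+" (add).
set -eu

# Convert a three-digit octal mode such as 755 into rwx notation, e.g. rwxr-xr-x.
octal_to_rwx() {
    out=""
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do
        [ $(( $d & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( $d & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $(( $d & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    echo "$out"
}

# Apply a chmod spec ($2) to a fresh temporary file whose mode starts at $1,
# and report the resulting octal mode (GNU stat).
mode_after() {
    f=$(mktemp)
    chmod "$1" "$f"
    chmod "$2" "$f"
    stat -c '%a' "$f"
    rm -f "$f"
}

# Demonstration: the two forms from the text, then set versus add/remove.
echo "755 is $(octal_to_rwx 755)"
echo "u=rwx,go=rx from 000 -> $(mode_after 000 u=rwx,go=rx)"
echo "755 from 000         -> $(mode_after 000 755)"
echo "a+x on 644           -> $(mode_after 644 a+x)"
echo "go=r on 777 (resets) -> $(mode_after 777 go=r)"
echo "o-w on 666           -> $(mode_after 666 o-w)"
```

The last two lines are the practical point: "go=r" on a 777 file strips the group's and others' write and execute bits in one step, whereas "o-w" touches only the single bit named, which is the safer form when you are unsure what else is set.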


User & group permissions & adding and deleting users


The above covers file permissions; next, user and group permissions and adding or deleting users.

2. Account system files in the Linux environment
The account system files are mainly four: /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow.

The UID of root is 0, UIDs 1-499 are the system's standard accounts, and ordinary users start at UID 500.
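As an added example (not from the original article), the following shell functions classify accounts by the UID ranges just stated and perform the two checks a reviewer of /etc/passwd does first: look for extra UID-0 accounts and for UIDs shared by several names, the situation the article warns against earlier. The passwd lines are constructed for the demo, not taken from a real host; the 500 boundary is the CentOS 6 value used by the text, while CentOS 7 and later start ordinary users at 1000 (UID_MIN in /etc/login.defs), so it is a parameter here.

```shell
#!/bin/sh
# Added example, not from the original article. Classifies accounts by the UID
# ranges given in the text and flags extra UID-0 accounts and shared UIDs.
set -eu

# Lowest UID of an ordinary user: 500 on CentOS 6 (as in the text), 1000 on CentOS 7+
# (UID_MIN in /etc/login.defs). Assumed default here; override via the environment.
UID_MIN=${UID_MIN:-500}

# Constructed sample in /etc/passwd format, not taken from a real host.
# ops2 is a second UID-0 account and www reuses the nginx UID, both to be flagged.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nginx:x:498:498:Nginx web server:/var/lib/nginx:/sbin/nologin
zhangcunchao:x:500:500::/home/zhangcunchao:/bin/bash
ops2:x:0:0:second uid 0 account:/home/ops2:/bin/bash
www:x:498:498::/var/www:/sbin/nologin'

# root / system / user, by the ranges in the text.
classify_uid() {
    if [ "$1" -eq 0 ]; then echo root
    elif [ "$1" -lt "$UID_MIN" ]; then echo system
    else echo user
    fi
}

# One "name uid class" line per account, reading passwd-format lines from stdin.
classify_accounts() {
    while IFS=: read -r name pw uid rest; do
        printf '%s %s %s\n' "$name" "$uid" "$(classify_uid "$uid")"
    done
}

# Names of accounts with UID 0 other than root (stdin in passwd format).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# UIDs that appear on more than one line (stdin in passwd format), one per line.
shared_uids() {
    awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' | sort -n
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | classify_accounts
echo "extra UID-0 accounts: $(printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts | tr '\n' ' ')"
echo "shared UIDs: $(printf '%s\n' "$SAMPLE_PASSWD" | shared_uids | tr '\n' ' ')"
```

On a real host replace the sample with `cat /etc/passwd`; a non-empty result from either check is worth an immediate look, since a shared UID makes two names indistinguishable to the kernel's permission checks.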

3. Managing accounts with commands

useradd options username    // add a new user

usermod options username    // modify an existing user

userdel -r username         // delete a user; -r deletes the home directory together with it

groupadd options groupname  // add a new group

groupmod options groupname  // modify an existing group

groupdel groupname          // delete an existing group


Example

useradd zh888                        // add a user zh888

groupadd blog                        // create a new group blog

useradd -G blog en                   // create a new user en and add it to the supplementary group blog

useradd -d /var/ftp/pub -M ftpadmin  // create a new user ftpadmin with home directory /var/ftp/pub, without creating that directory (-M)

usermod -G blog zh888                // add zh888 to the supplementary group blog

userdel ftpadmin                     // delete the user ftpadmin

userdel -r zh888                     // delete zh888 together with its directory under /home

groupdel blog                        // delete the blog group


4. Password management and expiry

After creating a user, you set a password for it; the password command is passwd:
passwd options username

passwd -l username    // lock the user account's password

passwd -S username    // view the user account's password status

passwd -u username    // unlock the user account

passwd -d username    // delete the user account's password


5. The chage command

chage sets time limits on passwords, which helps prevent other people from guessing them.

chage options username

The options are -m days, -M days, -d days, -I days, -E date, -W days and -l.

Example:

# chage -m 2 -M 30 -W 5 zhh    // the user zhh may not change the password for two days, the maximum lifetime of the password is 30 days, and zhh is warned 5 days before it expires
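As an added example (not from the original article), the shell function below evaluates the ageing fields that chage -m, -M and -W write into /etc/shadow for any chosen "today", so you can see which state the example account zhh would be in on a given day without touching a real host. The shadow record is constructed with a placeholder hash, and the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original article. Evaluates the ageing fields that
# chage -m/-M/-W store in /etc/shadow for a given day number.
set -eu

# Constructed /etc/shadow-style record (the hash is a placeholder). Fields:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved  (day counts since 1970-01-01)
SAMPLE_SHADOW='zhh:$6$placeholder$hash:19000:2:30:5:::'

# Days since the epoch for the current date, the unit /etc/shadow uses.
today_in_days() {
    echo $(( $(date +%s) / 86400 ))
}

# Password state of one shadow record ($1) on day $2:
# expired, warn:N (N days left), locked-min (too soon to change), ok, or never-expires.
password_status() {
    line=$1; today=$2
    lastchg=$(printf '%s\n' "$line" | cut -d: -f3)
    min=$(printf '%s\n' "$line" | cut -d: -f4)
    max=$(printf '%s\n' "$line" | cut -d: -f5)
    warn=$(printf '%s\n' "$line" | cut -d: -f6)
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo never-expires
        return
    fi
    expires=$(( $lastchg + $max ))           # last day the password is still valid
    if [ "$today" -gt "$expires" ]; then
        echo expired
    elif [ "$today" -ge $(( $expires - ${warn:-0} )) ]; then
        echo "warn:$(( $expires - $today ))"
    elif [ "$today" -lt $(( $lastchg + ${min:-0} )) ]; then
        echo locked-min
    else
        echo ok
    fi
}

# Demonstration: walk the sample account through its lifetime.
for day in 19001 19010 19026 19031; do
    echo "day $day: $(password_status "$SAMPLE_SHADOW" "$day")"
done
echo "today is day $(today_in_days)"
```

The same function run over `getent shadow` (as root) gives a quick inventory of which accounts are inside their warning window or already expired, which is the defensive use of the chage settings above.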

6. User and group status query commands

whoami             // displays the current user name

groups username    // shows the groups the specified user belongs to, or those of the current user if no user is given

id                 // shows the UID, GID and group list of the current user

su - username      // switches to another user (su with no user name switches to root)

newgrp groupname   // switches the user's current group to the specified additional group; the user must belong to that group


7. Changing the owner and group
Sometimes you also need to change the owner of a file and the group it belongs to. Only the owner of a file may change its owner and group, so users can hand their own files over to someone else. Change the file owner with the chown command:
chown [-R] <user name or group> <file or directory>

chown zh888 files            // change the owner of the file files to the user zh888

chown zh888.zh888 files      // change both the owner and the group of files to zh888

chown -R zh888.zh888 files   // change the owner and group of everything under the directory files, including all subdirectories, to zh888


8. Setting the creation mask for files and directories
Users can set the default creation mask with the umask command. The default creation mask tells the system which permissions should not be given when a file or directory is created. If the user puts the umask command in the environment file .bash_profile, it controls the permissions of all newly created files and directories.

umask [a1a2a3]

a1 is the permission withheld from the owner, a2 the permission withheld from the group, and a3 the permission withheld from others.

umask 022    // do not give write permission to the group and to other users

umask        // display the current default creation mask
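As an added example (not from the original article), the following shell script computes the modes a given umask yields for new files (starting from 666) and new directories (starting from 777), then creates a real file and directory under that umask to confirm the arithmetic. The function names are my own and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original article. Computes the modes a umask produces
# for new files (666 & ~umask) and directories (777 & ~umask) and checks them for real.
set -eu

# Expected "file dir" modes for an octal umask, e.g. 022 -> "644 755".
expected_modes() {
    m=$(( 0$1 ))                      # the leading 0 makes the shell parse it as octal
    printf '%o %o\n' $(( 0666 & ~$m )) $(( 0777 & ~$m ))
}

# Create one file and one directory under the umask and report their real modes.
observed_modes() {
    d=$(mktemp -d)
    ( umask "$1"; : > "$d/f"; mkdir "$d/sub" )   # subshell, so the caller's umask is untouched
    printf '%s %s\n' "$(stat -c '%a' "$d/f")" "$(stat -c '%a' "$d/sub")"
    rm -rf "$d"
}

# Demonstration for the masks most often seen on a web host.
for u in 022 002 027 077; do
    echo "umask $u: expected $(expected_modes "$u"), observed $(observed_modes "$u")"
done
```

This also explains a common surprise with the 664/775 scheme from earlier in the article: a php-fpm or FTP process running with the usual umask 022 creates 644 files, which the other group members cannot write, so those processes need umask 002 for new files to come out group-writable.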


9. Setting special permissions

SUID, SGID and the sticky bit
Besides the general permissions there are special permissions (SUID, SGID and the sticky bit). If users do not need them, they are generally left off to avoid security problems.
