centos7.5-File Rights Management

Source: Internet
Author: User


What this section covers:
    • 7.1 Basic file permissions: r w x (UGO)
    • 7.2 Special file permissions: suid, sgid, sticky, and the extended file permission ACL
    • 7.3 Practice: create a file that even root cannot delete

7.1 Basic file permissions
7.1.1 What permissions do


Setting permissions on a file lets you impose three kinds of access restriction:


    • only the owner may access the file;
    • users in a pre-specified group may access it;
    • any user on the system may access it.
7.1.2 Viewing permissions
[root@host ~]# ll /etc/passwd
-rw-r--r--. 1 root root 2053 9月  19 2017 /etc/passwd


Basic explanation of the fields in a permission listing:


-   rw-    r--    r--.   1   root   root   2053   9月 19 2017   /etc/passwd
-   rwx    r-x    r-x        user1  user1         time          FILENAME


From left to right: file type, owner permissions, group permissions, permissions for other users, link count, owner, group, size, last modified time, and the object (the file or directory name).


    • The first character is the file type, which can be p, d, l, s, c, b or -:
    • p: named pipe (FIFO)
    • d: directory
    • l: symbolic link
    • -: regular file
    • s: socket file, e.g. the mysql.sock file that is created when MySQL is started
    • c: character device file, e.g. a virtual console or tty0
    • b: block device file, e.g. sda or cdrom


Example:


[root@host ~]# ll /dev/sda /dev/cdrom /etc/passwd /dev/tty0
lrwxrwxrwx  1 root root    3 9月  19 2017 /dev/cdrom -> sr0
brw-rw----  1 root disk 8, 0 9月  19 2017 /dev/sda
crw--w----  1 root tty  4, 0 9月  19 2017 /dev/tty0
-rw-r--r--. 1 root root 2053 9月  19 2017 /etc/passwd




7.1.3 What the permissions mean


For files:


    • r: read
    • w: write
    • x: execute


For directories:


    • r: read (list what is in the directory): ls
    • w: create, delete and move files inside the directory: touch, mkdir, rm, mv, cp
    • x: enter the directory: cd, cat
7.1.4 File owner
    • UGO: owner (user), group, others
    • Owner: the user who created the file. The owner has all permissions on the files it creates, and can allow the group it belongs to to access them.
    • Group:
      A group is a logical collection of users with the same characteristics. Sometimes several users need the same permissions on a file, such as viewing or modifying it. One way is to authorize each user for the file separately; with 10 users that means 10 authorizations, which is clearly unreasonable. The other way is to create a group that has view and modify permission and put every user who needs access to the file into that group, so that all of them share the group's permissions. That is what a user group is.
    • Others: every other user on the system, that is, anyone who is neither the owner nor a member of the file's group.
7.1.5 Examples
7.1.5.1 Common permission combinations
    • rwx------: the owner has read, write and execute permission on the file; nobody else has any.
    • rwxr--r--: the owner has read, write and execute permission; users in the file's group and other users have read permission only.
    • rw-rw-r-x: the owner and users in the same group have read and write permission; other users have read and execute permission only.
    • drwx--x--x: the directory owner has read, write and execute permission; other users can enter the directory but cannot read (list) anything in it.
    • drwx------: the directory owner has full permission; other users have no permission on the directory at all.


Example 1: each user has a home directory, normally placed under /home:


    [root@host home]# ll /home/
    总用量 0
    drwx------. 3 mk mk 78 September mk
    Note: [rwx------] means the directory owner has the permissions and other users cannot access it. root still can.


Example 2: when you log in as a user and create a file or directory, you automatically become its owner, and its group is your group:


    [root@host home]# su - mk


Last login: 29 months 12:57:21 CST 2017:0


[mk@host ~]$ touch a.txt
[mk@host ~]$ ll a.txt
-rw-rw-r-- 1 mk mk 0 5月   8 20:58 a.txt
7.1.5.2 Changing a file's owner and group
    • Commands for changing the ownership of a file:
    • chown: changes the owner (and optionally the group) of a file or directory
    • chgrp: changes the group of a file or directory
    • To operate on a whole directory tree, add the -R parameter


chown
Syntax:


chown user:group filename    e.g. chown hr:san a.txt   set the file's owner to hr and its group to san
chown user filename          e.g. chown san a.txt      set the owner to san
chown :group filename        e.g. chown :miao a.txt    set the group to miao
chown user: filename         e.g. chown san: a.txt     set the owner to san and let the group follow from that user automatically
chgrp group filename         e.g. chgrp hr f.txt       set the group to hr
-R: recursive (everything under the directory is changed; otherwise only the directory itself)


Example:


[root@host ~]# touch {a,b,c}.txt
[root@host ~]# ll *.txt
-rw-r--r-- 1 root root 0 5月   8 21:03 a.txt
-rw-r--r-- 1 root root 0 5月   8 21:03 b.txt
-rw-r--r-- 1 root root 0 5月   8 21:03 c.txt
[root@host ~]# chown mk a.txt
[root@host ~]# ll a.txt
-rw-r--r-- 1 mk root 0 5月   8 21:03 a.txt
[root@host ~]# chown mk:mk a.txt
[root@host ~]# ll a.txt
-rw-r--r-- 1 mk mk 0 5月   8 21:03 a.txt
[root@host ~]# chown :root a.txt
[root@host ~]# ll a.txt
-rw-r--r-- 1 mk root 0 5月   8 21:03 a.txt


Question: if a file has only read permission, can its owner still write to it?
Experiment:
[root@host ~]# su - mk


[mk@host ~]$ touch a.txt
[mk@host ~]$ ll a.txt
-rw-rw-r-- 1 mk mk 0 5月   8 21:07 a.txt


On another terminal, logged in as root:


[root@host ~]# chmod 000 /home/mk/a.txt   # set the mode to 000
[root@host ~]# ll /home/mk/a.txt
---------- 1 mk mk 14 5月   8 21:08 /home/mk/a.txt


Back on the terminal logged in as mk:


[mk@host ~]$ vim a.txt   # type aaa, then save with :wq!


On the root terminal again:


[root@host ~]# cat /home/mk/a.txt
aaaaa


Result: the owner of a file can still write to it. The owner is allowed to change the file's mode, which is what a forced write such as :wq! relies on, so a mode of 000 does not lock the owner out. In the same way root can force a write to /etc/shadow, because the owner of shadow is root.
The Linux architect's high-salary entry point:
1. Xuegod IT Education official website: http://xuegod.ke.qq.com
2. Industry veteran MK: QQ 2659153446
3. Join the Linux technical exchange QQ group 722287089 to get the following:
① free learning materials and videos shared regularly (tools + notes + practical extensions)
② 10 senior veterans answering questions online: skills + practice + project sharing + high-salary employment
③ a chance to receive 4 Linux cloud computing cluster architect books free of charge


7.1.6 Modifying permissions
7.1.6.1 Using symbolic (character) settings


Command for modifying permissions: chmod


    • Role: modify the permissions of files and directories
    • Syntax: chmod [who][operator][permissions] filename


Who the change applies to:


    • u ----> user, the owner of the file or directory
    • g ----> group, the group the file or directory belongs to
    • o ----> others, all other users
    • a ----> all users


Operator:


    • + adds a permission; - removes a permission; = sets exactly the given permissions


Permissions: r w x
For example, in combination:


    • u-w   remove write permission from the owner

    • g+x   add execute permission for the group

    • o=r   set others to read only

    • a+x   add execute permission for everyone


Example: modifying permissions with chmod


[root@host ~]# touch 1.txt
[root@host ~]# ll 1.txt
-rw-r--r-- 1 root root 0 5月   8 21:20 1.txt
[root@host ~]# chmod u-w 1.txt
[root@host ~]# ll 1.txt
-r--r--r-- 1 root root 0 5月   8 21:20 1.txt
[root@host ~]# chmod g+x 1.txt
[root@host ~]# ll 1.txt
-r--r-xr-- 1 root root 0 5月   8 21:20 1.txt
[root@host ~]# chmod a+x 1.txt    # this is how you give a shell script execute permission
[root@host ~]# ll 1.txt
-r-xr-xr-x 1 root root 0 5月   8 21:20 1.txt
[root@host ~]# chmod a=rwx 1.txt
[root@host ~]# ll 1.txt
-rwxrwxrwx 1 root root 0 5月   8 21:20 1.txt
7.1.6.2 Representing permissions with octal (0-7) numbers


Permission   Binary   Octal   Description


    • ---   000   0   no permissions
    • --x   001   1   execute only
    • -w-   010   2   write only
    • -wx   011   3   write and execute
    • r--   100   4   read only
    • r-x   101   5   read and execute
    • rw-   110   6   read and write
    • rwx   111   7   full permissions


Examples:


    • Question: what is the value of rw-? Answer: 4+2=6
    • What is the value of rwxr-xr-x? Answer: rwx=4+2+1=7; r-x=4+1=5; so rwxr-xr-x = 755


Syntax:


chmod 755 file_or_directory
chmod a=rwx b.txt    is equivalent to    chmod 777 b.txt


Example:


[root@host ~]# touch dd.txt
[root@host ~]# ll dd.txt
-rw-r--r-- 1 root root 0 5月   8 21:40 dd.txt
[root@host ~]# chmod 755 dd.txt
[root@host ~]# ll dd.txt
-rwxr-xr-x 1 root root 0 5月   8 21:40 dd.txt
[root@host ~]# chmod 700 dd.txt
[root@host ~]# ll dd.txt
-rwx------ 1 root root 0 5月   8 21:40 dd.txt
7.1.7 Effects of permissions on files and directories


Three kinds of permission can be applied: read, write and execute. Their effect on files and on directories is as follows:
Permission      Effect on a file                          Effect on a directory


    • r (read)      can read the contents of the file         can list the directory's contents (file names)
    • w (write)     can change the contents of the file       can create or delete any file in the directory
    • x (execute)   can run the file as a command             can enter the directory and access its contents (subject to the permissions of the files inside)
7.1.8 Supplement


Why does a newly created file get permission 644?
Where does the default permission for new files come from?


The umask command lets you set the default mode applied when files are created. For each class of user (owner, group, others) there is a corresponding digit in the umask value. The default permission for files is 666 and for directories 777. The umask value is usually set in /etc/profile, $HOME/.bash_profile or $HOME/.profile. To make a change permanent, edit the user's configuration file (vim .bash_profile) or the system-wide one:
[root@host ~]# vim /etc/profile


Note: in /etc/profile, if the UID is greater than 199 and the user's group name is the same as the user name, the umask is 002; otherwise it is 022.
Note: -gt in the shell means "greater than"; id -g prints the group ID and id -gn prints the group name.



Temporary effect: run umask with a new value in the current shell


[root@host ~]# umask 044
[root@host ~]# touch ss.txt
[root@host ~]# ll ss.txt
-rw--w--w- 1 root root 0 5月   8 21:47 ss.txt


Rule of thumb for the resulting permission: default permission minus the umask value


666-022=644   777-022=755   # a handy way to remember it, but not rigorous


Question: with umask 033, what permission does a newly created regular file get? 666-033=633 (rw--wx-wx)?


Example:
[root@host ~]# umask 033
[root@host ~]# touch k.txt
[root@host ~]# ll k.txt
-rw-r--r-- 1 root root 0 5月


The rigorous way to compute the permission:


    • 1. Convert the default permission (777 for directories, 666 for files) and the umask value to binary.
    • 2. Invert the umask (bitwise NOT).
    • 3. AND the default permission with the inverted umask.
    • 4. Convert the resulting binary value back to octal; that is the permission.


Example 1: umask 022


6   6   6            umask   0   2   2
110 110 110                  000 010 010    # convert to binary
                             111 101 101    # inverted umask
110 110 110    AND                          # step 2: AND the default permission with the inverted umask
111 101 101                                 # inverted umask
110 100 100
6   4   4                                   # convert to octal


Example 2: umask 033, result 644


6   6   6            umask   0   3   3
110 110 110                  000 011 011    # convert to binary
                             111 100 100    # inverted umask
110 110 110    AND                          # AND the default permission with the inverted umask
111 100 100                                 # inverted umask
110 100 100
6   4   4                                   # convert to octal
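The bitwise computation above, carried out in the shell as an added example (my own code, not part of the original notes): apply_umask does default AND NOT umask digit by digit, naive_subtract shows what the subtraction mnemonic gives, and to_rwx renders the result; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: compute the mode a new file or
# directory receives for a given umask the way the kernel does it (default AND
# NOT umask, bit by bit) and contrast it with the subtraction mnemonic.

# apply_umask DEFAULT MASK -> resulting octal mode, e.g. apply_umask 666 033 -> 644
# DEFAULT is 666 for regular files or 777 for directories; MASK is the umask
# value with 3 or 4 digits, as `umask` prints it (e.g. 033 or 0033).
apply_umask() {
    default=$(printf '%s' "$1" | sed 's/^.*\(...\)$/\1/')   # last three digits
    mask=$(printf '%s' "$2" | sed 's/^.*\(...\)$/\1/')
    result=""
    i=1
    while [ "$i" -le 3 ]; do
        d=$(printf '%s' "$default" | cut -c "$i")
        m=$(printf '%s' "$mask" | cut -c "$i")
        # inside one 3-bit octal digit, NOT m equals 7-m; AND it with the default digit
        result="$result$(( d & (7 - m) ))"
        i=$((i + 1))
    done
    printf '%s\n' "$result"
}

# naive_subtract DEFAULT MASK -> what the "default minus umask" mnemonic gives
naive_subtract() {
    d=$(printf '%s' "$1" | sed 's/^.*\(...\)$/\1/')
    m=$(printf '%s' "$2" | sed 's/^.*\(...\)$/\1/')
    # strip the leading zero so the shell does not read the mask as an octal literal
    printf '%03d\n' "$(( d - ${m#0} ))"
}

# to_rwx OCTAL -> symbolic form, e.g. to_rwx 644 -> rw-r--r--
to_rwx() {
    out=""
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# The page's cases: subtraction matches only while every mask digit removes
# bits the default digit actually has (022, 044); with 033 the mask tries to
# remove x from rw- and subtraction "borrows", giving 633 instead of 644.
for mask in 022 033 044; do
    file=$(apply_umask 666 "$mask")
    dir=$(apply_umask 777 "$mask")
    printf 'umask %s: file %s (%s), directory %s (%s), subtraction says file %s\n' \
        "$mask" "$file" "$(to_rwx "$file")" "$dir" "$(to_rwx "$dir")" \
        "$(naive_subtract 666 "$mask")"
done
```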





7.2 Special permissions for files: suid, sgid, sticky and the extended file permission ACL


    • Files and directories can carry more than the basic permissions: there are also so-called special permissions, named that way because they grant certain "privileges".

    • The special permissions:
7.2.1 Special file permissions: suid, sgid, sticky
    • 1. SUID (set user ID): restriction: only meaningful on binary executables; setting it on a directory has no effect.


Function: while the program runs, the executing user is given the permissions of the program's owner.


    • 2. SGID (set group ID): restriction: can be set on binary executables and also on directories.
      Function: when a file is created in a directory that has SGID set, the new file's group is inherited from the parent directory's group.
    • 3. Sticky bit: applies to directories and has no effect on files; also known as the anti-deletion bit. The values of the three special permissions are:


SUID              SGID              Sticky bit


    • u+s or 4        g+s or 2          o+t or 1
      SUID is typically used on an executable file: when a user executes it, the process temporarily has the permissions of the file's owner. When you list a file with "ls -l" or "ll", a lowercase "s" in the third (execute) position of the owner's permissions
      shows that the file has SUID, e.g. /usr/bin/passwd.


Question: the ordinary user mk has no permission to write to the shadow file, yet when mk changes their password with passwd the contents of the shadow file are modified. Why?
[root@host ~]# ll /etc/shadow
----------. 1 root root 1179 September 2017 /etc/shadow
[root@host ~]# su - mk
Last login: 二 5月  8 21:07:24 CST 2018pts/0
[mk@host ~]$ passwd
Changing password for user mk.
Changing password for mk.
(current) UNIX password: 123456
New password: Xuegod666
Retype new password: Xuegod666
passwd: all authentication tokens updated successfully.
[root@host ~]# vim /etc/shadow   # the shadow file has indeed been modified by user mk
Because when user mk runs the passwd command, the process runs with the permissions of root (the owner of passwd), so the modification succeeds.



Example 2:


[root@host ~]# useradd mk
[root@host ~]# su - mk
[mk@host ~]$ less /etc/shadow   # the contents cannot be seen
[mk@host ~]$ su - root
[root@host ~]# chmod u+s /usr/bin/less   # switch to root and give less the SUID permission
[root@host ~]# su - mk
[mk@host ~]$ less /etc/shadow   # now the contents are visible


The effect after u+s:


[root@host ~]# ll /usr/bin/less
-rwsr-xr-x 1 root root 154536 Sep 26  2011 /usr/bin/less
[root@host ~]# ps -axu | grep less
root     43407  0.0  0.0 110260   980 pts/0    S+   22:30   0:00 less /etc/shadow


In addition:


[root@host ~]# chmod 4755 /usr/bin/less   # equivalent to chmod u+s /usr/bin/less


Note that this is a classroom demonstration: with u+s on a general-purpose program such as less, every user can read every file on the system, so remove the bit again afterwards with chmod u-s /usr/bin/less.


SGID:


    • Restriction: can be set on binary executables and also on directories.
    • Function: when a file is created under a directory with SGID set, the new file's group is inherited from the parent directory.

      [root@host ~]# mkdir test
      [root@host ~]# ll -d test
      drwxr-xr-x 2 root root 4096 Jan 20:14 test
      [root@host ~]# chmod g+s test
      [root@host ~]# !ll
      ll -d test
      drwxr-sr-x 2 root root 4096 Jan 20:14 test


Test: the effect of SGID


[root@host ~]# chown :bin test/
[root@host ~]# touch test/a.txt
[root@host ~]# ll !$
ll test/a.txt
-rw-r--r-- 1 root bin 0 Jan 24 20:15 test/a.txt


Sticky bit
Restriction: directories only.
Function: a file created under the directory can be deleted only by root, the file's creator, or the directory's owner.
Example: the /tmp directory of the system


[root@host ~]# ll -d /tmp/
drwxrwxrwt. 11 root root 4096 Jan 24 19:41 /tmp/


Usage:


chmod o+t /tmp/test/
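Reading the special bits back out of an ll listing, as an added example (my own code, not from the original notes): the parser maps the s/S/t/T characters described in this section to the four-digit octal mode and flags every entry that carries SUID, SGID or the sticky bit, which is the check an auditor runs over a listing. The function names and the sample listing are my own construction.

```shell
#!/bin/sh
# Added example, not from the original notes: parse the permission field of an
# `ls -l` / `ll` line, report which special bits (SUID, SGID, sticky) are set,
# and turn it into the four-digit octal mode that chmod would use.

# mode_to_octal MODE -> 4-digit octal, e.g. -rwsr-xr-x -> 4755, drwxrwxrwt -> 1777
mode_to_octal() {
    perms=$(printf '%s' "$1" | cut -c 2-10)   # drop the type char and any trailing . or +
    special=0
    digits=""
    i=0
    while [ "$i" -lt 3 ]; do
        start=$((i * 3 + 1))
        triplet=$(printf '%s' "$perms" | cut -c "$start-$((start + 2))")
        value=0
        case $triplet in r??) value=$((value + 4)) ;; esac
        case $triplet in ?w?) value=$((value + 2)) ;; esac
        # lowercase s/t = set bit plus execute; uppercase S/T = set bit without execute
        case $triplet in ??[xst]) value=$((value + 1)) ;; esac
        case $triplet in
            ??[sS]) if [ "$i" -eq 0 ]; then special=$((special + 4)); fi
                    if [ "$i" -eq 1 ]; then special=$((special + 2)); fi ;;
            ??[tT]) if [ "$i" -eq 2 ]; then special=$((special + 1)); fi ;;
        esac
        digits="$digits$value"
        i=$((i + 1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# special_bits MODE -> "suid", "sgid", "sticky" (space separated) or "none"
special_bits() {
    first=$(mode_to_octal "$1" | cut -c 1)
    names=""
    if [ $((first & 4)) -ne 0 ]; then names="$names suid"; fi
    if [ $((first & 2)) -ne 0 ]; then names="$names sgid"; fi
    if [ $((first & 1)) -ne 0 ]; then names="$names sticky"; fi
    if [ -z "$names" ]; then names=" none"; fi
    printf '%s\n' "${names# }"
}

# Constructed listing: the page's /usr/bin/less after u+s, /tmp, the SGID test
# directory, and an ordinary file that must not be reported.
SAMPLE='-rwsr-xr-x 1 root root 154536 Sep 26  2011 /usr/bin/less
drwxrwxrwt. 11 root root 4096 Jan 24 19:41 /tmp/
drwxr-sr-x 2 root root 4096 Jan 24 20:14 test
-rw-r--r--. 1 root root 2053 Sep 19  2017 /etc/passwd'

# report_special LISTING -> "octal bits name" for every entry with a special bit
report_special() {
    printf '%s\n' "$1" | while read -r mode links owner group rest; do
        bits=$(special_bits "$mode")
        if [ "$bits" != "none" ]; then
            printf '%s %s %s\n' "$(mode_to_octal "$mode")" "$bits" "${rest##* }"
        fi
    done
}

report_special "$SAMPLE"
```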
7.2.2 Extended file permissions: ACL


ACL: Access Control List
Example: give user mk rwx permission on the file a.txt, where mk is neither the owner of a.txt nor in its group, so mk falls under "others". How do you do it?


[root@host ~]# touch /tmp/a.txt
[root@host ~]# getfacl /tmp/a.txt
getfacl: Removing leading '/' from absolute path names
# file: tmp/a.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
[root@host ~]# setfacl -m u:mk:rwx /tmp/a.txt     # u: set the permissions a specific user has
[root@host ~]# getfacl /tmp/a.txt
getfacl: Removing leading '/' from absolute path names
...
user::rw-
user:mk:rwx
[mk@host ~]$ vim /tmp/a.txt
[mk@host ~]$ ll /tmp/a.txt
-rw-rwxr--+ 1 root root 8 5月   8 22:42 /tmp/a.txt


Example 2: add extended permissions to a directory


[root@host ~]# mkdir /tmp/test
[root@host ~]# setfacl -m d:u:mk:rwx /tmp/test   # d: default ACL, valid for directories; every new file or directory created inside inherits this ACL


Example: testing the d (default) parameter:


[root@host ~]# mkdir /tmp/test
[root@host ~]# setfacl -m d:u:mk:rwx /tmp/test
[root@host ~]# getfacl /tmp/test/
getfacl: Removing leading '/' from absolute path names
# file: tmp/test/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:mk:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
[root@host ~]# touch /tmp/test/a.txt
[root@host ~]# mkdir /tmp/test/data
[root@host ~]# getfacl /tmp/test/a.txt   # because of the default ACL, every file and directory created under test inherits it
getfacl: Removing leading '/' from absolute path names
# file: tmp/test/a.txt
# owner: root
# group: root
user::rw-
user:mk:rwx			#effective:rw-
group::r-x			#effective:r--
mask::rw-
other::r--
[root@host ~]# getfacl /tmp/test/data
getfacl: Removing leading '/' from absolute path names
# file: tmp/test/data
# owner: root
# group: root
user::rwx
user:mk:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:mk:rwx
default:group::r-x
default:mask::rwx
default:other::r-x


Example 3: add extended permissions to all files in a directory


[root@host ~]# setfacl -R -m u:lee:rw- testdirectory/   # -R must come before -m; applies to everything under the directory
[root@host ~]# setfacl -x u:mk /tmp/a.txt              # remove a single ACL entry
[root@host ~]# setfacl -b /tmp/a.txt                   # remove all ACL entries
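The "#effective:" annotations in the getfacl output above come from the mask entry. As an added example (my own code, not from the original notes), the functions below recompute them from a constructed copy of that output: each named-user, named-group and owning-group entry is ANDed with mask::, so user:mk:rwx is effectively rw- on the file whose mask is rw-. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: reproduce getfacl's "#effective:"
# annotation. The mask caps every entry except the owner (user::) and other;
# the effective permission is the entry ANDed with the mask.

# and_perms A B -> keep a letter only where both strings have it, e.g. rwx rw- -> rw-
and_perms() {
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c "$i")
        b=$(printf '%s' "$2" | cut -c "$i")
        if [ "$a" = "$b" ] && [ "$a" != "-" ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Constructed getfacl output for /tmp/test/a.txt: the default ACL gave mk rwx,
# but the new file's mask is only rw- (the file was created without x).
ACL='# file: tmp/test/a.txt
# owner: root
# group: root
user::rw-
user:mk:rwx
group::r-x
mask::rw-
other::r--'

# effective_acl ACLTEXT -> the same entries, annotated where the mask cuts them
effective_acl() {
    mask=$(printf '%s\n' "$1" | sed -n 's/^mask::\(...\)$/\1/p')
    if [ -z "$mask" ]; then mask=rwx; fi   # no mask entry: nothing is capped
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            user::*|other::*|mask::*|'#'*)   # owner, other, mask and comments pass through
                printf '%s\n' "$line" ;;
            user:*|group:*)                  # named users, named groups, owning group
                perms=${line##*:}
                eff=$(and_perms "$perms" "$mask")
                if [ "$eff" != "$perms" ]; then
                    printf '%s\t\t#effective:%s\n' "$line" "$eff"
                else
                    printf '%s\n' "$line"
                fi ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done
}

# effective_for_user ACLTEXT NAME -> what user NAME can actually do with the file
effective_for_user() {
    effective_acl "$1" | sed -n "s/^user:$2:...[[:space:]]*#effective:\(...\)$/\1/p;s/^user:$2:\(...\)$/\1/p"
}

effective_acl "$ACL"
```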
7.3 Practice: create a file that even root cannot delete


On Windows, what do you do with a file that cannot be deleted? You use a tool to force-delete ("shred") it.
So what do you do on Linux?


[root@host ~]# touch hack.sh aa.sh
[root@host ~]# ll hack.sh aa.sh
-rw-r--r-- 1 root root 0 May 24 21:29 aa.sh
-rw-r--r-- 1 root root 0 May 24 21:29 hack.sh
[root@host ~]# rm -rf aa.sh
*** Quietly add the extended attribute from another xshell session in the background (don't let the students see this ^_^):
[root@host ~]# chattr +i hack.sh


Now try to delete the file:


[root@host ~]# rm -rf hack.sh   # it cannot be deleted


Why can't it be deleted?



Starting with RHEL 6, new file system extended attributes were added, managed with the command chattr.


    • Parameters: a, append only; i, immutable
    • +a: the file can only be appended to, e.g. echo aaa >> hack.sh
    • +i: immutable; the system allows no modification of the file at all. If a directory has this attribute, processes may only modify existing files under it; creating and deleting files is not allowed.


Note: immutable means unchangeable; append means to add at the end.


    • -i: removes the i attribute; -a: removes the a attribute


Solution:


[root@host ~]# lsattr hack.sh
----i----------- hack.sh
[root@host ~]# chattr -i hack.sh
[root@host ~]# echo aa >> hack.sh
[root@host ~]# lsattr hack.sh   # view the extended attributes
---------------- hack.sh
[root@host ~]# chat<Tab>
chat    chattr
[root@host ~]# chattr +a hack.sh
[root@host ~]# rm -rf hack.sh
rm: 无法删除"hack.sh": 不允许的操作
[root@host ~]# echo aaa >> hack.sh






Summary:


    • 7.1 Basic file permissions: r w x (UGO)
    • 7.2 Special file permissions: suid, sgid, sticky and the extended file permission ACL
    • 7.3 Practice: create a file that even root cannot delete



