Default permissions: umask, file system attributes, and special permissions
Chapter 1 Permission errors
1.1 Normal user: ls /root/
/root is owned by root, and a normal user has no permissions on it, so it cannot be listed.
[oldboy@znix ~]$ ls /root/
ls: cannot open directory /root/: Permission denied
[oldboy@znix ~]$ ls -ld /root/
dr-xr-x---. 5 root 4096 Sep 5 :05 /root/
1.2 Normal user: touch /root/oldboy.txt
Whether a file can be created depends on the permissions of the directory it will be placed in. A normal user has no permissions on /root, so cannot create a file there: creating a file requires the wx permissions on the directory.
[oldboy@znix ~]$ touch /root/oldboy.txt
touch: cannot touch '/root/oldboy.txt': Permission denied
[oldboy@znix ~]$ ls -ld /root/
dr-xr-x---. 5 root 4096 Sep 5 :05 /root/
1.3 Normal user: \rm -f /etc/passwd
Deleting a file requires the wx permissions on the directory that contains it. A normal user only has r-x on /etc, so the file cannot be deleted.
[oldboy@znix ~]$ \rm -f /etc/passwd
rm: cannot remove '/etc/passwd': Permission denied
[oldboy@znix ~]$ ls -ld /etc
drwxr-xr-x. 78 root 4096 Sep 5 11:27 /etc
[oldboy@znix ~]$ ll /etc/passwd
-rw-r--r-- 1 root 1177 Sep 5 11:27 /etc/passwd
1.4 Normal user: cat /etc/shadow
Viewing a file's content depends on the file's own permissions. Here a normal user has no permissions at all on this file, so its content cannot be viewed.
To view a file's content, the r permission on the file is required.
[oldboy@znix ~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied
[oldboy@znix ~]$ ll /etc/shadow
---------- 1 root 881 Sep 5 /etc/shadow
1.5 How to resolve permission errors
1. First determine whether the object being operated on is a file or a directory.
2. Check your relationship to that object (owner, group, or other).
3. For a file, check the file's permissions first.
4. For a directory, check the directory's permissions first.
5. Viewing a file's content, modifying it, and running it (as a script) depend on the file's permissions.
6. Listing a directory's contents, and deleting, creating and renaming files in it, depend on the directory's permissions.
Chapter 2 File access process
2.1 Process
2.1.1 Access through the file's inode
inode: file permissions and block location ->
block: actual file content
(access from a relative path)
2.1.2 From path to data
inode of the /etc directory ->
directory block: find the corresponding file name ->
inode: file permissions and block location ->
block: actual file content
2.2 Relationship between file name and inode
1. The file name is stored in the directory's block.
2. The directory's block holds the mapping between file names and inode numbers.
Chapter 3 Website permissions and web root security
3.1 Linux system default permissions
3.1.1 Default file permissions
Maximum file permissions: 666 (-rw-rw-rw-), e.g. oldboy.txt
Normally a file is given 644 (-rw-r--r--).
3.1.2 Default directory permissions
Maximum directory permissions: 777 (drwxrwxrwx)
Normally a directory is given 755 (drwxr-xr-x), e.g. oldboydir owned by root.
3.2 How to plan website permissions so the site is more secure
3.2.1 Run the website as the www user
[root@znix /]# useradd www
3.2.2 Keep the main files owned by the root user
[root@znix /]# mkdir -p /app/blog
[root@znix /]# mkdir -p /app/blog/upload
[root@znix /]# ll -d /app/blog/ /app/blog/upload/
drwxr-xr-x 3 root 4096 Sep 6 10:09 /app/blog/
drwxr-xr-x 2 root 4096 Sep 6 10:09 /app/blog/upload/
[root@znix /]# su - www
[www@znix ~]$ cd /app
app/          application/
[www@znix ~]$ cd /app/blog/upload/
[www@znix upload]$
3.2.3 Handling uploaded files
Put the files uploaded by users in a directory owned by the www user;
Restrict the permitted file suffixes;
Uploaded files must not be viewable directly ......
[root@znix /]# chown www.www /app/blog/upload/
[root@znix /]# ll -d /app/blog/ /app/blog/upload/
drwxr-xr-x 3 root 4096 Sep 6 10:09 /app/blog/
drwxr-xr-x 2 www 4096 Sep 6 /app/blog/upload/
[root@znix /]# cd /app/blog/upload/
[root@znix upload]# touch aaa.png
[root@znix upload]#
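A check for the layout described in 3.2.1 to 3.2.3, added here as an example and not part of the original notes: it walks a site root and reports anything outside the upload directory that is not owned by the privileged owner or is writable by group/other, and anything inside the upload directory that does not belong to the service user or carries an execute bit. The function names, the sample tree and the user names in the usage line are assumptions; run it as root against the real /app/blog.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a web root laid out as in
# section 3.2. Everything under the site root must belong to the privileged
# owner (root on the page) and must not be writable by group or other; only the
# upload directory belongs to the service user (www), and regular files in it
# must not be executable. Uses only POSIX find predicates (-perm -MODE).

# audit_webroot SITE_ROOT UPLOAD_DIR OWNER SERVICE_USER
# Prints one offending path per line; prints nothing when the tree is clean.
# UPLOAD_DIR must be written exactly as find prints it (no trailing slash).
audit_webroot() {
    site="$1"; upload="$2"; owner="$3"; svc="$4"
    {
        # Main tree (upload dir pruned): wrong owner, or group/other-writable.
        find "$site" -path "$upload" -prune -o \
            \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print
        # Upload tree: must belong to the service user; regular files must not
        # carry any execute bit (an uploaded "image" must never be runnable).
        find "$upload" \( ! -user "$svc" -o \
            \( -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \) \) -print
    } | sort -u
}

# Convenience wrapper: number of violations, so callers can test for 0.
webroot_violations() {
    audit_webroot "$@" | wc -l | tr -d ' '
}

# Stand-alone use with the layout from the page (hypothetical invocation):
#   audit_webroot /app/blog /app/blog/upload root www
```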
Chapter 4 umask: default permission control
umask controls the default permissions in Linux.
4.1 Default permissions for files and directories in the system
File --- 666 -rw-rw-rw-
Dir  --- 777 drwxrwxrwx
4.2 umask calculation
Default maximum permission minus umask.
4.2.1 When the umask digits are even
Example 4-1: umask is 0022
File:
666 - 022 = 644
Directory:
777 - 022 = 755
4.2.2 When a umask digit is odd
Example 4-2: umask is 0032
4.3 When a umask digit is odd, add 1 to that digit of the result when calculating a file's default permissions.
File: 666 - 032 = 634
      + 010 = 644
Directory: no adjustment is needed.
4.4 Example: umask = 035
[root@znix ~]# umask 035
[root@znix ~]# touch file035
[root@znix ~]# mkdir dir035
[root@znix ~]# ll file035 && ll -d dir035
-rw-r---w- 1 root 0 Sep 6 10:42 file035
drwxr---w- 2 root 4096 Sep 6 10:42 dir035
File = 642, dir = 742
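The calculation from 4.2 to 4.4 in working shell, added here as an example and not part of the original notes: the kernel clears the umask bits (mode = base & ~umask), and the subtract-then-add-1 rule from 4.3 is a digit-wise mnemonic for the same result, which rule_holds_everywhere confirms for every umask from 000 to 777. Function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes). The kernel derives a new
# file's mode by clearing the umask bits: mode = base & ~umask. The page's
# decimal rule (subtract digit by digit, add 1 back where the umask digit is
# odd, files only) is a mnemonic for the same result; rule_holds_everywhere
# checks that the two agree for every 3-digit umask.

# default_mode BASE UMASK  (both octal, e.g. 666 022) -> three octal digits
default_mode() {
    base=$((0$1)); mask=$((0$2))        # leading 0 makes the shell parse octal
    printf '%03o\n' $(( base & ~mask & 0777 ))
}
default_file_mode() { default_mode 666 "$1"; }   # files start from 666
default_dir_mode()  { default_mode 777 "$1"; }   # directories start from 777

# mnemonic_file_mode UMASK (exactly three digits): the page's section 4.3 rule
mnemonic_file_mode() {
    r=""
    for k in 1 2 3; do
        dg=$(printf '%s' "$1" | cut -c"$k")
        v=$(( 6 - dg ))
        [ $(( dg % 2 )) -eq 1 ] && v=$(( v + 1 ))   # odd digit: add 1 back
        r="$r$v"
    done
    printf '%s\n' "$r"
}

# Returns 0 if the mnemonic matches the bitwise result for all umasks 000-777.
rule_holds_everywhere() {
    n=0
    while [ "$n" -lt 512 ]; do
        o=$(printf '%03o' "$n")
        [ "$(default_file_mode "$o")" = "$(mnemonic_file_mode "$o")" ] || return 1
        n=$((n + 1))
    done
    return 0
}

# Stand-alone demo: the umask values used on the page.
for u in 022 032 035; do
    printf 'umask %s: file %s  dir %s\n' "$u" \
        "$(default_file_mode "$u")" "$(default_dir_mode "$u")"
done
```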
4.5 Changing umask permanently
[root@znix ~]# vim /etc/profile
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
    umask 002
else
    umask 022
fi
Explanation:
If the user's UID is greater than 199 and the user name equals the group name, then
    umask 002
else
    umask 022
Chapter 5 File system attributes
5.1 chattr: set file system attributes (change attr)
chattr +a: content can only be appended (append-only)
chattr +i: no operation at all is permitted on the file (immutable)
5.2 Test +a
Content can only be appended to the file; it cannot be truncated or deleted.
[root@znix ~]# chattr +a oldboy.txt
[root@znix ~]# lsattr oldboy.txt
-----a-------e- oldboy.txt
[root@znix ~]# echo 123 >> oldboy.txt
[root@znix ~]# > oldboy.txt
-bash: oldboy.txt: Operation not permitted
5.2.1 Remove the attribute: -a
[root@znix ~]# chattr -a oldboy.txt
[root@znix ~]# lsattr oldboy.txt
-------------e- oldboy.txt
5.3 Test +i
Not even the root user can perform any operation on the file.
[root@znix ~]# chattr +i oldboy.txt
[root@znix ~]# lsattr oldboy.txt
----i--------e- oldboy.txt
5.4 lsattr
lsattr (list attributes) displays the file system attributes of a file or directory.
[root@znix ~]# lsattr -d /etc/
-------------e- /etc/
Chapter 6 Special Linux permissions
-rw-r--r-- 1 root 252 Sep 6 :04 oldboy.txt
These are the 9 basic permission bits.
Linux has 12 permission bits: the 9 basic bits plus three special permissions.
6.1 The three special permissions
[root@znix ~]# ls -ld /tmp/ /usr/bin/passwd /usr/bin/locate /bin/ls
-rwxr-xr-x. 1 root 117048 Mar 23 /bin/ls
drwxrwxrwt. 11 root 4096 Sep 6 11:29 /tmp/
-rwx--s--x. 1 root slocate 38464 Mar 12 2015 /usr/bin/locate
-rwsr-xr-x. 1 root 30768 Nov 24 2015 /usr/bin/passwd
6.2 rwsr-xr-x: suid
suid sits in the owner's execute position. When a command carrying the suid bit is run, it runs with the privileges of the command's owner.
For example: /usr/bin/passwd, which changes a user's password.
6.2.1 Granting suid to the rm command
[root@znix ~]# chmod u+s /bin/rm
[root@znix ~]# ll /bin/rm
-rwsr-xr-x. 1 root 57440 Mar 23 /bin/rm
[oldboy@znix ~]$ \rm -f /root/oldboy.txt
[root@znix ~]# chmod u-s /bin/rm
[root@znix ~]# ll /bin/rm
-rwxr-xr-x. 1 root 57440 Mar 23 /bin/rm
6.2.2 suid: uppercase S and lowercase s
If the file already has the x permission, +s is shown as a lowercase s; if the file has no x permission, +s is shown as an uppercase S.
[root@znix ~]# ll test.txt
-rw-r--r--. 2 root 22 Sep 4 :28 test.txt
[root@znix ~]# chmod u+s test.txt
[root@znix ~]# ll test.txt
-rwSr--r--. 2 root 22 Sep 4 :28 test.txt
[root@znix ~]# chmod u+x test.txt
[root@znix ~]# ll test.txt
-rwsr--r--. 2 root 22 Sep 4 :28 test.txt
6.3 drwxrwxrwt: sticky bit
[root@znix ~]# ll -d /tmp/
drwxrwxrwt. 11 root 4096 Sep 6 11:29 /tmp/
In a directory with the sticky bit set, a user can only manage (delete or rename) the files that user created.
6.4 rwx--s--x: sgid
When the command is run, it runs with the privileges of the file's group (here slocate). Rarely used!
-rwx--s--x. 1 root slocate 38464 Mar 12 2015 /usr/bin/locate
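A defender's check for the suid and sgid bits covered in 6.2 and 6.4, added here as an example and not part of the original notes: it lists set-id files under a tree that are not on a known-good allowlist, so a stray chmod u+s like the one demonstrated in 6.2.1 shows up, and it flags the uppercase-S case from 6.2.2 (set-id bit without the matching execute bit). Function names and the allowlist file are assumptions; the allowlist would be built from a trusted installation.

```shell
#!/bin/sh
# Added example (not from the original notes): list setuid/setgid files under
# a tree that are not on an allowlist, and recognise the "big S" case from
# 6.2.2 (set-id bit set with no matching execute bit). The allowlist is a
# file of absolute paths that the operator maintains; it is an assumption.

# find_unexpected_setid TREE ALLOWLIST_FILE
# ALLOWLIST_FILE holds one absolute path per line. Prints "MODESTRING PATH"
# for every setuid or setgid regular file that is not listed.
find_unexpected_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        grep -qxF -- "$f" "$2" && continue          # known-good, skip it
        printf '%s %s\n' "$(ls -ld -- "$f" | cut -d' ' -f1)" "$f"
    done
}

# has_big_s MODESTRING: returns 0 if the ls mode string contains an uppercase
# S, i.e. a set-id bit without the execute bit it is supposed to accompany.
has_big_s() {
    case "$1" in
        *S*) return 0 ;;
        *)   return 1 ;;
    esac
}

# count_unexpected_setid TREE ALLOWLIST_FILE -> number of flagged files
count_unexpected_setid() {
    find_unexpected_setid "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone use on a real system (hypothetical allowlist path):
#   find_unexpected_setid /usr ./setid.allow
```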
Chapter 7 What to do about a virus in the system
7.1 Solution
1. Use the top command to see which process uses the most CPU.
2. Find the PID of the process that is using the CPU or memory.
3. Kill the process by its PID.
7.2 Terminating a process
[root@znix ~]# kill <process number>
7.3 The top command
PID: process id, the number of the process, unique in the system
CMD: process name (command)
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
14011 oldboy    20   0  102m  672  568 R 19.2  0.1     .45  dd