Linux basic permissions and ownership, and additional permission controls

Source: Internet
Author: User

I. Basic permissions and ownership

1. Access rights

Read (r): allows viewing a file's contents; on a directory, listing its entries

Write (w): allows modifying a file's contents; on a directory, creating, moving and deleting files or subdirectories inside it

Execute (x): allows running a program; on a directory, entering it (cd) and reaching the entries inside it

2. Viewing the permissions of a file

root# ls -l install.log

-rw-r--r-- 1 root root 26195 Dec 10:42 install.log
①②  ③  ④  ⑤  ⑥   ⑦    ⑧      ⑨         ⑩

①. File type

- : regular file

d : directory

l : symbolic link

②. rw-: permissions of the file owner (u)

r = read = 4

w = write = 2

x = execute = 1

③. r--: permissions of the file's group (g)

r = read = 4

w = write = 2

x = execute = 1

④. r--: permissions of other users (o)

r = read = 4

w = write = 2

x = execute = 1

a = all three classes together (u, g and o)

⑤. Hard link count

For a directory this is 2 plus the number of subdirectories it contains, because the directory holds . (itself) and every subdirectory holds .. (a link back to it).

⑥. File owner

⑦. File group

⑧. File size (bytes)

⑨. Last modification time

⑩. File name


3. Commands (-R = recursive)

chmod: change permissions

chmod [ugoa][+-=][rwx] file        (symbolic form, e.g. chmod g+w,o-rx file)

chmod <octal digits> file          (numeric form, e.g. chmod 750 file)


Maximum permissions for a newly created file: 666 (files are never created executable)

Maximum permissions for a newly created directory: 777

Default permissions of a new file: 644

Default permissions of a new directory: 755

umask

Default permissions = maximum permissions with the umask bits cleared. This is a bitwise AND NOT, not ordinary subtraction: the usual umask of 022 turns 666 into 644 and 777 into 755, but a umask of 033 still gives a 644 file, because 6 has no x bit for the 3 to remove.

Note:

Without x on a directory, r and w are nearly useless: you cannot cd into it or reach the files inside it (r alone still lists the names, but nothing more).


chown: change owner and group

chown owner:group file

chgrp group file: change only the group of a file


II. Additional permission controls

1. The special permission bits

Set UID (SUID): 4, shown as s in the owner's x position

Set GID (SGID): 2, shown as s in the group's x position

Sticky bit: 1, shown as t in the others' x position

(If the underlying x bit is absent, ls shows S or T instead of s or t.)

2. What the special permissions do

Set UID:

Only meaningful on an executable program. When any user runs a program carrying the SUID bit, the process runs with the effective user ID of the program's owner instead of the caller's. The kernel honours this only for binaries, not for interpreted scripts, and not on filesystems mounted nosuid. SUID root binaries are a classic privilege-escalation target, so keep them to the minimum set the system needs.


Set GID:

On an executable program, when any user runs it, the process runs with the effective group ID of the program's group.

On a directory, every file or subdirectory created inside it automatically inherits the directory's group (and new subdirectories inherit the SGID bit itself), regardless of the creator's primary group.


Sticky bit:

Set on a directory: a file or subdirectory inside it can be deleted or renamed only by its own owner, by the directory's owner, or by root, even when the directory is world-writable. This is what /tmp relies on.
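The following Python program is an added worked example, not part of the original notes. It models the permission arithmetic from parts I and II in code: the rwx string of ls -l including the s/S/t/T display of the special bits, the umask rule (AND NOT, not subtraction), and chmod's symbolic [ugoa][+-=][rwxst] grammar as GNU chmod interprets it. It only computes mode numbers and never touches a file.

```python
"""Model of Linux mode arithmetic: octal <-> rwx strings (with s/S/t/T),
the umask rule, and chmod's symbolic grammar.  Added example; computes
modes only, never calls chmod."""
import re
import stat

RWX = {"r": 4, "w": 2, "x": 1}
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}
CLASS_SPECIAL = {"u": stat.S_ISUID, "g": stat.S_ISGID, "o": stat.S_ISVTX}
SPECIAL_LETTERS = {"u": "sS", "g": "sS", "o": "tT"}
_CLAUSE = re.compile(r"([ugoa]*)([+\-=])([rwxst]*)")


def mode_to_string(mode):
    """0o4755 -> 'rwsr-xr-x', the nine characters after the type column of ls -l.
    s/t replace x when the special bit and the x bit are both set; S/T mean
    the special bit is set but x is not, which is usually a mistake."""
    out = []
    for cls in "ugo":
        bits = (mode >> CLASS_SHIFT[cls]) & 7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & CLASS_SPECIAL[cls]:
            out.append(SPECIAL_LETTERS[cls][0] if bits & 1 else SPECIAL_LETTERS[cls][1])
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


def string_to_mode(text):
    """'rwxr-srwx' -> 0o2757: inverse of mode_to_string, so a mode read off
    ls -l can be turned back into the octal number chmod wants."""
    if len(text) != 9:
        raise ValueError("expected nine permission characters, got %r" % text)
    mode = 0
    for i, cls in enumerate("ugo"):
        r, w, x = text[3 * i], text[3 * i + 1], text[3 * i + 2]
        if r not in "r-" or w not in "w-" or x not in "x-" + SPECIAL_LETTERS[cls]:
            raise ValueError("bad triplet %r for class %s" % (text[3 * i:3 * i + 3], cls))
        bits = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x == "x" or x == SPECIAL_LETTERS[cls][0]:   # x, or lowercase s/t: x bit set
            bits |= 1
        if x in SPECIAL_LETTERS[cls]:                  # s/S or t/T: special bit set
            mode |= CLASS_SPECIAL[cls]
        mode |= bits << CLASS_SHIFT[cls]
    return mode


def default_mode(umask, directory=False):
    """Permissions a new file (base 666) or directory (base 777) gets under
    umask.  The umask bits are cleared with AND NOT, so umask 033 gives a
    644 file, not '633'."""
    base = 0o777 if directory else 0o666
    return base & ~umask & 0o777


def apply_symbolic(mode, spec):
    """Apply a chmod symbolic spec ('u+s', 'g+w,o-rx', 'a=r', '+t') to mode.
    Follows GNU chmod: an empty who-list means all classes; 's' applies only
    to u (SUID) and g (SGID), 't' only to o (sticky); '=' clears the class's
    rwx and special bit before setting the new ones.  Left out on purpose:
    the umask filtering GNU applies when who is empty, and its rule that '='
    keeps SUID/SGID on directories."""
    for clause in spec.split(","):
        m = _CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError("bad chmod clause: %r" % clause)
        who, op, perms = m.groups()
        classes = "ugo" if (not who or "a" in who) else who
        change = 0
        for cls in classes:
            for p in perms:
                if p in RWX:
                    change |= RWX[p] << CLASS_SHIFT[cls]
                elif (p == "s" and cls in "ug") or (p == "t" and cls == "o"):
                    change |= CLASS_SPECIAL[cls]
        if op == "+":
            mode |= change
        elif op == "-":
            mode &= ~change
        else:
            clear = 0
            for cls in classes:
                clear |= (7 << CLASS_SHIFT[cls]) | CLASS_SPECIAL[cls]
            mode = (mode & ~clear) | change
    return mode


if __name__ == "__main__":
    # Replay the chmod steps from the exercises below on a fresh 755 directory.
    for spec in ("o-rx", "g+w,o-rx", "u+s", "g+s", "o+w,o+t"):
        m = apply_symbolic(0o755, spec)
        print("chmod %-10s -> %04o %s" % (spec, m, mode_to_string(m)))
    print("umask 022 file %04o dir %04o" % (default_mode(0o022), default_mode(0o022, True)))
```

Running it without arguments prints the mode each chmod step in the exercises produces; `string_to_mode` lets you paste an ls -l permission string and get the octal value back, special bits included.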


3. ACL policies

getfacl file                                    view the ACL of a file

setfacl [options] u:username:permissions file   set an ACL entry for a user

setfacl [options] g:groupname:permissions file  set an ACL entry for a group

-m   add or modify an ACL entry

-x   remove the specified ACL entry

-b   remove all ACL entries that have been set

-R   apply recursively

-d   operate on the default ACL of a directory (inherited by files created inside it)

The filesystem must be mounted with ACL support (on ext3/ext4 check with tune2fs -l /dev/sdXN | grep acl, or look at the mount options). A file or directory that carries an ACL shows a + after its permission string in ls -l.





I. Basic permissions and ownership (practice)

The company's technical department has a Linux development server. User accounts have to be created to match the project teams within the department, and access rights configured on the directories that hold development data.

1. The directories /tech/nsdhome and /tech/jsdhome belong to the nsd and jsd groups respectively; other users may not enter them.

2. Create the department's shared directory /public, where every member of the technical department (group tech) can read, write and execute, and every other user is denied access.


root# mkdir -p /tech/nsdhome
root# mkdir -p /tech/jsdhome
root# mkdir /public
root# groupadd nsd
root# groupadd jsd
root# groupadd tech
root# useradd -g nsd nsd01
root# useradd -g nsd nsd02
root# useradd -g jsd jsd01
root# useradd -g jsd jsd02
root# useradd -g tech yg01
root# useradd yg02                (yg02 is not in tech: it serves as the "other user" for testing)
root# chown :nsd /tech/nsdhome
root# ls -l /tech/nsdhome
total 0
root# ls -ld /tech/nsdhome
drwxr-xr-x 2 root nsd 4096 07-30 11:36 /tech/nsdhome
root# chmod o-rx /tech/nsdhome
root# chown :jsd /tech/jsdhome
root# ls -ld /tech/jsdhome
drwxr-xr-x 2 root jsd 4096 07-30 11:36 /tech/jsdhome
root# chmod o-rx /tech/jsdhome
root# chown :tech /public
root# ls -ld /public
drwxr-xr-x 2 root tech 4096 07-30 11:36 /public
root# chmod g+w /public
root# ls -ld /public
drwxrwxr-x 2 root tech 4096 07-30 11:36 /public
root# chmod o-rx /public
root# ls -ld /public
drwxrwx--- 2 root tech 4096 07-30 11:36 /public
root# ls -ld /tech/nsdhome
drwxr-x--- 2 root nsd 4096 07-30 11:36 /tech/nsdhome
root# ls -ld /tech/jsdhome
drwxr-x--- 2 root jsd 4096 07-30 11:36 /tech/jsdhome

Check: after su - yg02, cd /public fails with "Permission denied", while yg01 can create files there. Two things to keep in mind: the group on /tech/nsdhome and /tech/jsdhome has only r-x, so nsd and jsd members can enter and read but not create files (add g+w if that is wanted), and files that yg01 creates in /public get yg01's primary group rather than tech unless the directory also carries the SGID bit (see part II).



II. Additional permission controls (practice)

1. SUID experiment

Applies to programs (commands) only. When anyone runs a command carrying the SUID bit, it executes with the identity of the command's owner.

root# ls -l /etc/shadow                 (readable by root only)
root# which passwd
root# ls -l /usr/bin/passwd             (rws in the owner field: passwd is SUID root, which is how an ordinary user can update their own line in /etc/shadow)
root# umask 022
root# which touch
root# cp /bin/touch /bin/suidtouch
root# ls -l /bin/*touch
root# useradd lily
root# su - lily
lily$ suidtouch suid-file1.txt
lily$ ls -l suid-file1.txt              (owned by lily: no SUID bit yet)
lily$ exit
root# ls -l /bin/suidtouch
root# chmod u+s /bin/suidtouch
root# ls -l /bin/suidtouch              (now -rwsr-xr-x, owner root)
root# su - lily
lily$ suidtouch suid-file2.txt
lily$ ls -l suid-file*                  (suid-file2.txt is owned by root: the copy ran with root's effective UID)
lily$ exit
root# rm -rf /bin/suidtouch

Delete the SUID copy as soon as the experiment is over. As long as it exists, any local user can create root-owned files, or reset the timestamps of root's files, in any directory they can write to.


2. SGID experiment

Can be set on a program (command), and also on a directory.

When anyone runs a command carrying the SGID bit, it executes with the group that owns the command.

root# which mkdir
root# cp /bin/mkdir /bin/sgidmkdir
root# ls -l /bin/*mkdir
root# su - lily
lily$ sgidmkdir test1
lily$ ls -ld test1                      (group lily: no SGID bit yet)
lily$ exit
root# chmod g+s /bin/sgidmkdir
root# ls -l /bin/sgidmkdir              (now -rwxr-sr-x, group root)
root# su - lily
lily$ sgidmkdir test2
lily$ ls -ld test*                      (test2 belongs to group root: the copy ran with root's effective GID)
lily$ exit
root# rm -rf /bin/sgidmkdir


With SGID set on a directory, any file or subdirectory that anyone creates inside it automatically inherits the directory's own group:

root# mkdir /testgid
root# ls -ld /testgid/
drwxr-xr-x 2 root root 4096 Jan 6 16:53 /testgid/
root# chmod 0757 /testgid/              (others may now write into it; no SGID yet)
root# su - lily
lily$ mkdir /testgid/lilytest1
lily$ touch /testgid/lilyfile1.txt
lily$ ls -l /testgid/                   (both belong to group lily)
lily$ exit
root# chmod 2757 /testgid/
root# ls -ld /testgid/                  (drwxr-srwx: the s in the group field is the SGID bit)
root# su - lily
lily$ mkdir /testgid/lilytest2
lily$ touch /testgid/lilyfile2.txt
lily$ ls -l /testgid/                   (lilytest2 and lilyfile2.txt belong to group root, and lilytest2 carries the SGID bit itself)


3. Sticky bit (t) experiment

Set on an ordinary directory. Once the directory carries the t bit, the files and subdirectories inside it can be deleted only by root, by their own owner, or by the directory's owner.

root# mkdir /soft
root# ls -ld /soft/
root# chmod o+w /soft/
root# ls -ld /soft/                     (drwxr-xrwx: world-writable, no sticky bit)
root# useradd wbb
root# useradd lhq
root# su - lhq
lhq$ cat > /soft/lhq.txt                (type the line below, then press Ctrl-D)
Hello,byebye
lhq$ exit
root# su - wbb
wbb$ ls -ld /soft/
wbb$ ls -l /soft/
wbb$ rm -rf /soft/lhq.txt               (succeeds: wbb has w on the directory, and that is all unlink needs)
wbb$ ls -l /soft/                       (lhq.txt is gone)
wbb$ exit
root# chmod o+t /soft/
root# ls -ld /soft/                     (drwxr-xrwt)
root# su - lhq
lhq$ cat > /soft/lhq.txt
Hello,byebye
lhq$ exit
root# su - wbb
wbb$ ls -l /soft/
wbb$ ls -ld /soft/
wbb$ rm -rf /soft/lhq.txt               (fails with "Operation not permitted": wbb is neither the file's owner, nor the directory's owner, nor root)


root# find / -type f -a -perm /6000      (find every SUID or SGID program on the system; older find spelled this -perm +6000)

Compare the list against a known-good baseline for the distribution. passwd, su and a few others are expected; an unexpected entry such as the suidtouch copy above is exactly what you are looking for.
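The following Python program is an added example, not part of the original notes. It does what the find command above does and adds the sticky-bit check from experiment 3: it walks a tree and reports SUID/SGID regular files and world-writable directories that lack the sticky bit (the state of /soft before chmod o+t). The SAMPLE_ENTRIES list is constructed to mirror the experiments and is not read from disk; demo_on_tempdir() builds a throwaway tree, which needs no root because you may set these bits on directories you own.

```python
"""Audit SUID/SGID files and world-writable directories without the sticky
bit.  Added example; SAMPLE_ENTRIES are constructed, not read from disk."""
import os
import stat
import sys
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    mode: int      # full st_mode, type bits included
    reason: str


def classify(path, st_mode):
    """Pure rule set over one stat mode; returns a Finding or None.  Symlinks
    are ignored: their own mode is meaningless and the target is audited
    under its own path."""
    perm = stat.S_IMODE(st_mode)
    if stat.S_ISREG(st_mode):
        suid, sgid = perm & stat.S_ISUID, perm & stat.S_ISGID
        if suid and sgid:
            return Finding(path, st_mode, "suid+sgid executable")
        if suid:
            return Finding(path, st_mode, "suid executable")
        if sgid:
            return Finding(path, st_mode, "sgid executable")
    elif stat.S_ISDIR(st_mode):
        if perm & stat.S_IWOTH and not perm & stat.S_ISVTX:
            return Finding(path, st_mode, "world-writable directory without sticky bit")
    return None


def audit_modes(entries):
    """entries: iterable of (path, st_mode).  Shared by the filesystem walker
    and by tests, so the rules can be checked without touching a disk."""
    findings = []
    for path, st_mode in entries:
        f = classify(path, st_mode)
        if f is not None:
            findings.append(f)
    return findings


def walk_modes(root):
    """Yield (path, st_mode) for root and everything beneath it.  lstat is used
    so symlinks are reported as symlinks and never followed out of the tree."""
    yield root, os.lstat(root).st_mode
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            try:
                yield full, os.lstat(full).st_mode
            except FileNotFoundError:
                continue      # removed while we were walking


def audit_tree(root):
    return audit_modes(walk_modes(root))


def format_finding(f):
    return "%s %04o %s  (%s)" % (stat.filemode(f.mode), stat.S_IMODE(f.mode), f.path, f.reason)


# Constructed stat modes mirroring the experiments above (not read from disk).
SAMPLE_ENTRIES = [
    ("/bin/suidtouch", stat.S_IFREG | 0o4755),
    ("/bin/sgidmkdir", stat.S_IFREG | 0o2755),
    ("/bin/touch", stat.S_IFREG | 0o755),
    ("/soft", stat.S_IFDIR | 0o757),           # o+w, no sticky bit
    ("/soft-sticky", stat.S_IFDIR | 0o1757),   # o+w with sticky bit: fine
    ("/testgid", stat.S_IFDIR | 0o2757),       # SGID does not protect against deletion
    ("/some/link", stat.S_IFLNK | 0o777),
]


def demo_on_tempdir():
    """Create one sticky and one plain world-writable directory in a temporary
    tree and return (name, reason) for whatever the audit flags."""
    with tempfile.TemporaryDirectory() as root:
        sticky = os.path.join(root, "soft-sticky")
        loose = os.path.join(root, "soft")
        os.mkdir(sticky)
        os.mkdir(loose)
        os.chmod(sticky, 0o1777)
        os.chmod(loose, 0o777)
        return [(os.path.basename(f.path), f.reason) for f in audit_tree(root)]


if __name__ == "__main__":
    # Diff the output against a known-good baseline; passwd, su, sudo and a
    # few others are expected SUID root, anything new is what matters.
    for f in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print(format_finding(f))
```

Run it as `python3 audit.py /` to cover the whole system (it needs root to stat everything); the output format is the same permission string ls -l prints, followed by the octal mode and the reason.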


4. ACL permission settings

Create the accounts mike, john and kaka

Create the file /data/file1.txt

mike has read and write access to the file, john has read access only, and other users have no access at all

kaka has the same permissions as john

Create lily; lily has read and execute permission on file1.txt, and no other user has any permission

(The commands below apply the entries to the /data/ directory; the same setfacl syntax works on /data/file1.txt.)


root# tune2fs -l /dev/sda2 | grep acl
Default mount options:    user_xattr acl
root# tune2fs -l /dev/sda1 | grep acl
Default mount options:    user_xattr acl
root# ls -ld /data/
drwxrwxrwx 3 root root 4096 12-09 16:21 /data/
root# rm -rf /data/                      (start from a clean directory)
root# mkdir /data
root# getfacl /data/
getfacl: Removing leading '/' from absolute path names
# file: data
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

root# ls -ld /data/
drwxr-xr-x 2 root root 4096 12-09 16:27 /data/
root# setfacl -m u:mike:rwx /data/
root# ls -ld /data/
drwxrwxr-x+ 2 root root 4096 12-09 16:27 /data/
root# getfacl /data/
getfacl: Removing leading '/' from absolute path names
# file: data
# owner: root
# group: root
user::rwx
user:mike:rwx
group::r-x
mask::rwx
other::r-x
root# setfacl -m u:john:r-- /data/
root# setfacl -m u:kaka:r-- /data/
root# setfacl -m u:lily:r-x /data/

Two things to notice in the listing: the + after the mode string means an ACL is present, and the group field now reads rwx although group:: is still r-x, because once a mask entry exists ls -l shows the mask in that position. The mask caps the effective rights of every named user, named group and the owning group; setfacl recomputes it from the entries unless you pin it with -m m::perms. Note also that other:: is still r-x, so the requirement that other users get nothing is not yet met: chmod o= /data/ (or setfacl -m o::--- /data/) is still needed. setfacl -b /data/ removes all entries again.
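The following Python program is an added example, not part of the original notes. It parses getfacl output like the listings above and evaluates access the way the kernel does for POSIX ACLs (the order and mask rules from acl(5)): owner first, then a matching named user, then every matching group entry, then other, with the mask capping everything except the owner and other entries. SAMPLE_GETFACL is constructed to match /data/ after the four setfacl commands; the user names yg02 and "someone" in the test are hypothetical.

```python
"""POSIX ACL access check fed from getfacl text.  Added example; the sample
listing is constructed to match the /data/ experiment."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

R, W, X = 4, 2, 1

SAMPLE_GETFACL = """\
# file: data
# owner: root
# group: root
user::rwx
user:mike:rwx
user:john:r--
user:kaka:r--
user:lily:r-x
group::r-x
mask::rwx
other::r-x
"""


def perm_bits(text):
    """'r-x' -> 5, the triplet format getfacl prints."""
    if not re.fullmatch(r"[r-][w-][x-]", text):
        raise ValueError("bad permission triplet: %r" % text)
    return (R if text[0] == "r" else 0) | (W if text[1] == "w" else 0) | (X if text[2] == "x" else 0)


def perm_text(bits):
    return ("r" if bits & R else "-") + ("w" if bits & W else "-") + ("x" if bits & X else "-")


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0                  # user::
    group_obj: int = 0                 # group::
    other: int = 0                     # other::
    mask: Optional[int] = None         # mask:: (absent on a plain rwx file)
    named_users: Dict[str, int] = field(default_factory=dict)
    named_groups: Dict[str, int] = field(default_factory=dict)


def parse_getfacl(text):
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                  # header lines: file/owner/group
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                acl.owner = value.strip()
            elif key.strip() == "group":
                acl.group = value.strip()
            continue
        entry = line.split("#", 1)[0].strip()     # drop '#effective:...' annotations
        if entry.startswith("default:"):          # inherited by new children only
            continue
        tag, qualifier, perms = entry.split(":")
        bits = perm_bits(perms)
        if tag == "user":
            if qualifier:
                acl.named_users[qualifier] = bits
            else:
                acl.user_obj = bits
        elif tag == "group":
            if qualifier:
                acl.named_groups[qualifier] = bits
            else:
                acl.group_obj = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
        else:
            raise ValueError("unknown ACL tag: %r" % tag)
    return acl


def check_access(acl, user, groups, wanted):
    """True if `user` (with effective + supplementary `groups`) holds every bit
    in `wanted`.  Owner, then named user, then any matching group entry
    (one granting entry suffices), then other.  A matched group that does
    not grant means denial: other:: is not consulted as a fallback."""
    mask = 7 if acl.mask is None else acl.mask
    if user == acl.owner:
        return (wanted & ~acl.user_obj) == 0
    if user in acl.named_users:
        return (wanted & ~(acl.named_users[user] & mask)) == 0
    matched = False
    for g in groups:
        if g == acl.group:
            matched = True
            if (wanted & ~(acl.group_obj & mask)) == 0:
                return True
        if g in acl.named_groups:
            matched = True
            if (wanted & ~(acl.named_groups[g] & mask)) == 0:
                return True
    if matched:
        return False
    return (wanted & ~acl.other) == 0


def effective_entries(acl):
    """What each entry really grants (getfacl's '#effective:' column when the
    mask is narrower).  Owner and other are never masked."""
    mask = 7 if acl.mask is None else acl.mask
    eff = {"user::": acl.user_obj, "group::": acl.group_obj & mask, "other::": acl.other}
    eff.update(("user:%s" % n, b & mask) for n, b in acl.named_users.items())
    eff.update(("group:%s" % n, b & mask) for n, b in acl.named_groups.items())
    return eff


def ls_group_field(acl):
    """The group column of ls -l: the mask when one exists, else group::.
    This is why /data/ showed drwxrwxr-x+ while group:: stayed r-x."""
    return perm_text(acl.group_obj if acl.mask is None else acl.mask)


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for name, bits in effective_entries(acl).items():
        print("%-12s %s" % (name, perm_text(bits)))
    print("ls -l group column:", ls_group_field(acl))
```

Tightening the mask (as `setfacl -m m::r-- /data/` would) is modelled by assigning `acl.mask = R`: mike's effective rights drop to r--, while root as owner keeps rwx, which is exactly what getfacl reports in its #effective column.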


