Special permissions and ACLs
Special permissions
SUID:
When a SUID program runs, the process runs with the effective identity of the program file's owner rather than that of the user who launched it. SUID is only meaningful on binary executables, and the user running the program still needs execute (x) permission on it.
Example: the passwd command must write the new password hash to /etc/shadow, which ordinary users cannot write.
ls -l /bin/cat
ls -l /etc/shadow
chmod u+s file (ls shows a lowercase s in the owner's execute position if the file already has x, otherwise an uppercase S)
SGID:
For files: when the program runs, the effective group of the process is the group of the program file rather than the primary group of the user running it.
chmod g+s file
Example: the locate command needs to read /var/lib/mlocate/mlocate.db
For directories:
A user needs r and x permission on the directory to enter it.
Inside an SGID directory, the user's effective group for that directory becomes the directory's group.
If the user also has w permission on the directory, any file the user creates there gets the directory's group instead of the user's primary group.
For example:
Suppose a team works on a project in one directory, and every member needs rwx permission on all files in that directory.
First create a new group, then create an account for each member and add each account to the new group.
Create the working directory, set its permissions to 770, and change its group to the new group.
So far, what could still go wrong?
When account a creates a new file, the file's owner and group are a's own. The crucial point is that no other member can then access this file.
So we add SGID to the directory; from then on any file a member creates gets the directory's group as its group, and everything works.
Development team: hadoop, hbase, hive
/tmp/project: the three users can edit the files that the others create
# useradd hadoop
# useradd hbase
# useradd hive
# mkdir /tmp/project
# groupadd developteam
# chown -R :developteam /tmp/project
# chmod -R 770 /tmp/project
# usermod -aG developteam hadoop
# usermod -aG developteam hbase
# usermod -aG developteam hive
(-a appends to the user's supplementary groups; -G on its own would replace them)
# chmod g+s /tmp/project
Sticky (BIT):
Meaningful only on directories: when users have w and x permission on the directory, a file or subdirectory created there can be deleted only by its creator (and root).
In a shared directory everyone can create files and delete their own files,
but nobody can delete another user's files (the sticky bit).
Example: chmod o+t dir
In the octal form, SUID is 4, SGID is 2 and the sticky bit is 1.
chmod 4755 filename
The leading digit (4 here) holds the three special bits; the following 755 are the normal permissions. The command above adds SUID to filename.
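The following Python script is an added example, not part of these notes. It shows how the SUID, SGID and sticky bits are encoded in st_mode and how ls -l displays them (s/S, t/T), audits a directory tree for entries that carry any of the three bits (the routine check an administrator runs to spot unexpected SUID binaries), and verifies that a shared project directory set up like /tmp/project above really passes its group on to new files. All function names are my own; demo_audit() builds its own temporary tree, so it runs without root.

```python
import os
import stat
import tempfile

# The three special bits as they appear in st_mode (from the stat module).
SPECIAL = {"SUID": stat.S_ISUID, "SGID": stat.S_ISGID, "STICKY": stat.S_ISVTX}


def mode_to_ls(mode):
    """Render an st_mode value the way `ls -l` shows it.

    In the execute position of each triplet a set special bit prints as
    s/t when the execute bit is also set and as S/T when it is not.
    """
    kind = "d" if stat.S_ISDIR(mode) else "l" if stat.S_ISLNK(mode) else "-"
    out = [kind]
    for shift, special, letter in ((6, stat.S_ISUID, "s"),
                                   (3, stat.S_ISGID, "s"),
                                   (0, stat.S_ISVTX, "t")):
        out.append("r" if mode & (4 << shift) else "-")
        out.append("w" if mode & (2 << shift) else "-")
        has_x = bool(mode & (1 << shift))
        if mode & special:
            out.append(letter if has_x else letter.upper())
        else:
            out.append("x" if has_x else "-")
    return "".join(out)


def ls_to_mode(text):
    """Inverse of mode_to_ls: turn the 9 permission characters (with an
    optional leading type character) back into a numeric mode."""
    perms = text[-9:]
    mode = 0
    for i, (special, letter) in enumerate(((stat.S_ISUID, "s"),
                                           (stat.S_ISGID, "s"),
                                           (stat.S_ISVTX, "t"))):
        r, w, x = perms[3 * i:3 * i + 3]
        shift = 6 - 3 * i
        if r == "r":
            mode |= 4 << shift
        if w == "w":
            mode |= 2 << shift
        if x in ("x", letter):
            mode |= 1 << shift
        if x in (letter, letter.upper()):
            mode |= special
    return mode


def audit_special_bits(root):
    """Walk `root` and return (path, ls-style mode, [bit names]) for every
    entry carrying SUID, SGID or the sticky bit.  Symlinks are not followed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            bits = [n for n, b in SPECIAL.items() if st.st_mode & b]
            if bits:
                findings.append((path, mode_to_ls(st.st_mode), bits))
    return findings


def check_sgid_inheritance(directory):
    """Verify that a shared project directory behaves as intended: the SGID
    bit is set and a file created inside inherits the directory's group.
    Returns (sgid_set, group_inherited)."""
    dir_st = os.stat(directory)
    sgid_set = bool(dir_st.st_mode & stat.S_ISGID)
    probe = os.path.join(directory, ".sgid_probe")
    fd = os.open(probe, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    try:
        os.close(fd)
        inherited = os.stat(probe).st_gid == dir_st.st_gid
    finally:
        os.unlink(probe)
    return sgid_set, inherited


def demo_audit():
    """Build a constructed temporary tree (a SUID tool, a sticky world-writable
    directory and an SGID project directory) and audit it; no root is needed
    because every object belongs to the calling user."""
    with tempfile.TemporaryDirectory() as top:
        tool = os.path.join(top, "tool")
        open(tool, "w").close()
        os.chmod(tool, 0o4755)          # like a setuid binary
        shared = os.path.join(top, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)        # like /tmp
        project = os.path.join(top, "project")
        os.mkdir(project)
        os.chmod(project, 0o2770)       # like /tmp/project above
        found = {os.path.relpath(p, top): bits for p, _, bits in audit_special_bits(top)}
        found["project_check"] = check_sgid_inheritance(project)
        return found


if __name__ == "__main__":
    for entry, value in demo_audit().items():
        print(entry, value)
    # Real use: list every SUID/SGID/sticky entry under a system directory.
    for path, shown, bits in audit_special_bits("/usr/bin"):
        print(shown, path, ",".join(bits))
```

Run it as a script to see the constructed tree's findings followed by the special-bit entries under /usr/bin; comparing that second list against a known-good baseline is the practical use of audit_special_bits.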
File system access Control List
FACL: file system access control list
Additional access control entries are stored in the file's extended attributes.
getfacl: view the ACL
setfacl: set the ACL
Syntax: setfacl [-bkRd] [-m|-x ACL entry] target_file
Options and parameters:
-m: set the ACL entries that follow; cannot be combined with -x
-x: remove the ACL entries that follow; cannot be combined with -m
-b: remove all ACL entries
-k: remove the default ACL entries
-R: apply recursively
-d: set default ACL entries; only valid for directories
setfacl -m m:rw inittab (m: sets the mask entry)
-m can set an entry for a user or for a group:
u:uid:perm
g:gid:perm
Example:
# mkdir /backup
# cd /backup
# cp /etc/inittab ./
# getfacl inittab
# setfacl -m u:redhat:rw inittab
Order in which entries are checked: owner > named user (ACL) > owning group > named group (ACL) > other
The effective permissions of named users, the owning group and named groups cannot exceed the mask.
setfacl -m m:rwx filename_or_directory_name
-x removes an entry:
setfacl -x u:uid file_name
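The following Python script is an added example, not part of these notes. It models how the entries above are evaluated: it parses the text getfacl prints (the sample is constructed here for the inittab file used above), applies the mask to compute each entry's effective permissions, and answers a permission query in the order listed above (owner, then named user, then the owning group and named groups, then other). Function names and the sample entries are my own; the one behaviour taken from Linux rather than from these notes is that, among several matching group entries, access is granted if any one of them (after masking) allows it.

```python
import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed sample of what `getfacl inittab` could print after
# `setfacl -m u:redhat:rw inittab`, a named group entry and a restrictive mask.
SAMPLE_GETFACL = """\
# file: inittab
# owner: root
# group: root
user::rw-
user:redhat:rw-
group::r--
group:staff:rwx
mask::r-x
other::r--
"""


def to_bits(perms):
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def to_str(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def masked(perms, mask):
    """Effective permissions of an entry that is subject to the mask."""
    return perms if mask is None else to_str(to_bits(perms) & to_bits(mask))


def parse_getfacl(text):
    """Parse getfacl output into a dict.  '#effective:' annotations and
    'default:' entries are tolerated; only the access ACL is evaluated here."""
    acl = {"owner": None, "group": None, "user_owner": "---", "group_owner": "---",
           "user": {}, "group_named": {}, "mask": None, "other": "---", "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m:
                acl[m.group(1)] = m.group(2)
            continue
        if line.startswith("default:"):
            acl["default"].append(line[len("default:"):])
            continue
        tag, qualifier, rest = line.split(":", 2)
        perms = rest.split()[0]            # drop a trailing "#effective:..." note
        if tag == "user":
            if qualifier:
                acl["user"][qualifier] = perms
            else:
                acl["user_owner"] = perms
        elif tag == "group":
            if qualifier:
                acl["group_named"][qualifier] = perms
            else:
                acl["group_owner"] = perms
        elif tag == "mask":
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
    return acl


def effective_entries(acl):
    """What each entry really grants once the mask is applied (the values
    getfacl shows as '#effective:'); owner and other are never masked."""
    eff = {"user::": acl["user_owner"], "other::": acl["other"],
           "group::": masked(acl["group_owner"], acl["mask"])}
    for name, p in acl["user"].items():
        eff["user:%s:" % name] = masked(p, acl["mask"])
    for name, p in acl["group_named"].items():
        eff["group:%s:" % name] = masked(p, acl["mask"])
    return eff


def check_access(acl, user, groups, want):
    """Decide whether `user` (a member of `groups`) gets `want` ('r', 'w' or 'x').
    Order: owner, then a named user entry, then the owning group and named
    groups the user belongs to (any one that grants it suffices), then other."""
    wb = PERM_BITS[want]
    if user == acl["owner"]:
        return bool(to_bits(acl["user_owner"]) & wb)
    if user in acl["user"]:
        return bool(to_bits(masked(acl["user"][user], acl["mask"])) & wb)
    candidates = []
    if acl["group"] in groups:
        candidates.append(masked(acl["group_owner"], acl["mask"]))
    candidates += [masked(p, acl["mask"]) for g, p in acl["group_named"].items() if g in groups]
    if candidates:
        return any(to_bits(p) & wb for p in candidates)
    return bool(to_bits(acl["other"]) & wb)


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for entry, perms in effective_entries(acl).items():
        print("%-14s %s" % (entry, perms))
    print("redhat write:", check_access(acl, "redhat", ["users"], "w"))
```

With the sample above, user:redhat:rw- is reduced to r-- by the mask r-x, which is exactly why "setfacl -m m::rx file" revokes write access from every named user and group in one step without touching their entries.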
To set a default ACL entry on a directory (inherited by files created inside it):
setfacl -m d:u:uid:perm dir_name
mount -o acl /dev/myvg1/mylv1 /mnt
dumpe2fs -h /dev/myvg1/mylv1 (check whether acl is among the default mount options)
tune2fs -o acl /dev/myvg1/mylv1 (make acl a default mount option of the file system)
Example: granting a user read permission
setfacl -m u:lisa:r file
Revoking write access from all groups and all named users (by setting the effective rights mask)
setfacl -m m::rx file
Removing a named group entry from a file's ACL
setfacl -x g:staff file
Copying the ACL of one file to another
getfacl file1 | setfacl --set-file=- file2
Copying the access ACL of a directory into its default ACL
getfacl --access dir | setfacl -d -M - dir