Linux Beginner--rights management

Source: Internet
Author: User
Tags: readable, file permissions

The previous article covered the management of users and groups: how to create users and groups on a Linux system and how to change their attributes. Linux is a multi-user, multitasking operating system, and several legitimate users can be logged in at once from remote devices. To keep users from competing for system resources in harmful ways, or from taking actions that damage the security of the system, their permissions have to be configured. This article introduces permission management.

Permission management has four main parts: ordinary permissions, special permissions, special file attributes, and the file access control list (FACL).

I. General permissions

1. The process security context

When a process tries to operate on a file, the kernel matches the user running the process against the file in this order:

(1) If the user running the process is the owner of the file, the owner's permission bits apply. If not, go to (2).

(2) If the user running the process is a member of the file's group, the group's permission bits apply. If not, go to (3).

(3) Otherwise the permission bits for other users apply.

Only the first matching class is consulted: an owner who is denied a permission in the owner bits does not get it from more permissive group or other bits.
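The three-step decision above, as an added POSIX sh emulation (not code from the original article). The owner, group, mode string and the requesting user's group list are all constructed inputs; on a real system the kernel performs this check, but the emulation makes the ordering visible, in particular that the first matching class is final:

```shell
# Added example (not from the original article): a small POSIX sh emulation
# of the owner / group / other decision. Inputs are constructed here; on a
# real system the kernel does this check.
#
# can_access OWNER GROUP MODE USER "GROUPLIST" PERM
#   MODE      the 9-character string from ls -l, e.g. rwxr-x---
#   GROUPLIST space-separated groups USER belongs to
#   PERM      one of r, w, x
# Prints which class of bits was consulted; returns 0 (allowed) or 1 (denied).
can_access() {
    owner=$1; group=$2; mode=$3; user=$4; glist=$5; perm=$6

    # Step 1: the requesting user is the owner -> only the owner triple counts.
    if [ "$user" = "$owner" ]; then
        triple=$(printf '%s' "$mode" | cut -c1-3); class=owner
    else
        # Step 2: the user is a member of the file's group -> group triple.
        in_group=0
        for g in $glist; do
            [ "$g" = "$group" ] && in_group=1
        done
        if [ "$in_group" -eq 1 ]; then
            triple=$(printf '%s' "$mode" | cut -c4-6); class=group
        else
            # Step 3: everyone else -> the "other" triple.
            triple=$(printf '%s' "$mode" | cut -c7-9); class=other
        fi
    fi

    # Look the requested permission up inside the chosen triple only.
    case $perm in
        r) bit=$(printf '%s' "$triple" | cut -c1) ;;
        w) bit=$(printf '%s' "$triple" | cut -c2) ;;
        x) bit=$(printf '%s' "$triple" | cut -c3) ;;
        *) echo "bad perm: $perm" >&2; return 2 ;;
    esac
    echo "$class"
    [ "$bit" = "$perm" ]
}

# Constructed scenario: a file owned by alice:staff with mode rw-r-----;
# bob is a member of staff, carol is not.
for who in "alice staff" "bob staff" "carol users"; do
    set -- $who
    for p in r w; do
        if cls=$(can_access alice staff rw-r----- "$1" "$2" "$p"); then
            verdict=allowed
        else
            verdict=denied
        fi
        echo "$1 wants $p: $verdict (decided by the $cls bits)"
    done
done
```

A mode such as ---rwxrwx, which looks generous, still denies the owner everything: the owner triple matched first and nothing further is consulted.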

2. Permission composition

A file's permissions restrict what its owner, its group, and all other users may do with it.

OWNERSHIP:

Owner: the user who controls the resource; owner, u

Group: the group of users who share control of the resource; group, g

Other users: users who are neither the owner nor in the group; other, o

All users: all of the above; all, a

MODE (permissions), usually three basic permissions:

r: readable

w: writable

x: executable

These three permissions mean different things for files and directories:

For a directory:

r: you can use ls to get the list of file names in it, but you cannot use ls -l to get the files' details, cannot cd into it, and cannot reference the directory in a path

w: you can modify the list of file names in the directory, that is, create, rename and delete entries in it

x: you can use ls -l to get the detailed attributes of the files in it, reference the directory in a path, and cd into it; x is the most basic permission on a directory, and a directory must grant x to a user before that user can do anything else with it

For a file:

r: you can view or read the data the file holds

w: you can modify the data stored in the file

x: you can run the file as a process

Note: the execute permission is very important on a Linux file system, because once a file has execute permission it can be started as a process; for that reason new files do not get execute permission by default.

Example: rw-r--r-- is three permission triples, for the owner, the group and other users:

Owner's permissions: rw-

Group's permissions: r--

Other users' permissions: r--


Permission triples with their binary and octal values:

Symbolic  Binary  Octal
---       000     0
--x       001     1
-w-       010     2
-wx       011     3
r--       100     4
r-x       101     5
rw-       110     6
rwx       111     7


Note: only the owner of a file can modify the file's permissions (root excepted).

The same permissions can therefore be written three ways: as characters (rw-r--r--), as nine binary bits (110100100), or as octal digits (644).

3. Modifying a file's permissions: chmod, chown, chgrp, install

chmod: change mode, change file mode bits

chmod [OPTION]... MODE[,MODE]... FILE...

MODE, symbolic form:

u, g, o, a: which ownership class the change applies to

+, -, =: how the change is applied

+: add the given permissions to the existing ones

-: remove the given permissions from the existing ones

=: set the permissions exactly to the given ones, regardless of the existing ones

r, w, x: the permissions themselves

For example:

chmod u+x,g-wx,o-x FILE

chmod ug-x FILE

chmod +x FILE: with no class given, the change applies to all users (a), except for bits that are set in the umask

chmod +w FILE: with the usual umask of 022 the group and other write bits are masked, so only the owner gains write permission

chmod [OPTION]... OCTAL-MODE FILE...

When the octal form is used, all permission bits are set at once;

if fewer than three digits are given, the missing digits are filled with zeros on the left, that is, the given digits count from the right (chmod 5 FILE sets 005).
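The symbolic and octal forms above, exercised on a throw-away file so the resulting bits can be read back. This is an added example, not code from the original article; it runs as an ordinary user in a mktemp -d scratch directory and uses ls -l rather than stat because stat's format options differ between GNU and BSD. It also covers the triple-to-octal conversion from the table earlier in the article and the umask effect on who-less specs such as +w and +x.

```shell
# Added example (not part of the original article): apply the article's chmod
# examples to a fresh file and read the bits back. Everything runs as an
# ordinary user in a private temporary directory.

# mode_of FILE -> the 9-character permission string, e.g. rw-r--r--
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# sym_to_octal rw-r--r-- -> 644 : each triple is read as a 3-bit number
# (r=4, w=2, x=1), exactly the table in the article.
sym_to_octal() {
    sym=$1; out=""; i=1
    while [ "$i" -le 7 ]; do
        n=0
        [ "$(printf '%s' "$sym" | cut -c"$i")" = r ] && n=$((n + 4))
        [ "$(printf '%s' "$sym" | cut -c"$((i + 1))")" = w ] && n=$((n + 2))
        [ "$(printf '%s' "$sym" | cut -c"$((i + 2))")" = x ] && n=$((n + 1))
        out="$out$n"
        i=$((i + 3))
    done
    printf '%s\n' "$out"
}

# chmod_result START_MODE SPEC [UMASK] -> symbolic mode after "chmod SPEC"
# on a fresh file first set to START_MODE. The umask (default 022) only
# matters for specs without a class, such as "+w" or "+x".
chmod_result() {
    start=$1; spec=$2; mask=${3:-022}
    dir=$(mktemp -d) || return 1
    f="$dir/f"
    : > "$f"
    chmod "$start" "$f"
    ( umask "$mask"; chmod "$spec" "$f" )   # chmod inherits the subshell's umask
    mode_of "$f"
    rm -rf "$dir"
}

# Walk through the article's examples when run directly.
for demo in "644 u+x,g-wx,o-x" "755 ug-x" "644 640" "644 5" "444 +w" "644 +x"; do
    set -- $demo
    m=$(chmod_result "$1" "$2")
    echo "chmod $2 on a $1 file -> $m ($(sym_to_octal "$m"))"
done
echo "chmod +x on a 644 file under umask 077 -> $(chmod_result 644 +x 077)"
```

The last line shows why +x "adds to all users" only under a permissive umask: with umask 077 the group and other execute bits are in the mask, so only the owner gains x.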


chmod [OPTION]... --reference=RFILE FILE...

chmod --reference=/path/to/file FILE: copy the permissions of /path/to/file onto FILE

chmod --reference=a b: give file b the same permissions as file a

-R, --recursive: apply the given permissions to the target directory and to every file and subdirectory beneath it


chown: change a file's owner and group

chown [OPTION]... [OWNER][:[GROUP]] FILE...

chown OWNER FILE: change only the owner

chown :GROUP FILE: change only the group

chown OWNER: FILE: change the owner to OWNER and, because of the trailing colon, also set the group to OWNER's login group

chown OWNER:GROUP FILE: change the owner to OWNER and the group to GROUP

chown [OPTION]... --reference=RFILE FILE...: copy the ownership of RFILE onto FILE

-R, --recursive: apply the ownership to the target directory and to every file and subdirectory beneath it

Changing a file's owner is something only the superuser can do.


chgrp: change only the group of a file

chgrp GROUP FILE

Options:

-R: recursive


install

install copies files and, unlike cp, sets the permissions (by default with execute permission), owner and group of the copy explicitly.

install [OPTION]... [-T] SOURCE DEST: copy a single source

install [OPTION]... SOURCE... DIRECTORY: copy several sources into a directory

install [OPTION]... -t DIRECTORY SOURCE...: same, with the directory given first

install [OPTION]... -d DIRECTORY...: create directories

Options:

-m, --mode=MODE: permissions of the target file; the default is 755

-o, --owner=OWNER: owner of the target file; only root can use this

-g, --group=GROUP: group of the target file; only root can use this

Note: install does not copy directories, that is, its source cannot be a directory; when a source is a directory, install goes into it and copies only the non-directory files it contains to the target location.


mktemp: create a temporary file or directory

Temporary files are normally created under /tmp or /var/tmp; they do not need to be deleted by hand, the system cleans those directories up periodically.

Options:

-d, --directory: create a temporary directory instead of a file
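The difference between cp and install -m, shown on a script placed into a scratch directory created with mktemp -d. This is an added example, not code from the original article; it runs as an ordinary user, so -o and -g are omitted (they need root). cp reproduces the source's mode bits filtered by the umask, while install sets exactly the mode requested, so the result does not depend on how the source file happened to be created.

```shell
# Added example (not part of the original article): cp versus install -m in a
# mktemp -d scratch tree. Runs as an ordinary user.

mode_of() { ls -ld "$1" | cut -c2-10; }

# deploy_modes -> "<mode via cp> <mode via install> <mode of install -d dir>"
deploy_modes() {
    work=$(mktemp -d) || return 1
    src="$work/tool.sh"
    printf '#!/bin/sh\necho hello\n' > "$src"
    chmod 664 "$src"                         # a typical editor-created mode, no x

    ( umask 022
      cp "$src" "$work/via_cp.sh"            # source mode minus umask -> rw-r--r--
      install -m 750 "$src" "$work/via_install.sh"   # exactly rwxr-x---, ready to run
      install -d -m 700 "$work/private"              # directory, rwx------
    )
    printf '%s %s %s\n' "$(mode_of "$work/via_cp.sh")" \
                        "$(mode_of "$work/via_install.sh")" \
                        "$(mode_of "$work/private")"
    rm -rf "$work"
}

deploy_modes
```

The copy made with cp is not executable and is group-readable; the one made with install has exactly the 750 that was asked for, which is why install is the usual tool in Makefiles and deployment scripts.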

II. Special permissions

SUID, SGID, STICKY

By default, a process started by a user has that user as its owner, which means the process runs with the identity of the user who started it.

SUID: when a user starts a program whose file has the SUID bit set, the resulting process runs as the owner of the program file, not as the user who started it.

Where SUID is displayed: in the execute bit of the owner triple; it shows as s if the owner also has execute permission and as S if not.

Managing the SUID bit: chmod u+s FILE / chmod u-s FILE

SGID: if a directory is writable by several users and has the SGID bit set, then files and directories created in it by any of those users do not get the creator's primary group but inherit the group of the directory.

Where SGID is displayed: in the execute bit of the group triple; it shows as s if the group also has execute permission and as S if not.

Sticky: the sticky bit

If several users have write permission on a directory, each of them can create, rename and delete any file name in it at will.

Sticky bit function: with the sticky bit set on such a directory, each user can still create and rename files, but can only delete the files that they own themselves.

Where the sticky bit is displayed: in the execute bit of the other-users triple; it shows as t if other users also have execute permission and as T if not.

Managing the sticky bit: chmod o+t DIRECTORY / chmod o-t DIRECTORY


The three special bits as one octal digit (SUID, SGID, sticky):

Bits  Binary  Octal
---   000     0
--t   001     1
-s-   010     2
-st   011     3
s--   100     4
s-t   101     5
ss-   110     6
sst   111     7


Another way to set special permissions:

Prefix the normal three-digit octal mode with a fourth octal digit for the special bits.

For example: chmod 1755 DIRECTORY ... sets the sticky bit together with rwxr-xr-x.
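Setting the special bits with the four-digit octal form and reading back how ls -l renders them, including the lower-case/upper-case distinction described above. This is an added example, not code from the original article; it runs as an ordinary user on files that user owns in a scratch directory. It only shows how the bits are stored and displayed; whether the kernel honours SUID at execution time depends on the mount (mounts with nosuid ignore it).

```shell
# Added example (not part of the original article): SUID, SGID and sticky
# bits on a fresh file or directory, read back with ls -l.

mode_of() { ls -ld "$1" | cut -c2-10; }

# special_result KIND OCTAL -> symbolic mode after "chmod OCTAL" on a fresh
# file (KIND=f) or directory (KIND=d) in a scratch tree
special_result() {
    kind=$1; octal=$2
    work=$(mktemp -d) || return 1
    if [ "$kind" = d ]; then mkdir "$work/t"; else : > "$work/t"; fi
    chmod "$octal" "$work/t"
    mode_of "$work/t"
    rm -rf "$work"
}

# describe MODE -> one line per special bit: set or not, and whether the
# underlying execute bit is also set (lower case) or not (upper case)
describe() {
    m=$1
    for pos in 3 6 9; do
        c=$(printf '%s' "$m" | cut -c"$pos")
        case $pos in 3) name=SUID ;; 6) name=SGID ;; 9) name=sticky ;; esac
        case $c in
            s|t) echo "$name set, execute bit set" ;;
            S|T) echo "$name set, execute bit NOT set" ;;
            x)   echo "$name not set, execute bit set" ;;
            -)   echo "$name not set, execute bit not set" ;;
        esac
    done
}

for spec in "f 4755" "f 4644" "d 2775" "d 1777" "d 1776"; do
    set -- $spec
    m=$(special_result "$1" "$2")
    echo "chmod $2 on a $1 -> $m"
    describe "$m" | sed 's/^/    /'
done
```

An upper-case S or T is usually a misconfiguration worth noticing: the special bit is set but the execute bit it modifies is not, so for SUID on a file it does nothing useful.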


umask: the permission mask, the basis on which the default permissions of newly created files and directories are generated.

The root user's default umask is 0022; it can be changed.

The special permission bits are not considered.

For new files and directories, a umask of 0022 masks none of the owner's permissions and masks the write permission of the group and of other users.

The umask of ordinary users is 0002; it can also be changed.

Understanding the mask:

Write the umask in binary; every bit that is set in the mask is a permission that is not granted when the file is created.

Files already have 0111 (the execute bits) masked by default, so a new file starts from 666 while a new directory starts from 777; the umask is then applied on top of that.
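The umask arithmetic above, worked through for several masks and checked against files actually created under each one. This is an added example, not code from the original article; it runs as an ordinary user in a scratch directory and assumes only POSIX sh arithmetic and printf.

```shell
# Added example (not part of the original article): compute the mode a new
# file (base 666) or directory (base 777) gets under a umask, then confirm it
# by creating both in a scratch directory with that umask in force.

# expected_mode BASE UMASK -> e.g. expected_mode 666 027 -> 640
expected_mode() {
    base=$(printf '%d' "0$1")          # printf reads a leading 0 as octal
    mask=$(printf '%d' "0$2")
    printf '%03o\n' "$(( base & ~mask ))"   # clear every bit the mask has set
}

mode_of() { ls -ld "$1" | cut -c2-10; }

# created_modes UMASK -> "<file mode> <dir mode>" as actually created
created_modes() {
    work=$(mktemp -d) || return 1
    ( umask "$1"; : > "$work/f"; mkdir "$work/d" )   # umask is per process; subshell keeps it local
    printf '%s %s\n' "$(mode_of "$work/f")" "$(mode_of "$work/d")"
    rm -rf "$work"
}

for u in 022 002 027 077; do
    echo "umask $u: expected file $(expected_mode 666 "$u"), dir $(expected_mode 777 "$u"); created: $(created_modes "$u")"
done
```

The 0002 default of ordinary users leaves new files group-writable, which is fine with per-user private groups and a problem when users share a group; 027 or 077 are the usual hardened choices for service accounts.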


III. Special attributes of files

lsattr: view the special attributes of a file

To set or modify the special attributes of a file:

chattr: change file attributes on a Linux file system

chattr [-RVf] [-v version] [mode] files...

mode: +, - and = are used to set attributes

The mode part is the core of the whole chattr command;

[aAcCdDeijsStTu] are the attributes that can be set

+: add an attribute on top of the existing ones

-: remove the given attribute from the existing ones

=: set the file's attributes to exactly the given ones, regardless of the existing ones

a: append only; the file's contents cannot be changed or deleted, data can only be appended to it; most server log files are given this attribute

A: no atime updates; the access timestamp is not updated when the file is read, which avoids the I/O bottleneck that updating it causes

c: whether the file is automatically compressed when it is stored

C: whether the file uses copy-on-write

d: the file is not a backup target when dump is used for backups

D: the file's write operations in the file system are asynchronous (preferably not used)

i: immutable; the file cannot be deleted, modified or linked

s: secure deletion; when a file with the s attribute is deleted, the space it used on the storage device is reclaimed

u: the opposite of s; when such a file is deleted, its data is kept on the storage device

chattr +ATTRIBUTE FILE

Common options:

-R: recursively set the attributes of all files and subdirectories in the directory


IV. FACL

An additional permission mechanism for files: FACL, the File Access Control List

Additional permission mechanism for files:

A mechanism that lets an ordinary user grant permissions to other users and groups beyond the original u, g, o permissions.

It is generally mature in release versions from CentOS or RHEL 7 onward.

Commands related to FACL:

getfacl: get file access control lists

getfacl [-aceEsRLPtpndvh] file ...

getfacl [-aceEsRLPtpndvh] -

setfacl: set file access control lists

setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...

acl_spec: the ACL specification, that is, the access control entry to set

u:username:mode

g:groupname:mode

MODE: usually written in the symbolic permission form

Grant additional permissions to a user: setfacl -m u:username:mode FILE

Grant additional permissions to a group: setfacl -m g:groupname:mode FILE

Revoke the additional permissions given to a user: setfacl -x u:username FILE

Revoke the additional permissions given to a group: setfacl -x g:groupname FILE

setfacl --restore=file: restore the ACLs that getfacl saved into file

Note: if you set an FACL and afterwards change the target file's permissions with chmod, the entries in the FACL may be affected and no longer match what was intended. So if you really need an FACL, set the file's ordinary permissions first and the FACL afterwards.
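The interaction the note above warns about, made visible. What chmod rewrites is the ACL mask entry, which caps the effective rights of every named-user and named-group entry; the entry itself still reads rw-, but getfacl -e shows the reduced effective rights. This is an added example, not code from the original article. The extra user is given as a constructed numeric id (65000) so the demo does not depend on an account existing; it needs the acl tools and a filesystem with ACL support, and reports "unsupported" instead of failing where those are missing.

```shell
# Added example (not part of the original article): grant an ACL entry, then
# chmod the file and watch the effective rights change via the mask entry.

# effective_rights FILE UID -> the effective rights of user UID after the
# mask is applied, e.g. "rw-" or "---" (empty if the entry does not exist)
effective_rights() {
    getfacl -n -e --omit-header "$1" 2>/dev/null \
        | grep "^user:$2:" \
        | sed -n 's/.*#effective:\([rwx-]*\).*/\1/p'
}

# acl_demo -> "<effective before chmod> <effective after chmod>",
# or "unsupported" when ACLs cannot be used on this system
acl_demo() {
    work=$(mktemp -d) || return 1
    f="$work/report.txt"
    : > "$f"
    chmod 640 "$f"
    # constructed uid 65000 stands in for an extra user that should read and write
    if ! command -v setfacl >/dev/null 2>&1 || ! setfacl -m u:65000:rw "$f" 2>/dev/null; then
        rm -rf "$work"; echo unsupported; return 0
    fi
    before=$(effective_rights "$f" 65000)   # mask computed as rw- -> effective rw-
    echo "after setfacl: $(ls -l "$f" | cut -c1-10)  (group triple now shows the mask)" >&2
    chmod 600 "$f"                          # group bits to --- rewrites the mask to ---
    after=$(effective_rights "$f" 65000)    # entry still says rw-, effective ---
    echo "after chmod 600: $(ls -l "$f" | cut -c1-10)" >&2
    rm -rf "$work"
    printf '%s %s\n' "$before" "$after"
}

acl_demo
```

The group triple shown by ls -l on a file with an ACL is the mask, not the owning group's entry, which is why a chmod aimed at the group silently changes what every named entry can do; set the ordinary permissions first, as the note says, or re-run setfacl -m m::rw- afterwards to restore the mask.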


