Programs used:
chmod setfacl getfacl stat chattr lsattr
chmod: set file permissions
setfacl: set the access control list (ACL) of a file
getfacl: view the access control list
stat: display inode contents, including the access, modify and change (a | m | c) times
chattr: set file attributes on an ext2 (second extended) file system
lsattr: view file attributes on an ext2 file system
setuid: a process executing the file runs with the privileges of the file owner
setgid: a process executing the file runs with the privileges of the file group (on a directory, new files inherit the directory's group)
sticky: restrict deletion of files (on a directory, a file may be deleted only by its owner)
Test:
[root@nagios test]# touch setuid setgid sticky
[root@nagios test]# chown -R nagios.nagios ./
[root@nagios test]# chmod u+s setuid && chmod g+s setgid && chmod o+t sticky
[root@nagios test]# ll
total 0
-rw-r-Sr-- 1 nagios nagios 0 Mar 28 00:41 setgid
-rwSr--r-- 1 nagios nagios 0 Mar 28 00:41 setuid
-rw-r--r-T 1 nagios nagios 0 Mar 28 00:41 sticky
[root@nagios test]# su hello
[hello@nagios test]$ pwd
/root/test
[hello@nagios test]$ echo hello >> setuid
bash: setuid: Permission denied
[hello@nagios test]$ sh setuid
hello
[nagios@nagios test]$ exit
exit
[root@nagios test]# chmod o+w sticky
[root@nagios test]# su hello
[hello@nagios test]$ ll sticky
-rw-rw-rwT 1 nagios nagios 0 Mar 28 00:45 sticky
[hello@nagios test]$ rm sticky
rm: cannot remove `sticky': Permission denied
[hello@nagios test]$ stat sticky
File: `sticky'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd00h/64768d Inode: 134198 Links: 1
Access: (1666/-rw-rw-rwT) Uid: ( 500/ nagios) Gid: ( 500/ nagios)
Access: 2013-03-28 00:45:37.875928997 +0800
Modify: 2013-03-28 00:45:37.875928997 +0800
Change: 2013-03-28 00:46:28.050580800 +0800
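The uppercase S and T in the listings above follow one rule: the special bit is shown lowercase (s/t) when the matching execute bit is set and uppercase (S/T) when it is not, so uppercase means "special bit on something nobody can execute". Two caveats a practitioner should keep in mind: Linux gives the sticky bit meaning only on directories (there it limits deleting and renaming to the file's owner, the directory's owner and root), so the `rm sticky` denial above is decided by the permissions of the containing directory, not by the T on the file; and setuid/setgid/sticky entries are exactly what a permissions audit enumerates. The script below is an added example, not part of the original notes: it decodes an octal mode such as the `1666` that stat prints into the symbolic form, then walks a constructed temporary tree with `find -perm` and cross-checks the decoder against GNU `stat -c`. The temporary tree and its file names are constructed here.

```shell
#!/bin/sh
# Added example, not part of the original notes: decode an octal mode (the
# "1666" in the stat output above) into the symbolic string that ls prints, and
# audit a directory tree for setuid/setgid/sticky entries.
# Display rule behind the page's "-rw-r-Sr--" and "-rw-rw-rwT": the special bit
# shows as lowercase s/t when the matching execute bit is set and as uppercase
# S/T when it is not.

# mode_to_symbolic OCTAL [TYPECHAR]   e.g. mode_to_symbolic 4755 -> -rwsr-xr-x
# TYPECHAR is the leading file-type character ("-" file, "d" directory, ...).
mode_to_symbolic() {
    m=$((0$1))                      # leading 0 forces octal interpretation
    out=${2:--}
    for pos in 6 3 0; do            # owner, group, other triplets
        bits=$(( (m >> pos) & 7 ))
        if [ $((bits & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((bits & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        x=$((bits & 1))
        case $pos in
            6) special=$(( (m >> 11) & 1 )); lower=s; upper=S ;;   # setuid (4000)
            3) special=$(( (m >> 10) & 1 )); lower=s; upper=S ;;   # setgid (2000)
            0) special=$(( (m >> 9) & 1 ));  lower=t; upper=T ;;   # sticky (1000)
        esac
        if [ "$special" -ne 0 ]; then
            if [ "$x" -ne 0 ]; then out="${out}${lower}"; else out="${out}${upper}"; fi
        elif [ "$x" -ne 0 ]; then
            out="${out}x"
        else
            out="${out}-"
        fi
    done
    printf '%s\n' "$out"
}

# audit_special_bits DIR
# One line per entry below DIR that carries setuid, setgid or sticky:
#   "<octal> <symbolic reported by stat> <symbolic from the decoder> <path>"
# Uses GNU stat -c, as on the Linux hosts this page is about.
audit_special_bits() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) -print | sort |
    while IFS= read -r path; do
        oct=$(stat -c '%a' "$path")
        sym=$(stat -c '%A' "$path")
        type_char=$(printf '%s' "$sym" | cut -c1)
        printf '%s %s %s %s\n' "$oct" "$sym" "$(mode_to_symbolic "$oct" "$type_char")" "$path"
    done
}

# Demo on a constructed tree (created in a temporary directory, removed afterwards).
demo_dir=$(mktemp -d)
touch "$demo_dir/setuid" "$demo_dir/setgid" "$demo_dir/plain"
mkdir "$demo_dir/shared"
chmod 4755 "$demo_dir/setuid"      # -rwsr-xr-x
chmod 2644 "$demo_dir/setgid"      # -rw-r-Sr--  (setgid without group execute)
chmod 1777 "$demo_dir/shared"      # drwxrwxrwt  (world-writable sticky directory)
audit_special_bits "$demo_dir"
rm -rf "$demo_dir"
```

Point `audit_special_bits` at a real root (for example `/usr` or `/`, adding `-xdev` to the `find` to stay on one filesystem) to list the binaries that run with borrowed privileges; any uppercase S or T in the second column is worth a second look, since it marks a special bit without the execute bit it would need to matter.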
# setfacl and getfacl
ACL entry types (the field between the two colons is the qualifier; left empty, it means the owner or the owning group):
user::perms sets the owner's permissions; user:NAME:perms sets a named user
group::perms sets the owning group; group:NAME:perms sets a named group
other::perms sets everyone else
mask::perms is the upper bound on the effective permissions of every entry except the owner and other, that is, named users, the owning group and named groups
Common options:
-d: set the default ACL of a directory, which new files and subdirectories inherit
-R: apply recursively
Check whether ACL is supported
[root@nagios heelo]# tune2fs -l /dev/sda1 | grep option
Default mount options: user_xattr acl
Test:
[root@nagios test]# touch setfacl
[root@nagios test]# setfacl -m user::r,user:hello:rw setfacl
[root@nagios test]# chown nagios.nagios setfacl
[root@nagios test]# ll setfacl
-r--rw-r--+ 1 nagios nagios 0 Mar 2800:52 setfacl
[root@nagios test]# su nagios
[nagios@nagios test]$ echo hello >> setfacl
bash: setfacl: Permission denied
[nagios@nagios test]$ exit
exit
[root@nagios test]# su hello
[hello@nagios test]$ echo hello >> setfacl
[hello@nagios test]$ cat setfacl
hello
[hello@nagios test]$ getfacl setfacl
# file: setfacl
# owner: nagios
# group: nagios
user::r--
user:hello:rw-
group::r--
mask::rw-
other::r--
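The `mask::rw-` line in the listing above is what lets `user:hello:rw-` take effect: the kernel ANDs every named-user, owning-group and named-group entry with the mask, while the owner entry (`user::`) and `other::` are never masked. When the mask is narrower than an entry, getfacl marks that entry with `#effective:` and the extra bits are silently unusable. The script below is an added example, not part of the original notes: it re-implements that mask arithmetic in awk over two constructed ACL listings, the page's own and a variant with a narrower mask and a named group, so the capping is visible.

```shell
#!/bin/sh
# Added example, not part of the original notes: apply an ACL mask the way the
# kernel does, to show what "mask" in the getfacl output above actually limits.
# The mask caps named users, the owning group and named groups; it never applies
# to the owner (user::) or to other::.

# Constructed sample matching the page's ACL (mask rw-); not captured live.
ACL_PAGE='# file: setfacl
# owner: nagios
# group: nagios
user::r--
user:hello:rw-
group::r--
mask::rw-
other::r--'

# Constructed variant with a narrower mask and a named group, to show the cap.
ACL_NARROW='# file: setfacl
user::r--
user:hello:rw-
group::r--
group:staff:rwx
mask::r--
other::r--'

# effective_acl: read ACL text on stdin, print "tag:qualifier:perms:effective".
effective_acl() {
    awk -F: '
        /^#/ || NF < 3 { next }               # skip the getfacl header and blanks
        { entry[++n] = $0 }
        $1 == "mask" { mask = $3 }
        END {
            for (i = 1; i <= n; i++) {
                split(entry[i], f, ":")
                tag = f[1]; who = f[2]; perms = f[3]
                if (tag == "mask" || tag == "other" || (tag == "user" && who == "")) {
                    eff = perms                # never masked
                } else {
                    eff = ""                   # AND of perms and mask, letter by letter
                    for (j = 1; j <= 3; j++) {
                        p = substr(perms, j, 1); q = substr(mask, j, 1)
                        eff = eff ((p != "-" && q != "-") ? p : "-")
                    }
                }
                printf "%s:%s:%s:%s\n", tag, who, perms, eff
            }
        }'
}

# effective_perms TAG QUALIFIER: effective rwx string for one entry (ACL on stdin).
# Pass an empty QUALIFIER for the owner, the owning group or other.
effective_perms() {
    effective_acl | awk -F: -v tag="$1" -v who="$2" '$1 == tag && $2 == who { print $4 }'
}

printf '%s\n' "$ACL_PAGE"   | effective_acl
echo
printf '%s\n' "$ACL_NARROW" | effective_acl
```

Two things follow from this model. A `+` at the end of an `ls -l` mode string, as in the `-r--rw-r--+` above, is the only hint in a plain listing that an ACL exists, so `getfacl` is the authoritative view. And once an extended ACL is present, the group bits that `chmod` or `ls -l` show are the mask, not `group::`, so a `chmod g-w` on such a file narrows the mask and revokes write from every named user as well; `effective_perms user hello` run before and after the change shows exactly that.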
# chattr and lsattr
chattr +-= [acdeijstuADST] (+ adds an attribute, - removes it, = sets the list exactly)
A: no atime. The system does not update the last access time of this file.
S: sync. Every write by an application is flushed to disk immediately.
a: append only. Data may only be appended to the file; no process may overwrite or truncate it. On a directory, files may be created and modified but none may be deleted.
i: immutable. No modification of the file is allowed at all. On a directory, existing files may still be modified but none may be created or deleted.
D: check for errors in the compressed file.
d: no dump. The dump backup program skips this file.
c: compress. The file is compressed transparently: reads return the decompressed data, and writes are compressed before they reach the disk.
s: secure delete. When the file is deleted, the blocks it occupied are overwritten with zeros.
u: undelete. When an application deletes the file, its data blocks are kept so that the file can be recovered later.
Test:
[root@nagios test]# mkdir chattr
[root@nagios test]# chattr +i chattr/
[root@nagios test]# touch chattr/hello
touch: cannot touch `chattr/hello': Permission denied
[root@nagios test]# chattr -i +a chattr/
[root@nagios test]# touch chattr/hello && echo hello >>chattr/hello && cat chattr/hello
hello
[root@nagios test]# rm chattr/hello
rm: remove regular file `chattr/hello'? y
rm: cannot remove `chattr/hello': Operation not permitted
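Note the wording in the last line: root gets `Operation not permitted`, not `Permission denied`. Mode bits and ACLs produce the latter; the former on a file you own (or as root) is the tell-tale of an inode attribute, and `lsattr` is the tool that confirms it. The script below is an added example, not part of the original notes: it parses lsattr-style output (a constructed sample in lsattr's `<flags> <path>` layout, not captured from a real host) and reports every path that is immutable or append-only, then feeds the real `lsattr` output through the same parser when the tool and filesystem support it.

```shell
#!/bin/sh
# Added example, not part of the original notes: parse lsattr-style output and
# report every path carrying the immutable (i) or append-only (a) attribute.
# Both are enforced even against root: in the transcript above, rm fails with
# "Operation not permitted" rather than "Permission denied".

# Constructed sample in lsattr's "<flags> <path>" layout; not captured live.
LSATTR_SAMPLE='----i--------e-- ./chattr/hello
-----a-------e-- ./log/audit.log
-------------e-- ./etc/motd
---------------- ./tmp/scratch'

# has_attr FLAGS LETTER: succeeds when LETTER is present in the flag field.
# Matching is case-sensitive: "a" (append only) is not "A" (no atime), and
# "i" (immutable) is not "I" (indexed directory).
has_attr() {
    case $1 in
        *"$2"*) return 0 ;;
    esac
    return 1
}

# report_locked TEXT: prints "immutable <path>" / "append-only <path>" lines.
report_locked() {
    printf '%s\n' "$1" | while read -r flags path; do
        [ -n "$path" ] || continue
        if has_attr "$flags" i; then printf 'immutable   %s\n' "$path"; fi
        if has_attr "$flags" a; then printf 'append-only %s\n' "$path"; fi
    done
}

# live_report PATH: run the real lsattr, when installed and supported by the
# filesystem, through the same parser (-d lists a directory itself, not its contents).
live_report() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not installed"; return 0; }
    out=$(lsattr -d "$1" 2>/dev/null) || { echo "attributes not supported on: $1"; return 0; }
    report_locked "$out"
}

report_locked "$LSATTR_SAMPLE"
live_report .
```

The `a` case is the one the transcript demonstrates: a directory marked append-only still accepts new files and appends, but refuses deletion, which is why it is a common choice for log directories. Changing `i` or `a` requires the CAP_LINUX_IMMUTABLE capability, so even a root shell inside a container that drops that capability (Docker's default set does) cannot clear them; and `lsattr` only works on filesystems that store these attributes (ext2/3/4, xfs and btrfs among them), which is what the fallback branch in `live_report` covers.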