1. First of all, we want to manage user rights, we need to know how to view the permissions of a file, we can use the LL command or LS-L command to view the permissions of a file, such as:
We can see that using the LL command lists some information about the/app file under the total of 7 columns, and these 7 columns represent the details of the/app file:
? (1) The first column has a total of 11 characters, the first one shows the file type, the Linux file is divided into 7 categories:
1.- 普通文件 2.d 目录文件 3.b 块设备文件 4.c 字符设备 5.l 符号链接文件 6.p 管道文件 7.s 套件字文件
This is the Linux under 7 different file types, and then the next 9 bits is the permissions we are going to introduce, the 9-bit permissions are divided into 3 groups, each group of 3 bits, there are two cases on each bit, for example, the first group is RWX, which represents the readable writable executable, if, R is readable, if-it means unreadable, W is writable,-representative is not writable, X is executable,-the representative is not enforceable. The first group of these three sets of permissions represents the permissions of the file owner, the owner, and the second group represents the permissions of all the groups of the file, the group, and the third group represents the permissions of the other person, the other. The last one. Indicates that SELinux is enabled and is not mentioned here.
? (2) The second column has only one number, which indicates that the number of connections to the file, as above 3 means that the file has three links.
? (3) The third column represents the owner of the file, the name of owner, such as Root, which indicates that the file belongs to the user root.
? (4) The fourth column represents all the groups of the file, that is, the name of the group, as root indicates that the file belongs to the root group.
? (5) The fifth column represents the size of the file.
? (6) The sixth column indicates when the file was updated.
? (7) The Seventh column indicates the file name
??
2. Now we introduce a concept: the context of security
?? If we want to copy/etc/passwd to directory/app, what permissions do we need? What is the copy command?cp /etc/passwd /app
??
3. What is the specific permission to achieve the operation?
?? What we can do with the file is read, write, execute, and their combination of permissions: Create, delete, modify (can write natural can modify); 3-bit permission is nothing more than a combination of r,w,x,rw,rx,wx,rwx. Although there are 7 kinds of files, we distinguish the catalog files, and use directories instead of catalog files to represent other files.
?? For the file:
???? R Permission: Indicates that the contents of the file can be read, using cat or less.
???? W Permissions: Indicates that the contents of the file can be modified, using VIM,VI and so on.
???? X permission: no effect.
???? RW Permission: Indicates that the file can be read and written.
???? WX permissions: Equivalent to W permission, can only write.
???? Rx Permission: Indicates that the file can be read and can execute him.
???? RWX permissions: Indicates readable, writable, executable, and highest privilege.
??
?? For the directory:
???? R Permission: Indicates that the contents of the directory can be short listed (sub-file name, subdirectory name).
???? W Permission: no effect.
???? X permissions: You can enter the directory.
???? RW permissions: Equivalent to R permissions.
???? Rx Permissions: You can list the contents of a directory long, and you can enter the directory.
???? WX Permissions: You can create, delete files or directories.
???? RWX permissions: Can be listed, created, deleted, into the directory.
??
4. Then how to modify the permissions, who has the right to modify the file or directory permissions?
?? Modifying permissions is done through the chmod command.
对所有者权限修改 chmod u+/-r/x/w/rx/rw/wx/rwx +文件名对群组权限修改 chmod g+/-r/x/w/rx/rw/wx/rwx +文件名对其他用户权限修改 chmod o+/r/x/w/rx/rw/wx/rwx +文件名
?? We can also use a binary method to represent the permissions of a file. For each set of permissions, there are only two possible on each, that is, yes or no, we can use 1 to indicate yes, 0 for none. It would be the following:
r-- 100 =4\-w- 010 =2\--x 001 =1rw- 110 =6r-x 101 =5\-wx 011=3rwx 111=7\--- 000 =0
Because you can use numbers to represent permissions, we have an easier way to change the permissions of a file:
chmod 777 /app/house
Or the chmod number represents the permission plus file, so that you can change all the permissions of the file at once.
The experiment to see who can modify the permissions of the file, root user is Superuser, can modify all permissions, here no longer experiment .
?? Now in Create User Liubei,guanyu,zhangfei,caocao, create group Shuguo, set group administrator to Guanyu, set group member to Liubei,guanyu,caocao, create directory test under App, Modify the permissions to 777, modify the group is Shuguo, switch users for Liu Bei, under/test create a test.file, command as follows:
useradd liubeiuseradd guanyuuseradd zhangfeiuseradd caocaogroupadd shuguogpasswd -A guanyu shuguogpasswd -M liubei,guanyu,zhangfeicd /appmkdir testchmod 777 testsu - liubeicd /app/testtouch test.filell
Results such as:
?? Now Liubei is Test.file Owne,guanyu is the administrator of the group Sanguo, Liubei,zhangfei,guanyu is a group member of Shuguo, Caocao is the other now test owner, group members, Group admins, Can other people modify the permissions of the Test.file.
Liubei is owner:
Guanyu is the group management of Shuguo
Zhangfei is a member of the Shuguo group.
Caocao is not a group member of Shuguo.
So only Root and the owner of the file can modify the file permissions, no one else can modify.
????
5. If the owner of the file belongs to a group, but the owner does not have permission to read the file, but the group has permission to read, then the user can read it? At the same time a person belongs to the group, but the group does not have Read permission, other people have Read permission, then can read? (experiment when a user accesses a file, goes to and applies permissions.) )
?? The permission to modify the file Test.file is 070 and the command is as follows
chmod 070 test.file
?? Liubei is the owner of Test.file.
?? The permission to modify the file Test.file is 007 and the command is as follows
chmod 007 test.file
?? Zhangfei is a member of Shuguo.
It can be seen that when a user accesses a file, it will first determine whether the user is owner, if so, the owner of the permissions, that is, the group is a member, do not apply the group bit permissions, if not owner, then determine whether the group members, if yes, apply group bit permissions, The other bit permission is not applied, and if not, the other bit permission is applied.
6.umask
We can create several files and directories in test as follows, and look at their permissions, then go back to/app and create several files and directories as follows:
touch {1..5}mkdir -p /a/bllcd ..mkdir -p /1/2/3llcd 2llcd 3ll
??
??
??
??
??
We can find that the permissions of the file are 660, directory permissions are 771, this is why, in Linux, when creating a file, when the default can not be performed, so the highest permission is 666, the highest permission of the directory is 777, we use 777-771=006; 666-660 = 006; Run Umask, you can see Umask value is 006;
The default permission for a file is 666-umask, and the default permission for the directory is 777-umask.
??
Now set the value of Umask to 011, the command is as follows:
umask 011
Create a directory can, create a file CA, and then view the permissions with the following command:
mkdir cantouch call
??
?? You can see that the permissions for the file are 666, and the permissions for the directory are 766; we'll find out, 666-011=655, what is this? 655 of the permissions is Rw-r-xr-x, is an executable file, and the file is created is not allowed to be executed, so when Umask is 1, 3,5, the corresponding bit, should be added 1, so as to ensure that the file is not executable.
??
7. Special privilege bit S
?? The special permission bit S can act on the ower bit, namely Sgid, also can function in group, namely Sgid.
?? suid: After an executable file has suid permissions, anyone who executes the file temporarily has the permissions of its owner.
We experiment with Command touch: first check that touch permission is 755, then switch to Liubei, create a file liubei1.file, then modify the permissions to 750, switch to Liubei, create a file liubei2.file, and then modify the permissions, plus U+s , switch to Liubei, create Liubei3.file, modify the permissions to 751, and add suid permissions, switch to Liubei, create liubei4.file, and finally modify the permissions to 755, remove the suid permissions; Part of the code is as follows:
Ll/bin/touch
su - liubeitouch liubei1.filesuchmod 750 /bin/touchsu - liubeitouch liubei2.filesuchmod u+s /bin/touchsu - liubeitouch liubei3.filesuchmod 751 /bin/touchchmod u+s /bin/touchsu - liubeitouch liubei4.file
The
results are as follows:
????
Create Liubei1.file
Create Liubei2.file
Create Liubei3.file
Create Liubei4.file
?? From this we can see that Liubei1.file, with Liubei4.file was created successfully, Liubei3.file,liubei.2file was not created successfully, Liubei1.file because Liubei is the other to touch has 5 permissions, can read the touch content, also can execute, so Can create Liubei2.file is not successful because other is 0 permissions, Liubei is the other identity, nature can not create; Liubei3.file is not successful because Liubei is the other identity, we described the security context earlier, want to create, first can read touch, here is suid permissions, Liubei temporarily get root permissions, so you can read the Touch command, and then to see if there is no permission to the destination, finally see if you can read the touch write, here Liubei only 0 permissions, although read touch, but do not have permission to execute, so cannot create Liubei4.file has root Read permission and can perform touch, so the creation is successful.
?? Sgid: 1. When Sgid is performed on an executable binary file, anyone who executes the file temporarily has permissions for all of its groups.
????? 2. When Sgid permissions are in effect on a directory, the group of files that anyone creates in the directory is the same as the owning group for that directory.
??????
?? 1 and Suid same, here no longer repeat, we directly experiment 2; under/app, create a directory house, modify the permissions of the directory is 777, and then add Sgid, permissions, respectively, switch to Liubei,guanyu,zhangfei, Create a file Liubeitest1,guanyutest,zhangfeitest1 under House, create a directory liubeitest1,guanyutest1,zhangfeitest1, and view the owning group. The code is as follows:
cd /appmkdir housechmod g+s housesu - liubeicd /app/housemkdir liubeitest1touch liubeitest2su - guanyucd /app/housemkdir guanyutest1touch guanyutest2su - zhangfeicd /app/housemkdir zhangfeitest1touch zhangfeitest2sull /app/house
The results are as follows:
All created files and directories do not inherit their owner's primary group, but instead inherit the house's owning group root.
????
8. Special privilege bit T
?? Stisky: Stisky permissions are used on a directory, and the files in that directory are deleted only by the owner and root of their owners and directories.
?? Delete all previously created files, create the test directory under/app, modify the permissions to 777, and then Liu to create the directory liubei1,guanyu1,zhangfei1, file Liubei2,guanyu2,zhangfei2, and then switch to Liu Bei , delete all, then create back, modify test permission to o+t, then switch to Zhang Fei, delete all. Some of the code is below.
chmod 777 /app/test切换用户,创建文件目录;su - liubei rm -rf /app/test/*切换用户,创建文件目录;chmod o+t /app/testsu - zhangfeirm -rf /app/test/*注:将目录文件权限全改为754
The results are as follows:
To create a file:
Other users cannot access other people's directories:
Zhangfei Delete
Re-build back:
Modify permissions and other bits plus t
Guan Yu Delete:
????
We can see that when you do not add t permission, even if you can not enter the other people's directory, but it is possible to delete other people's files, but with T, can only remove their own files, can not delete other people's files. But as the owner of the directory, you can change the permissions of the directory, so that he can remove the T permission, all can modify other people's files.
??
9.attr Permissions
attr permissions are special permissions that root users set to restrict their rights, but they can be modified;
???? Chattr +a means cannot be deleted, cannot be overwritten, can be appended
??? Chattr+i indicates that cannot be deleted, cannot be overwritten, cannot be appended
Lsattr Viewing attr permissions
Remove attr Permissions
???? Chattr-i
???? Chattr-a
Because work rarely uses root, no longer validates.
General permissions and several special permissions under Linux systems
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
