Linux 20180412 Hidden Permissions lsattr_chattr etc.

Source: Internet
Author: User
Tags: parent directory, file permissions

Hidden permissions: lsattr and chattr

These attributes can protect a file to a large extent. Unlike ordinary permissions they are hidden: ls -l does not show them, yet they decide whether the file can be changed.

Use case: when a file needs full protection and nobody should touch it, use chattr +i.

The chattr command cannot protect the /, /dev, /tmp and /var directories. The lsattr command displays the file attributes set by the chattr command.

"Some of the relevant attribute options:


a: append. After this attribute is set, data can only be appended/added to the file; the file cannot be deleted or renamed and its content cannot be changed, but the time information can still be altered. Mostly used to secure server log files; only root can set this attribute.
c: compress. Sets whether the file is compressed before it is stored. Reading it requires an automatic decompression step.
d: no dump. The file cannot be a backup target of the dump program.
i: the file cannot be deleted, renamed or linked to, and cannot be written or appended to. The i attribute is useful for file system security settings."

Once a file has the i attribute, nothing can be done to it; it cannot even be renamed. When vi edits a file it creates a temporary file, the actual changes are made in the temporary file, and on save and exit the temporary file overwrites the original file.

With i set, nothing can be changed, so if you want to modify the file, use chattr -i to remove i; after that it can be modified.


head -n2 file1 >> file2

This appends the first two lines of file1 to file2. A single > writes into the file instead, replacing its contents.


lsattr -d shows the attributes of the directory itself; with no option, lsattr lists the attributes of the subdirectories and files under the directory.

chattr can also set attributes on a directory: +i (nothing can be changed), or +a (append), which allows new files to be created in the directory.



lsattr also has the -R option, which recursively shows the attributes of subdirectories and of the files under them.


Summary

chattr +i +a -i -a

lsattr -R -a (hidden files are shown too) -d (view the directory itself)
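
As an added example (not part of the original page), the sh function below filters lsattr -R output for entries that carry i or a, which gives a quick inventory of locked files. The sample listing and its paths are constructed, and the function names locked_entries and sample_lsattr are made up for the illustration.

```sh
#!/bin/sh
# Added example: report entries that lsattr shows with i (immutable) or
# a (append-only). Flags are case-sensitive: A (no atime update) and
# I (indexed directory) are different attributes and are not reported.

# locked_entries: reads `lsattr -R` output on stdin and prints
# "<attribute(s)><TAB><path>" for each protected entry.
locked_entries() {
    while IFS= read -r line; do
        flags=${line%% *}      # text before the first space
        path=${line#* }        # everything after it (may contain spaces)
        # Skip blank lines, "dir:" headers and error messages: a real entry
        # has a flag field made only of letters and dashes, then a path.
        if [ "$flags" = "$line" ]; then continue; fi
        case $flags in
            ''|*[!A-Za-z-]*) continue ;;
        esac
        tag=
        case $flags in *i*) tag=immutable ;; esac
        case $flags in *a*) tag="${tag:+$tag,}append-only" ;; esac
        if [ -n "$tag" ]; then printf '%s\t%s\n' "$tag" "$path"; fi
    done
}

# Constructed sample of `lsattr -R .` output (not taken from a real system).
sample_lsattr() {
    cat <<'EOF'
--------------e------- ./etc
-----------I--e------- ./home

./etc:
----i---------e------- ./etc/resolv.conf
--------------e------- ./etc/hosts
----i---------e------- ./etc/site config.php

./var/log:
-----a--------e------- ./var/log/auth.log
-------A------e------- ./var/log/debug.log
EOF
}

sample_lsattr | locked_entries
```

On a live system the same function takes the real listing: lsattr -R /etc 2>/dev/null | locked_entries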





Special permission set_uid: ordinary users temporarily take on the identity of the owner (u)


    1. Shown in red

    2. In the leading rws, the s is the set_uid permission


Even root has no permissions on the password file, but root is the super administrator and can change it anyway. How, then, do ordinary users change their own passwords? This requires a special permission: set_uid lets an ordinary user temporarily take on root's identity while executing passwd, so the user can change the password. The prerequisite is that the file is a binary, such as ls or cat.


How do I grant set_uid permissions to a file?

For example, a user does not have permission to view the root folder, that is, the ls command alone is not sufficient.

In this case, we need to give the user temporary permission to view root.

chmod u+s /usr/bin/ls

After the permissions of ls have been changed, the user can see the root directory.


It's easy to get rid of this privilege.

chmod u-s /usr/bin/ls


The mode can also be written this way:

chmod u=rws

Written like this there is no x permission, so the bit is displayed as a capital S. After x permission is added with chmod u+x, it is displayed normally as a lowercase s.


Can set_uid be added to a directory?

Yes, but it doesn't make much sense.



Special permission set_gid: ordinary users temporarily get the permissions of the owning group

It acts on the group permission bits; the difference from set_uid is that set_uid acts on the user (owner) bits. As an experiment, add s to g (g+s) and see what the colour becomes and that the s appears in the group bits.

Because the directory's permissions for this group allow reading and entering it, once s has been set on g, other users temporarily have the same permissions as the group.

Remove the s permission and, right away, you can no longer see it.


Under normal circumstances, the directories and files created by root belong to the group root. With g+s, however, when sub-files are created under a set_gid directory, their owning group is consistent with the parent directory.


set_gid can act not only on files but also on directories. When it acts on a file, its role is the same as that of set_uid: it lets ordinary users temporarily take on the identity of the owning group.

When it acts on a directory, the subdirectories and sub-files created in it get the same owning group as that directory.




Special permission stick_bit: prevents others, except root, from deleting one's own files

Note that its permissions show as rwt; the t is the anti-delete bit.

/tmp is a directory that all users can access, but who controls the files in it? That is determined by the permissions of the parent directory.

"To delete a file, you don't have to have write permission for this file, but you must have write permission to the parent directory of this file. That is, even if you do not have write permission on a file, if you have write permission on the file's parent directory you can still delete the file; and if you have no write permission to a directory, you will not be able to create files in that directory."

As an example:

Files created by the user Bill can be accessed and modified by other users, but cannot be deleted.
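
The three special bits described above can be set on scratch files you own and read back without root. This is an added example, not from the original page; the file names and the helper functions mode_of, list_special and make_demo_tree are made up for the demonstration.

```sh
#!/bin/sh
# Added example: build a scratch tree, set the special bits, read them back.
# All file and directory names below are constructed for the demonstration.

# mode_of PATH: the 10-character type/permission string shown by ls -l
mode_of() { ls -ld "$1" | cut -c1-10; }

# list_special DIR: regular files under DIR carrying set_uid or set_gid
list_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# make_demo_tree: create the scratch tree and print its path.
# The body runs in a subshell so the umask change stays local.
make_demo_tree() (
    umask 022
    d=$(mktemp -d) || exit 1
    touch "$d/suid_exec" "$d/suid_noexec"
    chmod 755 "$d/suid_exec";   chmod u+s "$d/suid_exec"    # rws
    chmod 644 "$d/suid_noexec"; chmod u+s "$d/suid_noexec"  # rwS: no x under the s
    mkdir "$d/shared" "$d/tmp_like"
    chmod 2775 "$d/shared"      # set_gid directory
    mkdir "$d/shared/sub"       # created afterwards: picks up set_gid on Linux
    chmod 1777 "$d/tmp_like"    # sticky bit, as on /tmp
    printf '%s\n' "$d"
)

d=$(make_demo_tree)
for p in suid_exec suid_noexec shared shared/sub tmp_like; do
    printf '%s  %s\n' "$(mode_of "$d/$p")" "$p"
done
echo "files with set_uid/set_gid:"
list_special "$d"
rm -rf "$d"
```

Pointed at a real directory such as /usr/bin, list_special gives the list to review after an experiment like the chmod u+s shown earlier.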
