I. Basic permissions and ownership
1. Access rights
r (read): allows viewing a file's contents, or listing a directory
w (write): allows modifying a file, or creating, moving and deleting files and subdirectories inside a directory
x (execute): allows running a program, or entering (cd into) a directory
2. Viewing a file's permissions
# ls -l install.log
-    rw-    r--    r--    1    root    root    26195    Dec 10:42    install.log
①    ②      ③      ④      ⑤    ⑥      ⑦      ⑧       ⑨           ⑩
①. File type
- : regular file
d : directory
l : symbolic link
②. rw-: permissions of the file owner (u)
r = read = 4
w = write = 2
x = execute = 1
③. r--: permissions of the group the file belongs to (g)
r = read = 4
w = write = 2
x = execute = 1
④. r--: permissions of other users (o)
r = read = 4
w = write = 2
x = execute = 1
a = ugo (all three at once)
⑤. Number of hard links to the file
For a directory: the number of subdirectories it contains, counting . and .. (so an empty directory shows 2)
⑥. File owner
⑦. Group the file belongs to
⑧. File size
⑨. File modification time
⑩. File name
3. Commands (-R = recursive)
chmod: change permissions
chmod [ugoa][+-=][rwx] file
chmod <octal mode> file
Maximum permissions for a new file: 666
Maximum permissions for a new directory: 777
Default permissions for a new file: 644
Default permissions for a new directory: 755
umask
Default permissions = maximum permissions - umask (for example 666 - 022 = 644)
Note:
Without x permission on a directory, r and w alone are not enough: the directory cannot be entered.
chown: change the owner and the owning group
chown owner:group file
chgrp group file: change the group a file belongs to
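The "maximum - umask" rule above is a shortcut; the kernel actually clears the umask bits (mode = max AND NOT umask), and the two only agree for the usual umasks. This added example (not from the original notes) computes the default mode both ways so the divergence is visible; it assumes a POSIX shell and 3-digit octal arguments.

```sh
# default_mode MAX UMASK -> 4-digit octal mode a new file or directory gets,
# e.g. default_mode 666 022 -> 0644, default_mode 777 022 -> 0755
default_mode() {
    # the leading 0 makes the shell read both arguments as octal inside $(( ))
    printf '%04o\n' $(( 0$1 & ~0$2 ))
}

# subtract_mode MAX UMASK -> the "max - umask" shortcut done digit by digit;
# returns 1 when a digit would go negative (the shortcut is simply undefined there)
subtract_mode() {
    i=1 out=""
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c "$i")
        b=$(printf '%s' "$2" | cut -c "$i")
        [ "$a" -ge "$b" ] || return 1
        out="$out$((a - b))"
        i=$((i + 1))
    done
    printf '0%s\n' "$out"
}

# show_both MAX UMASK -> prints the bitwise answer next to the shortcut's answer
# e.g. umask 133 on a file: bitwise 0644 (correct), subtraction 0533 (wrong);
# umask 027 on a file: bitwise 0640, subtraction undefined (6 - 7)
show_both() {
    printf 'max=%s umask=%s  bitwise=%s  subtraction=%s\n' "$1" "$2" \
        "$(default_mode "$1" "$2")" "$(subtract_mode "$1" "$2" || echo undefined)"
}
```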
II. Additional permission controls
1. Special permission bits
Set UID: 4, occupies the owner's (u) x bit
Set GID: 2, occupies the group's (g) x bit
Sticky bit: 1, occupies the others' (o) x bit
2. What the special permissions do
Set UID:
Only meaningful on executable programs. When another user runs a program carrying the SUID bit, it runs with the identity of the program's owner.
Set GID:
Can be set on executables: when another user runs a program carrying the SGID bit, it runs with the identity of the program's group.
Can also be set on directories: when a directory has SGID set, every file and subdirectory that anyone creates inside it automatically inherits the directory's group.
Sticky bit:
Set on directories: of the files and subdirectories anyone creates in that directory, only root and the creator of the file may delete it.
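To tie the ls -l field layout and the 4/2/1 values above together, here is an added example (not from the original notes) that decodes a mode string such as -rwsr-xr-x into the four-digit octal that chmod accepts and names the special bits it carries; it assumes a POSIX shell with cut. An upper-case S or T means the special bit is set but the underlying x bit is not, which is what chmod 4644 on a program produces.

```sh
# mode_to_octal MODESTRING -> 4-digit octal, e.g. -rwsr-xr-x -> 4755, drwxrwxrwt -> 1777
# characters 2-4 are u, 5-7 are g, 8-10 are o; s/S in the u or g x-slot and t/T in the
# o x-slot are the SUID (4), SGID (2) and sticky (1) bits of the leading digit
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] || { echo "mode_to_octal: need a 10-character string like -rwxr-xr-x" >&2; return 1; }
    special=0 digits="" i=2
    while [ "$i" -le 8 ]; do
        tri=$(printf '%s' "$m" | cut -c "$i-$((i + 2))")
        d=0
        case $tri in r??) d=$((d + 4)) ;; esac
        case $tri in ?w?) d=$((d + 2)) ;; esac
        case $tri in ??[xst]) d=$((d + 1)) ;; esac   # lower-case s/t imply x as well
        case $i in
            2) case $tri in ??[sS]) special=$((special + 4)) ;; esac ;;
            5) case $tri in ??[sS]) special=$((special + 2)) ;; esac ;;
            8) case $tri in ??[tT]) special=$((special + 1)) ;; esac ;;
        esac
        digits="$digits$d"
        i=$((i + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# special_bits MODESTRING -> names of the special bits set ("suid sgid", "sticky", ...) or "none"
special_bits() {
    oct=$(mode_to_octal "$1") || return 1
    s=${oct%???}                     # the leading special digit
    out=""
    if [ $((s & 4)) -ne 0 ]; then out="suid"; fi
    if [ $((s & 2)) -ne 0 ]; then out="${out:+$out }sgid"; fi
    if [ $((s & 1)) -ne 0 ]; then out="${out:+$out }sticky"; fi
    printf '%s\n' "${out:-none}"
}
```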
3. ACL policies
getfacl file: view a file's ACL policy
setfacl [options] u:username:perms file
setfacl [options] g:groupname:perms file
-m defines an ACL entry
-x removes the specified ACL entry
-b clears all ACL entries that have been set
-R applies recursively
-d sets the default ACL of a directory
I. Basic permissions and ownership
The company's technical department has a Linux development server. According to the project teams that make up the department, the corresponding user accounts need to be created and access rights configured on the directories holding development data.
1. The directories /tech/nsdhome and /tech/jsdhome belong to the nsd group and the jsd group respectively; other users are not allowed to enter them.
2. Create a departmental public directory /public that every employee of the technical department (tech group) can read, write and enter; other users are forbidden from accessing it.
[root@host /]# mkdir -p /tech/nsdhome
[root@host /]# mkdir -p /tech/jsdhome
[root@host /]# mkdir /public
[root@host /]# groupadd nsd
[root@host /]# groupadd jsd
[root@host /]# groupadd tech
[root@host /]# useradd -g nsd nsd01
[root@host /]# useradd -g nsd nsd02
[root@host /]# useradd -g jsd jsd01
[root@host /]# useradd -g jsd jsd02
[root@host /]# useradd -g tech yg01
[root@host /]# useradd yg02
[root@host /]# chown :nsd /tech/nsdhome
[root@host /]# ls -l /tech/nsdhome
total 0
[root@host /]# ls -ld /tech/nsdhome
drwxr-xr-x 2 root nsd 4096 07-30 11:36 /tech/nsdhome
[root@host /]# chmod o-rx /tech/nsdhome
[root@host /]# chown :jsd /tech/jsdhome
[root@host /]# ls -ld /tech/jsdhome
drwxr-xr-x 2 root jsd 4096 07-30 11:36 /tech/jsdhome
[root@host /]# chmod o-rx /tech/jsdhome
[root@host /]# chown :tech /public
[root@host /]# ls -ld /public
drwxr-xr-x 2 root tech 4096 07-30 11:36 /public
[root@host /]# chmod g+w /public
[root@host /]# ls -ld /public
drwxrwxr-x 2 root tech 4096 07-30 11:36 /public
[root@host /]# chmod o-rx /public
[root@host /]# ls -ld /public
drwxrwx--- 2 root tech 4096 07-30 11:36 /public
[root@host /]# ls -ld /tech/nsdhome
drwxr-x--- 2 root nsd 4096 07-30 11:36 /tech/nsdhome
[root@host /]# ls -ld /tech/jsdhome
drwxr-x--- 2 root jsd 4096 07-30 11:36 /tech/jsdhome
[root@host /]#
II. Additional permission controls
1. SUID experiment
Only applies to programs (commands): when anyone executes a command carrying the SUID bit, it runs as the command's owner.
[root@host ~]# ls -l /etc/shadow
[root@host ~]# which passwd
[root@host ~]# ls -l /usr/bin/passwd
[root@host ~]# umask 022
[root@host ~]# which touch
[root@host ~]# cp /bin/touch /bin/suidtouch
[root@host ~]# ls -l /bin/*touch
[root@host ~]# useradd lily
[root@host ~]# su - lily
[lily@host ~]$ suidtouch suid-file1.txt
[lily@host ~]$ ls -l suid-file1.txt
[lily@host ~]$ exit
[root@host ~]# ls -l /bin/suidtouch
[root@host ~]# chmod u+s /bin/suidtouch
[root@host ~]# ls -l /bin/suidtouch
[root@host ~]# su - lily
[lily@host ~]$ suidtouch suid-file2.txt
[lily@host ~]$ ls -l suid-file*
[lily@host ~]$ exit
[root@host ~]# rm -rf /bin/suidtouch
2. SGID experiment
Can be set on a program (command), and can also be set on a directory.
When anyone executes a command carrying the SGID bit, it runs with the group that owns the command.
[root@host ~]# which mkdir
[root@host ~]# cp /bin/mkdir /bin/sgidmkdir
[root@host ~]# ls -l /bin/*mkdir
[root@host ~]# su - lily
[lily@host ~]$ sgidmkdir test1
[lily@host ~]$ ls -ld test1
[lily@host ~]$ exit
[root@host ~]# chmod g+s /bin/sgidmkdir
[root@host ~]# ls -l /bin/sgidmkdir
[root@host ~]# su - lily
[lily@host ~]$ sgidmkdir test2
[lily@host ~]$ ls -ld test*
[lily@host ~]$ exit
[root@host ~]# rm -rf /bin/sgidmkdir
When SGID is set on a directory, any file or subdirectory that anyone creates inside it automatically inherits the group the directory itself belongs to.
[root@host ~]# mkdir /testgid
[root@host ~]# ls -ld /testgid/
drwxr-xr-x 2 root root 4096 Jan 6 16:53 /testgid/
[root@host ~]# chmod 0757 /testgid/
[root@host ~]# su - lily
[lily@host ~]$ mkdir /testgid/lilytest1
[lily@host ~]$ touch /testgid/lilyfile1.txt
[lily@host ~]$ ls -l /testgid/
[lily@host ~]$ exit
[root@host ~]# chmod 2757 /testgid/
[root@host ~]# ls -ld /testgid/
[root@host ~]# su - lily
[lily@host ~]$ mkdir /testgid/lilytest2
[lily@host ~]$ touch /testgid/lilyfile2.txt
[lily@host ~]$ ls -l /testgid/
3. Sticky bit (t) experiment
Set on shared directories: once the t bit is set on a directory, the files and subdirectories in it can only be deleted by root and by their owner.
[root@host ~]# mkdir /soft
[root@host ~]# ls -ld /soft/
[root@host ~]# chmod o+w /soft/
[root@host ~]# ls -ld /soft/
[root@host ~]# useradd wbb
[root@host ~]# useradd lhq
[root@host ~]# su - lhq
[lhq@host ~]$ cat /soft/lhq.txt
hello,byebye
[lhq@host ~]$ exit
[root@host ~]# su - wbb
[wbb@host ~]$ ls -ld /soft/
[wbb@host ~]$ ls -l /soft/
[wbb@host ~]$ rm -rf /soft/lhq.txt
[wbb@host ~]$ ls -l /soft/
[root@host ~]# chmod o+t /soft/
[root@host ~]# ls -ld /soft/
[root@host ~]# su - lhq
[lhq@host ~]$ cat /soft/lhq.txt
hello,byebye
[lhq@host ~]$ exit
[root@host ~]# su - wbb
[wbb@host ~]$ ls -l /soft/
[wbb@host ~]$ ls -ld /soft/
[wbb@host ~]$ rm -rf /soft/lhq.txt
[root@host ~]# find / -type f -a -perm +6000    # find the SUID/SGID programs on the system
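The find command above is a one-off; an administrator wants to know when the set of SUID/SGID programs changes. This added example (not from the original post) lists set-id files under a tree and diffs them against a saved baseline. It assumes GNU or busybox find and stat, and uses the portable "-perm -4000 -o -perm -2000" form because "-perm +6000" is deprecated in newer GNU find in favour of "-perm /6000".

```sh
# list_setid DIR -> one "mode owner group path" line per regular file with SUID or SGID set,
# sorted by path so two runs can be compared textually; stays on one filesystem (-xdev)
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %G %n' {} + 2>/dev/null | sort -k 4
}

# save_baseline DIR FILE -> record the current set of set-id files (run once on a known-good system)
save_baseline() {
    list_setid "$1" > "$2"
}

# audit_setid DIR BASELINE -> returns 0 when nothing changed; otherwise prints the diff
# ("> " lines are new or re-permissioned set-id files, "< " lines are ones that disappeared)
# and returns 1, so it can drive a cron job or a monitoring check
audit_setid() {
    current=$(mktemp) || return 2
    list_setid "$1" > "$current"
    if cmp -s "$2" "$current"; then
        rm -f "$current"
        return 0
    fi
    diff "$2" "$current" || :
    rm -f "$current"
    return 1
}
```

Running save_baseline / then audit_setid / from cron turns the manual find into a detection control: any new set-id binary, or an existing one whose mode, owner or group changed, shows up in the diff.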
4. ACL permission settings
Create the accounts mike, john and kaka
Create the file /data/file1.txt
mike has read and write access to the file, john can only read it, and other users have no permissions
kaka has the same permissions as john
• Create lily; lily has read and execute permission on file1.txt, and no other user has any permissions
[root@host ~]# tune2fs -l /dev/sda2 | grep acl
Default mount options:    user_xattr acl
[root@host ~]# tune2fs -l /dev/sda1 | grep acl
Default mount options:    user_xattr acl
[root@host ~]# ls -ld /data/
drwxrwxrwx 3 root root 4096 12-09 16:21 /data/
[root@host ~]# rm -rf /data/
[root@host ~]# mkdir /data
[root@host ~]# getfacl /data/
getfacl: Removing leading '/' from absolute path names
# file: data
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
[root@host ~]# ls -ld /data/
drwxr-xr-x 2 root root 4096 12-09 16:27 /data/
[root@host ~]# setfacl -m u:mike:rwx /data/
[root@host ~]# ls -ld /data/
drwxrwxr-x+ 2 root root 4096 12-09 16:27 /data/
[root@host ~]# getfacl /data/
getfacl: Removing leading '/' from absolute path names
# file: data
# owner: root
# group: root
user::rwx
user:mike:rwx
group::r-x
mask::rwx
other::r-x
[root@host ~]# setfacl -m u:john:r-- /data/
[root@host ~]# setfacl -m u:kaka:r-- /data/
[root@host ~]# setfacl -m u:lily:r-x /data/
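The getfacl output above gained a mask::rwx line as soon as the first named user was added; that mask caps every entry except user:: (the owner) and other::, and it is what a plain chmod on the group bits rewrites on an ACL-bearing file, so a user can still be listed as rwx yet be unable to write. This added example (not from the original post) computes the rights a principal actually gets once the mask is applied; the ACL text is constructed to look like /data after the setfacl commands above with the mask later narrowed to r-x, and it assumes a POSIX shell with sed and cut.

```sh
# Constructed getfacl output (not captured from a real system): /data after the post's
# setfacl commands, with the mask narrowed to r-x, e.g. by a later "chmod g-w /data"
ACL_SAMPLE='# file: data
# owner: root
# group: root
user::rwx
user:mike:rwx
user:john:r--
group::r-x
mask::r-x
other::---'

# and_perms A B -> rwx string keeping only the bits present in both A and B
and_perms() {
    i=1 out=""
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c "$i")
        b=$(printf '%s' "$2" | cut -c "$i")
        if [ "$a" = "$b" ] && [ "$a" != "-" ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# effective_perm ACLTEXT WHO -> the rights WHO really has, where WHO is "user:NAME",
# "group:NAME", "user:" (the owner), "group:" (the owning group) or "other:";
# returns 1 when the ACL has no entry for WHO
effective_perm() {
    acl=$1 who=$2
    entry=$(printf '%s\n' "$acl" | sed -n "s/^${who}:\(...\).*/\1/p")
    [ -n "$entry" ] || return 1
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\).*/\1/p')
    case $who in
        user:|other:) printf '%s\n' "$entry" ;;   # owner and other are never masked
        *) if [ -n "$mask" ]; then and_perms "$entry" "$mask"; else printf '%s\n' "$entry"; fi ;;
    esac
}
```

With this sample, mike is listed as rwx but effectively gets r-x, which is exactly the "#effective:" annotation getfacl prints in that situation; checking the mask line, not just the user entry, is the habit to build.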