Linux Basics-Rights Management

Source: Internet
Author: User

1. Permission model

    • In Linux everything is a file, and permissions are the read (r), write (w) and execute (x) rights on those files;

    • Permissions are inseparable from users: a permission states what the file's owner (user), the members of its group (group), and everyone else (other) may do with the file.

    • All activity in Linux is carried out by processes, which act on the user's behalf; in general, a process runs with the permissions of the user who started it.


Therefore, the mechanism by which Linux permissions take effect is this: determine whether the user who launched the process is the owner of the file it wants to access, a member of the file's group, or an "other" user; then use that class's permissions on the file to decide whether the requested operation is allowed. If the permission is present the operation goes ahead, otherwise it is denied. (A process run through "su -c" acts with the permissions of the user whose identity was switched to.)
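The class-selection step just described, as an added example that is not part of the original article: the process's user is matched against the file's owner, then its group list against the file's group, and only the matching triplet is consulted. The sample users, groups and mode strings are constructed; root's DAC override and POSIX ACLs are outside this plain model.

```shell
#!/bin/bash
# Added example, not from the original article: resolve which permission class
# (owner / group / other) applies to a process, then check one operation against
# that class's triplet only. Root's override and ACLs are deliberately ignored.

# resolve_class MODE OWNER GROUP USER "GROUPS..."
# MODE is an ls -l style string such as -rw-r-----; prints "<class> <rwx>".
resolve_class() {
    local mode=$1 owner=$2 group=$3 user=$4 groups=$5 g
    if [ "$user" = "$owner" ]; then
        printf 'owner %s\n' "${mode:1:3}"
        return 0
    fi
    for g in $groups; do
        if [ "$g" = "$group" ]; then
            printf 'group %s\n' "${mode:4:3}"
            return 0
        fi
    done
    printf 'other %s\n' "${mode:7:3}"
}

# check_access MODE OWNER GROUP USER "GROUPS..." OP   (OP is r, w or x)
# Prints "allowed" or "denied" based solely on the triplet resolve_class picked.
# A lowercase s or t in ls output implies the x bit is also set, so it counts as x.
check_access() {
    local op=$6 triplet
    triplet=$(resolve_class "$1" "$2" "$3" "$4" "$5")
    triplet=${triplet#* }                # drop the class name, keep the rwx part
    case $op in
        x) case $triplet in *[xst]*) echo allowed ;; *) echo denied ;; esac ;;
        *) case $triplet in *"$op"*) echo allowed ;; *) echo denied ;; esac ;;
    esac
}

# Constructed samples: /etc/shadow as listed in the article (no bits for anyone),
# a group-readable file, and a file whose owner has fewer rights than "other".
check_access '----------' root root alice 'alice users' r      # denied
check_access '-rw-r-----' root shadow alice 'alice shadow' r   # allowed
check_access '-rw-r-----' root shadow alice 'alice shadow' w   # denied
check_access '----rwxrwx' alice alice alice 'alice' r          # denied: owner class wins
check_access '-rwsr-xr-x' root root alice 'alice' x            # allowed
```

The fourth case is the point worth remembering: once the owner class matches, the more generous group and other triplets are never consulted.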


2. General permissions r/w/x

This is relatively easy to understand and is not covered here; you can refer to this [link].


3. Special permissions: SUID/SGID/sticky bit


3.1 SUID/SGID


As everyone knows, /etc/passwd stores the accounts and basic information of all users, and user passwords are stored encrypted in /etc/shadow.

Files like these cannot grant write permission to ordinary users, and /etc/shadow grants no permissions at all, yet every user can change their own password with the /bin/passwd command. This is implemented through SUID, the s in -rwsr-xr-x.

    [user ~]$ ls -l /bin/passwd /etc/passwd /etc/shadow
    -rwsr-xr-x. 1 root root 27832 Jun     2014 /bin/passwd
    -rw-r--r--  1 root root  1763 Mar  8 07:32 /etc/passwd
    ----------  1 root root  1144 Mar  8 10:16 /etc/shadow


SUID allows other users, without switching identity, to run a program with the permissions of the owner of the program file.

    [user tmp]$ ls -l test test.sh
    -rw------- 1 twoyang twoyang    Apr 11:06 test
    -rwsr-xr-x 1 twoyang twoyang 32 Mar 11:10 test.sh
    [user tmp]$ cat test
    cat: test: Permission denied
    [user tmp]$ cat test.sh
    #!/bin/bash
    echo Test
    [user tmp]$ ./test.sh
    Test
    [user tmp]$


SGID works in the same way, but for groups: it lets other users, without switching into that group, run a program with the permissions of the group that owns the program file.


3.2 Sticky bit


The /tmp directory is a temporary folder shared by all users, and all users have read and write permission on it. When everyone can read and write in a folder, there is the problem that a file may be deleted by mistake by someone other than its owner. Yet this problem does not occur in /tmp; that is achieved by the sticky bit, the t in drwxrwxrwt.

    [root ~]# ls -dl /tmp/
    drwxrwxrwt.   root root 4096 Mar 11:19 /tmp/
    [root ~]# su - mageedu
    [mageedu tmp]$ ls -l
    total 1
    -rwxrwxrwx 1 twoyang twoyang  11:06 test
    [mageedu tmp]$ rm -f test
    rm: cannot remove 'test': Operation not permitted


With the sticky bit set, apart from the directory's owner and root, only a file's own owner may delete it; other users cannot delete files they do not own. Modifying such a file is still possible, as long as its owner grants other users write permission on it.


3.3 Setting special permissions: SUID/SGID/sticky bit


Add special permissions:

    SUID:       chmod u+s xxx
    SGID:       chmod g+s xxx
    sticky bit: chmod o+t xxx

Remove special permissions:

    SUID:       chmod u-s xxx
    SGID:       chmod g-s xxx
    sticky bit: chmod o-t xxx


SUID/SGID/sticky bit form a set of permission bits similar to r/w/x, so special permissions can also be added numerically:

    SUID:       chmod 4755 xxx
    SGID:       chmod 2755 xxx
    sticky bit: chmod 1777 xxx


At this point one often thinks of umask being set with four digits, such as 0022, and assumes the first digit is likewise associated with the special permissions. In fact it is not: the leading 0 indicates that the following three digits are an octal number.

    [root ~]# umask 1022
    -bash: umask: 1022: octal number out of range

As can be seen, 1022 is parsed as the three digits 10, 2, 2, and 10 is not an octal digit, hence the error shown above: octal number out of range.


Finally, after special permissions are set on some files, the letter shown is not a lowercase s or t but an uppercase S or T. This means the special permission on that file is not in effect, because the corresponding x permission has not been granted.

    [user tmp]$ ls -dl testdir/ test.sh
    drwxr--r-T 2 twoyang twoyang 6 Mar 23:08 testdir/
    -rwSr--r-- 1 twoyang twoyang 0 Mar 23:09 test.sh
    [user tmp]$ chmod u+x test.sh
    [user tmp]$ chmod o+x testdir/
    [user tmp]$ ls -dl testdir/ test.sh
    drwxr--r-t 2 twoyang twoyang 6 Mar 23:08 testdir/
    -rwsr--r-- 1 twoyang twoyang 0 Mar 23:09 test.sh
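The numeric chmod forms from section 3.3 and the uppercase S/T caveat above, exercised together as an added example that is not part of the original article: scratch files in a private temp directory receive the article's modes plus two deliberately incomplete ones, and a small decoder reads the resulting mode strings the way an auditor scanning `ls -l` output would. It assumes a Linux stat that accepts -c '%a %A'; all file names are constructed.

```shell
#!/bin/bash
# Added example, not part of the original article: apply special-permission
# modes to scratch files, then decode the mode strings and flag any special
# bit whose matching execute bit is missing (the uppercase S/T case).
# Assumes GNU or BusyBox stat with -c '%a %A'.

# decode_special MODE  (10-char string such as -rwsr-xr-x or drwxrwxrwt)
# Prints each special bit present and whether it is effective or dead.
decode_special() {
    local mode=$1 out=""
    case ${mode:3:1} in                  # owner execute slot
        s) out="$out suid:effective" ;;
        S) out="$out suid:DEAD(no-u+x)" ;;
    esac
    case ${mode:6:1} in                  # group execute slot
        s) out="$out sgid:effective" ;;
        S) out="$out sgid:DEAD(no-g+x)" ;;
    esac
    case ${mode:9:1} in                  # other execute slot
        t) out="$out sticky:effective" ;;
        T) out="$out sticky:DEAD(no-o+x)" ;;
    esac
    out=${out# }
    printf '%s\n' "${out:-none}"
}

# run_demo: create scratch objects, set the article's numeric modes plus two
# broken variants, and print "<name> <octal> <symbolic> <decode>" per object.
run_demo() {
    local d f
    d=$(mktemp -d) || return 1
    touch "$d/suid_ok" "$d/sgid_ok" "$d/suid_dead"
    mkdir "$d/shared" "$d/sticky_dead"
    chmod 4755 "$d/suid_ok"          # u+s on an executable      -> s
    chmod 2755 "$d/sgid_ok"          # g+s on an executable      -> s
    chmod 1777 "$d/shared"           # /tmp-style shared directory -> t
    chmod 4644 "$d/suid_dead"        # u+s without u+x           -> S (inert)
    chmod 1776 "$d/sticky_dead"      # o+t without o+x           -> T (inert)
    for f in suid_ok sgid_ok shared suid_dead sticky_dead; do
        printf '%s %s %s\n' "$f" "$(stat -c '%a %A' "$d/$f")" \
            "$(decode_special "$(stat -c '%A' "$d/$f")")"
    done
    rm -rf "$d"
}

run_demo
```

The same decoder applied to a real listing (for example the output of `find / -perm /6000 -type f -exec ls -l {} +`) gives a quick inventory of effective SUID/SGID programs and of bits that were set but never took effect.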


This article is from the "knfprex3a29" blog; please keep this source: http://knfprex3a29.blog.51cto.com/9761463/1750475
