Linux Classification Notes (i)-Rights management


Normal file permissions

After running ls -l on an ordinary file you see output of the form shown in the figure, and each part of the file's permission string has the meaning described below.

The first character gives the file type, which falls into one of the following categories:

    • [d]: directory
    • [-]: regular file
    • [l]: symbolic link
    • [b]: block device, such as a storage device interface
    • [c]: character device, such as a keyboard or mouse

Definition of permissions:

    • r: readable. On a regular file, r means the actual contents of the file can be read; on a directory, r means the directory's structure list (its entries) can be read
    • w: writable. On a regular file, w means the file's contents can be edited, appended to or modified, but the file itself cannot be deleted; on a directory, w means the directory's structure list can be changed, i.e. files or directories can be created, deleted, renamed or moved within that directory
    • x: executable. On a regular file, x means the file can be executed by the system; on a directory, x means the directory can become the working directory, that is, you can cd into it

General permission change commands

Note: none of these permission settings restrict root.

    • chgrp: change the group a file belongs to
      • chgrp [-R] groupname filename/dirname: -R recursively changes the directory and everything below it
    • chown: change the file owner (it can also do what chgrp does)
      • chown [-R] username filename/dirname: change the owner only
      • chown [-R] username:groupname filename/dirname: change both owner and group
      • chown [-R] .groupname filename/dirname: change the group only
    • chmod: change the permissions of a file
      • Numeric form: chmod [-R] num filename/dirname
      • r: 4
      • w: 2
      • x: 1
      • To set a file's permissions to -rwxr-xr-x: chmod 755 file

Symbolic form

To set a file's permissions to -rwxr-xr-x: chmod u=rwx,g=rx,o=rx file

Special file permissions

The figure above showed only the three ordinary permissions rwx, but browsing the permissions of the /tmp directory and of the /usr/bin/passwd file reveals some special permissions.

When an s appears in the owner's x position of a file, it is called Set UID, abbreviated SUID. This special permission works as follows:

SUID is only valid for binary programs

The executor must have x (execute) permission on the program

The permission is only effective for the duration of that program's execution

While it runs, the executor holds the privileges of the program's owner

Example: when an ordinary user changes their own password, the new password must be written to the file /etc/shadow, whose permissions are

-r-------- 1 root root 1249 Nov 9 15:53 /etc/shadow

Only root can write to this file, yet an ordinary user can still change their password with the passwd command, because the SUID bit on /usr/bin/passwd gives every user root privileges while that command executes.

When an s appears in the group's x position, it is called Set GID, abbreviated SGID. This permission has the following features:

SGID applied to a file:

SGID is only useful for binary programs

The executor must have x permission on the program

While it runs, the executor gains the privileges of the program's group

SGID applied to a directory:

A user can enter the directory if they have r and x permissions on it

The user's effective group inside the directory becomes the directory's group

If the user also has w permission in the directory (can create new files), the group of any file the user creates there is the same as the directory's group

SGID is important for project development

For example: two developers, A and B, belong to different groups and now need a shared directory (/test) in which each of them may freely modify the contents and attributes of any file, while nobody else may. If you simply put A and B in the same group (developer) and set the group of /test to developer, a file A creates under /test still has these attributes: -rw-r--r-- 1 A 0 Nov 9 18:02 file

As you can see, the newly created file's group is still A's own group, so B cannot change it. But once SGID is set on the directory with chmod 2770 /test, every new file that either A or B creates in it belongs to the developer group. If A and B also set umask to 002 before creating files there, the files either of them creates in this directory can be freely modified by the other and cannot be modified by anyone else.

Note that the /tmp directory carries a t flag. This is called SBIT (the sticky bit); it is only valid for directories and has the following features:

It applies when users have w and x permissions on the directory, i.e. permission to write to it

When a user creates a file or directory under that directory, only that user and root have the right to delete it

Example: any user can create files and directories in /tmp, but each user can only delete their own files and directories there, not those of other users. root can delete everything.

Special permission change command

Special permissions can also be changed with chmod using the numeric representation:

SUID: 4

SGID: 2

SBIT: 1

Just add one more digit in front of the normal permission. For example, to set the normal permission 755 together with SUID, use the command: chmod 4755 filename
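The following POSIX shell script is an added example, not part of the original notes: it converts the numeric modes that chmod takes (including the leading SUID/SGID/SBIT digit described here) into the nine-character string that ls -l prints, with the s/S and t/T forms, and parses such a string back into a numeric mode; it covers both the normal digits from the chmod section above and the special digits of this section.

```shell
# Character number $2 (1-based) of string $1.
ch() { printf '%s' "$1" | cut -c"$2"; }

# Convert a 3- or 4-digit octal mode (e.g. 4755, as given to chmod) into the
# nine-character string printed by ls -l. A special bit occupies the x slot
# of its column: lower-case s/t when x is also set, upper-case S/T when not.
mode_to_symbolic() {
  mode=$1 out="" i=1
  case ${#mode} in
    4) special=$(ch "$mode" 1); perms=$(printf '%s' "$mode" | cut -c2-) ;;
    *) special=0; perms=$mode ;;
  esac
  while [ $i -le 3 ]; do
    d=$(ch "$perms" $i)
    # special-bit value and letter belonging to column i (user, group, other)
    case $i in 1) sp=$((special & 4)) l=s ;; 2) sp=$((special & 2)) l=s ;; *) sp=$((special & 1)) l=t ;; esac
    [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    if [ $((d & 1)) -ne 0 ]; then
      [ "$sp" -ne 0 ] && out="$out$l" || out="${out}x"
    else
      [ "$sp" -ne 0 ] && out="$out$(printf '%s' "$l" | tr a-z A-Z)" || out="${out}-"
    fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# Reverse direction: parse an ls -l permission string (with or without the
# leading file-type character) back into a 4-digit octal mode.
symbolic_to_mode() {
  sym=$1 special=0 perms="" col=1
  [ ${#sym} -eq 10 ] && sym=$(printf '%s' "$sym" | cut -c2-)
  while [ $col -le 3 ]; do
    start=$(( (col - 1) * 3 + 1 )) d=0
    case $(ch "$sym" $start) in r) d=$((d + 4)) ;; esac
    case $(ch "$sym" $((start + 1))) in w) d=$((d + 2)) ;; esac
    case $(ch "$sym" $((start + 2))) in x|s|t) d=$((d + 1)) ;; esac
    perms="$perms$d" col=$((col + 1))
  done
  case $(ch "$sym" 3) in s|S) special=$((special + 4)) ;; esac
  case $(ch "$sym" 6) in s|S) special=$((special + 2)) ;; esac
  case $(ch "$sym" 9) in t|T) special=$((special + 1)) ;; esac
  printf '%d%s\n' "$special" "$perms"
}

for m in 755 4755 2770 1777 4644; do
  s=$(mode_to_symbolic "$m")
  printf '%s -> %s -> %s\n' "$m" "$s" "$(symbolic_to_mode "$s")"
done
```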

File default permissions

When you create a new file or directory, its default permissions are derived from the umask. Typing umask or umask -S shows the current setting. Note that the umask value means "the permissions that are to be removed from the default value".

By default:

A file created by a user has no execute permission, so the maximum value is 666, i.e. -rw-rw-rw-

A directory created by a user has all permissions, so the maximum value is 777, i.e. drwxrwxrwx

The default umask is 0022; the first 0 stands for the special permissions and the next three digits for the normal permissions.

So:

When a user creates a new file: (-rw-rw-rw-) - (-----w--w-) = -rw-r--r-- (644)

When a user creates a new directory: (drwxrwxrwx) - (d----w--w-) = drwxr-xr-x (755)

To make new files default to 664, use the command umask 002. Note: do not work out the default permission with numeric subtraction. If umask is set to 003, then 666 - 003 = 663 would suggest an x permission for others that does not exist, so it is best to work it out in the symbolic form instead.
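As an added example that is not from the original notes, the POSIX shell script below computes the default mode for any umask the way the kernel does, with a bitwise AND-NOT rather than subtraction, and then creates a real file and directory under that umask to confirm the result (it assumes a stat command that accepts -c %a, as GNU and BusyBox stat do).

```shell
# Default mode of a new file (base 666) or directory (base 777) under a given
# umask. The kernel clears the umask bits with a bitwise AND-NOT; it never
# subtracts, so umask 003 on a file yields 664, not the "663" that digit-wise
# subtraction suggests (which would hand others an x bit that never existed).
# A leading 0 makes the shell read both arguments as octal.
default_mode() {   # $1 = base (666 or 777), $2 = umask (e.g. 022, 002, 003)
  printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Cross-check against the kernel: create a real file and directory under the
# requested umask in a throw-away directory and read back the modes actually
# assigned (assumption: stat supports -c %a, which GNU and BusyBox stat do).
observe_umask() {   # $1 = umask
  tmpd=$(mktemp -d) || return 1
  ( umask "$1"; : > "$tmpd/f"; mkdir "$tmpd/d"
    printf 'file=%s dir=%s\n' "$(stat -c %a "$tmpd/f")" "$(stat -c %a "$tmpd/d")" )
  rm -rf "$tmpd"
}

for u in 022 002 003; do
  printf 'umask %s: computed file=%s dir=%s; kernel says %s\n' "$u" \
    "$(default_mode 666 "$u")" "$(default_mode 777 "$u")" "$(observe_umask "$u")"
done
```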

ACL

ACL is the abbreviation of Access Control List. It provides finer-grained permission settings: r, w and x can be set for a single user on a single file or directory, which is useful whenever special permissions are needed.

ACLs must be supported by the file system. Most current file systems support ACLs, and CentOS in particular enables ACL support by default.

getfacl command: get the ACL entries of a file/directory

The effective permission of a user or group entry must fall within the mask's permission setting to be valid, i.e. it cannot exceed the permissions set by the mask

setfacl command: set ACL rules on a directory/file

Usage: setfacl [-bkRd] [{-m|-x} acl_spec] filename

Parameters:

-m: set the ACL entries that follow on the file; cannot be combined with -x

-x: remove the ACL entries that follow; cannot be combined with -m

-b: remove all ACL entries

-k: remove the default ACL entries

-R: set ACLs recursively, so subdirectories are set as well

-d: set default ACL entries, which are only valid for directories; new data created in the directory inherits these values

Example: several programmers have full access to the same directory (/home/project), and only the project manager (manager) is additionally allowed to access it (nobody else may enter the directory, and the project manager must not be able to modify anything). This is where the ACL comes in:

setfacl -m u:manager:rx /home/project

The status of /home/project at this point is:

drwxrws---+ 2 root develop 6 Nov 11:41 project
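The script below is an added example, not part of the original notes: it applies the mask rule above to a constructed getfacl listing for /home/project (the mask is assumed to have been tightened to r-x afterwards) and prints the effective permission of each entry, which is what getfacl itself shows in its "#effective:" comments.

```shell
# Constructed getfacl output for /home/project after the setfacl above, with
# the mask then tightened to r-x (setfacl -m m::rx /home/project) so that the
# effect of the mask on the named-user and group entries becomes visible.
SAMPLE_ACL='# file: home/project
# owner: root
# group: develop
user::rwx
user:manager:rwx
group::rwx
mask::r-x
other::---'

# Slot-by-slot AND of two rwx strings (a letter survives only if both have it).
mask_perms() {
  i=1 out=""
  while [ $i -le 3 ]; do
    a=$(printf '%s' "$1" | cut -c$i); b=$(printf '%s' "$2" | cut -c$i)
    [ "$a" = "$b" ] && out="$out$a" || out="${out}-"
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# Effective permission of one entry, named as in getfacl output without the
# permission field: "user:" (owner), "user:manager", "group:" (owning group),
# "other:". Only the owner and other entries escape the mask.
effective_entry() {   # $1 = ACL text, $2 = entry name
  em=$(printf '%s\n' "$1" | awk -F: '$1 == "mask" { print $3 }')
  ep=$(printf '%s\n' "$1" | awk -F: -v e="$2" '($1 ":" $2) == e { print $3 }')
  case $2 in
    user:|other:) printf '%s\n' "$ep" ;;
    *) mask_perms "$ep" "$em" ;;
  esac
}

# Print every entry with the permission it actually grants once the mask is
# applied.
effective_acl() {
  printf '%s\n' "$1" | while IFS=: read -r tag qual perms; do
    case $tag in
      user|group|other) printf '%-16s -> %s\n' "$tag:$qual:$perms" "$(effective_entry "$1" "$tag:$qual")" ;;
    esac
  done
}

effective_acl "$SAMPLE_ACL"
```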

SELinux

SELinux is the acronym of Security Enhanced Linux, literally a security-hardened Linux; it is used to prevent resources from being misused.

The traditional file system uses DAC (discretionary access control), which decides whether a process may access a resource based on the process owner and the rwx permissions of the file resource. DAC has several key problems:

1. root has the highest authority and is not subject to any restrictions;

2. If a directory is accidentally set to 777, anyone can access and change it arbitrarily

SELinux instead uses MAC (mandatory access control), which can control the permissions of specific processes on specific file resources. That is, even if you are root, the permissions you obtain through a given process are not necessarily root's, but depend on the settings for that process at that time. The subject of control thus becomes the process rather than the user, and the subject process cannot use system file resources arbitrarily, because every file resource also carries a permission setting for that subject process. SELinux provides some default policies, each containing many rules, and lets you choose whether to enable each control rule.

Example: the WWW server software is implemented by the httpd process. By default httpd can only access files under the /var/www directory; if the httpd process is to access data in another directory, the corresponding rule has to be enabled and the target directory also has to be set to a type that httpd can read. So even if httpd were taken over by an attacker, it would still have no access to /etc/shadow and other important configuration files.

SELinux startup and shutdown

SELinux supports three modes:

Enforcing: enforcing mode; SELinux is running and actively restricts resource access

Permissive: permissive mode; SELinux is running but only logs warning messages and does not actually restrict access to resources, which is used for debugging

Disabled: off

The current mode can be obtained with the command getenforce. There are two ways of switching modes:

If you are already in enforcing mode but some setting causes SELinux to prevent a service from running, you can switch to permissive with the command setenforce 0. In permissive mode SELinux only warns you that the access was not successful, instead of directly blocking the read access of the subject process. Switch back from permissive to enforcing with setenforce 1.

To switch from disabled to one of the enabled modes, edit the configuration file /etc/selinux/config and change SELINUX=disabled to SELINUX=enforcing; conversely, to turn SELinux off, change SELINUX=enforcing to SELINUX=disabled, then reboot.

Note that when switching from disabled to enforcing, the boot process becomes lengthy because the SELinux security contexts have to be rewritten

The SELinux decision process

A process's access to a target goes through SELinux's decision process: the subject program must first pass the rules of the SELinux policy, and only then is its security context (the "security" spoken of in this article) compared with that of the target resource. If the comparison fails, the target cannot be accessed; if it succeeds, access to the target can begin, but whether the access finally succeeds still depends on the rwx permission settings of the file system. So when a permission problem occurs, it has to be analysed step by step.

So what exactly is the security context?

It can be viewed with the command ls -Z; as the figure shows, a security context consists mainly of three parts.

So how does the /usr/sbin/httpd process get through SELinux's decision to access the files in the /var/www/html directory?

First of all, the file /usr/sbin/httpd has the type httpd_exec_t. When this file is executed, the resulting subject process is placed in the httpd domain (httpd_t), and the SELinux policy defines many rules for that domain. One of them allows the domain to read target files of type httpd_sys_content_t, so as long as a page is placed in the /var/www/html directory it can be read by the httpd process.

Whether the file can finally be read is then limited by its normal permissions, which must contain rx

More detailed information on SELinux policy and rule management is here:

http://vbird.dic.ksu.edu.tw/linux_basic/0440processcontrol.php

Example of SELinux operation

Successful case

Create a new file with some content in the /var/www/html directory:

echo "First page" > /var/www/html/index.html

Then enter the URL http://192.168.1.112 in a browser and you can see the page display "First page"

This works because the permissions of the new index.html file under /var/www/html are as follows:

-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html

Failed case

Delete the index.html file just created in the /var/www/html directory

rm -f /var/www/html/index.html

Then create a new file with some content in the /tmp directory and move it into place:

echo "Second page" > /tmp/index1.html

mv /tmp/index1.html /var/www/html

Then enter the URL http://192.168.1.112/index1.html in a browser (remember to specify index1.html, otherwise you get the welcome page). An error message pops up: "You don't have permission to access /index1.html on this server."

This is because the permissions of index1.html at this point are as follows:

-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 index1.html

Note the part that differs (shown in grey in the figure) from the index.html file above: the httpd process cannot read a target file of type user_tmp_t. This is where SELinux is powerful.
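The POSIX shell script below is an added example rather than code from the original notes: it reproduces the two-stage decision on constructed ls -Z style lines for the two files of this example (plus a third, assumed file with the right type but no read bit for others), checking the SELinux type first and the normal rwx bits second; the list of types the httpd domain may read is an assumption limited to the one type the notes name.

```shell
# Constructed ls -Z style lines for the two files in the example above, plus a
# third, assumed file whose type is right but whose mode gives others no read
# bit (columns: mode, owner, group, security context, name).
OK_LINE='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html'
BAD_LINE='-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 index1.html'
NOREAD_LINE='-rw-------. root root unconfined_u:object_r:httpd_sys_content_t:s0 secret.html'

# Types the httpd domain is allowed to read in this demo. The notes name only
# httpd_sys_content_t; the real policy allows more, so this list is an assumption.
HTTPD_READABLE_TYPES="httpd_sys_content_t"

# Third field of a security context user:role:type:level is the type.
context_type() { printf '%s' "$1" | cut -d: -f3; }

# Walk the two-stage decision from the notes: the SELinux type check comes
# first, and only if it passes do the ordinary rwx bits decide. httpd runs as
# an unprivileged service user that is neither owner nor group of these files,
# so the "other" read bit (character 8 of the mode) is the one that counts.
# Prints the verdict and returns 1 on denial.
httpd_can_read() {
  read -r mode owner group ctx name <<EOF
$1
EOF
  ftype=$(context_type "$ctx")
  case " $HTTPD_READABLE_TYPES " in
    *" $ftype "*) ;;
    *) printf 'DENY  %s: type %s is not readable from the httpd domain\n' "$name" "$ftype"
       return 1 ;;
  esac
  case $(printf '%s' "$mode" | cut -c8) in
    r) ;;
    *) printf 'DENY  %s: type ok, but mode %s gives others no read bit\n' "$name" "$mode"
       return 1 ;;
  esac
  printf 'ALLOW %s: type %s, mode %s\n' "$name" "$ftype" "$mode"
}

for line in "$OK_LINE" "$BAD_LINE" "$NOREAD_LINE"; do
  httpd_can_read "$line" || true
done
```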

Installing setroubleshoot

You can analyse SELinux without any tool by opening the log file /var/log/audit/audit.log and searching it directly, but the format of that log is hard to read, so use setroubleshoot to deal with the problems caused by SELinux. Install it with yum:

yum install setroubleshoot setools -y

After installation you can use a command called sealert to parse the log; it scans the whole log file and picks out the SELinux part. Run the command:

sealert -a /var/log/audit/audit.log

The previous example created an SELinux problem, so the scan shows it here:

Running the workaround given in the results resolves the SELinux problem
