Linux Notes (1): Permission Management
Normal file permissions
Running ls -l on an ordinary file prints one line for it (shown in the figure of the original notes), and the permission string at the start of that line breaks down as follows.
The first character is the file type:
- [d]: directory
- [-]: regular file
- [l]: symbolic link
- [b]: block device (storage devices such as disks)
- [c]: character device (serial devices such as keyboards and mice)
The remaining nine characters are three rwx triplets, for the owner, the group and others:
- r: readable. On a regular file, r allows reading the file's actual contents; on a directory, r allows reading the directory's structure list (the names it contains).
- w: writable. On a regular file, w allows editing, appending to or modifying the file's contents, but not deleting the file itself; on a directory, w allows changing the directory's structure list: creating, deleting, renaming and moving files or directories inside it.
- x: executable. On a regular file, x allows the system to execute it; on a directory, x allows it to become the working directory, that is, you can cd into it.
Commands for changing normal permissions
Note: none of these permission settings restrict root.
- chgrp: change the group a file belongs to
- chgrp [-R] groupname filename/dirname: -R recurses into a directory and changes everything under it
- chown: change the file owner (it can also do what chgrp does)
- chown [-R] username filename/dirname: change only the owner
- chown [-R] username:groupname filename/dirname: change both owner and group
- chown [-R] .groupname filename/dirname: change only the group (a leading : instead of . also works)
- chmod: change the permissions of a file
- Numeric form: chmod [-R] num filename/dirname, where each rwx triplet is the sum of
- r: 4
- w: 2
- x: 1
- Set a file to -rwxr-xr-x: chmod 755 file
Symbolic form
Set a file to -rwxr-xr-x: chmod u=rwx,g=rx,o=rx file
Special file permissions
The figure above only shows the three ordinary rwx permissions, but looking at the permissions of the /tmp directory and of the /usr/bin/passwd file reveals some special permission bits.
When an s appears in the owner's x position of a file, it is called set UID, or SUID for short. This special permission has the following properties:
- SUID is only effective on binary programs
- The executor must have x permission on the program
- The permission is only effective while the program is running
- The executor temporarily gains the permissions of the program's owner
Example: when an ordinary user changes their own password, the password has to be written to the file /etc/shadow, whose permissions are:
-r-------- 1 root root 1249 Nov 9 15:53 /etc/shadow
So only root can write to it, yet an ordinary user can change their password with the passwd command, because the SUID bit on /usr/bin/passwd gives every user root privileges while that command runs.
When an s appears in the group's x position, it is called set GID, or SGID for short. This permission has the following properties:
SGID on a file:
- SGID is only effective on binary programs
- The executor must have x permission on the program
- The executor temporarily gains the permissions of the program's group while it runs
SGID on a directory:
- A user with r and x permission on the directory can enter it
- Inside the directory, the user's effective group becomes the directory's group
- If the user also has w permission on the directory (can create new files), the new files they create get the directory's group rather than their own
SGID matters for project development.
Example: developers A and B belong to different groups and need a shared directory (/test) in which either of them may modify the contents and attributes of any file, while nobody else may. If you simply put A and B into the same group (developer) and set the group of /test to developer, a file created under /test still has the attributes: -rw-r--r-- 1 A 0 Nov 9 18:02 file
As shown, the group of the new file is still only A, so B cannot change it. But once /test is given SGID with chmod 2770 /test, new files created in it by either A or B get the developer group. If A and B both set umask 002 before creating files there, the files either of them creates can be freely modified by the other, while others are prevented from modifying them.
Note the t in the permissions of the /tmp directory; this is called the sticky bit (SBIT). It is only effective on directories and has the following properties:
- When a user has w and x permission on the directory, that is, permission to write into it,
- then for files or directories the user creates there, only that user and root have the right to delete them
Example: any user can create files and directories in /tmp, but each user can only delete their own, not other users' files and directories. root, however, can delete everything.
Commands for changing special permissions
Special permissions can also be set with chmod using the numeric form:
- SUID: 4
- SGID: 2
- SBIT: 1
Just prepend this digit to the normal permissions. For example, to set normal permissions of 755 plus SUID, use: chmod 4755 filename
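The chmod forms above, applied to scratch files so the result can be read back with stat. This is an added example, not code from the original notes: it assumes GNU coreutils (stat -c, mktemp) on a file system that stores mode bits, needs no root, and the SGID group-inheritance check uses whatever secondary group the current user happens to have.

```shell
# Added example (not from the original notes). Assumes GNU coreutils (stat -c,
# mktemp) on a file system that keeps mode bits; no root needed.

# Permission string as ls -l prints it, e.g. -rwsr-xr-x
mode_string() {
    stat -c %A "$1"
}

# Create a scratch file or directory, apply one chmod argument (numeric or
# symbolic) and print the resulting permission string. The scratch tree is
# removed afterwards, so the caller's file system is left untouched.
mode_after_chmod() {
    chmod_arg=$1
    kind=${2:-file}
    scratch=$(mktemp -d)
    if [ "$kind" = dir ]; then
        mkdir "$scratch/target"
    else
        : > "$scratch/target"
    fi
    chmod "$chmod_arg" "$scratch/target"
    result=$(mode_string "$scratch/target")
    rm -rf "$scratch"
    printf '%s\n' "$result"
}

# SGID directory: print the numeric gid of the directory and of a file created
# inside it. With 2770 set they match even when the creator's primary group
# differs. Uses the user's second group from id -G when there is one, so the
# inheritance is visible; with a single group the two are trivially equal.
sgid_dir_groups() {
    scratch=$(mktemp -d)
    mkdir "$scratch/project"
    grp=$(id -G | awk '{ print (NF > 1) ? $2 : $1 }')
    chgrp "$grp" "$scratch/project"
    chmod 2770 "$scratch/project"
    : > "$scratch/project/file"
    printf '%s %s\n' "$(stat -c %g "$scratch/project")" "$(stat -c %g "$scratch/project/file")"
    rm -rf "$scratch"
}

# Walk through the forms from the text: numeric vs symbolic, then the special
# bits 4/2/1 in front of the normal digits and their symbolic spellings.
demo() {
    printf 'chmod 755                 -> %s\n' "$(mode_after_chmod 755)"
    printf 'chmod u=rwx,g=rx,o=rx     -> %s\n' "$(mode_after_chmod u=rwx,g=rx,o=rx)"
    printf 'chmod 4755 (SUID)         -> %s\n' "$(mode_after_chmod 4755)"
    printf 'chmod u=rwxs,g=rxs,o=rx   -> %s\n' "$(mode_after_chmod u=rwxs,g=rxs,o=rx)"
    printf 'chmod 2770 on dir (SGID)  -> %s\n' "$(mode_after_chmod 2770 dir)"
    printf 'chmod 1777 on dir (SBIT)  -> %s\n' "$(mode_after_chmod 1777 dir)"
    printf 'gid of sgid dir / new file: %s\n' "$(sgid_dir_groups)"
}

demo
```

The special bits replace the x character of the owner, group or others field with s, s or t, which is how they show up in the listings of /usr/bin/passwd and /tmp mentioned above; the sticky-bit deletion rule itself cannot be shown with a single user, so the block only shows the bit being set.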
Default file permissions
When you create a new file or directory, its default permissions are derived from the umask. Running umask or umask -S shows the current setting. Note that the umask value means "the permissions that are removed from the default".
By default:
- A newly created file has no execute permission, so its maximum value is 666, i.e. -rw-rw-rw-
- A newly created directory has all permissions, so its maximum value is 777, i.e. drwxrwxrwx
The default umask is 0022: the leading 0 is for special permissions and the next three digits are the normal permissions.
So:
- New file: (-rw-rw-rw-) - (-----w--w-) = -rw-r--r-- (644)
- New directory: (drwxrwxrwx) - (d----w--w-) = drwxr-xr-x (755)
To make new files default to 664, use the command umask 002. Note: do not compute the default permissions by numeric subtraction. If the umask is set to 003, 666-003=663 would remove an x permission that was never there, so it is best to work it out with the symbolic form instead.
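The umask calculation above, measured rather than computed by hand. This is an added example, not code from the original notes: it assumes GNU coreutils (stat -c, mktemp) and a POSIX shell whose arithmetic accepts octal constants (bash and dash both do), and it shows why the bitwise "mask out" gives 664 for umask 003 while plain subtraction gives the wrong 663.

```shell
# Added example (not from the original notes). Assumes GNU coreutils (stat -c,
# mktemp) and a POSIX shell whose arithmetic accepts octal constants (bash, dash).

# Create a file or directory under the given umask and print its octal mode.
# The umask is changed inside a subshell so the caller's setting is untouched.
default_mode() {
    mask=$1
    kind=${2:-file}
    (
        umask "$mask"
        scratch=$(mktemp -d)
        if [ "$kind" = dir ]; then
            mkdir "$scratch/new"
        else
            : > "$scratch/new"
        fi
        stat -c %a "$scratch/new"
        rm -rf "$scratch"
    )
}

# The correct calculation: clear the umask bits from the base mode (666 for a
# file, 777 for a directory) with a bitwise AND NOT. Arguments and result are
# octal strings; the leading 0 makes the shell read them as octal.
masked_mode() {
    base=$1
    mask=$2
    printf '%o\n' $(( 0$base & ~0$mask ))
}

# Plain subtraction, kept only to reproduce the pitfall in the text: 666 - 003
# gives 663, which turns others' rw- into -wx by borrowing an x that was never
# in the base, instead of the real 664.
subtracted_mode() {
    printf '%o\n' $(( 0$1 - 0$2 ))
}

# Compare what the shell actually does with both calculations.
demo() {
    for m in 022 002 003; do
        printf 'umask %s: file %s (masked %s, subtracted %s), dir %s (masked %s)\n' \
            "$m" "$(default_mode "$m" file)" "$(masked_mode 666 "$m")" \
            "$(subtracted_mode 666 "$m")" "$(default_mode "$m" dir)" "$(masked_mode 777 "$m")"
    done
    printf 'current umask, symbolic: %s\n' "$(umask -S)"
}

demo
```

The masked and measured values agree for every umask; the subtracted value only happens to agree for 022 and 002 because those umasks never touch a bit that is absent from the base.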
ACL
ACL stands for Access Control List. It provides more fine-grained permission settings: r, w and x can be set for a single user on a single file or directory, which is useful in situations that need special permissions.
ACLs must be supported by the file system. Most current file systems support them, and CentOS enables ACL support by default.
getfacl command: show the ACL entries of a file/directory
The effective permission of a user or group entry must fall within what the mask entry allows; that is, it cannot exceed the permissions set by the mask.
setfacl command: set ACL rules on a directory/file
Usage: setfacl [-bkRd] [{-m|-x} acl_spec] filename
Parameters:
- -m: set the ACL entries that follow; cannot be combined with -x
- -x: remove the ACL entries that follow; cannot be combined with -m
- -b: remove all ACL entries
- -k: remove the default ACL entries
- -R: apply recursively, so subdirectories are set too
- -d: set default ACL entries; only valid on a directory, and new entries created in that directory inherit them
Example: several programmers have full access to the same directory (/home/project), and only the project manager (user manager) may additionally enter it read-only: nobody else may enter the directory, and the manager cannot modify anything. This is where an ACL is used:
setfacl -m u:manager:rx /home/project
The status of /home/project is now:
drwxrws---+ 2 root develop 6 Nov 11:41 project
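The manager/project scenario and the mask rule from above, reproduced on a scratch directory. This is an added example, not code from the original notes: the uid 12345 is a constructed placeholder for the "manager" account (setfacl accepts numeric ids, so no user is created), the acl package (setfacl, getfacl) and file-system ACL support are assumed, and the function reports "skipped" when either is missing.

```shell
# Added example (not from the original notes). Reproduces the manager/project
# scenario on a scratch directory. The uid 12345 is a constructed placeholder
# for the "manager" account (setfacl accepts numeric ids, so no user is
# created). Prints "skipped" when the acl tools or file-system support are
# absent, so the script degrades cleanly on minimal systems.

PLACEHOLDER_UID=12345   # constructed; stands in for user "manager"

# Grant the placeholder user rx on a 2770 project directory, then lower the
# mask to r and print the effective permission getfacl reports for that user.
# Expected on a system with ACL support: r-- (the mask caps the r-x entry).
acl_effective_after_mask() {
    command -v setfacl >/dev/null 2>&1 || { echo skipped; return 0; }
    scratch=$(mktemp -d)
    mkdir "$scratch/project"
    chmod 2770 "$scratch/project"           # drwxrws--- as in the text
    if ! setfacl -m "u:$PLACEHOLDER_UID:rx" "$scratch/project" 2>/dev/null; then
        rm -rf "$scratch"                     # file system without ACL support
        echo skipped
        return 0
    fi
    setfacl -m "m::r" "$scratch/project"    # mask now r--, so rx is clipped
    # getfacl -c -n prints e.g. "user:12345:r-x      #effective:r--"
    eff=$(getfacl -c -n "$scratch/project" 2>/dev/null \
          | grep "^user:$PLACEHOLDER_UID:" \
          | sed -n 's/.*#effective:\([rwx-]*\).*/\1/p')
    rm -rf "$scratch"
    printf '%s\n' "${eff:-no-effective-line}"
}

# Show the full picture: the "+" that ls appends, the ACL entries and the mask.
demo() {
    command -v setfacl >/dev/null 2>&1 || { echo "acl tools not installed"; return 0; }
    scratch=$(mktemp -d)
    mkdir "$scratch/project"
    chmod 2770 "$scratch/project"
    setfacl -m "u:$PLACEHOLDER_UID:rx" "$scratch/project" 2>/dev/null \
        && { ls -ld "$scratch/project"; getfacl -c -n "$scratch/project"; }
    rm -rf "$scratch"
}

demo
printf 'effective permission for uid %s after mask r: %s\n' "$PLACEHOLDER_UID" "$(acl_effective_after_mask)"
```

The "#effective:" comment is getfacl's way of flagging that an entry grants more than the mask lets through; when auditing a directory, that comment is the line to look for, because the visible user entry alone overstates what the user can do.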
SELinux
SELinux stands for Security Enhanced Linux; as the name says, it is a hardened Linux, used to prevent resources from being misused.
Traditional file systems use DAC (discretionary access control): whether a process may access something is decided by the rwx permissions of the process owner on the file resource. DAC has a few notable points:
1. root has the highest authority and is not subject to any restriction;
2. If a directory is accidentally set to 777, anyone can access and change it arbitrarily.
SELinux instead uses MAC (mandatory access control), which can restrict the permissions of a specific process on specific file resources. Even if you are root, the permissions you get when running a particular process are not necessarily root's; they depend on how that process is configured. The subject of control thus becomes the process rather than the user, and the process cannot use system file resources at will, because each file resource also carries a setting of what that process is allowed to do with it. SELinux ships with some default policies, each containing many rules, and lets you choose which control rules to enable.
Example: the web server software runs as the httpd process. By default httpd can only access files under the /var/www directory; for httpd to access data in another directory, besides enabling the corresponding rule, the target directory must also be labelled so that httpd can read it. So even if httpd were compromised by an attacker, the attacker would have no access to /etc/shadow and other important configuration files.
Starting and stopping SELinux
SELinux supports three modes:
- enforcing: SELinux is running and actively restricts resource access
- permissive: SELinux is running but only issues warning messages and does not actually restrict access; used for debugging
- disabled: off
The current mode is shown by the command getenforce. Changing modes works in two ways:
If you are already in enforcing mode but some setting is causing SELinux to block a service, you can switch to permissive with the command setenforce 0; SELinux then only warns you that the access failed instead of directly refusing the process its read permission. Switch back from permissive to enforcing with setenforce 1.
To switch from disabled to an active mode, edit the configuration file /etc/selinux/config and change SELINUX=disabled to SELINUX=enforcing; conversely, to turn SELinux off, change SELINUX=enforcing to SELINUX=disabled. Then reboot.
Note that when switching from disabled to enforcing, the boot takes a long time because the SELinux security contexts of all files are being rewritten.
The SELinux decision process
Before a process may touch a resource, it must pass through SELinux's decision process: the subject program must first be allowed by a rule in the SELinux policy, after which its security context (the "security context" discussed below) is compared with the target's. If the comparison fails, the target cannot be accessed; if it succeeds, access can begin, but whether the target can finally be accessed still depends on the file system's rwx permissions. So when a permission is unexpectedly denied, the problem must be analysed step by step.
So what exactly is the security context?
It can be viewed with the command ls -Z. As the figure shows, a security context consists mainly of three parts (the identity, the role and the type).
So how does the /usr/sbin/httpd process get through SELinux's decision to access files in the /var/www/html/ directory?
First, the file /usr/sbin/httpd has the type httpd_exec_t. Executing it puts the resulting process into the httpd domain (httpd_t), and the SELinux policy defines many rules for this domain. One of them allows the domain to read target files of type httpd_sys_content_t, so as long as a page is placed in the /var/www/html directory, the httpd process can read it.
Whether the file is finally readable, however, is still limited by the normal permissions, which must include rx.
More details on SELinux policy and rule management are here:
http://vbird.dic.ksu.edu.tw/linux_basic/0440processcontrol.php
SELinux in practice
Success
Create a new file with some content in the /var/www/html directory:
echo "First page" > /var/www/html/index.html
Then enter the URL http://192.168.1.112 in the browser and the page "First page" is displayed.
This works because the permissions of the new index.html under /var/www/html are:
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
Failure
Delete the index.html just created in /var/www/html:
rm -f /var/www/html/index.html
Then create a new file with some content in the /tmp directory and move it into place:
echo "Second page" > /tmp/index1.html
mv /tmp/index1.html /var/www/html
Now enter the URL http://192.168.1.112/index1.html in the browser (specify index1.html explicitly, otherwise you get the welcome page) and an error appears: "You don't have permission to access /index1.html on this server."
This is because the permissions of index1.html are now:
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 index1.html
Note the part that differs from index.html above (shown in grey in the original figure): the httpd process cannot read target files of type user_tmp_t. This is where SELinux shows its power.
Installing setroubleshoot
SELinux problems can be analysed without tools by opening the log file /var/log/audit/audit.log and searching it directly, but its format makes it hard to read, so use setroubleshoot to handle problems caused by SELinux. Install it with yum:
yum install setroubleshoot setools -y
After installation, a command called sealert can parse the log: it scans the whole log file and picks out the SELinux-related part. Run:
sealert -a /var/log/audit/audit.log
The previous example created an SELinux problem, so scanning here shows it:
Running the workaround given in the results will resolve the SELinux problem.
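The raw audit.log route mentioned above, and the decision process (process domain versus file type) described earlier, as one added example that is not code from the original notes: it reads AVC denial records directly and reduces each to "which domain was denied which permission on which file type". The audit lines are constructed to mirror the index1.html failure in the text and follow the kernel's AVC record layout; awk and a POSIX shell are assumed, nothing needs SELinux to be present.

```shell
# Added example (not from the original notes): triage SELinux AVC denials
# straight from audit.log without setroubleshoot. The log lines below are
# constructed to mirror the index1.html failure in the text and follow the
# kernel's AVC record layout (scontext=, tcontext=, tclass=, "{ perm }").

SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1415598600.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1415598600.123:456): avc:  denied  { read } for  pid=2200 comm="httpd" name="index1.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1415598601.500:457): avc:  denied  { getattr } for  pid=2200 comm="httpd" path="/var/www/html/index1.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'

# Split a security context into the three parts ls -Z shows: identity, role,
# type (the level s0 is dropped), e.g. "unconfined_u object_r user_tmp_t".
context_parts() {
    printf '%s\n' "$1" | awk -F: '{ print $1, $2, $3 }'
}

# Read audit records on stdin and print one line per AVC denial:
#   comm permission source_type target_type class target
avc_denials() {
    awk '
        /^type=AVC / && /avc: *denied/ {
            perm = "?"; comm = "?"; target = "?"; stype = "?"; ttype = "?"; cls = "?"
            if (match($0, /[{] [a-z_ ]+ [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                key = substr($i, 1, n - 1); val = substr($i, n + 1)
                gsub(/"/, "", val)
                if (key == "comm")     comm = val
                if (key == "name" || key == "path") target = val
                if (key == "tclass")   cls = val
                if (key == "scontext") { split(val, c, ":"); stype = c[3] }
                if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
            }
            print comm, perm, stype, ttype, cls, target
        }'
}

# Run the parser over the constructed log and print the summary.
demo() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_denials
}

demo
```

Each summary line reads as the policy question from the decision section: the third column is the process domain (httpd_t) and the fourth the file type (user_tmp_t), so "httpd read httpd_t user_tmp_t file index1.html" is exactly the rule that is missing. On a real system the usual remedy for a file that was moved into /var/www/html with the wrong label is to reapply the directory's default label with restorecon (a standard SELinux tool, not mentioned on the page) rather than loosening the policy.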