Linux Operations Phase II (5): Permission Management
I. ACL permissions (for cases where the owner, group and other identities are not enough to express who may access a file)
#dumpe2fs -h /dev/sda2 ( show the file system details of the given partition; -h prints only the superblock, where the "Default mount options" line tells you whether acl is already enabled )
#mount -o remount,acl / ( remount the root partition with ACL support if it was not mounted with the acl option )
ACL basic commands:
#getfacl filename ( query the ACL entries of a file )
#setfacl -m u:username:permissions filename ( add or modify the ACL entry for a user )
#setfacl -m g:groupname:permissions filename ( add or modify the ACL entry for a group )
#setfacl -m u:username:permissions -R /test ( apply recursively to the directory and everything currently inside it; only meaningful on a directory )
#setfacl -m d:u:username:permissions /test ( add a default ACL, which is inherited by files created later; default ACLs can only be set on a directory )
#setfacl -b /test ( remove all ACL entries )
#setfacl -x u:aa filename ( remove the ACL entry for the given user; g:groupname removes a group entry in the same way )
Note: when granting ACL permissions on a directory, the two forms differ in what they cover:
#setfacl -m u:username:permissions -R /test ( affects only /test and the files that already exist in it )
#setfacl -m d:u:username:permissions /test ( affects only files created in /test afterwards )
Use both together when an existing tree and its future contents should get the same access.
Maximum effective permission (mask): the permission actually granted to a named user, a named group or the owning group is the entry's own permission AND the mask, and getfacl shows the result as "#effective:". The owner (user::) and other:: are never limited by the mask.
#setfacl -m m:rx project/ ( set the mask to rx, using the "m:permissions" format; note that a later setfacl -m on the same directory recalculates the mask unless -n is given )
#getfacl project/
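To make the mask rule concrete, here is an added example (not from the original page): a shell function that reads getfacl output and computes the effective permission of every entry the same way the kernel does, entry AND mask, with separate masks for the access ACL and the default ACL. The getfacl listing it runs on is constructed, not captured from a real system, and the names aa, dev and project are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: compute the effective permission of
# each ACL entry (entry AND mask) from getfacl output.
acl_effective() {
    awk -F: '
    function bits(p,   b, i, c) {             # "r-x" -> 5
        b = 0
        for (i = 1; i <= length(p); i++) {
            c = substr(p, i, 1)
            if (c == "r") b += 4
            else if (c == "w") b += 2
            else if (c == "x") b += 1
        }
        return b
    }
    function both(a, b,   r) {                # bitwise AND without gawk-only and()
        r = 0
        if (a >= 4 && b >= 4) r += 4
        if (int(a / 2) % 2 && int(b / 2) % 2) r += 2
        if (a % 2 && b % 2) r += 1
        return r
    }
    function str(b) {
        return (b >= 4 ? "r" : "-") (int(b / 2) % 2 ? "w" : "-") (b % 2 ? "x" : "-")
    }
    /^#/ || NF == 0 { next }                  # skip the "# file:" header and blank lines
    {
        pre = ""; tag = $1; who = $2; perm = $3
        if ($1 == "default") { pre = "default:"; tag = $2; who = $3; perm = $4 }
        n++; P[n] = pre; T[n] = tag; W[n] = who; M[n] = perm
        if (tag == "mask") mask[pre] = bits(perm)   # access and default ACLs have separate masks
    }
    END {
        for (i = 1; i <= n; i++) {
            eff = M[i]
            # the mask caps named users, the owning group and named groups;
            # the owner (user::) and other:: are never masked
            if ((T[i] == "user" && W[i] != "") || T[i] == "group") {
                if (P[i] in mask) eff = str(both(bits(M[i]), mask[P[i]]))
            }
            printf "%s%s:%s:%s effective:%s\n", P[i], T[i], W[i], M[i], eff
        }
    }'
}

# Constructed getfacl output for a directory "project" after
#   setfacl -m u:aa:rwx -m g:dev:rw- -m m:rx project/  and a default ACL for aa.
SAMPLE_GETFACL='# file: project
# owner: root
# group: root
user::rwx
user:aa:rwx
group::r-x
group:dev:rw-
mask::r-x
other::r--
default:user::rwx
default:user:aa:rw-
default:group::r-x
default:mask::r-x
default:other::r--'

printf '%s\n' "$SAMPLE_GETFACL" | acl_effective
```

With the mask at r-x, user aa is reported as "rwx" by the entry but only gets r-x, and group dev's rw- collapses to r--; the default ACL carries its own mask, so files created later inherit the same cap.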
II. sudo authorization
#visudo ( edits /etc/sudoers with a syntax check before saving; the same command as in Operations VI )
root ALL=(ALL) ALL
username managed-host=(runas identity) authorized command (absolute path)
%wheel ALL=(ALL) ALL
%groupname managed-host=(runas identity) authorized command (absolute path)
username / groupname: the user or group that is allowed to run the command with root's privileges; note the "%" in front of a group name.
managed host: ALL means the rule applies on any host; a fixed IP address or hostname means the rule applies only on the host that has that address. This field is the address of the server sudo is running on, not the address the user connects from, so it does not restrict where a user may log in from. Listing individual hosts or a network segment only makes sense when one sudoers file is shared by many servers (for example through NIS or another central account system); on a single stand-alone server, writing its own IP address and writing ALL have the same effect.
runas identity: which user the command will be executed as; ALL means it may be run as any user; the field may be omitted, in which case the command runs as root.
authorized command: the command root delegates to the ordinary user, which can be narrowed down to specific options and arguments; it must be written with an absolute path.
Example: authorize user lamp to restart the server
#visudo
lamp ALL=/sbin/shutdown -r now
$sudo -l ( run as lamp: lists the commands this user may run through sudo )
Example: authorize a user to manage the web server in three places: run the Apache administration script, modify the Apache configuration file, and update the web page content.
lamp ALL=/etc/rc.d/init.d/httpd reload, /etc/rc.d/init.d/httpd configtest
Note: this allows re-reading the configuration so that changes take effect (reload) and checking the configuration for syntax errors (configtest), but not stop, restart or any other operation, because the arguments are spelled out in the rule.
lamp ALL=/bin/vi /etc/httpd/conf/httpd.conf
Note: this authorizes lamp to edit the configuration file with vi running as root. Be aware that a root vi session can write any other file with :w and can spawn a root shell with :!sh, so sudoedit (sudo -e) is the safer way to delegate editing of a single file.
#chown lamp /var/www/html/
Note: make lamp the owner of this directory (or otherwise give it write permission with chmod) so the user can update the pages without needing sudo at all.
Example: authorize user AA to create new users and set their passwords
AA ALL=/usr/sbin/useradd
AA ALL=/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd "", !/usr/bin/passwd root
Note: the first entry allows passwd with any user name as argument; the "!" entries then forbid passwd with no argument at all (which, running as root, would change root's own password) and passwd root. sudo applies matching entries in order and the last match wins, which is why the denials are written after the permission.
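The passwd rule depends on two details of sudoers evaluation: the last matching entry wins, and the argument part of an entry is glob-matched against the whole argument string, spaces included. As an added example, not part of the original page and not sudo's own matcher, the shell function below models just those rules so the effect of each entry can be checked before it goes into /etc/sudoers. The rule strings are the ones from the page; the passwd invocations are constructed.

```shell
#!/bin/sh
# Added example, not sudo's code: a model of how sudoers picks the matching Cmnd_Spec.
# Each spec is "COMMAND ARGS" or "!COMMAND ARGS". A spec with no ARGS matches any
# arguments; ARGS of "" matches only an empty argument list; otherwise ARGS is a glob
# matched against the whole argument string (so "*" spans spaces, as in sudoers(5)).
# Specs are checked in order and the LAST match decides.
sudoers_allows() {
    local cmd args verdict spec neg pat_cmd pat_args
    cmd=$1; args=$2; shift 2
    verdict=deny
    for spec in "$@"; do
        neg=0
        case $spec in '!'*) neg=1; spec=${spec#!} ;; esac
        pat_cmd=${spec%% *}
        pat_args=${spec#"$pat_cmd"}; pat_args=${pat_args# }
        [ "$cmd" = "$pat_cmd" ] || continue
        if [ "$pat_args" = '""' ]; then
            [ -z "$args" ] || continue
        elif [ -n "$pat_args" ]; then
            case $args in $pat_args) ;; *) continue ;; esac
        fi
        if [ "$neg" = 1 ]; then verdict=deny; else verdict=allow; fi
    done
    echo "$verdict"
}

# The three entries of "AA ALL=/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd "", !/usr/bin/passwd root"
R1='/usr/bin/passwd [A-Za-z]*'
R2='!/usr/bin/passwd ""'
R3='!/usr/bin/passwd root'

# Constructed invocations: alice is allowed, root and the empty argument list are denied,
# "-d root" never matches the glob, and "root extra" shows the wildcard spanning spaces.
for a in alice root '' '-d root' 'root extra'; do
    printf 'sudo passwd %-12s -> %s\n' "'$a'" "$(sudoers_allows /usr/bin/passwd "$a" "$R1" "$R2" "$R3")"
done
```

The last case is the weakness the sudoers manual warns about for this very rule: "root extra" matches `[A-Za-z]*` but not the literal `root` in the denial, so the rule is only safe because passwd refuses more than one user name. Where the command does accept extra words, spell every argument out instead of using a wildcard.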
III. Special permissions on files
1. setuid: only an executable binary can carry SUID; the person running the command must have x permission on the program; while the program runs, the caller temporarily acquires the identity of the program file's owner; this is valid only for the duration of that execution.
#ll /etc/shadow
#ll /usr/bin/passwd ( shows -rwsr-xr-x: the "s" in the owner's execute position is SUID, which is how an ordinary user's passwd can write /etc/shadow )
Dangerous SUID: #chmod u+s /usr/bin/vim ( any user could then edit any file, /etc/shadow and /etc/sudoers included, as root )
Several suggestions: strictly control w permission on key directories such as / and /usr; strictly follow the three password principles; keep a list of the files that carry SUID on a freshly installed system by default, and check periodically for SUID files that are not on that list.
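As an added example of the periodic check suggested above (not from the original page), the shell functions below record the SUID/SGID files of a system as a sorted baseline and report anything that has appeared since. The baseline path /root/suid.baseline in the comment is an assumption; the demonstration builds a constructed directory tree under mktemp rather than scanning the real file system, so it can be run by an unprivileged user.

```shell
#!/bin/sh
# Added example, not from the original page: baseline-and-diff audit of SUID/SGID files.
# Usage on a real host (the baseline path is an assumption):
#   list_suid_sgid / > /root/suid.baseline     # once, on the freshly installed system
#   suid_new_since / /root/suid.baseline       # from cron; any output is a new privileged binary

# List regular files under $1 with SUID (4000) or SGID (2000) set, sorted for comm(1).
# -xdev keeps the scan on one file system so /proc, network mounts and the like are skipped.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print SUID/SGID files under $1 that are not listed in the baseline file $2.
suid_new_since() {
    list_suid_sgid "$1" | comm -13 "$2" -
}

# Demonstration on a constructed tree (no real system binaries are touched):
# a known SUID program is recorded in the baseline, then a "rogue" SUID file appears.
demo_suid_audit() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin"
    : > "$d/bin/known"; chmod 4755 "$d/bin/known"   # legitimate, part of the baseline
    : > "$d/bin/plain"; chmod 0755 "$d/bin/plain"   # ordinary executable, never reported
    list_suid_sgid "$d" > "$d/baseline"
    : > "$d/bin/rogue"; chmod 4755 "$d/bin/rogue"   # appears later, e.g. planted by an intruder
    suid_new_since "$d" "$d/baseline"               # prints only .../bin/rogue
    rm -rf "$d"
}

demo_suid_audit
```

Keep the baseline somewhere the users being watched cannot write, and re-generate it only after package updates you have reviewed; a SUID copy of a shell or editor showing up in the diff is exactly the "chmod u+s vim" case above.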
2. setgid
For files: only an executable binary can carry SGID; the person running the command must have x permission on the program; while the program runs, the caller's effective group is raised to the group of the program file; valid only during execution.
#ll /var/lib/mlocate/mlocate.db
#ll /usr/bin/locate ( locate is SGID, which is how an ordinary user can read the mlocate.db database owned by the same group )
For directories: ordinary users must have r and x on the directory; a user's effective group while working in that directory becomes the directory's group, and when the user also has w on the directory, files created there get the directory's group rather than the user's own primary group.
3. sticky bit (SBIT): only meaningful on a directory. Ordinary users with w and x on a directory can normally delete any file in it. Once the sticky bit is set, a user with w can only delete files they created themselves; files created by other users cannot be deleted. /tmp is the usual example.
Numeric values: SUID = 4, SGID = 2, SBIT = 1, written as an extra digit in front of the usual mode:
#chmod 4755 ftest ( SUID )
#chmod 2755 ftest ( SGID )
#chmod 1755 ftest ( sticky bit )
IV. chattr ( file system attribute permissions )
#chattr [+-=] i|a|e file-or-directory ( only root can set or clear i and a )
i: on a file: it cannot be deleted, renamed, or have data added or modified; it is completely locked, and even root must remove the attribute before changing it;
on a directory: the data of existing files inside may still be modified, but files cannot be created or deleted.
a: on a file: data can be appended, but existing data cannot be deleted or modified;
on a directory: files may be created and modified inside it, but not deleted.
e: most files on Linux have the e attribute by default, meaning the file is stored using extents on an ext4 file system; the e attribute cannot be removed with #chattr -e.
#lsattr -a|-d filename ( -a: all files, including hidden ones; -d: show the directory itself instead of its contents )
From Brother Lian Training
This article is from the "Linux Operations Difficulties Study Notes" blog; please keep this source when reposting: http://jowin.blog.51cto.com/10090021/1641485