Linux file permissions: ACL, setuid, setgid and sticky bit special permissions


Related learning materials

http://blog.sina.com.cn/s/blog_4e2e6d6a0100g47o.html
http://blog.csdn.net/aegoose/article/details/25439649

Contents

1. Linux file system permissions
2. Security configuration for Linux directory and file permissions

1. Linux file system permissions

Files and directories are the concrete objects of the file system, and within Linux system administration the management of files and directories, their permissions in particular, is an important part of the file system management strategy.

0x1: Default permissions for the file system (umask)

When a new file or directory is created, the system automatically assigns it an initial set of access permissions, called the default permissions. These default permissions depend on the umask value of the file system. Run umask in a terminal to display the current umask value. For example:

$ umask
0022

Linux derives the final permissions of a new file or directory from the base default permissions minus the umask (the bits set in the umask are masked out).

/* assuming the default umask is 0022 */
1. A new "file" starts from -rw-rw-rw-, permission value 666; the final default permissions of the new file are -rw-r--r-- (644).
2. A new "directory" starts from drwxrwxrwx, permission value 777; the final default permissions of the new directory are drwxr-xr-x (755).
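The derivation above, as an added example that is not part of the original post. effective_mode computes "666 or 777 minus umask" the way the kernel does, as a bit mask (every bit set in the umask is cleared; 666 & ~027 gives 640, which plain octal subtraction would not), and created_mode confirms the result by creating a real file or directory under a temporary directory with that umask and reading the mode string back from ls -ld. The function names and the temporary paths are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: compute the default permissions of
# a new file or directory from the base mode and a umask, then confirm the
# result by creating a real file and directory with that umask.

# effective_mode BASE UMASK
# BASE is 666 (files) or 777 (directories); UMASK is the 3- or 4-digit octal
# umask. The umask is a bit mask: every bit set in the umask is cleared from
# the base mode (666 & ~022 = 644). It is not arithmetic subtraction.
effective_mode() {
    base=$1
    mask=$2
    # A leading 0 makes the shell read both values as octal.
    printf '%03o\n' $(( 0$base & ~0$mask & 0777 ))
}

# created_mode UMASK KIND
# Creates a file (KIND=file) or a directory (KIND=dir) in a fresh temporary
# directory with the given umask and prints the 10-character mode string
# from ls -ld, e.g. -rw-r--r-- or drwxr-xr-x.
created_mode() {
    mask=$1
    kind=$2
    tmp=$(mktemp -d) || return 1
    (   # the subshell keeps the umask change local to this function
        umask "$mask"
        if [ "$kind" = dir ]; then
            mkdir "$tmp/new"
        else
            : > "$tmp/new"   # creat(2) with mode 666, then masked by the umask
        fi
    )
    ls -ld "$tmp/new" | cut -c1-10
    rm -rf "$tmp"
}

# Show the effect of the umask from the text (022), the common 027 and the
# restrictive 077 recommended later in this article.
for m in 022 027 077; do
    printf 'umask %s: file %s %s  dir %s %s\n' "$m" \
        "$(effective_mode 666 "$m")" "$(created_mode "$m" file)" \
        "$(effective_mode 777 "$m")" "$(created_mode "$m" dir)"
done
```

The arithmetic and the real file system agree for every umask in the loop; the last row is the -rw------- result that the security configuration section recommends.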

0x2: Representation of file and directory permissions in Linux

Permissions for files and directories

[-dlcbps] [U:rwx] [G:rwx] [O:rwx]
1. Type
   1) d: directory
   2) -: regular file
   3) l: symbolic link
   4) p: pipe
   5) c: character device
   6) b: block device
   7) s: socket
2. U (owner)
   1) r: 4   2) w: 2   3) x: 1
3. G (group)
   1) r: 4   2) w: 2   3) x: 1
4. O (others)
   1) r: 4   2) w: 2   3) x: 1

There are two ways to represent file system permissions:

1. Character notation: r, w and x directly denote the read, write and execute permissions of the file's owner (u), group (g) and others (o) on a file or directory, as shown by ll, for example -rw-rw-rw-.
2. Numeric notation: for example chmod 777 test. Read (r), write (w) and execute (x) are represented by the values 4 (read), 2 (write) and 1 (execute) respectively; a permission that is not granted counts as 0, and the values of the granted permissions are added together for each of u, g and o.

0x3: Modifying file system permissions

The mode argument of the chmod command can be described by the following regular expression:
chmod [ugoa]*([-+=]([rwxXst]*|[ugo]))+
Examples

1. chmod 777 /dir/file    sets the file to read, write and execute (rwx) for everyone
2. chmod -x /dir/file     removes the executable permission (x) from u (owner), g (group) and o (others), i.e. a (all)
3. chmod ga-w /dir/file   removes the writable permission (w) from g (group) and a (all)
4. chmod u=rx /dir/file   resets u (owner) to exactly read (r) and execute (x)
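An added example (not from the original post) covering both the notations of 0x2 and the chmod forms listed above. symbolic_to_octal parses an ls -l mode string into the four-digit numeric form, including the s/S and t/T markers in the execute positions that the special permissions section of this article describes, and chmod_result runs a sequence of chmod commands on a scratch file and returns the resulting mode. The function names and scratch paths are this example's own. One caveat the sequence makes visible: chmod -x with no u/g/o prefix behaves like a but leaves bits that are set in the umask untouched, so the scratch commands run under a fixed umask of 022.

```shell
#!/bin/sh
# Added example, not from the original post: convert ls -l style permission
# strings into chmod's numeric notation, then apply the chmod forms from the
# text to a scratch file and read the resulting mode back.

# symbolic_to_octal MODESTRING
# Accepts the 9-character rwx form (rw-r--r--) or the 10-character ls form
# with the type character first (-rw-r--r--). Prints the 4-digit octal mode;
# the first digit holds the special bits, which ls shows as s/S in the owner
# (4000) or group (2000) execute position and t/T in the others position
# (1000). Upper case means the special bit is set but execute is not.
symbolic_to_octal() {
    s=$1
    [ ${#s} -eq 10 ] && s=${s#?}                 # drop the type character
    [ ${#s} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    bits=0 special=0 pos=0 rest=$s
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}                    # first character of rest
        rest=${rest#?}
        pos=$((pos + 1))
        case $c in
            r|w|x) on=1 ;;
            -)     on=0 ;;
            s|S)   [ "$pos" -eq 3 ] || [ "$pos" -eq 6 ] || { echo "bad mode string: $1" >&2; return 1; }
                   [ "$c" = s ] && on=1 || on=0
                   [ "$pos" -eq 3 ] && special=$((special | 4)) || special=$((special | 2)) ;;
            t|T)   [ "$pos" -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
                   [ "$c" = t ] && on=1 || on=0
                   special=$((special | 1)) ;;
            *)     echo "bad mode string: $1" >&2; return 1 ;;
        esac
        # position 1 is the 0400 bit, position 9 is the 0001 bit
        bits=$((bits | (on << (9 - pos))))
    done
    printf '%o%03o\n' "$special" "$bits"
}

# chmod_result 'chmod ARGS' ...
# Creates a scratch file, runs each chmod on it in order under a fixed umask
# of 022, and prints the numeric mode after the last one. The fixed umask
# matters: chmod with no u/g/o prefix (chmod -x) acts like a, but leaves
# bits that are set in the umask alone.
chmod_result() {
    tmp=$(mktemp -d) || return 1
    f=$tmp/file
    : > "$f"
    ( umask 022; for cmd; do $cmd "$f" || exit 1; done ) || { rm -rf "$tmp"; return 1; }
    symbolic_to_octal "$(ls -ld "$f" | cut -c1-10)"
    rm -rf "$tmp"
}

# Run the four chmod examples from the text one after another, showing the
# mode after each step.
set --
for cmd in 'chmod 777' 'chmod -x' 'chmod ga-w' 'chmod u=rx'; do
    set -- "$@" "$cmd"
    printf '%-12s -> %s\n' "$cmd" "$(chmod_result "$@")"
done
```

The sequence ends at 0544 rather than 0644: ga-w removes write from the owner as well, because a already covers u, so "group and all" is simply "everyone".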

2. Special permissions for Linux file systems

Conceptually these "special permissions" belong with the file system permissions of the first part, but they are unusual: some of them are not visible in ordinary ls or ll output, and when misconfigured they can create security risks, so they are studied separately here.

0x1: Hidden attributes of the file system

Besides the read (r), write (w) and execute (x) permissions of a file or directory, hidden attributes can additionally be set on files with special requirements, such as server logs. Most of these attributes play an important role in file system security management.

lsattr: display the hidden attributes of a file or directory
chattr: modify the hidden attributes of a file or directory
usage: chattr [-RVf] [-+=aAcdDeijsSu] [-v version] files...

1. A: the atime (access time) of the file or directory is not modified when it is accessed, which helps against attackers who alter the access times of sensitive files to hide a webshell or cover the traces of an intrusion.
2. a: append only. Once set, data can only be appended to the file and nothing can be deleted; mostly used to protect server log files. Only root can set this attribute.
3. c: compressed. The file is stored compressed on disk and automatically decompressed when it is read.
4. d: no dump. The file is not a backup target of the dump program.
5. i: immutable. The file cannot be deleted, renamed or linked to, and cannot be written or appended to. The i attribute is very helpful for file system security settings.
6. j: journal. When the file system is mounted with data=ordered or data=writeback, writes to the file are recorded in the journal. If the file system is mounted with data=journal, this attribute has no effect.
7. s: secure deletion. When the file or directory is deleted, its disk space is fully wiped and reclaimed.
8. S: synchronous I/O. Changes to the file are written to disk synchronously, like the sync option.
9. u: undeletable, the opposite of s. When the file is deleted, its data contents remain on disk and can be used to undelete it.

Note: only the superuser (root) or a process with the CAP_LINUX_IMMUTABLE capability can set these hidden attributes.
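An added example (not from the original post) for auditing the attributes above from the defender's side: attr_report parses lsattr-style output (flag field first, then the path) and reports for each path whether i (immutable), a (append-only), both or neither is set, and expect_attr turns that into a pass/fail check for one path, for instance that a log file which should be append-only really is. The four sample lines are constructed for this example and do not come from a real host; the layout of the flag field varies between e2fsprogs versions, so the parser only looks for the letters, not their positions. Both function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit lsattr output for the
# immutable (i) and append-only (a) attributes described above.

# Constructed sample in the shape of e2fsprogs lsattr output: a flag field,
# then the path. These lines are made up for the example, not from a real host.
SAMPLE='----i---------e------- /etc/resolv.conf
-----a--------e------- /var/log/secure
--------------e------- /var/log/messages
----ia--------e------- /srv/audit/ledger'

# attr_report [FILE]
# Reads lsattr-style lines from FILE (default: stdin) and prints
# "<path> <state>" where state is immutable, append-only, both or none.
# Only the letters are inspected, not their positions, because the width and
# order of the flag field differ between e2fsprogs versions.
attr_report() {
    awk '
        NF >= 2 {
            flags = $1
            path = $2
            for (i = 3; i <= NF; i++) path = path " " $i   # paths containing spaces
            imm = index(flags, "i") > 0
            app = index(flags, "a") > 0
            state = (imm && app) ? "both" : imm ? "immutable" : app ? "append-only" : "none"
            print path, state
        }' "${1:--}"
}

# expect_attr STATE PATH [FILE]
# Succeeds only if PATH is reported with exactly STATE, e.g.
#   lsattr /var/log/secure | expect_attr append-only /var/log/secure
expect_attr() {
    attr_report "${3:--}" | grep -qFx "$2 $1"
}

# Report on the constructed sample.
printf '%s\n' "$SAMPLE" | attr_report
```

On a real host the input would be lsattr -R output for the directories of interest (lsattr needs no privilege to read the flags; only chattr does), and the report is diffed against the list of files that are supposed to carry i or a.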

0x2: Special permissions related to privilege escalation

Next we look at the special permission bits of the Linux file system: SUID, SGID and the sticky bit.

1. Set UID (SUID)

SUID means that a user who executes a program carrying the SUID special permission "temporarily" acquires the permissions of the program's owner while it runs. After the set-UID bit is set, the x in the owner's permission triplet is displayed as s.
Assume an ordinary user A changes their password with the passwd command. The owner of /usr/bin/passwd is root (root:root), so when A executes passwd, the process temporarily runs /usr/bin/passwd as root and can therefore update the contents of /etc/shadow.
The process can be summarised as follows.

1. The root user sets the s bit: chmod u+s file. This means other users can "temporarily" use the owner's privileges when they run the file.
2. A non-root user uses the temporary privilege:
   1) directly through the sudo command
   2) by using setuid(0)

2. Set GID (SGID)

SGID is conceptually the same as SUID: when the executable bit (x) in the group triplet of the permission combination is replaced by s (for example ---rws---), the set-GID permission is set. The group of the user executing the program temporarily becomes the group ID of the group to which the program belongs.

chmod g+s dir

3. Sticky bit

When the executable bit (x) in the "others" triplet of the permission combination is replaced by t (for example ------rwt), the sticky bit is set.
The sticky bit (sbit), as the name implies, restricts access; it is an easy to understand and useful setting that only takes effect on directories. When the sbit is set on a directory A and a user has w and x permission on A, the files (including directories) that the user creates under A can only be deleted, renamed, moved and so on by that user or by root (whether they are readable still depends on the actual r permission).

chmod o+t dir
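An added example (not from the original post) for the three special bits above. special_bit_mode applies chmod u+s, g+s or o+t to a scratch file or directory and shows how ls renders the bit (s in the owner or group execute position, t in the others position), and list_setid_files lists the regular files under a directory that carry setuid or setgid, which is what an auditor compares against the set of binaries expected to have them (passwd being one). The sticky bit's deletion restriction needs a second user to observe, so only its rendering and the 1777 layout of a shared directory are shown. Function names and the scratch paths are this example's own, and everything happens under a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: show how ls renders each special
# bit and list the setuid/setgid files under a directory, all inside a
# temporary directory so nothing on the host is changed.

# special_bit_mode KIND BIT
# Creates a scratch file (KIND=file) or directory (KIND=dir) with mode 755,
# applies "chmod BIT" (u+s, g+s or o+t) and prints the 10-character ls mode
# string, e.g. -rwsr-xr-x for a setuid file.
special_bit_mode() {
    kind=$1
    bit=$2
    tmp=$(mktemp -d) || return 1
    if [ "$kind" = dir ]; then mkdir "$tmp/obj"; else : > "$tmp/obj"; fi
    chmod 755 "$tmp/obj" && chmod "$bit" "$tmp/obj" || { rm -rf "$tmp"; return 1; }
    ls -ld "$tmp/obj" | cut -c1-10
    rm -rf "$tmp"
}

# list_setid_files DIR
# Prints, sorted, every regular file under DIR with the setuid (4000) or
# setgid (2000) bit. find's "-perm -MODE" matches when all bits of MODE are
# set, so one find per bit is run and the results merged. On a real host the
# call is list_setid_files / and the output is compared with the list of
# binaries that are expected to carry these bits.
list_setid_files() {
    { find "$1" -type f -perm -4000; find "$1" -type f -perm -2000; } | sort -u
}

# setid_demo
# Builds a small tree with one setuid file, one setgid file, a plain file and
# a sticky world-writable directory (the layout of /tmp), and prints the
# names that list_setid_files reports, relative to the scratch directory.
setid_demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/suid_bin"; chmod 4755 "$tmp/suid_bin"
    : > "$tmp/sgid_bin"; chmod 2755 "$tmp/sgid_bin"
    : > "$tmp/plain";    chmod 755  "$tmp/plain"
    mkdir "$tmp/shared"; chmod 1777 "$tmp/shared"
    list_setid_files "$tmp" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

printf 'file u+s: %s\n' "$(special_bit_mode file u+s)"
printf 'dir  g+s: %s\n' "$(special_bit_mode dir g+s)"
printf 'dir  o+t: %s\n' "$(special_bit_mode dir o+t)"
printf 'setuid/setgid files: %s\n' "$(setid_demo | tr '\n' ' ')"
```

Note that the sticky directory does not appear in the setuid/setgid list: the audit deliberately asks only for regular files with the 4000 or 2000 bit, since those are the ones that hand a caller another identity.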

2. Security configuration of Linux directory and file permissions

0x1: Recommended umask Security Configuration

The umask command sets the read and write permissions of files created by a process. The safest value is 0077, which removes the read and write permissions of everyone except the creating user (the owner), giving -rw-------.
Adding the line umask 0077 to ~/.bash_profile ensures that the umask of the process is set correctly each time the shell is started.

Copyright (c) Littlehann All rights reserved
