Linux permission management
Linux has many kinds of permissions. They can be divided into three groups: user permissions on files, user permissions on system commands, and special permissions on files. This article describes each of them, what setting them means, and what they do.

I. User permissions on files

A user's permissions on files are the add, delete, modify and query operations the user may perform on the files that user owns. They can be subdivided into basic permissions (ugo), umask permissions and ACL permissions.

1. Basic permissions

1) A Linux file permission string has 10 characters. The first character marks the file type; the following nine are three groups of three, giving the permissions of the owner, the owner's group and others. Each of owner, group and others can hold the rwx (read/write/execute) permissions, represented by the numbers 4, 2 and 1 respectively.

First character: the file type. Common types are
    -   regular file
    d   directory
    l   soft (symbolic) link
    b   block device file
    c   character device file
    s   socket
    p   pipe
The nine characters after it, in groups of three, are the permissions of the owner, the group and others. As for the character that sometimes follows the nine permission bits, some consider it a terminator and others the SELinux security label; no distinction is made here.

2) Meaning of the permissions
Permissions restrict what a user may do with a file, but their meaning differs between files and directories.
① For a file: in Linux everything is a file, but "file" here means a file in the narrow sense, one whose content is data.
    ☆ r: the data in the file can be read.
    ☆ w: the data content of the file can be edited and modified.
    ☆ x: the file can be executed, whether or not it actually executes correctly.
② For a directory, the "data content" is the list of file names it contains.
    ☆ r: query (list) which files the directory contains.
    ☆ w: create, edit and delete files in the directory.
    ☆ x: the directory can be entered.

3) Related commands
★ chown: change the owner and, optionally, the group at the same time
    chown user1:user1 aa    % change both the owner and the group of file aa to user1
★ chgrp: change the group of a file
    chgrp user1 aa          % change the group of file aa to user1
★ chmod: change the permission of a file
    chmod 755 aa            % set the permission of file aa to 755 (rwxr-xr-x)

2. umask permission

1) umask is the command that sets the default permission of new files. Usage:
    [root@localhost /]# umask -S     % display the default permission of new files in rwx form
    [root@localhost /]# umask 022    % set the default permission for new files and directories
Note: a change made this way is temporary and is lost after shutdown and restart. To make it permanent, modify the configuration file /etc/profile. The umask section of that file works as follows: if the user's UID is greater than 199 and the user's group name is the same as the user name, the umask is 002; otherwise it is 022. In general the umask of a normal user is therefore 002 and that of root is 022, because the UID of root is 0 by default (002 and 022 are explained below).

2) Permission setting is an important means of keeping the system secure. For a file, the execute permission is the highest permission: viruses and Trojans are executable files, and if execute permission is granted directly the consequences are unimaginable. Directories have no such restriction. Therefore the maximum default permission of a file is 666 and that of a directory is 777. The permission of a newly created file or directory is obtained by subtracting the umask value from the maximum permission, so the default permissions are:

                    file    directory
    root            644     755
    normal user     664     775

In addition, ugo permissions should decrease from left to right: others must never have more permission than the owner. Permissions such as 111, 751 and 654 are unreasonable. A reasonable permission not only satisfies the decreasing-ugo principle; its digits can only be a combination of 0, 5 and 7.

3. ACL permission

1) Meaning and effect: ACL makes up for the shortage of identities in the ugo model. If a user should have permissions on a file different from those given to owner, group and others, an ACL entry must be added. An ACL applies only to the files it was added to; all other files are still governed by ugo.

2) Commands for ACL permissions
☆ view ACL
    [root@localhost ~]# getfacl file_name
☆ set ACL
    [root@localhost ~]# setfacl option file_name
  Options:
    -m   set an ACL entry
    -x   delete the specified ACL entry
    -b   delete all ACL entries
    -d   set the default ACL
    -k   delete the default ACL
    -R   set the ACL recursively
  Examples:
    setfacl -m u:user1:rx aa          % give user1 read and execute permission on file aa
    setfacl -m u:user1:rx -R /perm    % recursively give user1 read and execute permission on the directory perm and the files in it
    setfacl -x u:user1 aa             % delete user1's ACL entry on file aa
    setfacl -b aa                     % delete all ACL entries on file aa
    setfacl -m d:user1:rx /perm       % set a default ACL for user1 on the directory perm
Note: a recursive ACL applies to the specified directory and the files already in it; a default ACL applies to files and directories created inside that directory afterwards. After an ACL entry is set on a file or directory, a + is appended to its permission bits, as shown in the figure.
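As an added example that is not part of the original article, the following POSIX shell script works through section I: it decodes an `ls -l` permission string into octal digits (including the s/t markers of the special permissions discussed later) and computes the default permissions of the umask table. The helper names perm_to_octal and default_perm are my own.

```shell
# Added example; helper names are assumptions, not from the article.

# perm_to_octal STRING
# Decode the permission characters of an `ls -l` entry (9 characters, or all
# 10 including the type character) into four octal digits. The s/S and t/T
# markers are folded into the leading special digit (4 SetUID, 2 SetGID, 1 SBIT).
perm_to_octal() {
    s=$1
    [ ${#s} -eq 10 ] && s=${s#?}            # drop the file-type character
    special=0; i=0; result=""
    while [ $i -lt 3 ]; do
        triplet=${s%"${s#???}"}; s=${s#???}  # owner, then group, then others
        r=${triplet%??}
        w=${triplet%?}; w=${w#?}
        x=${triplet#??}
        d=0
        [ "$r" = "r" ] && d=$((d + 4))
        [ "$w" = "w" ] && d=$((d + 2))
        case $x in
            x) d=$((d + 1)) ;;
            s) d=$((d + 1)); special=$((special | (4 >> i))) ;;   # x plus SetUID/SetGID
            S) special=$((special | (4 >> i))) ;;                 # SetUID/SetGID without x
            t) d=$((d + 1)); special=$((special | 1)) ;;          # x plus sticky bit
            T) special=$((special | 1)) ;;                        # sticky bit without x
        esac
        result="$result$d"; i=$((i + 1))
    done
    echo "$special$result"
}

# default_perm MAX UMASK
# Permission of a new file (MAX=666) or directory (MAX=777) under UMASK.
# The article describes this as "subtracting" the umask; the kernel clears the
# umask bits (MAX & ~UMASK). Both agree for 022 and 002, but they differ when a
# umask digit is 7: 666 with umask 027 gives 640, not 641.
default_perm() {
    max=$1; mask=$2; out=""
    while [ -n "$max" ]; do
        m=${max%"${max#?}"}; max=${max#?}       # next digit of MAX
        u=${mask%"${mask#?}"}; mask=${mask#?}   # matching digit of UMASK
        out="$out$(( m & ~u & 7 ))"
    done
    echo "$out"
}

# Reproduce the article's table of default permissions, then decode the
# permission string of a SetUID executable.
for who in "root 022" "user 002"; do
    set -- $who
    printf '%-5s umask %s: file %s, directory %s\n' "$1" "$2" \
        "$(default_perm 666 "$2")" "$(default_perm 777 "$2")"
done
perm_to_octal '-rwsr-xr-x'   # 4755
```

Neither helper touches the file system, so the script runs as any user; feed perm_to_octal the first field of `ls -l` output to check a real file.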
II. User permissions on system commands

The user's permissions on system commands are mainly about sudo. sudo grants some administrator functions to normal users; after authorization, a normal user can execute the commands specified by the administrator. Usage: run the visudo command to open the sudo configuration file. The line

    ALL = (ALL) ALL

in that file has the format: user name, managed host address = (user identity), authorized command.

Example: authorize the normal user user1 to restart the server by adding
    ......
    user1   ALL = /bin/shutdown -r now
    ......
then log on as user1 and run
    [user1@localhost ~]$ sudo shutdown -r now

III. Special permissions on files (SetUID, SetGID and SBIT)

SetUID, SetGID and SBIT are represented by the numbers 4, 2 and 1 respectively, placed in front of the basic permissions, so that a full permission has four digits.

1. SetUID
    ☆ applies to executable files;
    ☆ the executor of the command obtains the identity of the file owner while the program runs;
    ☆ the identity is changed only for the duration of the execution.
Set and cancel SetUID:
    chmod 4755 /bin/cat   or   chmod u+s /bin/cat   % set SetUID
    chmod 755 /bin/cat    or   chmod u-s /bin/cat   % cancel SetUID
Viewing the cat command afterwards (figure SUID) shows that once SetUID is added, the owner's x is displayed as s.

2. SetGID
    ☆ applies to executable files;
    ☆ the executor of the command becomes a member of the program's group while it runs;
    ☆ the identity is changed only for the duration of the execution.
Set and cancel SetGID:
    chmod 2755 file_name   or   chmod g+s file_name   % set SetGID
    chmod 755 file_name    or   chmod g-s file_name   % cancel SetGID

3. SBIT, also called the sticky bit, can only be used on directories. Normal users need w and x permission on the directory. Once the sticky bit is granted, normal users cannot delete files in the directory even though they have write permission; they can only delete their own files. However, the directory permission must be set to 777 when the sticky bit is set, which violates the principle of granting permissions: the security risk of that setting is greater than its benefit.
Set and cancel SBIT:
    chmod 1777 directory_name   or   chmod o+t directory_name   % set SBIT
    chmod 777 directory_name    or   chmod o-t directory_name   % cancel SBIT
Note: it is not recommended to use SetUID, SetGID or SBIT by manually granting special permissions to files or directories. When a server problem occurs it is hard to think of file or directory permissions as the cause, and in addition special permissions pose security risks.

IV. File system attributes (chattr)

Attributes can be set directly on files or directories with chattr:
    # chattr [+-=] [option] file_or_directory_name
    +   add an attribute
    -   remove an attribute
    =   set exactly the given attribute
Options:
    i   a file with attribute i cannot be deleted or renamed, and no data can be added to it or modified in it; in a directory with attribute i the data of existing files can be modified, but files cannot be created or deleted.
    a   a file with attribute a can have data appended, but existing data cannot be deleted or modified; in a directory with attribute a files can be created and modified but not deleted.
    e   the default attribute of most files in Linux; it means the file is stored in extent format on an ext file system and cannot be removed with chattr -e.
View file system attributes:
    [root@localhost]# lsattr option file_or_directory_name   % view the attributes of a file or directory
  Options:
    -a   display all files and directories
    -d   display the attributes of the directory itself

V. SELinux permissions