Linux Learning 8 Rights Management

Source: Internet
Author: User

Chapter 8: Rights Management

8.1 ACL Permissions
8.2 File Special Permissions
8.3 File System Attributes: chattr
8.4 System Command: sudo

8.1 ACL Permissions

8.1.1 Introduction to ACL permissions and enabling ACL
8.1.2 Viewing and setting ACL permissions
8.1.3 Maximum effective permissions (mask) and removing ACL permissions
8.1.4 Default ACL permissions and recursive ACL permissions

8.1.1 Introduction to ACL permissions and enabling ACL

ACL is normally enabled by default.

1. Introduction to ACL permissions
   // ACL manages permissions for identities beyond the three basic ones (owner, group, others).

2. Check whether ACL is enabled on a partition
   [root@localhost ~]# dumpe2fs -h /dev/sda3
   # dumpe2fs queries the detailed file system information of the specified partition
   # -h: show only the information in the superblock, not the details of the block groups

3. Temporarily enable ACL on a partition (lost after a restart)
   [root@localhost ~]# mount -o remount,acl /
   # remount the root partition with the acl mount option

4. Permanently enable ACL on a partition
   [root@localhost ~]# vi /etc/fstab
   UUID=C2CA6F57-B15C-43EA-BCA0-F239083D8BD2  /  ext4  defaults,acl    # add acl to the options field
   [root@localhost ~]# mount -o remount /
   # remount the file system (or reboot) so the change takes effect

8.1.2 Viewing and setting ACL permissions

1. View ACL permissions
   [root@localhost ~]# getfacl -e file_name
   # view the ACL permissions of a file

2. Set ACL permissions
   [root@localhost ~]# setfacl [options] file_name
   Options:
     -m  set (modify) ACL permissions
     -x  remove the specified ACL entry
     -b  remove all ACL entries
     -d  set default ACL permissions
     -k  remove default ACL permissions
     -R  set ACL permissions recursively

3. Set ACL permissions for a user
   [root@localhost ~]# useradd zhangsan
   [root@localhost ~]# useradd lisi
   [root@localhost ~]# useradd st
   [root@localhost ~]# groupadd tgroup
   [root@localhost ~]# mkdir /project
   [root@localhost ~]# chown root:tgroup /project/
   [root@localhost ~]# chmod 770 /project/
   [root@localhost ~]# setfacl -m u:st:rx /project/
   # give user st r-x permissions, using the "u:username:permissions" format

4. Set ACL permissions for a group
   [root@localhost /]# groupadd tgroup2
   [root@localhost /]# setfacl -m g:tgroup2:rwx project/
   # give group tgroup2 ACL permissions, using the "g:groupname:permissions" format

8.1.3 Maximum effective permissions (mask) and removing ACL permissions

1. Maximum effective permissions: mask
   The mask specifies the maximum effective permissions. The permissions granted to a user through an ACL entry are ANDed with the mask; the result is the user's real, effective permissions.
   Modify the maximum effective permissions:
   [root@localhost /]# setfacl -m m:rx file_name
   # set the mask to r-x, using the "m:permissions" format

2. Remove ACL permissions
   [root@localhost /]# setfacl -x u:username file_name
   # remove the ACL entry of the specified user
   [root@localhost /]# setfacl -x g:groupname file_name
   # remove the ACL entry of the specified group
   [root@localhost /]# setfacl -b file_name
   # remove all ACL entries of the file

8.1.4 Default ACL permissions and recursive ACL permissions

1. Recursive ACL permissions
   Recursive means that when ACL permissions are set on a parent directory, all of its existing sub-files and subdirectories receive the same ACL permissions.
   setfacl -m u:username:permissions -R file_name
   // Note: the position of -R is fixed

2. Default ACL permissions
   If default ACL permissions are set on a parent directory, all files newly created in that directory inherit the ACL permissions of the parent.
   setfacl -m d:u:username:permissions file_name
   // d: means default

8.2 File Special Permissions

// Modes such as chmod 7755: the leading 7 has little meaning, because each special permission bit applies to a different kind of object.
// Do not set special permissions casually, and check periodically for special permissions that should not be there.

8.2.1 SetUID
8.2.2 SetGID
8.2.3 Sticky BIT

8.2.1 SetUID

1. Function of SetUID
   - Only executable binary programs can be given SUID permission.
   - The command executor must have x (execute) permission on the program.
   - While executing the program, the executor acquires the identity of the program file's owner (the owner's identity is held for the duration of the program's execution).
   - SetUID is only valid while the program runs; that is, the identity change lasts only for the duration of execution.
   - The passwd command has SetUID, so ordinary users can change their own password:
     [root@localhost ~]# ll /usr/bin/passwd
     -rwsr-xr-x. 1 root root 25980 Feb ... /usr/bin/passwd
   - The cat command does not have SetUID, so ordinary users cannot read the contents of /etc/shadow:
     [root@localhost ~]# ll /bin/cat
     -rwxr-xr-x 1 root root 47976 Jun ... /bin/cat

2. Setting SetUID
   // If the permission is displayed as an uppercase S, the file has no execute permission and running it gives an error; ll shows such a file name in red, indicating that the permission is too high or the file is wrong.
   - 4 represents SUID: chmod 4755 file_name
   - chmod u+s file_name

3. Removing SetUID
   - chmod 755 file_name
   - chmod u-s file_name

4. Dangers of SetUID
   - Write permission on key directories such as "/" and "/usr" must be strictly controlled. //!!!!!!
   - User passwords must strictly follow the three principles of passwords.
   - Keep a list of the files in the system that should have SetUID, and check at scheduled times whether any file outside this list has SetUID set.

8.2.2 SetGID

1. Function of SetGID on files // very similar to SetUID
   - Only executable binary programs can be given SGID permission.
   - The command executor must have x (execute) permission on the program.
   - While executing the program, the executor's group identity is promoted to the group of the program file.
   - SetGID is also only valid while the program runs; that is, the group identity change lasts only for the duration of execution.
     [root@localhost ~]# ll /usr/bin/locate
     -rwx--s--x 1 root slocate 35612 Aug ... /usr/bin/locate
     [root@localhost ~]# ll /var/lib/mlocate/mlocate.db
     -rw-r----- 1 root slocate 1838850 Jan ... /var/lib/mlocate/mlocate.db
   - /usr/bin/locate is an executable binary program, so it can be given SGID.
   - The executing user lamp has execute permission on /usr/bin/locate.
   - When /usr/bin/locate runs, the group identity is promoted to the slocate group, and the slocate group has r permission on /var/lib/mlocate/mlocate.db, so ordinary users can use the locate command to query the mlocate.db database.
   - When the command ends, the group identity of user lamp returns to the lamp group.

2. Function of SetGID on directories // rarely used
   - An ordinary user must have r and x permission on the directory to enter it.
   - Inside the directory, the ordinary user's effective group becomes the directory's group.
   - If the ordinary user also has w permission on the directory, files newly created in it get the directory's group as their group by default.
     [root@localhost ~]# cd /tmp/
     [root@localhost tmp]# mkdir dtest
     [root@localhost tmp]# chmod g+s dtest
     [root@localhost tmp]# ll -d dtest/
     [root@localhost tmp]# chmod 777 dtest/
     [root@localhost tmp]# su - lamp
     [lamp@localhost ~]$ cd /tmp/dtest/
     [lamp@localhost dtest]$ touch abc
     [lamp@localhost dtest]$ ll

3. Setting SetGID
   - 2 represents SGID: chmod 2755 file_name
   - chmod g+s file_name

4. Removing SetGID
   - chmod 755 file_name
   - chmod g-s file_name

8.2.3 Sticky BIT

1. Function of the sticky bit (SBIT)
   - Currently the sticky bit is only effective on directories.
   - Ordinary users have w and x permission on the directory, that is, they can write in it.
   - Without the sticky bit, an ordinary user with w permission can delete every file in the directory, including files created by other users. With the sticky bit, only root can delete all files; an ordinary user, even with w permission, can only delete their own files and cannot delete files created by other users.
     [root@localhost ~]# ll -d /tmp/
     drwxrwxrwt. 3 root root 4096 Dec ... /tmp/

2. Setting and removing the sticky bit
   - Set the sticky bit:
     chmod 1755 directory_name
     chmod o+t directory_name    // o: others, t: sticky bit
   - Remove the sticky bit:
     chmod 777 directory_name
     chmod o-t directory_name

8.3 File System Attributes: chattr

1. Format of the chattr command
   // The attributes also bind root, but since the superuser can change them back, they only prevent mistakes rather than impose a hard limit.
   [root@localhost ~]# chattr [+-=] [options] file_or_directory_name
   +: add an attribute
   -: remove an attribute
   =: set exactly the given attributes
   - i: if the i attribute is set on a file, the file cannot be deleted or renamed, and data cannot be added to it or modified; if the i attribute is set on a directory, the data of files inside the directory can still be modified, but files cannot be created or deleted.
   - a: if the a attribute is set on a file, data can only be appended to the file and cannot be deleted or modified (append with the echo >> method); if the a attribute is set on a directory, files can only be created and modified inside it, not deleted.

2. View file system attributes
   [root@localhost ~]# lsattr [options] file_name
   Options:
     -a  show all files and directories
     -d  if the target is a directory, list only the attributes of the directory itself, not of its sub-files

8.4 System Command: sudo

1. sudo permissions
   - root grants ordinary users a command that can normally only be executed by the superuser.
   - What sudo grants is a system command.

2. Using sudo
   [root@localhost ~]# visudo
   # this actually edits the /etc/sudoers file
   root    ALL=(ALL)       ALL
   # username   address of the managed host=(identity to run as)   authorized command (absolute path)   // look up the path with whereis
   #%wheel  ALL=(ALL)       ALL
   # %groupname   address of the managed host=(identity to run as)   authorized command (absolute path)

3. Authorize user sc to restart the server
   [root@localhost ~]# visudo
   sc      ALL=            /sbin/shutdown -r now

4. An ordinary user executes the command granted via sudo
   [root@localhost ~]# su - sc
   [sc@localhost ~]$ sudo -l
   # view the sudo commands available to this user
   [sc@localhost ~]$ sudo /sbin/shutdown -r now
   # the ordinary user executes the command granted via sudo
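The mask rule in 8.1.3 (entry permissions ANDed with the mask) is easy to misread in getfacl output. The script below is an added example, not part of the original tutorial: it recomputes the effective permissions the way getfacl -e reports them, on a constructed listing that mirrors the /project directory from 8.1.2 after "setfacl -m m:rx". The listing and the function names has_bit, effective_perms and effective_acl are constructed for this illustration.

```shell
#!/bin/sh
# Added example: recompute the effective ACL permissions that getfacl -e reports.
# The mask (setfacl -m m:...) caps named users, named groups and the owning group;
# the owner (user::) and "other" are not subject to it.

# has_bit PERMS BIT: succeed if the permission string PERMS contains BIT (r, w or x).
has_bit() {
    case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# effective_perms ENTRY MASK: AND of an ACL entry's permissions and the mask,
# printed in the fixed r/w/x layout, e.g. effective_perms rwx r-x prints r-x.
effective_perms() {
    _out=""
    for _bit in r w x; do
        if has_bit "$1" "$_bit" && has_bit "$2" "$_bit"; then
            _out="$_out$_bit"
        else
            _out="$_out-"
        fi
    done
    printf '%s\n' "$_out"
}

# effective_acl: read a getfacl listing on stdin and annotate every masked entry
# whose real permissions differ from the ones written in the entry.
effective_acl() {
    _acl=$(cat)
    _mask=$(printf '%s\n' "$_acl" | sed -n 's/^mask::\(.*\)$/\1/p')
    if [ -z "$_mask" ]; then printf '%s\n' "$_acl"; return 0; fi   # no mask: nothing is capped
    printf '%s\n' "$_acl" | while IFS= read -r _line; do
        case "$_line" in
            user::*|other::*|mask::*|'#'*|'')
                printf '%s\n' "$_line" ;;                 # owner, other, mask, comments: unmasked
            user:*|group:*)
                _perms=${_line##*:}
                _eff=$(effective_perms "$_perms" "$_mask")
                if [ "$_eff" = "$_perms" ]; then
                    printf '%s\n' "$_line"
                else
                    printf '%s\t#effective:%s\n' "$_line" "$_eff"
                fi ;;
            *)  printf '%s\n' "$_line" ;;                 # default:* entries and anything else pass through
        esac
    done
}

# Constructed getfacl output for /project from 8.1.2 after "setfacl -m m:rx";
# not captured from a real system.
SAMPLE_ACL='# file: project/
# owner: root
# group: tgroup
user::rwx
user:st:r-x
group::rwx
group:tgroup2:rwx
mask::r-x
other::---'

printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

On this listing the owning group and tgroup2 both drop from rwx to r-x while user st keeps r-x, which is exactly what ls -l hides: once a file has named entries, the group bits shown by ls -l are the mask, not the owning group's permissions, so chmod g-w on such a file narrows every masked entry. setfacl -m recalculates the mask automatically unless -n is given, which is why an explicit m:rx is needed to cap permissions deliberately.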
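Section 8.2.1 recommends keeping a list of the files that are supposed to carry SetUID and checking at scheduled times for any file outside that list. The script below is an added example, not from the original tutorial, of such a check: audit_special_bits walks a tree with find and flags SUID and SGID files missing from an allowlist, and demo builds a constructed fixture tree under mktemp instead of scanning the real system. The function names, the fixture file names and the one-line allowlist are invented for the demonstration.

```shell
#!/bin/sh
# Added example: scheduled check for SUID/SGID files that are not on an allowlist,
# as recommended in 8.2.1.  Function and file names are constructed for this demo.

# audit_special_bits ROOT ALLOWLIST: print every regular file under ROOT that carries
# the SUID (4000) or SGID (2000) bit and whose path (relative to ROOT) is not listed,
# one per line, in the form "UNEXPECTED <mode> <path>".
audit_special_bits() {
    _root=$1 _allow=$2
    # -type f: files only; SGID on a directory is the group-inheritance feature from 8.2.2,
    # not a privileged program, so it is not part of this check.
    find "$_root" -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
    while IFS= read -r _f; do
        _rel=${_f#"$_root"}
        if ! grep -qxF -- "$_rel" "$_allow"; then
            _mode=$(ls -ld -- "$_f" | cut -d' ' -f1)
            printf 'UNEXPECTED %s %s\n' "$_mode" "$_rel"
        fi
    done
}

# demo: build a constructed fixture tree under mktemp (not the real file system):
# an expected SUID "passwd", a plain "ls", and two stray files with SUID and SGID set.
demo() {
    _tree=$(mktemp -d) || return 1
    _list=$(mktemp) || return 1
    mkdir -p "$_tree/usr/bin" "$_tree/tmp"
    : > "$_tree/usr/bin/passwd";  chmod 4755 "$_tree/usr/bin/passwd"   # on the allowlist
    : > "$_tree/usr/bin/ls";      chmod 755  "$_tree/usr/bin/ls"       # no special bits
    : > "$_tree/tmp/stray_suid";  chmod 4755 "$_tree/tmp/stray_suid"   # unexpected SUID
    : > "$_tree/tmp/stray_sgid";  chmod 2755 "$_tree/tmp/stray_sgid"   # unexpected SGID
    printf '%s\n' /usr/bin/passwd > "$_list"                            # constructed baseline
    audit_special_bits "$_tree" "$_list"
    rm -rf "$_tree" "$_list"
}

# unexpected_count: number of findings from the demo fixture (the fixture yields 2).
unexpected_count() {
    demo | grep -c '^UNEXPECTED' || true
}

demo
```

Against a real host, point audit_special_bits at / with an allowlist recorded from a known-good install of the same distribution (for example the output of find / -xdev -type f -perm /6000 on a freshly installed system), and run it from cron so that a new SUID file is noticed instead of discovered later.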
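Section 8.4 stresses that the authorized command in a sudoers rule must be an absolute path (looked up with whereis) and that /etc/sudoers is edited through visudo. As an added example that is not part of the original tutorial, the script below lints a sudoers fragment for that rule before it is handed to visudo -cf for the real syntax check. The fragment, the deliberately wrong lamp line and the function names check_sudoers_line and check_sudoers_text are constructed for this illustration; the linter handles the single-command form shown in the text and not tag prefixes or comma-separated command lists.

```shell
#!/bin/sh
# Added example: lint a sudoers fragment for the rule from 8.4 that the authorized
# command must be an absolute path, before handing it to visudo -cf.
# The sample fragment and function names are constructed for this illustration.

# check_sudoers_line LINE: succeed unless LINE is a user specification whose command
# field is neither an absolute path nor the keyword ALL.
check_sudoers_line() {
    _line=$1
    case "$_line" in
        '#'*|''|Defaults*|*_Alias*) return 0 ;;   # comments, blanks, Defaults and alias lines are not user specs
    esac
    _rhs=${_line#*=}                              # text after "host=": "(runas) command [args]"
    _rhs=$(printf '%s' "$_rhs" | sed 's/^[[:space:]]*([^)]*)//; s/^[[:space:]]*//')   # drop optional "(runas)"
    _cmd=${_rhs%% *}                              # first word is the command
    case "$_cmd" in ALL|/*) return 0 ;; *) return 1 ;; esac
}

# check_sudoers_text: read a fragment on stdin, print each offending line,
# return the number of offending lines (0 means clean).
check_sudoers_text() {
    _bad=0
    while IFS= read -r _l; do
        check_sudoers_line "$_l" || {
            printf 'command is not an absolute path: %s\n' "$_l"
            _bad=$((_bad + 1))
        }
    done
    return "$_bad"
}

# Constructed fragment: the rules from 8.4 plus one deliberately wrong line for user lamp.
SAMPLE_SUDOERS='root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
sc      ALL=            /sbin/shutdown -r now
lamp    ALL=            shutdown -r now'

# Lint first; a clean fragment is then syntax-checked with "visudo -cf FILE" and installed
# as /etc/sudoers.d/<name> with mode 0440 (both steps need root and are not run here).
printf '%s\n' "$SAMPLE_SUDOERS" | check_sudoers_text ||
    echo "fragment rejected: fix the lines above before running visudo -cf"
```

visudo -cf FILE checks a file without installing it, and a rule that passes can be placed in /etc/sudoers.d/ with mode 0440 (install -m 0440 fragment /etc/sudoers.d/sc) so that /etc/sudoers itself stays untouched; sudo -l as the target user then confirms what was granted.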
