Linux Learning Notes: User Rights Management

Source: Internet
Author: User
Tags readable

During the Qingming Festival holiday last week we were still hard at study. Today we learned user rights management. As the name implies, this covers the rights a user has when using the operating system, and the commands an administrator uses to grant users the appropriate permissions. Permissions are divided into normal permissions, special permissions, and special attributes of files.

The following is a record of what we have learned in this lecture:

Normal permissions:

Process security context:

1. Determine whether the owner of the process is the owner of the file to be operated on; if so, authorize according to the owner's permissions;

If not, go to step 2;

2. Determine whether the owner of the process is a member of the file's group; if so, authorize according to the group's permissions; if not, go to step 3;

3. Authorize according to the permissions of other users;


The composition of the permissions:

MODE (permission): the right to use the file

r: readable

w: writable

x: executable


Directory:

r: You can use the ls command to get a list of all the file names in the directory; but you cannot use ls -l to get detailed attribute information about the files in it, cannot enter it with the cd command, and cannot refer to the directory as part of a path;

w: You can modify the file names or the file list in this directory, that is, create, rename, or delete files in it;

x: You can use ls -l to get detailed attribute information about the files in the directory, refer to the directory in a path, and enter it with the cd command;

x is the basic permission of a directory: any directory must have x open to a user, otherwise that user will not be able to do anything in it.


File:

r: You can view or obtain the data stored in the file;

w: You can modify the data stored in the file;

x: The file can be launched to run as a process;


ls -l <--> ll

rw-r--r--: three permission triples: owner, group, other users

Owner permissions: rw-

Group permissions: r--

Other users' permissions: r--


Permission triples and their octal values:

---  000  0

--x  001  1

-w-  010  2

-wx  011  3

r--  100  4

r-x  101  5

rw-  110  6

rwx  111  7


Note: Only the owner of a file can change the file's permissions (root excepted);

To change the permissions of a file:

chmod: change file mode bits


chmod [OPTION]... MODE[,MODE]... FILE...

MODE: symbolic permission notation

u, g, o, a represent the ownership class;


+,-,= represents the authorization method:

+: Add new permissions on the basis of the original permissions;

-: Remove certain privileges on the basis of the original privileges;

=: Do not consider the existing permissions; set the permissions directly to the target permissions;


r, w, x express the specific permission content;


Note: The execute permission on a file is a very important security marker in the Linux file system: once a file has execute permission, it can be launched to run as a process. For this reason, by default, files do not get execute permission.


chmod [OPTION]... OCTAL-MODE FILE...

When the octal notation is used, the full set of permission bits must be given every time;

If the given permission bits are incomplete, they are padded automatically: the given digits are placed on the right and the left is filled with zeros;


chmod 640 FILE


chmod [OPTION]... --reference=RFILE FILE...

chmod --reference=/path/to/somefile DEST_FILE


chmod --reference=a b

Options:

-R, --recursive: Set all files and subdirectories under the target directory uniformly to the specified permissions;


OWNERSHIP: Ownership

Owner: the specific user who controls the resource; owner, u

Group: the specific group of users who control the resource; group, g

Other users: those who do not control the resource; other, o


All users: all, a


chown: change the owner and group of files;


chown [OPTION]...


install: install files, that is, copy files and assign execute permission to the copies


Multi-source copy:

install [OPTION]... SOURCE... DIRECTORY

install [OPTION]... -t DIRECTORY SOURCE...


To create a directory:

install [OPTION]... -d DIRECTORY...

Common options:

-m, --mode=MODE: Specify the permissions of the target file or directory; the default is 755

-o, --owner=OWNER: Set the owner of the target file; root only;

-g, --group=GROUP: Set the group of the target file; root only.


Note: The install command cannot copy directories, that is, its source cannot be a directory; if a source is a directory, install walks through it and copies all of its non-directory files to the destination.


mktemp command:

In general, temporary files are created in the /tmp or /var/tmp directories; the files in these two directories are purged automatically on a schedule and do not have to be deleted by hand.


Options:

-d, --directory: create a temporary directory;


Example: mktemp [-d] /path/to/tmp.XXXXXXXXX


Special permissions:

SUID, SGID, STICKY


By default, a process launched by a user is owned by that user, that is, the process runs with the identity of its initiator.


SUID:

Function: When a user launches a program whose file has the SUID permission, the resulting process runs as the owner of the program file, not as its initiator;

Where the SUID permission is displayed: in the execute-permission bit of the file's owner triple; shown as s if the owner also has execute permission, otherwise as S;


To manage the SUID permission of a file:

chmod u+|-s FILE ...


SGID:

If a directory is writable by some users and has the SGID permission set, then whenever one of those users creates a new file or directory inside it, the group of the new file is no longer the creating user's primary group, but is inherited from the directory;


Where the SGID permission is displayed: in the execute-permission bit of the file's group triple; shown as s if the group also has execute permission, otherwise as S;


Sticky: the sticky bit

If several users have write permission on a directory, each of them can create, modify, and delete file names in that directory;


Function of sticky:

If the sticky permission is set on such a directory, each user can still create and modify file names, but can delete only the files that belong to them.


Where the sticky permission is displayed: in the execute-permission bit of the other-users triple in the file's permissions; shown as t if execute permission is present, otherwise as T;


To manage the sticky permission of a file:

chmod o+|-t FILE ...


SUID SGID Sticky, and their octal values:

---  000  0

--t  001  1

-s-  010  2

-st  011  3

s--  100  4

s-t  101  5

ss-  110  6

sst  111  7
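Added example (not from the original notes): a POSIX sh function that turns an ls -l mode string into the four octal digits chmod accepts, special bits first, following the normal-permission triples table earlier and the SUID/SGID/sticky table just above. It also shows how an upper-case S or T encodes a special bit whose triple lacks the underlying x.

```shell
#!/bin/sh
# Convert an ls -l style mode string to the 4-digit octal form chmod expects:
# special bits (SUID=4, SGID=2, sticky=1) first, then owner, group and other
# triples. Accepts either the 10-character form ("-rwsr-xr-x", "drwxrwxrwt")
# or the bare 9-character form ("rw-r--r--"). Pure POSIX sh, no filesystem access.
mode_to_octal() {
    m=$1
    # Drop the leading file-type character (-, d, l, ...) of a 10-char string.
    [ ${#m} -eq 10 ] && m=${m#?}
    [ ${#m} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }

    special=0 octal="" i=0
    while [ $i -lt 3 ]; do
        triple=${m%"${m#???}"}   # first three characters of what is left
        m=${m#???}               # ...and the remainder
        val=0
        case $triple in r??) val=$((val + 4));; esac
        case $triple in ?w?) val=$((val + 2));; esac
        # The third position carries execute plus one special bit:
        #   s/S in the owner triple = SUID, in the group triple = SGID,
        #   t/T in the other triple = sticky; lower case means x is also set,
        #   upper case means the special bit is set but x is not.
        case $triple in
            ??x)    val=$((val + 1));;
            ??[sS]) [ $i -eq 0 ] && special=$((special + 4))
                    [ $i -eq 1 ] && special=$((special + 2))
                    case $triple in ??s) val=$((val + 1));; esac;;
            ??[tT]) [ $i -eq 2 ] && special=$((special + 1))
                    case $triple in ??t) val=$((val + 1));; esac;;
        esac
        octal="$octal$val"
        i=$((i + 1))
    done
    echo "$special$octal"
}

# A few rows of the two tables above, plus the classic SUID binary layout.
for s in rw-r--r-- rwxr-x--- -rwsr-xr-x -rwSr--r-- drwxrwsr-x drwxrwxrwt; do
    printf '%-12s %s\n' "$s" "$(mode_to_octal "$s")"
done
```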


Another way to set special permissions:

Place the octal digit for the special permissions in front of the three octal digits of the normal permissions.


For example, to add the sticky bit to a directory:

chmod 1755 DIRECTORY ...
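Added example (not from the notes): an inventory of set-uid and set-gid files below a directory tree, the check an administrator runs once they know that such programs execute with their owner's identity. It assumes GNU find (-perm /MODE) and GNU stat, and builds its own small sample tree under mktemp -d so no system binaries are touched.

```shell
#!/bin/sh
# Inventory set-uid and set-gid files below a directory. Each such program
# runs with its owner's (often root's) identity, so every entry in the
# report should be known and justified. Assumes GNU find and GNU stat.
list_setid() {
    # -perm /6000 matches files with EITHER the SUID (4000) OR the SGID (2000)
    # bit set; -type f skips SGID directories, which only inherit group, not
    # privilege. Output columns: octal mode, owner, path.
    find "$1" -type f -perm /6000 -exec stat -c '%a %U %n' {} + | sort
}

count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: three set-id files and one ordinary program, plus
# an SGID directory that the report must NOT list.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/bin" "$root/shared"
    : > "$root/bin/plain";  chmod 755  "$root/bin/plain"   # ordinary program
    : > "$root/bin/setuid"; chmod 4755 "$root/bin/setuid"  # runs as its owner
    : > "$root/bin/setgid"; chmod 2755 "$root/bin/setgid"  # runs with owner's group
    : > "$root/bin/nox";    chmod 4644 "$root/bin/nox"     # SUID without x: ls shows S
    chmod 2775 "$root/shared"                              # SGID dir: group inheritance only
    echo "$root"
}

main() {
    root=$(build_sample_tree)
    echo "set-id files under $root:"
    list_setid "$root"
    echo "total: $(count_setid "$root")"
    rm -rf "$root"
}
main
```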


umask: the standard by which permissions are generated;


root: 0022

Special permission bits are not considered;

For newly created files or directories, none of the owner's permissions are masked; the write permission of the group and the write permission of other users are masked;


The default permissions of a file are: 666 - umask

The default permissions of a directory are: 777 - umask


Understanding the mask:

The permission mask applied by default when a file or directory is created;

Convert the value of the mask to binary; wherever there is a 1, that permission is not set when the file is created;


umask 0033 = 000 011 011

file:      110 100 100 = 644

directory: 111 100 100 = 744


By default a file's mask already contains 0111 (no execute permission); on that basis umask is applied again to mask further permissions.
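Added example (not from the notes): read back the modes a new file and a new directory actually receive under a umask, and compare them with the 666-umask / 777-umask rule computed the way the kernel does it, as a bit mask. Assumes GNU coreutils (stat -c, mktemp -d) on Linux.

```shell
#!/bin/sh
# Effective mode of a new file and a new directory under a given umask, read
# back from the filesystem, beside what the 666-umask / 777-umask rule gives.
modes_under_umask() {
    mask=$1
    work=$(mktemp -d) || return 1
    (
        umask "$mask"
        : > "$work/file"      # a plain file is requested with mode 0666
        mkdir "$work/dir"     # a directory is requested with mode 0777
    )
    result="$(stat -c %a "$work/file") $(stat -c %a "$work/dir")"
    rm -rf "$work"
    echo "$result"
}

# What really happens: every 1 bit in the mask is cleared from the requested
# mode (mode & ~umask). Digit-wise subtraction is only a shortcut and breaks
# when a digit would go negative: 666 - 033 reads "633", but the true result
# for a file under umask 0033 is 644, exactly as the worked table shows.
predicted_modes() {
    mask=$(( 0$1 ))   # leading 0 forces octal whether "033" or "0033" is given
    printf '%o %o\n' $(( 0666 & ~mask )) $(( 0777 & ~mask ))
}

main() {
    for m in 0022 0033 0077; do
        printf 'umask %s: actual %-8s predicted %s\n' "$m" \
            "$(modes_under_umask "$m")" "$(predicted_modes "$m")"
    done
}
main
```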


Special properties of the file:

To view the special attributes of a file:

lsattr - list file attributes on a Linux second extended file system

lsattr [-RVadv] [files...]


To set or modify the special attributes of a file:

chattr: change file attributes on a Linux file system

chattr [-RVf] [-v version] [mode] files...

mode: set with +, -, =;

The most critical and core part of the whole chattr command is the [mode] section;

[aAcCdDeijsStTu] are the attributes that can be set;


+: On the basis of the original property setting, add the new attribute;

-: Removes the specified attribute from the original property setting;

=: Regardless of the original property settings, the file's properties are updated directly to the specified attribute content;


a: append; once this attribute is set, the file's contents cannot be changed or deleted, data can only be appended to the file; most server log files are given this attribute;

A: atime; the access timestamp of the file is an I/O bottleneck; with the A attribute set, accessing the file does not update its access timestamp, which effectively avoids this I/O bottleneck.

c: Sets whether the file is automatically compressed when stored;

C: Sets whether the file uses copy-on-write.

d: The file is not a candidate for backup when backing up with dump.

D: Sets the synchronisation mode of the file's write operations in the file system.

i: The file cannot be deleted, modified, or linked to.

s: Secure deletion; once a file with the s attribute is deleted, the space it used on the storage device is reclaimed (wiped).

u: The opposite of the s attribute; if such a file is deleted, the data stored on the storage device is retained;


Most commonly used attributes: i and a


chattr +i FILE


Common options:

-R: Recursively set the attributes of all files and subdirectories under the specified directory;


Assigning additional permissions to files: FACL, file access control list


An additional permission-granting mechanism for files:

Beyond the original u, g, o permission bits, it allows an ordinary user who controls a file to grant additional users and groups permissions on it;


It matured around the CentOS / RHEL 7 releases.


Commands related to FACL:

getfacl - get file access control lists

getfacl [-aceEsRLPtpndvh] file ...

user:USERNAME:MODE

group:GROUPNAME:MODE

other::MODE


setfacl - set file access control lists

setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...


acl_spec: acl specification, the access control list to set

u:USERNAME:MODE

g:GROUPNAME:MODE

MODE: generally given in symbolic permission notation;


To give a user additional permissions:

setfacl -m u:USERNAME:MODE FILE ...


To give a group additional permissions:

setfacl -m g:GROUPNAME:MODE FILE ...


To revoke the additional permissions given to a user:

setfacl -x u:USERNAME FILE ...


To revoke the additional permissions given to a group:

setfacl -x g:GROUPNAME FILE ...


Note: If you change the permissions of the target file (chmod) after setting the FACL, the FACL entries may be affected and no longer meet the requirements; so if you really need to set a FACL, set the file's permissions first and the FACL afterwards;
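Added example (not from the notes) of the caveat in the note above: grant a user an ACL entry, then chmod the file and watch the ACL mask shrink, capping the named entry's effective rights. Assumes the acl package (setfacl/getfacl) and an ACL-capable filesystem under $TMPDIR; the extra user is uid 65534 given numerically so no particular account name is needed, and the function reports skip where ACLs are unavailable.

```shell
#!/bin/sh
# Show why the note says "chmod first, setfacl afterwards": once a named ACL
# entry exists, chmod's group bits no longer set the group entry, they set
# the ACL mask, and the mask caps every named user/group entry.
acl_mask_after_chmod() {
    command -v setfacl >/dev/null 2>&1 || { echo skip; return 0; }
    work=$(mktemp -d) || return 1
    f=$work/shared.conf
    : > "$f"
    chmod 660 "$f"
    # Step 1: grant uid 65534 (numeric, so no account name is assumed) rw-.
    if ! setfacl -m u:65534:rw- "$f" 2>/dev/null; then
        rm -rf "$work"; echo skip; return 0   # filesystem without ACL support
    fi
    before=$(getfacl -c "$f" | sed -n 's/^mask::\(...\)$/\1/p')
    # Step 2: tighten the file "the usual way". The group digit 4 (r--) is
    # now written into the mask entry, not into group::.
    chmod 640 "$f"
    after=$(getfacl -c "$f" | sed -n 's/^mask::\(...\)$/\1/p')
    # The named entry itself is untouched; getfacl marks it "#effective:r--".
    named=$(getfacl -c "$f" | sed -n 's/^user:[^:][^:]*:\(...\).*/\1/p')
    rm -rf "$work"
    # Expected: mask rw- before, r-- after, named entry still rw- on paper.
    echo "$before $after $named"
}

main() {
    set -- $(acl_mask_after_chmod)
    if [ "$1" = skip ]; then
        echo "ACLs not available here"
    else
        echo "mask before chmod: $1, after chmod 640: $2, named entry still: $3"
    fi
}
main
```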

