Linux operation and Maintenance management UNIT6

File permissions:
ls -ld /mnt/
drwxr-xr-x. 2 root root 6 Mar 2014 /mnt/

d | rwxr-xr-x. | 2 | root | root | 6 | Mar 2014 | /mnt/
1   2            3   4      5      6   7          8

1: File type, cannot be modified
   -: regular file
   d: directory
   l: symbolic link (link)
   b: block device file (a device read in blocks, such as a disk)
   c: character device file (a device read one character at a time, such as a keyboard or mouse)
   s: socket
   p: named pipe (FIFO)
2: File permissions, can be modified
3: Number of subdirectories (the entry's link count)
4: File owner, can be modified
5: File group, can be modified
6: File size; it reflects the actual content and cannot be modified directly
7: Last modification time of the file
8: File name, can be modified

Q: After executing rm -fr /mnt/*, look at the properties of the /mnt/ directory: why is the number of sub-entries still 2?
A: ls -a /mnt/ shows two hidden entries in /mnt/: . and ..

.  represents the current directory
.. represents the parent directory of the current directory


chown username file|dir          ## change the owner of a file or directory ##
chown username:groupname file|dir ## change the owner and the group of a file or directory ##
chown -R username dir            ## change the owner of the directory itself and everything inside it (recursive) ##
chgrp -R groupname dir           ## change the group of the directory itself and everything inside it (recursive) ##



Permissions for a file or directory:
r (4):
   For a file: can read the contents of the file
   For a directory: can list the names of the files and subdirectories in the directory
w (2):
   For a file: can write to the contents of the file
   For a directory: can create or delete files and subdirectories in the directory
x (1):
   For a file: the system is allowed to run the file as a program
   For a directory: can enter (cd into) the directory

Modifying permissions (-R = recursive):
chgrp: change the group to which the file belongs
chown: change the owner of the file
chmod: change the permissions of the file

If you change the permission of the /mnt/westos/ directory to 000, the root user can still enter /mnt/westos. If you then change the owner of /mnt/westos to student and try to enter /mnt/westos as the user student, it fails. The user student cannot enter because the directory grants no access at all to its owner; the root user can enter because root is the system administrator and overrides the permission bits.

From the point of view of usability, the more permissions the system opens up, the more useful it is; from the point of view of security, the fewer permissions it opens up, the safer it is. So the system removes some permissions when it creates a new file or directory.
System default reserved permissions: umask=022
The default permission for a file is 644 (the kernel considers a newly created file with execute permission abnormal, so the execute bits are stripped from new files)
The default permission for a directory is 755

Settings for the system default permissions:
Temporary setting:
umask      ## view the system reserved permissions ##
umask 077  ## change the system reserved permissions to 077 ##
Permanent setting:
vim /etc/bashrc  ## configuration file for the shell program ##
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002    ## umask for ordinary users ##
else
    umask 022    ## umask for the superuser ##
fi
vim /etc/profile  ## configuration file for system programs ##
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002    ## umask for ordinary users ##
else
    umask 022    ## umask for the superuser ##
fi
source /etc/bashrc   ## make the configuration file /etc/bashrc take effect ##
source /etc/profile  ## make the configuration file /etc/profile take effect ##
Note: when setting permanently, the umask in the two configuration files must be the same
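The default modes quoted above (644 for files, 755 for directories under umask 022) come from masking the umask out of a base of 666 for files and 777 for directories. The following shell script is an added example, not part of the original post: it computes the resulting mode for any umask and then creates a file and a directory under that umask in a scratch directory so the listing can be compared with the computed value.

```shell
#!/bin/sh
# Added example: compute the default mode a new file or directory receives
# under a given umask, then confirm it against objects actually created
# under that umask. Not code from the original post.

# default_mode BASE UMASK -> the mode a new object receives.
# BASE is 666 for a regular file (the kernel never grants x on creation)
# and 777 for a directory; both arguments are octal strings as umask prints them.
default_mode() {
    printf '%03o\n' "$(( 0$1 & ~0$2 ))"
}

file_default() { default_mode 666 "$1"; }   # 022 -> 644, 077 -> 600
dir_default()  { default_mode 777 "$1"; }   # 022 -> 755, 077 -> 700

# show_umask_effect UMASK: create a file and a directory in a scratch
# directory under that umask and list them next to the computed values.
# The umask is changed inside a subshell so the caller's umask is untouched.
show_umask_effect() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        touch "$tmp/file"
        mkdir "$tmp/dir"
        echo "umask $1: expect file $(file_default "$1"), dir $(dir_default "$1")"
        ls -ld "$tmp/file" "$tmp/dir"
    )
    rm -rf "$tmp"
}

show_umask_effect 022
show_umask_effect 077
```

Running it with 022 prints a file listed as -rw-r--r-- and a directory as drwxr-xr-x, matching 644 and 755; with 077 the group and other triplets disappear entirely, which is the setting to use on a multi-user host where new files must not be readable by others by default.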


Suppose there is a directory /pub with full permissions: any user can delete any file in this directory at will. For file safety this is unreasonable.
t permission (sticky: sticky bit): only for directories; it makes users able to delete only the files or directories in that directory that belong to themselves
How to add the permission: chmod o+t /directory
(t=1) chmod 1777 /directory
Note that a directory with the t permission is listed as "drwxrwxrwt": the directory keeps full permissions, because every user must be able to create their own files in it, and the t bit ensures that each user can only delete their own files. So a directory with the t permission is still a full-permission directory.


If the owner of a binary executable is changed to student, the process still runs as root when root runs the command; but after the s permission is added to the binary executable, the process runs as student even when root executes the command.
s permission (suid: set-user-ID bit): for binary executables only; the owner of the process generated by the program recorded in the file is the file's owner, regardless of who starts the process
How to add the s permission: chmod u+s file
(suid=4) chmod 4xxx file
Application: let every user in the system create files in any location
The touch command creates files ----> the binary file of the touch command is /bin/touch (run which touch to find out where the touch binary executable is) ----> run chmod u+s /bin/touch. Once the s permission is added to the touch binary executable, any user who runs the touch command executes it as root.


s permission (sgid: set-group-ID bit):
On a file: only for binary executables; the group of the process generated by the program in the file is the file's group, regardless of the group of the user who starts the process
On a directory: when a directory has the sgid permission, files or directories created in it by users of any group belong to the group of that directory
How to add sgid: chmod g+s file|/directory
(sgid=2) chmod 2xxx file|/directory
Personally I feel sgid is a rather aggressive permission: whoever dares to create directories or files in this directory, in the end they all belong to me!
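The special bits described above (t, suid, sgid) all show up in the execute slot of the mode string that ls -l prints, which the permission breakdown at the top of the page explains. The following shell script is an added example, not code from the original post: it decodes that 10-character field back into the 4-digit octal form chmod accepts, flags the sticky bit, and round-trips a real scratch directory through chmod 1777 and ls -ld.

```shell
#!/bin/sh
# Added example: decode the 10-character mode field printed by ls -l into
# the 4-digit octal form chmod accepts, including the special bits
# (suid = 4, sgid = 2, sticky = 1). Not code from the original post.

# mode_to_octal MODESTRING, e.g. "drwxrwxrwt" -> 1777, "-rwsr-xr-x" -> 4755.
# Character 1 is the file type and is skipped; characters 2-10 are the
# user, group and other triplets. An 's' or 't' in the execute slot means
# the special bit is set together with x; 'S' or 'T' means it is set
# without x, which is worth noticing when auditing a listing.
mode_to_octal() {
    m=$1
    special=0
    digits=""
    pos=2
    while [ "$pos" -le 10 ]; do
        r=$(printf '%s' "$m" | cut -c"$pos")
        w=$(printf '%s' "$m" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$m" | cut -c"$((pos + 2))")
        v=0
        [ "$r" = "r" ] && v=$((v + 4))
        [ "$w" = "w" ] && v=$((v + 2))
        case "$x" in
            x|s|t) v=$((v + 1)) ;;
        esac
        case "$pos$x" in
            2s|2S) special=$((special + 4)) ;;   # suid lives in the user triplet
            5s|5S) special=$((special + 2)) ;;   # sgid lives in the group triplet
            8t|8T) special=$((special + 1)) ;;   # sticky lives in the other triplet
        esac
        digits="$digits$v"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# has_sticky MODESTRING: succeed when the sticky bit is set, as on a shared
# directory where users may only delete their own files.
has_sticky() {
    case "$(printf '%s' "$1" | cut -c10)" in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

# Round trip against a real directory: chmod 1777 on a scratch directory
# and decode what ls -ld prints for it.
sticky_roundtrip() {
    d=$(mktemp -d) || return 1
    chmod 1777 "$d"
    mode=$(ls -ld "$d" | cut -d' ' -f1)
    rm -rf "$d"
    mode_to_octal "$mode"
}

mode_to_octal "drwxrwxrwt"   # 1777: world-writable shared directory with sticky bit
mode_to_octal "-rwsr-xr-x"   # 4755: setuid binary
mode_to_octal "drwxrwsr-x"   # 2775: setgid project directory
mode_to_octal "-rwSr--r--"   # 4644: suid set but no execute bit for the owner
sticky_roundtrip             # 1777 from a real ls -ld listing
```

The upper-case S/T cases are the ones worth watching in practice: a file listed as -rwSr--r-- has the suid bit set on something that is not even executable by its owner, which usually means a chmod was applied to the wrong target.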

This article is from the "12449513" blog; please keep this source: http://12459513.blog.51cto.com/12449513/1910162
