Linux Privilege control mechanism

Source: Internet
Author: User

Linux is strict about how rights are assigned to users. Because everything in Linux is a file, access control is rooted in giving every file an owner and a group. Seen from a file's point of view there are roughly four roles: the superuser (root), the owner of the file or directory, the members of the file's group, and everyone else. This is the UGO model: u stands for user (the owner), g for group and o for other, and every file's permissions are set in those terms. The permissions come in three triplets (rwx), one each for u, g and o: the file's owner gets the u bits, the file's group gets the g bits, and anyone who is neither the owner nor a member of that group gets the o bits. That sounds abstract, so the rest of the article walks through a concrete scenario, which should make it clear.

If you are new to Linux and have just been told to move a server to Linux (CentOS, for example), the first thing to do is install the operating system. Installing a Linux cloud server is easy nowadays and is not covered here; one thing worth knowing is that right after installation ordinary users may not be allowed to log in over SSH yet, which the provider's documentation explains how to fix. With the system installed, user rights become the big question, because it is a matter of server security: not everyone may log in, and those who can should normally work as ordinary users. A freshly installed system has only the root user, the superuser with power over every user and file, so root must not be allowed to log in over SSH. Restricting root to console logins is simple: in /etc/ssh/sshd_config, uncomment the PermitRootLogin line and change "PermitRootLogin yes" to "PermitRootLogin no", check the file with "sshd -t", and restart sshd ("systemctl restart sshd" on CentOS 7) while keeping your current session open in case something went wrong. From then on root cannot log in over SSH, and the daily administration, including file upload and download, goes through an ordinary user. Now to the topic itself.
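The PermitRootLogin change has one trap that the sentence above does not show: sshd uses the first occurrence of a keyword it finds, so a "PermitRootLogin no" appended at the end of a file that already says "PermitRootLogin yes" higher up changes nothing, and a line placed inside a Match block only applies to the matched connections. The script below, an added example that is not part of the original article, reads a keyword the way sshd resolves it and rewrites it so that exactly one global setting remains. The file path and keyword are passed in; the article's case is /etc/ssh/sshd_config with PermitRootLogin.

```shell
#!/bin/sh
# Added example, not code from the original article: read and change one
# sshd_config keyword the way sshd itself resolves it. Per sshd_config(5),
# keywords are case-insensitive, '#' starts a comment, "Keyword value" and
# "Keyword=value" are both accepted, the FIRST occurrence of a keyword wins,
# and everything after a Match line applies only to the matched connections.
# Assumption: the caller passes the file, e.g. /etc/ssh/sshd_config.
set -eu

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# sshd_effective FILE KEYWORD -> prints the global value sshd will use, or
# "unset" if the file never sets it (then the compiled-in default applies).
sshd_effective() {
    awk -v key="$(lower "$2")" '
        { sub(/#.*/, ""); sub(/=/, " ") }                  # drop comments, allow key=value
        tolower($1) == "match" { exit }                    # global section ends here
        NF >= 2 && tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# sshd_set FILE KEYWORD VALUE: leave exactly one uncommented global line
# "KEYWORD VALUE", placed where the first (possibly commented-out) occurrence
# was, else just before the first Match block, else at the end of the file.
sshd_set() {
    local file=$1 tmp
    tmp=$(mktemp "$1.XXXXXX")
    awk -v key="$(lower "$2")" -v line="$2 $3" '
        in_match { print; next }
        tolower($1) == "match" { if (!done) { print line; done = 1 }; in_match = 1; print; next }
        {
            s = $0; sub(/^[ \t]*#?[ \t]*/, "", s); sub(/=/, " ", s)   # also catch "#PermitRootLogin yes"
            n = split(s, f)
        }
        n >= 1 && tolower(f[1]) == key { if (!done) { print line; done = 1 }; next }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp"
    chmod --reference="$file" "$tmp" 2>/dev/null || chmod 600 "$tmp"
    mv -f "$tmp" "$file"        # atomic replace; run "sshd -t" before restarting sshd
}
```

After sshd_set, "sshd -t" validates the file and only then should sshd be restarted; the function deliberately does neither, so it can be used on a copy first.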

1. Create a user.

Creating an ordinary user is simple: useradd -d /home/user1 -m -s /bin/bash u1 creates user u1 with its own home directory /home/user1 (-m creates the directory) and bash as the login shell; set a password with passwd u1, or install an SSH key, before trying to log in. Giving the account /sbin/nologin as its shell, as in useradd -d /home/user1 -m -s /sbin/nologin u1, does not block telnet while keeping SSH open: /sbin/nologin refuses every interactive login, SSH included, and is meant for service accounts that must never get a shell. Creating a user also creates a group of the same name by default, so u1 belongs to a private group called u1. Create u2 the same way.

2. Create a shared directory ceshi and set its owner.

Switch to root, create the directory with mkdir ceshi and create the file ceshi.txt inside it. If you now switch to u1 or u2, you will find that on a directory created by root an ordinary user only has read (and enter) permission, for ceshi and for the files in it. How can both users get read and write access? There are two ways. The first is to change the owner: chown u1 ceshi makes u1 the owner of the directory (chown -R u1 ceshi also changes the files inside it), and after switching to u1 you find that u1 can now read and write it. But a file has exactly one owner, either u1 or u2, never both. To give both users the same permissions we need the second way: granting permissions through a group.

3. Setting up group permissions.

To give the users in one group the same permissions on a file, first create the group. The command is simple: groupadd -g 101 users_1 creates the group users_1 with GID 101. Next, put both u1 and u2 into it: gpasswd -a u1 users_1 and gpasswd -a u2 users_1 (usermod -aG users_1 u1 does the same; keep the -a, because without it usermod replaces the user's supplementary groups instead of adding one). A user who is already logged in only gets the new group after logging out and back in. That alone is not enough, though: so far ceshi belongs to user u1 only. For the other members of users_1 to get the same access to ceshi as u1, the directory's group has to be set to users_1 as well: chgrp users_1 ceshi (or chown u1:users_1 ceshi to set owner and group in one go). Once that is done, the permissions themselves are granted through the UGO model.

4. Granting permissions through the UGO model.

UGO permissions can be written in two notations, symbolic (letters) and numeric (octal). First the three basic permissions in Linux, read, write and execute, and what each means on a file and on a directory:

r  read     on a file: read its contents            on a directory: list the entries in it
w  write    on a file: modify or truncate it        on a directory: create, delete and rename entries in it
x  execute  on a file: run it                       on a directory: enter it with cd and look up names in it


1. Execute permission alone on a directory lets you enter it, or pass through it into a deeper subdirectory.
2. With execute alone, a file inside that is itself readable can still be read, but only if you already know its name.
3. With execute alone, you cannot list the directory, and you cannot create or delete anything in it.
4. Execute plus read lets you enter the directory and list its contents.
5. Execute plus write lets you create, delete and rename files in the directory (whether a file can be deleted depends on the directory's permissions, not on the file's own).
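The five rules are easy to check rather than memorise. The script below, an added example that is not part of the original article, applies a mode to a scratch directory and tries the three operations (list, open a file whose name is known, create a new file). It assumes it is run as an ordinary user: root carries CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH and is not subject to these checks, so as root every probe answers yes.

```shell
#!/bin/sh
# Added example, not code from the original article: probe what each
# directory permission really allows by trying the operations on a scratch
# directory. Meaningful only for an unprivileged user; root bypasses
# these checks (CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH).
set -eu

# dir_probe MODE -> "list=yes|no open_known=yes|no create=yes|no"
#   list:       read the directory entries                   (needs r)
#   open_known: open a file inside whose name we already know (needs x only)
#   create:     add a new entry                              (needs w and x)
dir_probe() {
    local mode=$1 d list open_known create
    d=$(mktemp -d)
    echo secret > "$d/known"      # created before locking the directory down
    chmod 644 "$d/known"
    chmod "$mode" "$d"
    if ls "$d" 2>/dev/null | grep -q '^known$'; then list=yes; else list=no; fi
    if cat "$d/known" >/dev/null 2>&1; then open_known=yes; else open_known=no; fi
    if touch "$d/new" 2>/dev/null; then create=yes; else create=no; fi
    chmod 700 "$d"                # restore so the cleanup can work
    rm -rf "$d"
    echo "list=$list open_known=$open_known create=$create"
}

# "sh probe.sh demo" walks the cases from the text, plus 200 to show that
# write without execute is useless on a directory.
if [ "${1:-}" = demo ]; then
    for m in 100 400 500 300 200 700; do
        printf '%s: %s\n' "$m" "$(dir_probe "$m")"
    done
fi
```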

To see the permissions of a file or directory, use ls -l, which prints columns like these:

lrwxrwxrwx 1 osmond osmond         2006-05-19 13:40 Examples -> /usr/share/example-content
drwx------ 2 osmond osmond         2006-07-01 04:14 Mail
-rw-r--r-- 1 osmond osmond 9418746 2006-04-05 09:13 webmin-1.270.tar.gz
-rw-r--r-- 1 osmond osmond   97582 2005-10-25 21:00 zsync_0.4.2-1_i386.deb

From left to right the columns are: the file type and permissions (the first character is the type: - for a regular file, d for a directory, l for a symbolic link), the link count, the owner, the group, the size in bytes, the last modification time (not the creation time), and the name (followed by the target for a symbolic link).

Here we focus on the first column, the permissions. Each triplet can be written either as three characters or as one octal digit (read = 4, write = 2, execute = 1, added together); the correspondence is:

symbolic   binary   octal
---        000      0
--x        001      1
-w-        010      2
-wx        011      3
r--        100      4
r-x        101      5
rw-        110      6
rwx        111      7

With those basics in hand, what remains is to grant the permissions with chmod, using either the characters or the numbers. In the example above, u1 and u2 should have the same rights to ceshi; the directory already belongs to group users_1 and u1 is its owner, so the last step is to give the owner and the group read and write permission: chmod ug+rw ceshi (on a directory, do not remove x, because the group needs it to enter). After switching to u2 you find that u2 can also read and write in ceshi. If we later create a user u3 who should have the same access as u1, all we have to do is add u3 to users_1, which is very convenient. Two things to keep in mind with a shared directory: chmod on the directory does not change the files already inside it (use chmod -R, or set their mode separately), and a file that u2 creates in the directory gets u2's private group by default, so u1 cannot write it unless the directory carries the setgid bit (chmod g+s ceshi), which makes new files inherit the group users_1, and u2's umask leaves the group write bit set (umask 002, the CentOS default for ordinary users).
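Steps 1 to 4 put together as one root script, as an added example that is not part of the original article. The names are the article's (users u1 and u2, group users_1 with GID 101, directory ceshi); the path /srv/ceshi, bash as the login shell and the setgid bit on the directory are choices of this example. It is idempotent, so it can be rerun after adding a user, and it runs the privileged steps only when invoked with the argument "apply".

```shell
#!/bin/sh
# Added example, not code from the original article: the article's steps
# 1 to 4 as one idempotent root script. Assumed: directory /srv/ceshi,
# bash as login shell; user/group names are the article's.
set -eu

SHARE_GROUP=${SHARE_GROUP:-users_1}
SHARE_GID=${SHARE_GID:-101}
SHARE_DIR=${SHARE_DIR:-/srv/ceshi}

# Step 1. A user who must log in over SSH needs a real shell; /sbin/nologin
# refuses every interactive login (console, telnet and SSH alike). useradd
# creates the account without a usable password, so "passwd u1" or an SSH
# key is still needed before anyone can log in.
create_ssh_user() {
    if ! id "$1" >/dev/null 2>&1; then
        useradd -m -d "/home/$1" -s /bin/bash "$1"
    fi
}

# Step 3. Shared group; usermod -aG appends, so members keep their other
# groups. Members who are already logged in see the new group after re-login.
create_share_group() {
    getent group "$SHARE_GROUP" >/dev/null || groupadd -g "$SHARE_GID" "$SHARE_GROUP"
    for u in "$@"; do
        usermod -aG "$SHARE_GROUP" "$u"
    done
}

# Step 4. Mode 2770 = rwxrws---: owner and group can enter, list and write,
# others get nothing, and the setgid bit makes every file created inside
# inherit the group users_1 instead of the creator's private group.
# Prints the resulting mode so the caller can verify it.
apply_share_mode() {
    chmod 2770 "$1"
    stat -c '%a' "$1"
}

# Step 2 plus the group half of step 3: one owner (u1) but a shared group.
setup_share_dir() {
    mkdir -p "$SHARE_DIR"
    chown -R "$1:$SHARE_GROUP" "$SHARE_DIR"          # -R: files already inside too
    apply_share_mode "$SHARE_DIR" >/dev/null
    find "$SHARE_DIR" -type f -exec chmod 660 {} +   # existing files: rw for owner and group
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    create_ssh_user u1
    create_ssh_user u2
    create_share_group u1 u2
    setup_share_dir u1
    ls -ld "$SHARE_DIR"
}

# Only "sh share-setup.sh apply" runs the steps; otherwise the file just
# defines the functions.
if [ "${1:-}" = apply ]; then
    main
fi
```

The group write bit on newly created files still depends on the creating user's umask; with umask 022 a new file is 644 and u1 cannot write u2's file even though the directory is setgid.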

Since both notations were mentioned, here is the numeric one briefly: r = 4, w = 2, x = 1; each of u, g and o gets one digit, and that digit is the sum of the permissions granted to it. If the owner has read, write and execute, the owner's digit is 4+2+1 = 7; if the group has read and write, its digit is 4+2 = 6; if others have nothing, theirs is 0+0+0 = 0, which gives chmod 760 ceshi. Note that this is not quite the same as chmod ug+rw above: the numeric form sets all nine bits at once, so 760 also takes away whatever others had, and on a directory 760 leaves the group without execute, so group members could no longer enter it; for the shared directory chmod 770 ceshi is what we actually want (chmod 2770 ceshi adds the setgid bit). Which notation you use is a matter of taste.
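The arithmetic above, and the rule that decides which of the three digits applies to a given caller, as an added example that is not part of the original article. The conversion functions work on the nine permission characters of ls -l and on three- or four-digit octal modes; ugo_allows implements plain UGO checking only (no root override, no POSIX ACLs), and the uids and gids used in the usage section (u1 = 1001, u2 = 1002, u3 = 1003, users_1 = 101) are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original article: the two notations
# converted into each other, plus the rule the kernel applies when it picks
# which triplet to look at. Plain UGO only: no root override, no ACLs.
set -eu

# sym_to_octal rwxrw---- -> 760. Takes the nine characters after the type
# column of ls -l; s/t count as execute, S/T (special bit, no execute) do not.
sym_to_octal() {
    local s=$1 out="" pos=0 v=0 c
    [ ${#s} -eq 9 ] || { echo "need 9 permission characters" >&2; return 1; }
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}        # first character
        s=${s#?}               # the rest
        case $c in r) v=$((v + 4)) ;; w) v=$((v + 2)) ;; x|s|t) v=$((v + 1)) ;; esac
        pos=$((pos + 1))
        if [ $((pos % 3)) -eq 0 ]; then out="$out$v"; v=0; fi
    done
    echo "$out"
}

# octal_to_sym 2770 -> rwxrws---. Three or four octal digits; in the leading
# digit 4 = setuid, 2 = setgid, 1 = sticky, shown in the execute slot.
octal_to_sym() {
    local m=$((0$1)) out="" off bits special letter upper
    for off in 6 3 0; do
        bits=$(( (m >> off) & 7 ))
        special=$(( (m >> (off / 3 + 9)) & 1 ))   # bit 11, 10 or 9
        if [ "$off" -eq 0 ]; then letter=t upper=T; else letter=s upper=S; fi
        [ $((bits & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((bits & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        if [ "$special" -eq 1 ]; then
            [ $((bits & 1)) -ne 0 ] && out="$out$letter" || out="$out$upper"
        else
            [ $((bits & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
        fi
    done
    echo "$out"
}

# ugo_allows MODE FILE_UID FILE_GID UID "GID GID ..." r|w|x  (exit 0 = allowed)
# Exactly one triplet applies: the owner's if the uid matches, otherwise the
# group's if any of the caller's groups matches, otherwise other's. Triplets
# are never combined, so an owner whose own bits are 0 is denied even when
# the group bits would allow the access.
ugo_allows() {
    local perm=$((0$1 & 0777)) fuid=$2 fgid=$3 uid=$4 gids=$5 want=$6 bits g
    if [ "$uid" -eq "$fuid" ]; then
        bits=$(( (perm >> 6) & 7 ))
    else
        bits=$(( perm & 7 ))
        for g in $gids; do
            if [ "$g" -eq "$fgid" ]; then bits=$(( (perm >> 3) & 7 )); break; fi
        done
    fi
    case $want in
        r) return $(( !(bits & 4) )) ;;
        w) return $(( !(bits & 2) )) ;;
        x) return $(( !(bits & 1) )) ;;
        *) echo "want must be r, w or x" >&2; return 2 ;;
    esac
}

# "sh ugo.sh demo": the article's scenario with made-up ids
# (u1 = 1001, u2 = 1002, u3 = 1003, users_1 = 101).
if [ "${1:-}" = demo ]; then
    echo "rwxrw---- is $(sym_to_octal rwxrw----); 2770 is $(octal_to_sym 2770)"
    for who in "u1 1001 1001 101" "u2 1002 1002 101" "u3 1003 1003"; do
        set -- $who
        for p in r w x; do
            if ugo_allows 760 1001 101 "$2" "$3 ${4:-}" "$p"; then a=yes; else a=no; fi
            echo "$1 $p on ceshi (760): $a"
        done
    done
fi
```

Running the demo shows the point made in the text: with 760, u2 can read and write through the group triplet but cannot execute, which on a directory means it cannot enter; 770 fixes that.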

Copyright notice: this is an original article by the blog author; do not reproduce it without the author's permission.
