Linux Permission Management, Users and User Groups

Source: Internet
Author: User

Part I: Linux permission management

I. Basic permissions

The Linux permission mechanism uses the UGO model, where u (user) is the owning user, g (group) is the owning group, and o (other) is everyone apart from the owning user and the owning group.

Each of u, g and o has three permissions: read (r), write (w) and execute (x), so the UGO model gives three sets of three, nine basic permissions in total.

Use the command ls -l to list the permissions of a file. The first column of the output is explained below: the first letter indicates the file type, and the nine characters that follow are the UGO permissions. The first letter corresponds to:

"-" ordinary file

"d" directory

"l" symbolic link

"c" character device

"b" block device

"s" socket

"p" named pipe (FIFO)

Change the owning user of a file or directory: chown user filename|directoryname

-R: this option recursively changes the owning user of all files in the directory. The available options can be listed with chown --help.

Change the owning group of a file or directory: chgrp groupname filename|directoryname

-R: this option recursively changes the owning group of all files in the directory.

Change the permissions of a file or directory with chmod: chmod [options] mode file|directory

Example: change the permissions of all files under the directory log to 700

chmod -R 700 log

Note: where 700 comes from:

  u    g    o
 rwx  rwx  rwx
 111  000  000

Besides the numeric form, the permission mode for chmod can be written with u, g, o, a and + or -. The format is: u, g and o stand for user, group and others respectively; a means all and can replace ugo; + and - add or remove the corresponding permissions; r, w and x are the three permissions read, write and execute.

Example: add read (r) and execute (x) permission for the owning group (g) to all files under the directory log (which has permission 700).

chmod -R g+rx log

There are many similar commands; only the most basic and common ones are shown here. Once a command has been used a few times it is easy to look the rest up. You can also refer to "Brother Bird's Linux Private Kitchen".

II. Special permissions

Linux has 3 special permissions: setuid, setgid and the sticky bit.

Setuid permission (s): appears in the owner (u) position where the execute permission (x) would otherwise be shown.

Setuid permission lets a user execute an executable file with the privileges of the file's owner, even when the executable is run by a different user.

Setgid permission (s): appears in the group (g) position where the execute permission (x) would otherwise be shown.

Setgid permission lets an executable run with the effective group permissions of the group that owns the file. That group is not necessarily the same as the group of the user who actually launched the command.

Sticky bit (t/T): also called the sticky bit, it is a permission that only directories have, and it appears in the execute (x) position of the other (o) permissions. When a directory has the sticky bit set, only the user who created the directory can delete files in it, even though other groups and other users also have write permission. It is written as t or T: if the execute permission is not set but the sticky bit is, T is shown; if both the execute permission and the sticky bit are set, t is shown. The typical use of the sticky bit is the /tmp directory; the sticky bit is a form of write protection.

To set special permissions:

setuid: chmod u+s filename

setgid: chmod g+s directoryname

sticky bit: chmod o+t directoryname

In numeric form, a fourth digit for the special permissions is placed in front of the three basic permission digits. If that is not clear, see the example:

Example: set the permission of the log directory from the example above (currently 700) to 755, and set the sticky bit as a special permission, like the /tmp directory.

 Special permissions          Basic permissions
 setuid  setgid  sticky bit   user  group  other
   0       0        1         rwx   rwx    rwx
                              111   000    000

So the command to set the special permission (sticky bit) is: chmod 1755 log

After setting the special permission, view the directory with ls -dl: drwxr-xr-t 2 gg gg 4096 May 19:05 log (note that the x position of other is now the letter t, which represents the special permission)

Command to remove this special permission: chmod 755 log. The sticky bit is then gone.

View the directory again with ls -dl: drwxr-xr-x 2 gg gg 4096 May 19:15 log (note that the last character is back to the letter x, which represents the normal permission)

Note that the leading "1" is the special permission digit. The other two special permissions are set in the same way. Setuid cannot be used without restriction: for security reasons it only applies to Linux ELF binaries, not to script files.
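The two tables above (700 from the u/g/o bit rows, 1755 from the extra special-permission digit) and the ls -dl output with its t, T, s and S letters can be tied together in one small shell function. This is an added example, not code from the original post: it reads the 10-character mode string that ls -l prints and returns the 4-digit octal mode that chmod accepts.

```shell
# Added example (not from the original article): convert an "ls -l" mode
# string such as drwxr-xr-t into the 4-digit octal mode for chmod (1755).
# Lowercase s/t means the special bit AND execute are set; uppercase S/T
# means the special bit is set without execute, exactly as described above.
set_special() {
    case $1 in
        u) special=$((special+4)) ;;   # setuid lives in the owner triple
        g) special=$((special+2)) ;;   # setgid lives in the group triple
    esac
}

mode_to_octal() {
    m=$1
    # Drop the leading type letter (-, d, l, c, b, s, p) when it is present.
    [ "${#m}" -eq 10 ] && m=${m#?}
    [ "${#m}" -eq 9 ] || { echo "mode_to_octal: bad mode string '$1'" >&2; return 1; }
    special=0
    digits=""
    i=1
    for who in u g o; do
        r=$(printf '%s' "$m" | cut -c "$i")
        w=$(printf '%s' "$m" | cut -c "$((i+1))")
        x=$(printf '%s' "$m" | cut -c "$((i+2))")
        v=0
        [ "$r" = r ] && v=$((v+4))
        [ "$w" = w ] && v=$((v+2))
        case $x in
            x) v=$((v+1)) ;;
            s) v=$((v+1)); set_special "$who" ;;
            S) set_special "$who" ;;
            t) v=$((v+1)); special=$((special+1)) ;;   # sticky bit, o triple
            T) special=$((special+1)) ;;
            -) ;;
            *) echo "mode_to_octal: bad character '$x'" >&2; return 1 ;;
        esac
        digits="$digits$v"
        i=$((i+3))
    done
    printf '%d%s\n' "$special" "$digits"
}

# The log directory from the article, after "chmod 1755 log":
mode_to_octal drwxr-xr-t    # prints 1755
```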

III. Advanced permissions

ACL (Access Control List) is an advanced permission mechanism under Linux that allows flexible permission control of files and directories. With ACLs, different users and different groups can be given different permissions on the same file or directory without being limited to the UGO model.

Using ACLs on a file system requires that ACL support be enabled when the file system is mounted. The root partition (/) is mounted with ACL support by default.

Command: mount -o acl device mount_point

Example: mount -o acl /dev/sdb1 /mnt

Command to view the ACL settings of a file: getfacl file

Command to set the permissions of a specified user (u) on a file: setfacl -m u:username:rwx filename

Command to set the permissions of a specified group (g) on a file: setfacl -m g:groupname:r-x filename

Command to delete an ACL entry: setfacl -x u:username filename

Part II: Users and user groups

---- Several configuration files involving users and user groups (referring to Ubuntu 12.04)

/etc/passwd: stores user information; default permission 644.

/etc/group: stores user group information; default permission 644.

/etc/shadow: stores user information (together with /etc/passwd it holds all user information; /etc/shadow contains the encrypted user passwords); default permission 640.

/etc/gshadow: stores user group information; default permission 640.

Format and the meaning of each field:

1. /etc/passwd

Example: the information for user woo, obtained with the command grep woo /etc/passwd: woo:x:1000:1000:Woo User,,,,:/home/woo:/bin/bash

Format and meaning:

Login name (woo): password (x): user's UID (1000): user's GID (1000): full name (Woo User): home directory (/home/woo): login shell (/bin/bash)

Note: the UID and GID of the system's root user are both 0. After /etc/passwd is modified, the pwconv command synchronizes users from /etc/passwd to /etc/shadow.

2. /etc/group

Example: information for the user group dcmtk: dcmtk:x:125:gg

Format and meaning:

Group name (dcmtk): group password (x): GID (125): list of users in this group (gg)

Note: some UIDs are reserved for the system. In Ubuntu, the GIDs of new user groups start at 1000, and UIDs also start at 1000. The reserved UID and GID ranges are assigned to the system's pseudo-users and pseudo-groups. These pseudo-users are not allowed to log in; they exist only to complete or perform certain system tasks (this design is similar to Windows).

After /etc/group is modified, the grpconv command synchronizes groups from /etc/group to /etc/gshadow.

3. /etc/shadow

Example: gg:$1$0kwxx:14765:0:99999:7:::

Format and meaning:

User name (gg): password ($1$0kwxx): last password change (14765): minimum number of days between two password changes (0): maximum number of days between two password changes (99999): number of days before expiry that the user is warned (7): number of days after expiry before the account is disabled (empty): account expiration date (empty): reserved field (empty)

4. /etc/gshadow

Example: information for the mysql group: mysql:!::gg

Format and meaning:

Group name (mysql): group password (!): list of group administrators (empty): list of group members (gg)
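The field layouts of /etc/passwd and /etc/shadow described above can be checked mechanically, which is how a defender usually uses them: looking for a password hash left in the world-readable /etc/passwd, a second UID 0 account, or an empty or expired shadow entry. This is an added example, not from the original post; the gg line is the article's own, every other sample line is constructed, and shadow_status takes "today" as a day count (the unit of field 3) so that it runs offline.

```shell
# Added example (not part of the original article): sanity checks over the
# /etc/passwd and /etc/shadow field layouts. Sample input is constructed;
# only the "gg" shadow line below comes from the article.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
woo:x:1000:1000:Woo User,,,,:/home/woo:/bin/bash
backup2:x:0:0:constructed second uid 0:/root:/bin/bash
legacy:$1$abc:1001:1001:constructed unshadowed hash:/home/legacy:/bin/sh'

# audit_passwd PASSWD_TEXT
# Flags entries whose 7-field layout is broken, whose password field is not
# "x" (hash kept in the 644 file instead of the 640 /etc/shadow), and UID 0
# entries other than root (a second root-equivalent account).
audit_passwd() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7                  { print "BADFORMAT " $1; next }
        $2 != "x"                { print "UNSHADOWED " $1 }
        $3 == 0 && $1 != "root"  { print "UID0 " $1 }'
}

# shadow_status SHADOW_LINE TODAY_DAYS
# TODAY_DAYS is "today" expressed like field 3: days since 1970-01-01.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
        NF != 9                   { print "BADFORMAT " $1; next }
        $2 == ""                  { print "EMPTYPASS " $1; next }  # no password at all
        $2 ~ /^[!*]/              { print "LOCKED " $1; next }     # login disabled
        $5 == "" || $5 == 99999   { print "NOEXPIRY " $1; next }   # max age not enforced
        today > $3 + $5           { print "EXPIRED " $1; next }
        today >= $3 + $5 - $6     { print "WARN " $1; next }       # inside warning window
                                  { print "OK " $1 }'
}

audit_passwd "$PASSWD_SAMPLE"
shadow_status 'gg:$1$0kwxx:14765:0:99999:7:::' 15000
shadow_status 'alice:$6$constructed:15000:0:90:7:::' 15095
```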

Addendum: the attributes of the /etc/passwd and /etc/group files can be set with the chattr command. Specifically:

chattr command syntax: chattr [-RV] [-v version] [mode] file|directory

The most important part is mode: +-=[ASacDdIijsTtu]

The most commonly used attributes are i (the file cannot be modified, immutable) and a (the file can only be modified by appending).

However, chattr cannot set attributes on the /, /dev, /tmp and /var directories.

Amendments:

1. Part of the material on special permissions and the related understanding was amended on April 6, 2014.

2. Bug fix: chmod -R g+r log was changed to chmod -R g+rx log. The original command (highlighted in red in the original post) does not work for a log directory with permission 700: the read permission (r) on a directory must be set together with the execute permission (x). The execute permission on a directory determines whether the user can enter it; the read permission determines whether the user can browse the directory (list its contents).

Note:

The benefits of blogging: on the one hand, the knowledge gets organized, and after writing the article my understanding of this topic is much clearer. On the other hand, it invites discussion. Through discussion I can make sure my understanding is correct and thorough, and I can also learn from other people's good study methods and keep improving.
