Linux Rights Management Summary (2)--Special permissions


1. Special permission: facl (access control list support)

The standard Linux file systems (ext2/3/4) support POSIX ACLs for setting multiple, finer-grained permissions on a file, provided the file system is mounted with the acl option.

In Red Hat Enterprise Linux, if the last character of the permission string shown by ls -l is +, the file or directory has an ACL set on it.

getfacl file    # display the ACL of a file

u:willis:rw-    # applies to user willis

u:500:---       # applies to the user with UID 500

u::rwx          # applies to the owner of file

g:willis:rwx    # applies to group willis

g:10:r-x        # applies to the group with GID 10

g::rw-          # applies to the owning group of file

o::rwx          # applies to everyone else

setfacl sets or modifies the ACL of a file:

# setfacl -m u:willis:rw filename    # grant user willis read and write permission

# setfacl -m g:westos:rw filename    # grant group westos read and write permission

# setfacl -m g:redhat:r filename     # grant group redhat read permission

# setfacl -x u:bob filename          # remove the ACL entry for user bob

# setfacl -m o::- filename           # set the permissions of everyone else to none

Permission priority

When deciding whether a process (that is, a running program) may access a file, the file permissions and ACL entries are applied in this order:

1. If the process runs as the user who owns the file, the owner's user permissions apply.

2. Otherwise, if the process runs as a user listed in a named user ACL entry, that user ACL entry applies (as far as the mask allows).

3. Otherwise, if the process runs as the group that owns the file or as a group with a named group ACL entry, a permission is granted if any matching group entry grants it (as far as the mask allows).

4. Otherwise, the "other" permissions of the file apply.
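The four-step resolution above, including the mask, worked through in POSIX sh as an added example (not code from the original post). The ACL listing, the user and group names, and the mask value are constructed for the illustration; the functions are hypothetical helpers, not part of the acl tools.

```shell
# Added example (not from the original post): resolve the permissions a process
# gets on a file from a getfacl-style listing, in the priority order given above.
# The listing is constructed for illustration: owner willis, owning group westos.
ACL_TEXT='# owner: willis
# group: westos
user::rwx
user:bob:rw-
user:500:---
group::r-x
group:redhat:r--
group:staff:-wx
mask::rw-
other::r--'

# acl_field LISTING PREFIX -> rwx triple of the entry that starts with PREFIX
acl_field() { printf '%s\n' "$1" | sed -n "s/^$2\(...\)\$/\1/p"; }

# mask_perm PERMS MASK -> a bit is kept only if some word of PERMS has it and
# MASK allows it; passing several triples in PERMS therefore yields their union
mask_perm() {
    out=""
    for bit in r w x; do
        case "$1" in *$bit*) case "$2" in *$bit*) out="$out$bit" ;; *) out="$out-" ;; esac ;;
                    *) out="$out-" ;; esac
    done
    printf '%s\n' "$out"
}

# effective_perm LISTING USER [GROUP...] -> effective rwx string for a process
# running as USER with the given group memberships
effective_perm() {
    acl=$1; user=$2; shift 2
    mask=$(acl_field "$acl" 'mask::'); [ -n "$mask" ] || mask=rwx   # no mask entry: no cap
    owner=$(printf '%s\n' "$acl" | sed -n 's/^# owner: //p')
    fgroup=$(printf '%s\n' "$acl" | sed -n 's/^# group: //p')
    # 1. the file owner gets the user:: entry; the mask does not restrict it
    if [ "$user" = "$owner" ]; then acl_field "$acl" 'user::'; return; fi
    # 2. a named user entry, capped by the mask
    p=$(acl_field "$acl" "user:$user:")
    if [ -n "$p" ]; then mask_perm "$p" "$mask"; return; fi
    # 3. owning group and named groups: the union of matching entries, capped by the mask
    matched=""
    for g in "$@"; do
        if [ "$g" = "$fgroup" ]; then matched="$matched $(acl_field "$acl" 'group::')"; fi
        matched="$matched $(acl_field "$acl" "group:$g:")"
    done
    if [ -n "$(printf '%s' "$matched" | tr -d ' ')" ]; then mask_perm "$matched" "$mask"; return; fi
    # 4. otherwise the other:: entry applies (the mask does not apply to it)
    acl_field "$acl" 'other::'
}
```

Note that user 500 gets nothing even as a member of staff, because a matching named user entry is evaluated before any group entry.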


ACL Mask

A file with an ACL has a "mask" that limits the maximum permissions of the group that owns the file, and also limits the maximum permissions of the additional users and groups listed in the ACL.

getfacl file displays the current mask as mask::permissions.

The group permissions shown by ls -ld file also reflect the current mask (not the permissions of the owning group!).

Default ACL (inheritance)

A directory can have "default ACL" entries, which the system applies automatically to new files created in that directory. setfacl -m d:u:bob:rw directory sets a default ACL entry that grants user bob read and write access to all new files created in directory.

This is similar to the setgid bit on a directory, which makes new files created in that directory belong to the group that owns the directory.

ACL mount options

Support for POSIX ACL entries must be enabled when the file system is mounted.

The installer configures every ext4 file system it creates to enable ACL support automatically.

# tune2fs -l /dev/sda1 | grep "Default Mount"

Default Mount Options:    user_xattr acl

If you format a file system manually, you must mount it with the acl mount option.

You can make a manually formatted ext4 file system enable ACL support automatically on mount by using tune2fs to set its default mount options:

# tune2fs -o user_xattr,acl /dev/sda1


2. Other special permissions

Security context:

The resources or files a process can access at run time do not depend on the owner of the program file but on the uid/gid of the user who runs the command; the process obtains system resources under that identity.


suid ### the setuid bit

u+s ### applies to files: when the file is executed, the program runs with the identity of the file's owner, regardless of who started it

chmod u+s file

chmod 4777 file


sgid ### the setgid bit

g+s ### applies to directories: files created in the directory automatically belong to the group that owns the directory. On a binary file, the program runs with the group identity of the file's group rather than that of the user who executes it.

chmod g+s file|directory

chmod 2777 file|directory

To check the directory case:

1. The touch command is run by a user whose group is root.

2. Create a new directory and change its group to student.

3. Set the g+s permission on the directory.

4. Create a new file in the directory. The file's group is not the group of the user who ran touch; it is the same as the directory's group.

sticky ### the sticky bit

o+t ### generally used only on directories; it can be understood as an anti-deletion bit. When a directory has the sticky bit set, a file in that directory can only be deleted by:

First, the superuser;

Second, the owner of the directory;

Third, the owner of the file.

This means that even if the directory is writable by everyone, only the owner of a file can delete that file. Deleting a file does not require write permission on the file itself, but it does require write permission on the file's parent directory. In other words, even without write permission on a file, you can delete it if you have write permission on its parent directory, and without write permission on a directory you cannot create files in it. To let any user create files in a directory without letting users delete other people's files from it, the sticky bit serves this purpose.

The sticky bit is generally used only on directories; on a regular file it has no effect.

chmod o+t directory

chmod 1777 directory


Because suid and sgid take effect when a program is executed (that is, when the program's execute bit is set), and the execute bit is only meaningful for regular files and directories, setting the suid and sgid bits on other kinds of files makes little sense.

For an executable owned by root, if the suid bit is set, every other ordinary user can run the file as root and obtain the corresponding system resources. This is needed in some situations, but abuse can cause security problems in the system.

For a world-writable directory that belongs to group mygrp, a file created by a member of mygrp normally belongs to that user's own private group; with the sgid bit set on the directory, the file instead belongs to the group that owns the directory, because it is created with the directory's group.

For a world-writable directory with the sticky bit set, ordinary users can only delete their own files, not other users' files.
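The numeric forms used above (4777, 2777, 1777) are easy to mistype; the following POSIX sh functions, added here as an example and not code from the original post, render such a mode as the permission string ls -l would show and flag a special bit that has no matching execute bit (shown by ls as S or T). The function names and the sample modes are constructed for the illustration.

```shell
# Added example (not from the original post): render an octal mode as passed to
# chmod (4777, 2777, 1777, 755 ...) as the nine permission characters ls -l
# shows, so the suid/sgid/sticky markers can be checked before a mode is applied.
# Edge case: a capital S or T means the special bit is set but the matching
# execute bit is not, so the bit has no effect (a common chmod mistake).
mode_to_string() {
    m=$((0$1))                  # the leading 0 makes the shell read $1 as octal
    out=""
    for pos in 6 3 0; do        # owner, group and other triads
        triad=$(( (m >> pos) & 7 ))
        case $pos in
            6) special=$(( (m >> 11) & 1 )); lower=s; upper=S ;;   # suid
            3) special=$(( (m >> 10) & 1 )); lower=s; upper=S ;;   # sgid
            0) special=$(( (m >> 9) & 1 ));  lower=t; upper=T ;;   # sticky
        esac
        if [ $((triad & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((triad & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        # the execute column shows the special bit: s/t when executable, S/T when not
        if [ "$special" -ne 0 ]; then
            if [ $((triad & 1)) -ne 0 ]; then out="$out$lower"; else out="$out$upper"; fi
        elif [ $((triad & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# ineffective_special MODE -> succeeds when a special bit is set without its execute bit
ineffective_special() {
    case "$(mode_to_string "$1")" in *S*|*T*) return 0 ;; *) return 1 ;; esac
}

# the three forms used above, plus a mistyped one (constructed sample modes)
for mode in 4777 2777 1777 4644; do
    printf '%s -> %s\n' "$mode" "$(mode_to_string "$mode")"
done
```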




This article is from the blog "Technology life, simple not simple"; please be sure to keep this source: http://willis.blog.51cto.com/11907152/1845984
