Linux Rights Management Summary

Source: Internet
Author: User

Permissions for a file or directory

Directory and file permissions consist of read (r), write (w) and execute (x).

// Use ls -l to view the file permission information of the current directory
# ll
-rw-r--r-- 1 root root 16 ... 20:39 test
// The owner of the test file has read and write permission; the owning group and other users have read permission
drw-r--r-- 1 root root 248 ... 21:03 download
The role of permissions on files

r: read the file contents (cat, more, head, tail)
w: edit, append to or modify the file contents (vi, echo); this does not include deleting the file
x: execute the file
For files, the most powerful permission is execute (x), so grant execute permission on files sparingly.

The role of permissions on directories

r: list the file names in the directory (ls)
w: modify the directory structure: create new files and directories, and delete, rename or move files and directories under this directory (touch, rm, mv, cp)
x: enter the directory (cd)
For directories, the most powerful permission is write (w), so grant write permission on directories sparingly.
Note: 0 grants no permissions, 5 (rx) lets a user view and enter the directory, and 7 (rwx) grants full permissions; the values 1, 4 and 6 are not meaningful for a directory.

When assigning basic permissions to a file, the core principle is least privilege: grant the minimum permissions that still satisfy the requirement.

chmod: modify the permissions of a file or directory

/* Use [u, g, o, a][+, -, =] to set the permissions [r, w, x] of a file or directory
u: user, the owner
g: group, the owning group
o: other, other users
a: all users, including the owner, the owning group and others
+: add a permission
-: remove a permission
=: set the permissions exactly */
// Add permissions on test for the owner (u) and the group (g)
# chmod u+x,g+r test
# chmod a+w test
# chmod u-x test
# chmod g=rwx test
/* Use numbers to set the permissions of a file or directory:
r, w, x correspond to decimal 4, 2, 1 under Linux, i.e. the 3-bit binary 111 */
// Give the owner of the dir directory all permissions, and the owning group and other users read and execute permission
# chmod 755 dir/
chown: change the owner of a file or directory

Format: chown newowner filename
If another user needs the highest privileges on a file, the best practice is to use chown to make that user the owner of the file.

// Change the owner and the owning group of a file at the same time
chown user:group filename
chgrp: change the owning group of a file or directory

Format: chgrp newgroup filename
Note: when Linux creates a file, its default owner is the current user and its owning group is the group with the same name as the current user.

/* Use case:
 * The current user creates a test directory.
 * Create a new user xm and give him all permissions on the test directory; users in the group get view permission;
 * other people have no permissions on this directory. */
// Create the test directory
# mkdir test
// Add user xm and set a password
# useradd xm
# passwd xm
// Create users user1 and user2
# useradd user1
# useradd user2
// Create the user group
# groupadd user
// Add user1 and user2 to the user group
# gpasswd -a user1 user
# gpasswd -a user2 user
// Change the owner and group of the test directory
# chown xm:user test
// Change the test directory permissions: owner all, group view and enter (5), others none
# chmod 750 test
Default permissions: umask

View the default permissions

# umask
0022   // the first digit, 0, is the special-permission bit

Modify the umask value

Temporary modification:
umask 0033
Permanent modification:
vi /etc/profile

Default permissions for files

A newly created file is never executable by default; execute permission must be assigned manually.
Therefore the maximum default permission for a file is 666.
To compute the default permission, convert both values into letters and then subtract.
The default permission of a newly created file is 666 minus the umask value.
For example:
666 - 022 (umask value)
-rw-rw-rw- minus ----w--w- equals -rw-r--r--
666 - 033 (umask value)
-rw-rw-rw- minus ----wx-wx equals -rw-r--r-- (note: taking a permission away from an empty slot still leaves it empty)

Default permissions for directories

The maximum default permission for a directory is 777.
To compute the default permission, convert both values into letters and then subtract.
The default permission of a newly created directory is 777 minus the umask value.
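As an added example (not code from the original page), the following Python shows why the "subtraction" above is really a bitwise clear: it computes the default mode the kernel applies to files (666) and directories (777) under a umask, and compares it with the digit-by-digit arithmetic that gives the wrong answer for 033.

```python
import stat

# Base creation modes as described on the page: files start from 666 (the
# execute bit is never granted by default), directories from 777.
FILE_BASE = 0o666
DIR_BASE = 0o777


def default_mode(base: int, umask: int) -> int:
    """What the kernel actually does: clear every umask bit from the base.
    Clearing a bit that is already clear changes nothing, which is the page's
    'empty minus a permission is still empty'."""
    return base & ~umask & 0o777


def digitwise_subtraction(base: int, umask: int) -> int:
    """The arithmetic shortcut (666 - 033 = 633) applied digit by digit.
    It agrees with default_mode only while no umask bit removes a permission
    the base never had; the x bits in 033 break it for files."""
    result = 0
    for shift in (6, 3, 0):
        b = (base >> shift) & 0o7
        u = (umask >> shift) & 0o7
        result |= max(b - u, 0) << shift
    return result


def symbolic(mode: int, directory: bool = False) -> str:
    """Render a mode the way ls -l prints it (stat.filemode needs the type bits)."""
    kind = stat.S_IFDIR if directory else stat.S_IFREG
    return stat.filemode(kind | mode)


def defaults_under(umask: int) -> dict:
    """Default file and directory modes under umask, computed both ways."""
    return {
        "file": symbolic(default_mode(FILE_BASE, umask)),
        "file_arithmetic": symbolic(digitwise_subtraction(FILE_BASE, umask)),
        "dir": symbolic(default_mode(DIR_BASE, umask), directory=True),
        "dir_arithmetic": symbolic(digitwise_subtraction(DIR_BASE, umask), directory=True),
    }


if __name__ == "__main__":
    for umask in (0o022, 0o033):   # the page's two worked examples
        print(f"umask {umask:04o}: {defaults_under(umask)}")
```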

ACL permissions

Introduction to ACL permissions

Basic Linux permission management distinguishes only the owner, the owning group and others. If someone needs permissions that differ from all three of these basic categories, basic permissions cannot express that requirement, and ACL permissions should be considered.

For example:
A test directory on Linux is owned by xiaoming, who has all permissions; its owning group is stu; other people have no permissions. If a new user xiaowang now needs read and execute permission on the test directory, basic permissions cannot satisfy the requirement.

ACL permissions exist to resolve cases where the three user identities are not enough. When Windows assigns permissions to a file, it can grant permissions to any user regardless of the file's owner and group; ACL permissions work the same way, granting any user the appropriate permissions independently of the owner's and owning group's permissions. This solves the problem that basic permissions cannot express complex permission requirements.

Enable, view and set ACL permissions

// Check whether ACL permissions are enabled on the partition
// df: view the partition status
// dumpe2fs: query detailed file system information of the specified partition; -h shows only the superblock information, not the details of the block groups
# dumpe2fs -h /dev/sda5
// Temporarily remount the root partition with ACL permissions
# mount -o remount,acl /
// Permanently enable ACL permissions on the partition
# vi /etc/fstab
// "defaults" already includes the acl mount option by default; if it does not, add acl after defaults
UUID=6634633e-001D- +ba-8fab-202F1DF93339 / ext4 defaults,barrier=0,acl 1 1
// Remount the file system or reboot the system for the change to take effect
# mount -o remount /
// View ACL permissions
# getfacl filename
// Set ACL permissions
setfacl [option] filename
Options:
-m  set ACL permissions. Give a user ACL permissions on a file (or directory) with the "u:username:permissions" format; example: give user lw read and execute permission on the file test: setfacl -m u:lw:rx test
    Give a group ACL permissions with the "g:groupname:permissions" format
-x  remove the specified ACL permission
-b  remove all ACL permissions
-d  set the default ACL permissions
-k  remove the default ACL permissions
-R  set ACL permissions recursively
// Solve the problem described above
# useradd xiaoming
# groupadd stu
# mkdir /home/test
# chmod 770 /home/test
# chown xiaoming:stu /home/test
# useradd xiaowang
// Set ACL permissions
# setfacl -m u:xiaowang:rx /home/test
// View ACL permissions
# getfacl /home/test
# file: /home/test
# owner: xiaoming
# group: stu
user::rwx
user:xiaowang:r-x
group::rwx
mask::rwx   // see "mask" below
other::---
Maximum effective permissions and removing ACL permissions

Maximum effective permission: mask

The mask specifies the maximum effective permission. The ACL permission given to a user must be ANDed with the mask permission to obtain the user's real permission.

user:xiaowang:r-x
mask::rwx
// xiaowang's permission ANDed with the mask value gives xiaowang's real permission
// r-x AND rwx gives the effective permission r-x
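Added example, not part of the original page: a small Python parser for getfacl output that applies the AND rule to each entry. The sample is constructed to match the /home/test directory above, with the mask tightened to r-- so that the rule actually changes something.

```python
# Constructed sample of `getfacl /home/test` output, matching the page's
# directory after `setfacl -m u:xiaowang:rx /home/test`, but with the mask
# tightened to r-- so that the AND rule actually changes something.
SAMPLE = """\
# file: /home/test
# owner: xiaoming
# group: stu
user::rwx
user:xiaowang:r-x
group::rwx
mask::r--
other::---
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_int(perm: str) -> int:
    """'r-x' -> 5"""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def int_to_perm(bits: int) -> str:
    """5 -> 'r-x'"""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_acl(text: str) -> list:
    """(tag, qualifier, perm) per ACL entry; '#' header lines and any
    trailing '#effective:' annotations getfacl may print are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perm = line.split(":")
        entries.append((tag, qualifier, perm))
    return entries


def effective_permissions(text: str) -> dict:
    """Real permission of every entry. Named users, named groups and the
    owning group are ANDed with the mask; the owner and 'other' are not."""
    entries = parse_acl(text)
    mask = next((perm_to_int(p) for t, _, p in entries if t == "mask"), 7)
    result = {}
    for tag, qualifier, perm in entries:
        bits = perm_to_int(perm)
        masked = tag == "group" or (tag == "user" and qualifier != "")
        result[f"{tag}:{qualifier}"] = int_to_perm(bits & mask if masked else bits)
    return result


if __name__ == "__main__":
    for entry, perm in effective_permissions(SAMPLE).items():
        print(f"{entry:<16} {perm}")
```

Real getfacl flags entries that the mask restricts with a trailing "#effective:" comment, which the parser above tolerates.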
Remove ACL permissions
// Remove the ACL permissions of the specified user
# setfacl -x u:username filename
// Remove the ACL permissions of the specified group
# setfacl -x g:groupname filename
// Remove all ACL permissions of the specified file
# setfacl -b filename
Default ACL permissions and recursive ACL permissions

Recursive ACL permissions

Recursion means that when ACL permissions are set on a parent directory, all of its existing subfiles and subdirectories receive the same ACL permissions. Setting recursive ACL permissions on a file gives an error.

// Format: setfacl -m u:username:permissions -R directory
# cd test
# touch file1
# touch file2
// Give user lw rx permission on the test directory and on the files under it
// Using the -R parameter to set permissions recursively gives user lw x permission on file1 and file2, which is a permission overflow
# setfacl -m u:lw:rx -R test/
# touch file3   // the newly created file3 has no ACL permissions
# getfacl file3
Default ACL permissions

Default ACL permissions mean that if default ACL permissions are set on a parent directory, every new child file created in that directory inherits the parent directory's ACL permissions.

// Format: setfacl -m d:u:username:permissions -R directory
sudo permissions

The concept of sudo permissions

Root delegates a command that only the superuser may execute to a normal user.
The object that sudo permissions operate on is a system command.

Use of sudo permissions
// View the sudo configuration file
// man 5 sudoers: view the details of the configuration file
# visudo   // actually edits the /etc/sudoers file
// username  address of the managed host=(identity that can be used)  authorized command (absolute path)
root    ALL=(ALL)   ALL
// %groupname  address of the managed host=(identity that can be used)  authorized command (absolute path)
%wheel  ALL=(ALL)   ALL
// A normal user cannot execute the shutdown command
# visudo
/* Edit the /etc/sudoers file
 1. Add the configuration: user1 ALL=(ALL) /sbin/shutdown -r now
    Note: the simpler the command is written, the more permission user1 gets; the more detailed the command, the less user1 gets.
    System commands are written as absolute paths to stay compatible with other versions.
 2. Save and exit */
// Log in as the normal user user1 and execute the system command
# su - user1
$ sudo -l   // requires user1's password; lists the system commands user1 may execute
$ sudo /sbin/shutdown -h now   // executing the shutdown command is not allowed
$ sudo /sbin/shutdown -r now   // executing the restart command

// Give a normal user permission to add users and set passwords
# visudo
// Add the configuration: user1 ALL=/usr/sbin/useradd
// Add the configuration: user1 ALL=/usr/bin/passwd   Note: this lets user1 change root's password
// user1 ALL=/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd "", !/usr/bin/passwd root   with this, user1 cannot change root's password
// Add the configuration: user1 ALL=/bin/vi   Note: this lets user1 edit the /etc/shadow file and change the passwords of root and other users
File special permissions

Setuid permissions
    • Only executable binaries can have SUID set

    • The command executor must have x (execute) permission on the program

    • While executing the program, the executor takes on the identity of the program file's owner

    • Setuid permission is only valid while the program runs, that is, the identity change lasts only for the program's execution; the passwd command is an example, which lets other users change their own passwords

Set and cancel SUID permissions
/* Set setuid permissions: 4 sets suid, 2 sets sgid, 1 sets the sticky bit
   u+s: add suid permission to the file
   g+s: add sgid permission to the directory
   o+t: add the sticky bit to the file */
# ll
-rwxr-xr-x ... test
# chmod 4755 test   // or chmod u+s test
-rwsr-xr-x ... test
// If the file has no execute permission but suid is set, the execute bit shows a capital S, which is meaningless.
// Remove suid permission
# chmod u-s test
# chmod 0755 test
Dangerous SUID permissions

Key directories such as "/" and "/usr" should have strictly controlled write permission
User passwords must strictly follow the three principles of password setting
The list of files that have SUID set by default on the system should be recorded, and the system checked for files outside this list that have SUID set

Never give SUID permission to an editor such as vi; otherwise vi could edit the /etc/shadow file and change the root password.

Setgid permissions

The role of setgid on files
    • Only executable binaries can have SGID set

    • The command executor must have x (execute) permission on the program

    • While executing the program, the executor's group identity is raised to the owning group of the program file

    • Setgid permission is also only valid while the program runs, that is, the group identity change lasts only for the program's execution. Note: the effect is similar to SUID

// The locate command
# ll /usr/bin/locate
1 ... /usr/bin/locate
// locate searches the database /var/lib/mlocate.db
# ll /var/lib/mlocate.db
1 ... /var/lib/mlocate.db
// A normal user has no permission to search this database
// locate belongs to the slocate group and has SGID set; the slocate group has read permission on mlocate.db, so when a normal user runs locate the group identity is automatically raised to slocate, and locate can query the mlocate.db database. When the command finishes, the user's group identity returns to the user group.
The role of setgid on directories
    • A normal user must have r and x permissions on the directory in order to enter it

    • The normal user's effective group inside this directory becomes the directory's owning group

    • If the normal user also has w permission on the directory, the default owning group of newly created files is the directory's owning group

// The root user creates the test directory under /tmp and changes the directory permissions to 777
# cd /tmp
# mkdir test
# ll
drwxr-xr-x 2 root root ... test
# chmod 777 test
# ll
drwxrwxrwx 2 root root ... test
// The user user creates file1 in the /tmp/test directory
$ cd /tmp/test
$ touch file1
$ ll
-rw-rw-r-- 1 user user ... file1
// The root user changes the test directory to 2777, i.e. sets sgid
# chmod 2777 test
# ll
drwxrwsrwx 2 root root ... test
// The user user creates file2 in the /tmp/test directory
$ touch file2
$ ll
-rw-rw-r-- 1 user user ... file1
-rw-rw-r-- 1 user root ... file2
// The new file2 belongs to the root group
Set and cancel SGID permissions
// Set SGID permission
# chmod 2755 test/
# chmod g+s test/
// Cancel SGID permission
# chmod 0755 test/
# chmod g-s test/
Sticky bit

The function of the sticky bit
    • The sticky bit is currently only effective on directories

    • A normal user has w and x permissions on the directory, that is, the normal user can write to this directory

    • Without the sticky bit, a normal user with write permission can delete every file in the directory, including files created by other users; once the sticky bit is set, a normal user with w permission on the directory can only delete files they created themselves, and files created by other users cannot be deleted

For example, the /tmp directory has the sticky bit set.

Set and cancel the sticky bit
// Set the sticky bit
# chmod o+t dir
# chmod 1777 dir
// Cancel the sticky bit
# chmod o-t dir
# chmod 0777 dir
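Added example covering the setuid, setgid and sticky-bit sections above (not code from the original page): a Python function that renders a numeric mode the way ls -l does, including the rule that s and t become the meaningless S and T when the corresponding execute bit is missing, cross-checked against the standard library.

```python
import stat

SUID, SGID, STICKY = 0o4000, 0o2000, 0o1000


def ls_mode_string(mode: int, directory: bool = False) -> str:
    """Render the permission field of `ls -l` for a numeric mode.

    The execute slot of each triple shows s (owner/group) or t (other) when
    the special bit AND the matching execute bit are set, and the capital
    S/T the page calls meaningless when the special bit is set without it.
    """
    out = ["d" if directory else "-"]
    # (shift of the rwx triple, special bit it interacts with, letter to show)
    layout = ((6, SUID, "s"), (3, SGID, "s"), (0, STICKY, "t"))
    for shift, special, letter in layout:
        triple = (mode >> shift) & 0o7
        out.append("r" if triple & 4 else "-")
        out.append("w" if triple & 2 else "-")
        if mode & special:
            out.append(letter if triple & 1 else letter.upper())
        else:
            out.append("x" if triple & 1 else "-")
    return "".join(out)


def meaningless_special_bits(mode: int) -> list:
    """Names of special bits set without their execute bit (the S/T case)."""
    checks = (("suid", SUID, 0o100), ("sgid", SGID, 0o010), ("sticky", STICKY, 0o001))
    return [name for name, special, xbit in checks if mode & special and not mode & xbit]


def matches_stdlib(mode: int, directory: bool = False) -> bool:
    """Cross-check against stat.filemode, which implements the same rule."""
    kind = stat.S_IFDIR if directory else stat.S_IFREG
    return ls_mode_string(mode, directory) == stat.filemode(kind | mode)


if __name__ == "__main__":
    # The page's chmod 4755 test, chmod 2777 test and chmod 1777 dir, plus the S case
    for mode, is_dir in ((0o4755, False), (0o4644, False), (0o2777, True), (0o1777, True)):
        print(f"{mode:04o} {ls_mode_string(mode, is_dir)} {meaningless_special_bits(mode)}")
```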
Immutable bit permissions

chattr [+-=] [option] filename or directory name
+: add the attribute
-: remove the attribute
=: set the attribute exactly
Options
i: if the i attribute is set on a file, the file cannot be deleted or renamed, and no data can be added or modified; if the i attribute is set on a directory, only the data of the files already in the directory can be modified, and files cannot be created or deleted.

a: if the a attribute is set on a file, data can only be appended to the file, and existing data cannot be modified or deleted; if the a attribute is set on a directory, files may only be created and modified in the directory, not deleted. Note: vi cannot be used to append data, because it is impossible to tell whether vi is appending, modifying or deleting file data, so only echo data >> file can be used to append data.

Effect of chattr on a file or directory

# chattr +i file
# lsattr file
----i-------e- file
# vim file   // modification is not allowed
# rm -rf file   // deletion is not allowed
// Remove the i attribute
# chattr -i file