Linux -- Rights Management

Source: Internet
Author: User
Tags: file permissions

Basic concepts of permissions

When it comes to rights management, we need to know two things:

Users are divided into ordinary users and the super user (administrator, root).

For a directory or file, Linux also divides the subjects that operate on the object into three kinds: Owner (u), Group (g), and Other (o).

Next, the four types of permissions, namely:

1. Read permission, r, represented by the number 4.

2. Write permission, w, represented by the number 2.

3. Execute permission, x, represented by the number 1.

4. Special permissions.

For directories and files, however, r, w, and x mean different things.

File:

r: the contents can be read with file-viewing tools

w: the contents can be modified

x: the file can be handed to the kernel and started as a process

Directory:

r: ls can list the files in this directory

w: files can be created in or deleted from this directory

x: ls -l can show the detailed listing of this directory, and cd can enter it

X: in chmod, gives execute permission to directories only, not to regular files

Now let's look at how the three basic permissions combine; this has to be described together with the subject performing the operation and the type of object being operated on.

First, taking the same file or directory as the premise, we use the ll command to view the permissions of the entries under /etc/.

You will see file permissions in the following format:

# ll /etc/
total 2048
drwxr-xr-x. 3 root root 4096 Jul 17:02 abrt
drwxr-xr-x. 4 root root 4096 Jul 17:07 acpi
-rw-r--r--. 1 root root 09:40 adjtime
-rw-r--r--. 1 root root 1512 Jan aliases

Because there are three kinds of subject and three kinds of permission, there are nine combinations, one permission bit each. A "-" in a permission bit means that permission is not granted.

As you can see from the listing, each mode field has 10 characters: the last nine are the permission bits, and the first is the file type, which is not discussed here.

For example, the abrt entry has the permission bits rwxr-xr-x, which is 755 in numeric form.

This means the owner has read, write and execute permissions, group members have read and execute permissions, and others have read and execute permissions.

Therefore, whether the current user (here the superuser, root) counts as the owner, a group member, or someone else depends on the object being operated on, and the permissions that apply differ accordingly.

Second, we need to understand that permissions mean different things for files and directories.

Here, taking the same user as the premise, the effect of a permission differs between a directory and a file:
On a file:
Only r: the contents of the file can be read (cat, less)
Only w: the contents of the file can be modified (gedit, vi, vim, nano, >, >>)
Only x: no effect
rw: the file can be read and written
rx: the file can be read and executed
wx: equivalent to w alone
rwx: the file can be read, written and executed
On a directory:
Only r: the contents of the directory (names of sub-files and subdirectories) can be listed in short form
Only w: no effect
Only x: the directory can be entered
rw: equivalent to r alone
rx: the directory can be listed in long form and entered
wx: files or directories can be created and deleted in it
rwx: it can be listed, files can be created and deleted in it, and it can be entered

Basic Rights Management

After the basic concepts, we need to learn how permissions are actually used. Permissions are needed in many places: for example, when learning scripts later on, the most basic requirement is to give the script execute permission.

Or, for some files, we can set or modify permissions to protect the file from being read or changed.

Permission settings

Here we need to learn a new command: chmod

Basic format: chmod [options]... permission filename

Option: -R: apply the change recursively

As explained above, permissions can be written in character mode or numeric mode, and chmod usage is correspondingly divided into two cases.

Character mode:
ugo +-= rwx: adds (+), removes (-) or sets (=) read, write or execute permission for the owner, group or others
a = ugo; if the left side of the operator is omitted, the permission applies to all users
If the right side of = is omitted, it means ---, that is, no permissions at all

Numeric mode
1: x
2: w
3: wx
4: r
5: rx
6: rw
7: rwx
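To make the relationship between character mode and numeric mode concrete, here is an added example (not from the original page) in POSIX shell: it applies a symbolic specification such as u+x,g-w,o=r to a three-digit mode purely arithmetically, without touching a file, so the result can be compared with what chmod would produce. The function names apply_symbolic and rwx_to_digit are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): apply a chmod-style symbolic
# specification such as "u+x,g-w,o=r" to a three-digit numeric mode, so the
# character and numeric forms can be compared without touching any file.

# Turn a set of r/w/x letters into its digit, e.g. "rw" -> 6, "" -> 0.
rwx_to_digit() {
    d=0
    case "$1" in *r*) d=$((d + 4));; esac
    case "$1" in *w*) d=$((d + 2));; esac
    case "$1" in *x*) d=$((d + 1));; esac
    echo "$d"
}

# apply_symbolic MODE SPEC: MODE is three octal digits (e.g. 644), SPEC is a
# comma-separated list of [ugoa][+-=][rwx] clauses. Prints the new mode.
apply_symbolic() {
    mode="$1"
    spec="$2"
    u=$(printf '%s' "$mode" | cut -c1)
    g=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c3)
    oldifs=$IFS
    IFS=','
    for clause in $spec; do
        IFS=$oldifs
        who=${clause%%[+=-]*}        # letters before the operator, may be empty
        rest=${clause#"$who"}
        op=$(printf '%s' "$rest" | cut -c1)
        perms=${rest#?}              # letters after the operator, may be empty
        [ -z "$who" ] && who=a       # no subject given: applies to everyone
        case "$who" in *a*) who=ugo;; esac
        bits=$(rwx_to_digit "$perms")
        for cls in u g o; do
            case "$who" in *"$cls"*) ;; *) continue;; esac
            eval cur=\$$cls
            case "$op" in
                +) new=$((cur | bits));;      # add the requested bits
                -) new=$((cur & ~bits));;     # clear the requested bits
                =) new=$bits;;                # replace; "o=" yields 0 (---)
            esac
            eval "$cls=$new"
        done
    done
    IFS=$oldifs
    echo "$u$g$o"
}

# Demonstration: 644 with u+x,g-w,o=r becomes 744; 755 with "o=" becomes 750.
apply_symbolic 644 'u+x,g-w,o=r'
apply_symbolic 755 'o='
```

Running it prints 744 and 750; the same operations on a real file (chmod u+x,g-w,o=r f) give the same result, which you can confirm with ls -l.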

Special permissions

1. SUID, SGID, STICKY

SUID: when SUID is set on an executable binary, anyone who executes the file temporarily has the permissions of its owner
How to set: chmod u+s

SGID has two cases. How to set: chmod g+s
1. When SGID is set on an executable binary, anyone who executes the file temporarily has the permissions of its group

2. When SGID is set on a directory, files created in that directory by anyone get the same owning group as the directory

Sticky: when the sticky bit is set on a directory, a file in that directory can be deleted only by the file's owner, the directory's owner, and root.

Normally, in a directory with write permission a user can delete any file in it, regardless of the permissions or ownership of the file.

Setting sticky on a file is meaningless.

Similarly, special permissions are represented in two ways:

(1) Numeric:
SUID: 4
SGID: 2
Sticky: 1

SUID SGID STICKY

000  0: no special permissions

001  1: sticky

010  2: sgid

011  3: sgid + sticky

100  4: suid

101  5: suid + sticky

110  6: suid + sgid

111  7: suid + sgid + sticky

chmod 4777 /tmp/a.txt: SUID + rwx for everyone

(2) Character form: SUID occupies the owner's execute permission bit

s: owner also has x permission

S: owner does not have x permission

SGID occupies the group's execute permission bit

s: group has x permission

S: group does not have x permission

Sticky occupies other's execute permission bit

t: other has x permission

T: other does not have x permission
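As an added example (not part of the original page), the following POSIX shell functions convert between the ls -l mode field and the four-digit numeric form, using the s/S and t/T rules just listed. The names mode_to_octal, octal_to_mode and triple are this example's own, and the mode strings in it are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): convert between the mode field
# printed by ls -l (e.g. "-rwsr-xr-x") and four-digit numeric modes (e.g. 4755).
# A lowercase s/t means the special bit plus the underlying x bit; an uppercase
# S/T means the special bit without x, exactly as described above.

# mode_to_octal MODESTRING: accepts the 10-character field (with file type) or
# just the 9 permission characters; prints special+owner+group+other digits.
mode_to_octal() {
    m="$1"
    [ ${#m} -eq 9 ] && m="-$m"        # no type character given: pad it
    sp=0; u=0; g=0; o=0
    case "$m" in ?r*)            u=$((u + 4));; esac
    case "$m" in ??w*)           u=$((u + 2));; esac
    case "$m" in ???[xs]*)       u=$((u + 1));; esac
    case "$m" in ???[sS]*)       sp=$((sp + 4));; esac   # SUID in owner x slot
    case "$m" in ????r*)         g=$((g + 4));; esac
    case "$m" in ?????w*)        g=$((g + 2));; esac
    case "$m" in ??????[xs]*)    g=$((g + 1));; esac
    case "$m" in ??????[sS]*)    sp=$((sp + 2));; esac   # SGID in group x slot
    case "$m" in ???????r*)      o=$((o + 4));; esac
    case "$m" in ????????w*)     o=$((o + 2));; esac
    case "$m" in ?????????[xt]*) o=$((o + 1));; esac
    case "$m" in ?????????[tT]*) sp=$((sp + 1));; esac   # sticky in other x slot
    echo "$sp$u$g$o"
}

# triple DIGIT SPECIAL LOWER UPPER: render one rwx group, substituting LOWER
# or UPPER for the x position when the matching special bit is set.
triple() {
    d=$1; sp=$2; lo=$3; hi=$4
    r='-'; w='-'; x='-'
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    if [ $((d & 1)) -ne 0 ]; then
        if [ "$sp" -ne 0 ]; then x=$lo; else x=x; fi
    elif [ "$sp" -ne 0 ]; then
        x=$hi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_mode OCTAL: 3 or 4 digits, prints the 9 permission characters.
octal_to_mode() {
    oct="$1"
    [ ${#oct} -eq 3 ] && oct="0$oct"
    sp=$(printf '%s' "$oct" | cut -c1)
    u=$(printf '%s' "$oct" | cut -c2)
    g=$(printf '%s' "$oct" | cut -c3)
    o=$(printf '%s' "$oct" | cut -c4)
    printf '%s%s%s\n' "$(triple "$u" $((sp & 4)) s S)" \
                      "$(triple "$g" $((sp & 2)) s S)" \
                      "$(triple "$o" $((sp & 1)) t T)"
}

# Demonstration: a SUID root binary shows "-rwsr-xr-x", which is 4755;
# 1777 renders as rwxrwxrwt, the usual mode of a shared temporary directory.
mode_to_octal '-rwsr-xr-x'
octal_to_mode 1777
```

You can feed it real output, for instance mode_to_octal "$(ls -ld /tmp | cut -c1-10)", which gives 1777 on a typical system because /tmp carries the sticky bit; an uppercase S in a listing (4644, rwSr--r--) is worth a second look, since SUID without execute permission does nothing useful and usually indicates a mistaken chmod.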

But sometimes we find that even the root user cannot manipulate some files or directories. Two new commands are involved:

chattr and lsattr are used to change and view file and directory attributes. Compared with chmod, which only changes the read, write and execute permissions,

chattr changes lower-level attribute controls.

Related usage:

chattr: modify the attributes of the specified file
+a means the file cannot be deleted or overwritten, only appended to
+i means the file cannot be deleted, overwritten, or appended to
lsattr: view the attributes


2. ACL

ACLs allow flexible permission management: besides the file's owner, group and others, permissions can be set for additional users and groups.

Order in which entries take effect: owner, named user, named group, others


(1) How to enable ACLs
CentOS 7 supports ACLs by default.
On CentOS 6 and earlier, file systems created during OS installation support ACLs by default, but a file system formatted with mkfs after installation does not have ACL enabled; it must be enabled manually as follows:
1. tune2fs -o acl /dev/sda5
2. mount -o acl /dev/sda5 /app    (enable it at mount time)

(2) Set an ACL
setfacl -m u:liubei:rwx testdir

Setting ACLs from a file
1. cat acl.txt
u:liubei:rwx
g:shuguo:---
g:weiguo:r-x
2. setfacl -M acl.txt testdir/


(3) Set default permissions
setfacl -Rm u:liubei:rwx testdir/      sets the current permissions recursively
setfacl -Rm d:u:liubei:rwx testdir/    sets default permissions for files created in the future


(4) Delete permissions
# setfacl -x u:liubei testdir/
# setfacl -x u:guanyu testdir/
# setfacl -x g:weiguo testdir/

(5) Remove all permissions and clear the ACL attributes
setfacl -b testdir

Bulk delete ACL entries
1. cat aclrm.txt
u:liubei
g:shuguo
g:weiguo
2. setfacl -X aclrm.txt testdir/


Remove default ACL entries
setfacl -k testdir

Remove all ACL entries, emptying the ACL
setfacl -b testdir

3. umask (the ACL mask)

The mask is the threshold of permissions, that is, the upper limit of permissions.

On a file with an ACL, the group permission bits shown by ls -l are the mask value (the maximum permission for named users, named groups and the owning group), not the traditional group permission.

The mask only limits the maximum permissions of entries other than the owner and other. Those entries' permissions are ANDed with the mask to yield the effective permission, so a user's or group's setting must fall within the mask to take effect.

For example: setfacl -m mask::rx file. Note that the --set option removes the original ACL entries and replaces them with the new ones, so it must include the ugo entries, unlike -m, which only adds or modifies entries.
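The AND rule above is easy to get wrong when reading getfacl output by hand, so here is an added example (not from the original page and not getfacl's own code) in POSIX shell: it computes the effective rights of each entry under the mask and annotates a constructed getfacl-style listing the way getfacl marks reduced entries. The function names effective, annotate_acl and the sample listing SAMPLE_ACL are this example's own; the users and groups in it (liubei, weiguo, shuguo) are the names used on this page.

```shell
#!/bin/sh
# Added example (not from the original page, and not getfacl's own code):
# compute the effective rights of ACL entries under a mask entry with the
# logical AND rule described above, and annotate getfacl-style output the way
# getfacl marks reduced entries with "#effective:".

# perm_to_bits "r-x" -> 5
perm_to_bits() {
    b=0
    case "$1" in r??) b=$((b + 4));; esac
    case "$1" in ?w?) b=$((b + 2));; esac
    case "$1" in ??x) b=$((b + 1));; esac
    echo "$b"
}

# bits_to_perm 5 -> "r-x"
bits_to_perm() {
    r='-'; w='-'; x='-'
    [ $(($1 & 4)) -ne 0 ] && r=r
    [ $(($1 & 2)) -ne 0 ] && w=w
    [ $(($1 & 1)) -ne 0 ] && x=x
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# effective ENTRYPERMS MASK -> rights actually granted (entry AND mask)
effective() {
    bits_to_perm $(( $(perm_to_bits "$1") & $(perm_to_bits "$2") ))
}

# annotate_acl: reads getfacl-style lines on stdin. Owner (user::) and other::
# entries are not limited by the mask; named users, named groups and the owning
# group (group::) are, so those get "#effective:" when the mask cuts them down.
annotate_acl() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(.*\)$/\1/p')
    [ -n "$mask" ] || mask=rwx       # no mask entry: nothing is limited
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case "$line" in
            user::*|other::*|mask::*|'#'*|'')
                printf '%s\n' "$line" ;;
            user:*|group:*)
                perms=${line##*:}
                eff=$(effective "$perms" "$mask")
                if [ "$eff" = "$perms" ]; then
                    printf '%s\n' "$line"
                else
                    printf '%s\t\t#effective:%s\n' "$line" "$eff"
                fi ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample: what getfacl might print for a directory after
# "setfacl -m u:liubei:rwx testdir" followed by "setfacl -m mask::rx testdir".
SAMPLE_ACL='# file: testdir
# owner: root
# group: root
user::rwx
user:liubei:rwx
group::r-x
group:weiguo:r-x
group:shuguo:---
mask::r-x
other::r-x'

printf '%s\n' "$SAMPLE_ACL" | annotate_acl
```

In the sample, user:liubei:rwx is reduced to r-x by mask::r-x, while the owner (user::) and other:: entries are untouched; that is why the group column shown by ls -l on such a file reflects the mask rather than the owning group's own entry, and why a "chmod g-w" on an ACL-bearing file silently tightens every named user and group at once.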
