Today let's talk about permissions in Linux. A Linux system has several kinds of permission bits: r, w, x, s and t. Why does the system need permissions at all? Everything in Linux is a file, and some files should not be visible to some users, so access permissions have to be set on the file. The owner of a file generally has the right to modify or delete it, while others are not necessarily allowed to, which protects the file from being damaged by strangers. That said, today we go through Linux permission management.
The information displayed for a file has the following fields: the owner of the file, the group, the number of references (links) to the file, the file size, the file's creation time and the file name.
So how do we change these properties of a file? First, changing the owner and the group of a file; the two commands chown and chgrp are described below.
chown modifies the owner of a file. A typical scene: someone leaves the company and a new colleague takes over the job, so the owner of the files has to be changed. The command is used as follows:
chown [OPTION]... [OWNER][:[GROUP]] FILE...    modify the owner of a file
OWNER: the user name (or UID) of the new owner
chown hadoop /tmp/passwd
In fact, chown can also change the owner and the group at the same time; separate the two with ":" or with ".":
OWNER:GROUP or OWNER.GROUP
chown hadoop:xks /tmp/issue
-R: recursive. When we want to change the owner of a directory together with the files and subdirectories inside it, use -R to recurse:
chown -R hadoop /tmp/testdir/
There is also a usage that takes an existing file as a template: the target file's owner and group are set to the same values as the reference file's. Usage:
chown [OPTION]... --reference=RFILE FILE...
chown --reference=/etc/shadow /tmp/passwd
chgrp modifies the owning group of a file. Suppose some users are already in the admins group but have no permission at all on a file they need to access; change the file's group to that group and those users can access the file.
chgrp [OPTION]... GROUP FILE...
chgrp admins /tmp/passwd
chgrp has the -R option as well, just like chown; I will not elaborate on it here:
chgrp -R groupname filename
chgrp [OPTION]... --reference=RFILE FILE...    This usage is the same as for chown.
File permissions
The permissions of a file in Linux are defined for three classes of objects: owner (u), group (g) and other (o). That is 9 permission bits in three groups of three, corresponding to the owner, the group and others. For example, rwxrw---- means the owner of the file has read, write and execute permission, the group has read and write permission, and others have no permission at all.
Each file has three permissions defined for each class of visitor:
r: readable
w: writable
x: executable
These three permissions mean different things for files and for directories:
File:
r: the contents of the file can be viewed with a file-viewing command such as cat
w: the file can be edited or deleted
x: the file can be submitted to the kernel from the command prompt and run as a command
Directory:
r: ls can be run on the directory to list the files in it; normally used together with x
w: files can be created and deleted in the directory; used together with x
x: the directory can be entered with the cd command, and ls -l can show the details of the files in it
Note: a file can carry a single permission on its own, but a directory normally needs the x (execute) permission together with the others; without it the other bits make no sense.
File Permission Actions
File permissions can be written with the letters r, w, x or as octal digits:
r: 4
w: 2
x: 1
For example, rw- is 4+2 = 6.
Octal digit representation
--- 000 0
--x 001 1
-w- 010 2
-wx 011 3
r-- 100 4
r-x 101 5
rw- 110 6
rwx 111 7
chmod modifies file permissions: with this command you change the permissions of the owner, the group and others.
chmod [OPTION]... MODE[,MODE]... FILE...
Modify the permissions of all three classes of users at once:
a+, a-, +, -
Set the permissions of one class (or several classes) of users outright:
u=, g=, o=
Add or remove a certain bit (or bits) for one class of users:
u+, u-, g+, g-, o+, o-
chmod [OPTION]... OCTAL-MODE FILE...
chmod a+x /tmp/passwd, chmod a-r /tmp/passwd, chmod +x /tmp/passwd, chmod -w /tmp/passwd. When I tested +w it did not give all three classes +w: only the owner got +w (a + or - with no user class in front of it is filtered through the umask).
chmod [OPTION]... --reference=RFILE FILE...    same usage as chown
chmod --reference=/etc/shadow /tmp/passwd
Default permissions for new files and directories
The umask value determines which permissions are withheld when a file is created. On a Linux system the default permission for a new file is 666 and for a new directory 777, but the final permission of the file is obtained by removing the umask bits from that maximum.
root's umask is 022 and an unprivileged user's is 002. Now that we know what umask is, how do we check its value?
umask: typed directly at the command line, shows the current umask value; umask followed by a value temporarily sets the umask:
umask 027
umask -S: symbolic display, i.e. shows the concrete permissions, such as u=rwx,g=rx,o=
umask -p: output in a form that can be reused as a command
If we want the umask setting to be permanent we have to set it in a configuration file. There are two: /etc/profile for global settings, effective for all users, and ~/.bashrc for a single user's settings.
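As an added example (not from the original post), here is a small shell script that computes the default mode described above (666 for files, 777 for directories, minus the umask bits) and then checks the result against what the kernel really assigns; it assumes a GNU userland with stat -c, as on CentOS.

```shell
#!/bin/sh
# Added example, not part of the original post.
# default_mode MASK KIND: print the octal mode a new file (KIND=file) or
# directory (KIND=dir) receives under umask MASK, following the rule from the
# post: start from 666 or 777 and remove every bit that is set in the umask.
default_mode() {
    mask=$1
    case $2 in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *)    echo "usage: default_mode MASK file|dir" >&2; return 1 ;;
    esac
    # The leading 0 makes the shell read the umask string as octal.
    printf '%03o\n' $(( base & ~(0$mask) ))
}

# verify_umask MASK: create a real file and directory under MASK in a scratch
# directory and print the modes the kernel assigned (assumes GNU stat -c).
verify_umask() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$scratch/f"        # empty file, requested mode 666
        mkdir "$scratch/d"      # directory, requested mode 777
    )
    stat -c '%n %a' "$scratch/f" "$scratch/d"
    rm -rf "$scratch"
}

# The two umask values the post mentions plus the stricter 027 it sets.
for m in 022 002 027; do
    echo "umask $m: file $(default_mode "$m" file), dir $(default_mode "$m" dir)"
done
echo "kernel check under umask 027:"
verify_umask 027 || echo "(verification needs mktemp and GNU stat)"
```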
Special permissions
There are three special permissions: SUID, SGID and sticky.
The three ordinary permissions are r, w, x for user, group and other.
Security context
A prerequisite: a process must have an owner and a group, and a file has an owner and a group. Linux follows these rules:
Whether an executable program file can be started as a process depends on whether the initiator has execute permission on the program file.
The owner of the resulting process is the user who started it, and the group of the process is the group that user belongs to.
When a process accesses a file, which permissions apply depends on the initiator of the process:
if the initiator of the process is the owner of the file, the file's owner permissions apply;
if the initiator of the process belongs to the file's group, the file's group permissions apply;
if neither of the first two holds, the permissions for others apply.
SUID
Whether an executable program file can be started as a process depends on whether the initiator has execute permission on the program file. For example, to view the contents of a file we can use the cat command; the permissions of the cat command's path are -rwxr-xr-x. 1 root root 48568 May 16:59 /bin/cat. The owner root has execute permission on cat, so root can run the cat command; the group and others also have execute permission, so they can run cat as well.
After the program starts as a process, the owner of the process is the owner of the original program file, not the user who started it.
SUID is only meaningful for binary executable programs; setting SUID on a directory is meaningless (directories normally have execute permission anyway, as mentioned earlier). So how do we set SUID? With the chmod command:
chmod u+s filename    add SUID
chmod u-s filename    remove SUID
chmod u+s /tmp/passwd
chmod u-s /tmp/passwd
If the owner of the file does not have execute permission, the owner's x bit is displayed as S (capital) after adding SUID; conversely, if execute permission is present, it is displayed as s (lowercase).
SGID
Whether an executable program file can be started as a process depends on whether the initiator has execute permission on the program.
When it is started as a process, the group of the process is the group of the original program file.
How to set the permission:
chmod g+s filename
chmod g-s filename
If the file's group does not have execute permission, the group's x bit is displayed as S after adding SGID; conversely, if execute permission is present, it is displayed as s.
By default, when a user creates a file, the file's group is the primary group of that user. Once a directory has been given SGID, a file created in it by any user with write permission on the directory gets the directory's group as its group. This is usually used for a shared directory. It is set as follows:
chmod -R g+s directory
chmod -R g-s directory
Sticky permissions
In a directory with write permission a user can normally delete any file in it. Everyone can write data at the same time, but there is a problem: whoever can write can also delete, and deleting your own files is one thing, but accidentally deleting someone else's file is a mess. So a mechanism is needed so that only root and the owner of a file can delete it: with the sticky bit set on the directory, only the file's owner or root can delete a file in it, regardless of the permissions or ownership of the file. Setting sticky on a file is meaningless, because a file itself can already be deleted only by root and its owner, so it would be superfluous.
Permission setting method
chmod o+t directory
chmod o-t directory
Special permissions in octal notation
SUID SGID STICKY
000 0 no special permission
001 1 sticky only
010 2 SGID only
011 3 SGID and sticky
100 4 SUID only
101 5 SUID and sticky
110 6 SUID and SGID
111 7 all three
For example, chmod 6755 /tmp/passwd means /tmp/passwd is given SUID and SGID, the owner has read, write and execute permission, and the group and others have read and execute permission.
If others do not have execute permission, the others' x bit is displayed as T after adding sticky; conversely, if execute permission is present, it is displayed as t.
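To make the s/S and t/T display rules checkable, here is an added example (not from the original post) that converts the nine-character permission field printed by ls -l into the four-digit octal mode, including the special-permission digit, and rejects s or t in a slot where they cannot appear.

```shell
#!/bin/sh
# Added example, not part of the original post.
# mode_to_octal PERMS: convert the 9-character permission field of ls -l
# (e.g. rwsr-xr-x) into four octal digits (e.g. 4755). Rules from the post:
#   s/t in an x slot = special bit set AND execute permission present
#   S/T in an x slot = special bit set but NO execute permission
# Position 2 (owner x) carries SUID, 5 (group x) SGID, 8 (others x) sticky.
mode_to_octal() {
    rest=$1
    [ ${#rest} -eq 9 ] || { echo "need 9 permission characters, got '$1'" >&2; return 1; }
    special=0 val=0 i=0
    while [ $i -lt 9 ]; do
        c=${rest%"${rest#?}"}   # first remaining character
        rest=${rest#?}          # drop it
        bit=0
        case "$i$c" in
            0r|1w|2x|3r|4w|5x|6r|7w|8x) bit=1 ;;      # ordinary bit in its own slot
            ?-) ;;                                    # bit not set
            2s) special=$((special | 4)); bit=1 ;;    # SUID with execute
            2S) special=$((special | 4)) ;;           # SUID without execute
            5s) special=$((special | 2)); bit=1 ;;    # SGID with execute
            5S) special=$((special | 2)) ;;           # SGID without execute
            8t) special=$((special | 1)); bit=1 ;;    # sticky with execute
            8T) special=$((special | 1)) ;;           # sticky without execute
            *) echo "bad character '$c' at position $i in '$1'" >&2; return 1 ;;
        esac
        val=$((val * 2 + bit))   # append one bit of the 9-bit rwx field
        i=$((i + 1))
    done
    # The special digit occupies the three bits above the 9 permission bits.
    printf '%04o\n' $((special * 512 + val))
}

# Walk through the cases the post describes.
for p in rwxr-xr-x rwsr-xr-x rwSr-xr-x rwxrwsr-x rwxrwxrwt rwxrwxrwT; do
    echo "$p -> $(mode_to_octal "$p")"
done
```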
Setting specific attributes
chattr +i    the file cannot be deleted, renamed or have its content changed; even root cannot modify it
chattr -i    cancel the attribute
chattr +a    (append) content can only be appended to the file
Access Control List
An ACL (access control list) allows flexible permission management: in addition to the file owner, the owning group and others, permissions can be set for more users. On CentOS 7 the file systems created by default support ACLs; on CentOS 6 and 5 they are not enabled by default and have to be turned on manually, as follows:
tune2fs -o acl /dev/sdb1
mount -o acl /dev/sdb1 /media
Order in which ACL entries are checked: owner, named user, owning group and named groups, others
getfacl views the access control list of a file
getfacl filename
setfacl sets access control lists
setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file...
-m: set an access control entry
setfacl -m u:hadoop:rwx filename
-x: remove an access control entry
setfacl -x u:hadoop filename    note that when removing an entry the specification does not carry a permission part
-M: read the entries to add from a file, in the same format as -m, e.g. u:hadoop:rwx
setfacl -M 1.acl filename
-X: the opposite of -M, remove the entries listed in a file, file content format u:hadoop
setfacl -X 2.acl filename
-R -m: recursively set access control entries on the files and directories under a directory
setfacl -R -m u:hadoop:rwx directory
setfacl -m d:u:wang:rx directory    (the d: prefix sets a default entry, which new files in the directory inherit)
setfacl -k directory    delete the default ACL entries
setfacl -b filename    clear all ACL entries
mask: the mask only limits the maximum permission of named users, named groups and the owning group; it does not affect the owner or others. The permission of such an entry is ANDed with the mask, and the result is the effective permission.
setfacl -m mask::rx file
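The mask rule can be made concrete: the following added example (not from the original post) parses getfacl-style output, constructed here for a hypothetical file, and prints the effective permission of every entry the mask limits, the way getfacl's #effective comments do.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Constructed getfacl output for a hypothetical file; the mask r-x limits
# every named user, named group and the owning group, but not user:: or other::.
SAMPLE_ACL='# file: shared/report.txt
# owner: root
# group: admins
user::rw-
user:hadoop:rwx
group::r--
group:wang:rw-
mask::r-x
other::---'

# perm_and A B: intersection of two rwx strings, e.g. rwx and r-x give r-x.
# Each position holds either its own letter or "-", so a position survives
# only when both strings carry the letter there.
perm_and() {
    out=""
    for pos in 1 2 3; do
        a=$(printf '%s' "$1" | cut -c "$pos")
        b=$(printf '%s' "$2" | cut -c "$pos")
        if [ "$a" = "$b" ]; then out="$out$a"; else out="$out-"; fi
    done
    printf '%s\n' "$out"
}

# effective_entries: read getfacl output on stdin and print each mask-limited
# entry together with the permission a process actually gets.
effective_entries() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\)$/\1/p')
    [ -n "$mask" ] || { echo "no mask entry: nothing is limited" >&2; return 1; }
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in
            user:?*:???|group:?*:???|group::???)   # named users, named groups, owning group
                perms=${line##*:}
                printf '%-18s #effective:%s\n' "$line" "$(perm_and "$perms" "$mask")" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_ACL" | effective_entries
```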
This article is from the "Operation and Maintenance Career" blog; please keep this source: http://fszxxxks.blog.51cto.com/10122713/1833777
Linux permission management