A Complete Guide to Linux System Permissions

Source: Internet
Author: User


I. File ownership: every file has an owner (user) and an owning group; everyone else falls under others

II. Viewing file permissions and ownership
ls -al lists each file with its permission string, owner, group and other attributes
The permission string is built from r (read), w (write) and x (execute), repeated once each for owner, group and others

III. Setting permissions on files and directories
1. Commands that change permissions and ownership
chmod changes the permission bits, chown changes the owner (and optionally the group), chgrp changes the group

IV. Default permissions
1. View the default permission mask: umask (octal) or umask -S (symbolic)
2. Change it: umask xxx with an octal value, e.g. umask 022. Every bit set in the mask is cleared from 666 for new files and from 777 for new directories, so 022 gives 644 and 755; it is a bitwise AND NOT, not a subtraction
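The following added example (not part of the original article) creates files and directories under several umask values in a temporary directory and compares what the kernel produced with the mask arithmetic described above (file mode 666 AND NOT umask, directory mode 777 AND NOT umask). It assumes GNU coreutils (stat -c) on Linux and touches nothing outside the temporary directory it creates.

```shell
#!/bin/sh
# Added example, not from the original article.
# Show what umask does to newly created files and directories and compare the
# kernel's result with the mask arithmetic. Assumes GNU coreutils (stat -c).

# mode_after_umask UMASK file|dir
# Create an empty file or directory under UMASK and print its octal mode.
mode_after_umask() {
    u=$1; kind=$2
    tmp=$(mktemp -d)
    # The subshell keeps the caller's own umask untouched.
    (
        umask "$u"
        if [ "$kind" = dir ]; then mkdir "$tmp/obj"; else : > "$tmp/obj"; fi
    )
    stat -c %a "$tmp/obj"
    rm -rf "$tmp"
}

# expected_mode UMASK file|dir
# The mode the mask arithmetic predicts: files start from 666, directories from
# 777, and every bit set in the umask is cleared (bitwise AND NOT, not subtraction).
expected_mode() {
    u=$1; kind=$2
    if [ "$kind" = dir ]; then base=0777; else base=0666; fi
    printf '%o\n' $(( base & ~0$u & 0777 ))
}

# umask_blocks_others UMASK
# Succeeds only if the mask denies others every permission on new files.
# The common 022 default fails this check (new files stay world-readable);
# 027 and 077 pass, which is why hardening guides recommend them.
umask_blocks_others() {
    [ $(( 0$1 & 007 )) -eq 7 ]
}

for m in 022 027 077; do
    printf 'umask %s: file %s (predicted %s), dir %s (predicted %s)\n' "$m" \
        "$(mode_after_umask "$m" file)" "$(expected_mode "$m" file)" \
        "$(mode_after_umask "$m" dir)"  "$(expected_mode "$m" dir)"
done
```

Run it as any user; the predicted and observed modes agree line for line, and the execute bit never appears on a new file regardless of the mask because files start from 666.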

V. Hidden attributes of files and directories
1. Set the hidden attributes of a file:
chattr [-R] [+-=] [ai] file

-R  apply the change recursively to a directory and everything below it
a   append-only: data can be appended to the file, but existing data cannot be modified or removed
i   immutable: the file cannot be modified, deleted, renamed or hard-linked, equivalent to write protection; even root must clear the attribute first, which requires the CAP_LINUX_IMMUTABLE capability

2. Display the hidden attributes of a file:
lsattr [-Rda] file
-R  also list the attributes of subdirectories recursively
-d  list a directory itself rather than its contents
-a  also list hidden files (names beginning with a dot)

VI. Special permissions for files
1. SetUID: applies to binary executables, and the executor must already have execute permission on the file. While the program runs, the process temporarily takes on the permissions of the file's owner; that amounts to root permissions only when the owner is root. Root can set setuid and setgid on any file; an ordinary user can set them only on files they own (and setgid only for a group they belong to). Note that Linux ignores the setuid and setgid bits on interpreted scripts (files that start with #!), so setting them on test.sh as in the examples below changes the listing but grants no privilege.
2. SetGID: on a binary executable the same rule applies with the file's group: the process temporarily runs with the permissions of the owning group. On a directory, files created inside inherit the directory's group instead of the creator's primary group.
3. Sticky bit: meaningful mainly on directories. When a directory has the sticky bit set, an entry in it can be deleted or renamed only by root, the owner of the directory, or the owner of that entry, even if the directory is writable by everyone.
In the leading octal digit setuid, setgid and sticky are 4, 2 and 1; the symbolic forms are u+s, g+s and o+t (u-s, g-s and o-t remove them).

Setting SetUID:
chmod u+s test.sh or chmod 4755 test.sh   # add the setuid bit
chmod u-s test.sh or chmod 755 test.sh    # remove the setuid bit; on a directory use u-s, because GNU chmod keeps a directory's setuid/setgid bits when given a three-digit numeric mode
With ls --color, the default dircolors palette shows a setuid executable as white text on a red background


Setting SetGID:
chmod g+s test.sh or chmod 2755 test.sh   # add the setgid bit
chmod g-s test.sh or chmod 755 test.sh    # remove the setgid bit; on a directory use g-s for the same reason
With ls --color, the default dircolors palette shows a setgid executable as black text on a yellow background


Setting setuid and setgid at the same time adds the two octal values (4000 + 2000 = 6000), giving 6755:
chmod 6755 test.sh or chmod u+s,g+s test.sh   # add both bits
chmod 755 test.sh or chmod u-s,g-s test.sh    # remove both bits; on a directory only the symbolic form works
In ls -l both the owner and the group execute positions then show s


If the corresponding execute bit is not set, the position shows a capital S instead of a lowercase s (in the owner field for setuid, in the group field for setgid); likewise the sticky bit shows as T instead of t when others lack execute. A capital letter means a special bit is set on something that is not executable, which is almost always a mistake.



setuid examples:
Ordinary users can change their own passwords because the passwd command carries the setuid bit (ls -l /usr/bin/passwd shows -rwsr-xr-x owned by root); it needs root to write /etc/shadow.

# The su command works the same way.
Allowing normal users to delete files owned by root (very dangerous, for testing only): rm would then run as root, so any user could delete any file on the system.
chmod u+s /bin/rm   # adding the setuid bit to rm is all it takes


Setting the Sticky bit:
chmod o+t stdir/ or chmod 1755 stdir/   # add the sticky bit
chmod o-t stdir/ or chmod 755 stdir/    # remove the sticky bit
With ls --color, a sticky directory is shown with a blue background (green when it is also world-writable, as /tmp is), and the execute position for others shows t in place of x


Example: on Linux, /tmp holds temporary files and is writable by all users, but each user may delete only their own files. This is achieved by setting the sticky bit on the directory (mode 1777, shown as drwxrwxrwt).

rwt for others means: the directory can be entered, its contents listed and files added to it, but a user can delete only their own files, not the files of other users.

VII. ACLs (Access Control Lists)
In Linux, the users who access a file are divided into three classes: user (the owner), group and other. Suppose a user needs write permission on a file but falls under other; with the traditional model the only option is to open up the permissions of other, and then everyone can write the file. A file ACL solves this: it grants specific permissions on a specific file to a named user or a named group.

Classification of ACLs:
Access ACL: can be set on files and directories and governs access to that object
Default ACL: can be set only on directories; files and subdirectories created inside it inherit it as their access ACL (subdirectories also inherit it as their own default ACL)

The command for setting ACLs:
setfacl [options] rule file
Options:
-m  add or modify ACL entries
-d  operate on the default ACL (valid only for directories)
-x  remove the named extended ACL entries
-b  remove all extended ACL entries, keeping only the base owner, group and other entries

Rules:
u:user name or uid:perms   permissions for a named user (an empty name, u::perms, means the owner)
g:group name or gid:perms  permissions for a named group (an empty name, g::perms, means the owning group)
o::perms                   permissions for others
m::perms                   the effective permission mask

getfacl [options] file
Options:
-e  print an #effective: comment for every entry, showing the permission that remains after the mask is applied

Setting access ACL permissions:
Syntax:
setfacl -m u:user name or uid:perms file    # set permissions for a user
setfacl -m g:group name or gid:perms file   # set permissions for a group
Examples:
setfacl -m u:feng:rwx ting/   # allow user feng rwx on the directory ting
setfacl -m g:feng:rwx ting/   # allow group feng rwx on the directory ting
setfacl -x u:feng ting/       # remove user feng's entry for the directory ting

Note: perms are written with the letters r, w and x (or as a single octal digit 0-7); a three-digit mode such as 755 is rejected with an error.
A file or directory that carries an ACL shows a "+" after the permission string in ls -l, for example drwxrwxr-x+


Setting default ACL permissions:
Syntax:
setfacl -d -m [ug]:name:[rwx] directory     (note: -d must come before -m, because it applies to the entries parsed after it)
setfacl -d --set [ug]:name:[rwx] directory  (same ordering rule; --set replaces the whole default ACL instead of adding to it)
setfacl -m d:[ug]:name:[rwx] directory      (the d: prefix marks the entry itself as a default entry)
Examples:
setfacl -d -m u:feng:rwx acldir/
setfacl -d --set u:feng:rwx acldir/
setfacl -m d:u:feng:rwx acldir/
setfacl -m d:g:feng:rwx acldir/   # group feng gets rwx on files created under acldir

setfacl -b acldir/   # remove all extended ACL entries from the directory acldir
getfacl -e acldir/   # view the permissions together with their effective rights

Note: files that already exist when a default ACL is set on a directory do not acquire it; only files and subdirectories created afterwards inherit it.


Setting the effective permission mask
The mask limits the permissions that the extended entries (named users, named groups and the owning group) can grant; the owner and other entries are not affected by it. An entry's effective permission is its own permission ANDed with the mask, which is what getfacl -e reports as #effective:. Any permission in an entry that is not also present in the mask is silently ineffective. Two consequences to remember: setfacl recalculates the mask automatically whenever entries are modified (unless -n is given), and once a file has an ACL the group bits displayed by ls -l and changed by chmod are the mask rather than the owning group's entry, so a chmod g-w also strips write from every named user and group on that file.



Note: if the user name is left empty (u::perms) the entry refers to the file's owner; if the group name is left empty (g::perms) it refers to the file's owning group.
Note: when setfacl targets these base entries it behaves exactly like chmod. For example setfacl -m u::rwx,g::rwx,o::rwx acl_test/ (owner root, group root) is equivalent to chmod 777 acl_test/: it sets the owner, group and other entries to rwx and does not touch the default ACL.
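The mask rule described above is easy to get wrong when reading getfacl output by hand, so here is an added example (not from the original article) in plain shell that takes a getfacl-style listing, constructed sample data rather than output from a real system, and computes the effective permission of each masked entry the way getfacl -e reports it. It needs neither setfacl nor an ACL-enabled filesystem, which also makes it useful for reasoning about an ACL captured from another host.

```shell
#!/bin/sh
# Added example, not from the original article.
# Compute ACL effective permissions (entry AND mask) from a getfacl-style
# listing, reproducing the #effective: comments that getfacl -e prints.
# Pure shell, so it runs without setfacl or an ACL-enabled filesystem.

# perm_bits rwx -> 7 : turn an r/w/x/- triple into its numeric value
perm_bits() {
    bits=0
    case $1 in r??) bits=$((bits | 4)) ;; esac
    case $1 in ?w?) bits=$((bits | 2)) ;; esac
    case $1 in ??x) bits=$((bits | 1)) ;; esac
    echo "$bits"
}

# bits_perm 5 -> r-x : the inverse of perm_bits
bits_perm() {
    out=""
    if [ $(( $1 & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    echo "$out"
}

# effective_perm ENTRY_PERMS MASK_PERMS -> what the kernel actually grants
effective_perm() {
    bits_perm $(( $(perm_bits "$1") & $(perm_bits "$2") ))
}

# annotate_effective < getfacl-listing
# Echo the listing, appending #effective: to every entry the mask applies to:
# named users, named groups and the owning group (group::). The owner (user::)
# and other:: entries are never masked. Without a mask:: line nothing is limited.
annotate_effective() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(.*\)$/\1/p')
    [ -n "$mask" ] || mask=rwx
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in
            user::*|other::*|mask::*|'#'*|'')
                printf '%s\n' "$line" ;;
            user:*|group:*)
                perms=${line##*:}
                printf '%s\t#effective:%s\n' "$line" "$(effective_perm "$perms" "$mask")" ;;
            *)
                printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample listing (not captured from a real system): user feng was
# granted rwx and group audit rw-, but the mask is r--, so both end up read-only,
# as does the owning group's r-x entry.
SAMPLE_ACL='# file: report.txt
# owner: root
# group: root
user::rw-
user:feng:rwx
group::r-x
group:audit:rw-
mask::r--
other::---'

printf '%s\n' "$SAMPLE_ACL" | annotate_effective
```

The sample is exactly the situation a chmod g-w (or a chmod 644) produces on a file that already carries named entries: the mask shrinks to r--, and although getfacl still prints user:feng:rwx, the effective column shows that feng can no longer write.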

