Permission collation of Centos File System

Programs used:

Chmod setfacl getfacl stat chattr lsattr
Chmod: Set File Permissions
Setfacl: access control list)
Getfacl: view the access control list
Stat: displays inode content (a | m | c) time content
Chattr: sets the list file attribute system of the second extended file.
Lsattr: view the list file attribute system of the second extension fileSetuid: Make the file have the same x permissions as the file owner
Setgid: Make the folder have the same x permissions as the file group
Sticky: Make files unavailable

Test:

 
 

  
  
[root@nagios test]# touch setuid setgid sticky
  
  
[root@nagios test]# chown -R nagios.nagios ./
  
  
[root@nagios test]# chmod u+s setuid && chmod g+s setgid && chmod o+t sticky
  
  
[root@nagios test]# ll
  
  
total 0
  
  
-rw-r-Sr-- 1 nagios nagios 0 Mar 2800:41 setgid 
  
  
-rwSr--r-- 1 nagios nagios 0 Mar 2800:41 setuid 
  
  
-rw-r--r-T 1 nagios nagios 0 Mar 2800:41 sticky 
  
  
[root@nagios test]# su hello
  
  
[hello@nagios test]$ pwd 
  
  
/root/test 
  
  
[hello@nagios test]$ echo hello >> setuid 
  
  
bash: setuid: Permission denied 
  
  
[hello@nagios test]$ sh setuid 
  
  
hello 
  
  
[nagios@nagios test]$ exit 
  
  
exit 
  
  
[root@nagios test]# chmod o+w sticky
  
  
[root@nagios test]# su hello
  
  
[hello@nagios test]$ ll sticky 
  
  
-rw-rw-rwT 1 nagios nagios 0 Mar 2800:45 sticky 
  
  
[hello@nagios test]$ rm sticky 
  
  
rm: cannot remove `sticky': Permission denied 
  
  
[hello@nagios test]$ stat sticky 
  
  
 File: `sticky' 
  
  
 Size: 0 Blocks: 0 IO Block: 4096 regular empty file 
  
  
Device: fd00h/64768d Inode: 134198 Links: 1
  
  
Access: (1666/-rw-rw-rwT) Uid: ( 500/ nagios) Gid: ( 500/ nagios) 
  
  
Access: 2013-03-2800:45:37.875928997 +0800
  
  
Modify: 2013-03-2800:45:37.875928997 +0800
  
  
Change: 2013-03-2800:46:28.050580800 +0800
 
 

# Setfacl and getfacl

User: owner permission ":" All are owners ":" special user
Group: group and Special group
Other: Others
Mask: All persons except owner and others
Common options:
-D: subdirectory inherits the special permissions of the parent directory.
-R: recursive permission

Check whether ACL is supported

 
 

  
  
[root@nagios heelo]# tune2fs -l /dev/sda1 | grep option
  
  
Default mount options: user_xattr acl 
 
 

Test:

 
 

  
  
[root@nagios test]# touch setfacl
  
  
[root@nagios test]# setfacl -m user::r,user:hello:rw setfacl
  
  
[root@nagios test]# chown nagios.nagios setfacl
  
  
[root@nagios test]# ll setfacl
  
  
-r--rw-r--+ 1 nagios nagios 0 Mar 2800:52 setfacl 
  
  
[root@nagios test]# su nagios
  
  
[nagios@nagios test]$ echo hello >> setfacl 
  
  
bash: setfacl: Permission denied 
  
  
[nagios@nagios test]$ exit 
  
  
exit 
  
  
[root@nagios test]# su hello
  
  
[hello@nagios test]$ echo hello >> setfacl 
  
  
[hello@nagios test]$ cat setfacl 
  
  
hello 
  
  
[hello@nagios test]$ getfacl setfacl 
  
  
# file: setfacl
  
  
# owner: nagios
  
  
# group: nagios
  
  
user::r-- 
  
  
user:hello:rw- 
  
  
group::r-- 
  
  
mask::rw- 
  
  
other::r-- 
 
 

#chattr and lsattr

Chattr +-= [acdeijstuADST].
A: Atime: Tell the system not to modify the last access time of this file.
S: Sync. Once the application writes the file, the system immediately writes the Modification result to the disk.
A: Append Only. The system Only allows data to be appended to this file. No process is allowed to overwrite or intercept this file. If the directory has this attribute, the system will only allow the creation and modification of files under this directory, and will not allow the deletion of any files.
I: Immutable. The system does not allow any modifications to this file. If the directory has this attribute, any process can only modify the files under the Directory and cannot create or delete files.
D: Check for errors in the compressed file.
D: No dump. During file system backup, the dump program ignores this file.
C: Compress. The system compresses the file transparently. When reading from this file, the returned data is extracted. When writing data to this file, the data is first compressed before being written to the disk.
S: Secure Delete. The system will use 0 to fill in the region where the file is located when deleting the file.
U: Undelete: When an application requests to delete this file, the system will keep its data block so that the file can be deleted in the future.

Test:

 
 

  
  
[root@nagios test]# mkdir chattr
  
  
[root@nagios test]# chattr +i chattr/
  
  
[root@nagios test]# touch chattr/hello
  
  
touch: cannot touch `chattr/hello': Permission denied 
  
  
[root@nagios test]# chattr -i +a chattr/
  
  
[root@nagios test]# touch chattr/hello && echo hello >>chattr/hello && cat chattr/hello
  
  
hello 
  
  
[root@nagios test]# rm chattr/hello
  
  
rm: remove regular file `chattr/hello'? y 
  
  
rm: cannot remove `chattr/hello': Operation not permitted