====================================================================
Extension of file permission management:
File permission model
A file has an owner and a group.
Each class of user (owner, group, others) has read/write/execute (rwx) permissions; the nine bits combined make up the mode.
On top of these nine bits there are special permission bits.
As a common user, to change your password you have to modify /etc/shadow. But the shadow file has mode 400 and its owner and group are root. How can the new password be written?
s: SUID (set UID): if a file carries the s bit in its execute position, then when a common user runs the file it does not run as that user but with the identity of the file's owner. The switch is temporary and lasts only while the command runs.
SUID lets an ordinary user have administrator privileges while executing a particular command. This function is a double-edged sword.
SGID (set GID): when a user runs a command that carries it, the command runs with the file's group rather than the user's group.
Scenario: a company has a development team and everyone belongs to one group. All the programs for a project live in /project/. After the other members are added to that group they can access the directory. But if one user creates a file there, the owner group of the new file is that user's own group, and nobody else can get at the file. SGID on the directory solves this.
If the SGID bit is set on a directory, files created inside it take the directory's group as their owner group instead of the creator's primary group.
-----------------------------------------------------
How does a file get the s bit?
chmod u+s /etc/aaa.sh
This turns /etc/aaa.sh into a file with the SUID attribute.
----------------------------
If the owner already had execute permission, the bit shows as a lowercase s.
If the owner did not have execute permission, it shows as an uppercase S.
----------------------------
How does a directory get the s bit?
chmod g+s /project/
This gives the /project/ directory the SGID permission.
----------------------------------------------------
Sticky:
t bit (sticky bit). In a public place that everyone can write to, every user has write and delete permission, so we restrict things so that each user can only delete their own files. This is the t bit.
/tmp is the directory with the special attribute t.
The t bit is placed on o (others):
chmod o+t /project/
-----------------------------------------------------
SUID, SGID, sticky
They are also represented by three bits, written as one octal digit:
SUID = 4, SGID = 2, sticky = 1
binary  octal
000     0
001     1
010     2
011     3
100     4
101     5
110     6
111     7
Therefore the permission setting becomes four digits:
chmod 7755 /a.txt
The first digit holds the special bits (the s and t settings).
The last three digits are the owner, the group, and others.
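The following script is an added example and not part of the original notes. It builds a scratch tree under a mktemp directory (all paths constructed for the demo), sets the three special bits with both the symbolic form (u+s, g+s) and the four-digit octal form (1777, 7755), and reads the modes back with GNU stat so the lowercase s versus uppercase S distinction and the group inheritance of an SGID directory are visible. One caveat the notes do not mention: the Linux kernel ignores the SUID bit on interpreted scripts such as aaa.sh, so the bit is set and displayed but not honoured when the script runs.

```shell
#!/bin/sh
# Added example, not from the original notes: set SUID, SGID and the sticky bit
# on a scratch tree (constructed here under a mktemp directory) and read the
# resulting modes back. Needs a normal user and GNU coreutils (stat -c).
# Note: Linux does not honour SUID on shell scripts; the bit is shown, not used.

# Octal mode of a path, e.g. 4755 (first digit = special bits).
mode_of() { stat -c %a "$1"; }

# Symbolic mode, e.g. -rwsr-xr-x, where s/S and t/T are visible.
symbolic_of() { stat -c %A "$1"; }

# Build the tree, inspect it, print one line of results, clean up.
# Fields: SUID+x octal, its symbolic form, SUID-without-x octal, its symbolic
#         form, SGID dir octal, sticky dir octal, 7755 file octal, inheritance.
special_bits_report() {
  d=$(mktemp -d)

  # Script that already has owner execute: u+s shows as lowercase s.
  printf '#!/bin/sh\necho hello\n' > "$d/aaa.sh"
  chmod 755 "$d/aaa.sh"
  chmod u+s "$d/aaa.sh"

  # File without owner execute: u+s shows as uppercase S (bit set, nothing to run).
  : > "$d/noexec"
  chmod 644 "$d/noexec"
  chmod u+s "$d/noexec"

  # SGID on a directory (symbolic form) and sticky on a directory (octal 1777).
  mkdir "$d/project"
  chmod 775 "$d/project"
  chmod g+s "$d/project"
  mkdir "$d/tmpdir"
  chmod 1777 "$d/tmpdir"

  # Four-digit form: 7755 = SUID+SGID+sticky (4+2+1) followed by rwxr-xr-x.
  : > "$d/a.txt"
  chmod 7755 "$d/a.txt"

  # A file created inside the SGID directory takes the directory's group.
  # (If you belong to a second group, chgrp the directory to it first and the
  # new file still follows the directory, not your primary group.)
  : > "$d/project/newfile"
  if [ "$(stat -c %g "$d/project/newfile")" = "$(stat -c %g "$d/project")" ]; then
    inherit=inherited
  else
    inherit=not-inherited
  fi

  printf '%s %s %s %s %s %s %s %s\n' \
    "$(mode_of "$d/aaa.sh")"  "$(symbolic_of "$d/aaa.sh")" \
    "$(mode_of "$d/noexec")"  "$(symbolic_of "$d/noexec")" \
    "$(mode_of "$d/project")" "$(mode_of "$d/tmpdir")" \
    "$(mode_of "$d/a.txt")"   "$inherit"

  rm -rf "$d"
}

special_bits_report
```

Running it prints `4755 -rwsr-xr-x 4644 -rwSr--r-- 2775 1777 7755 inherited`: the same u+s operation yields s on the executable script and S on the non-executable file, and the directory bits appear as the leading 2 and 1 of the octal mode.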
----------------------------------------------------
System security mechanism: umask (mask code)
Use the umask command to view the current user's value.
For common users, umask is 0002.
For the administrator (root), umask is 0022.
So when the administrator creates a folder: 777 - umask = 755.
When the administrator creates a file: 666 - umask = 644.
Therefore:
The administrator's default permission for a new file is 644.
The administrator's default permission for a new folder is 755.
A common user's default permission for a new file is 664.
A common user's default permission for a new folder is 775.
------------------------------------------------------------
umask can be changed.
umask N:
For example, umask 027
Suppose we want users to get 754 permissions: 777 - 754 = 023, therefore umask = 023.
When creating a file, 666 - 023 = 643. However, the default file permission never includes the x bit, so 643 is automatically changed to 642.
umask settings are not persistent; they expire after re-login.
A value set with the umask command is only valid for the current shell of the current user.
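The script below is an added example and not part of the original notes. The kernel applies umask as a bit mask (new mode = base mode AND NOT umask), not as decimal subtraction, which is why the subtraction shortcut needs a correction step whenever a digit "borrows". compute_mode() does the bitwise calculation for any base mode and umask; observed_modes() creates a real file and directory under a given umask (in a constructed mktemp directory) and reads their modes back, so the two can be compared. For the 023 case from the notes the bitwise result for a file is 644, since the x bit is simply absent from the 666 base and needs no adjustment.

```shell
#!/bin/sh
# Added example, not from the original notes: umask is applied as a bit mask
# (mode & ~umask), not as decimal subtraction. compute_mode() does the bitwise
# calculation; observed_modes() creates a real file and directory under the
# given umask in a constructed mktemp directory and reads their modes back.

# $1 = base mode (666 for files, 777 for directories), $2 = umask, both octal.
# The leading 0 makes the shell parse the values as octal; & 0777 drops any
# bits the ~ would otherwise leave set above the permission field.
compute_mode() {
  printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Create a file and a directory under umask $1, print "<file> <dir>" octal modes.
observed_modes() {
  d=$(mktemp -d)
  ( umask "$1"; : > "$d/f"; mkdir "$d/dir" )   # subshell: the umask change stays local
  printf '%s %s\n' "$(stat -c %a "$d/f")" "$(stat -c %a "$d/dir")"
  rm -rf "$d"
}

# Reproduce the table from the notes (022, 002) plus the 023 and 027 cases.
for m in 022 002 023 027; do
  printf 'umask %s: computed file %s dir %s, observed %s\n' \
    "$m" "$(compute_mode 666 "$m")" "$(compute_mode 777 "$m")" "$(observed_modes "$m")"
done
```

The computed and observed columns always agree (022 gives 644/755, 002 gives 664/775, 023 gives 644/754, 027 gives 640/750). To make a value survive re-login, put the same `umask 027` line in ~/.bashrc or /etc/bashrc as the notes describe.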
----------------------------------------------------------------------
To make it permanent, define umask in a startup configuration file.
Global: /etc/profile, /etc/profile.d/*, /etc/bashrc
Per user: ~/.bash_profile, ~/.bashrc
The profile class is for interactive login shells.
The bashrc class is for non-interactive login.
Interactive login read order (files read later take priority):
/etc/profile --> /etc/profile.d/* --> ~/.bash_profile --> ~/.bashrc --> /etc/bashrc
Non-interactive shell: the order in which a script that the system runs automatically at startup reads them:
~/.bashrc --> /etc/profile.d/*
------------------------------------------------------------------------
Therefore, to change umask for everyone, edit /etc/bashrc.
To change it for a single user, define it in that user's ~/.bashrc.
-------------------------------------------------------------------------
How can I grant user centos write permission on files created by user gentoo?
To accomplish such a task:
ACL: access control list.
The file system's ACL: in addition to the owner and group, you can define an ACL that says who can and who cannot access a file.
These are stored as extended attributes (hidden attributes):
lsattr: command
View the extended attributes of a file.
------------------------------------------------------------
getfacl: view the access control list
getfacl <filename>: view the hidden (ACL) information of the file:
owner: permission
group: permission
others: permission
------------------------------------------------------------
setfacl: define the control list (set entries, delete entries, ...)
setfacl [options] entry filename
-m: set permissions
setfacl -m u:uid:perm filename
Set special permissions for a user.
setfacl -m g:gid:perm filename
Set permissions for a group.
setfacl -m u:redhat:rw 1.txt
Give the user redhat the rw permission on 1.txt through the ACL.
setfacl -m g:devgrp:rw- 1.txt
Give the group devgrp the rw- permission on the file 1.txt.
After setting, the ll (ls -l) output ends with a "+" sign, which indicates that the file has hidden (ACL) permissions.
d: sets the default permission bits (can only be set on a directory, so that all files created in the directory inherit the directory's hidden permissions)
setfacl -m d:u:redhat:r-- /mydata/
u sets a user entry
g sets a group entry
m sets the mask (the upper bound on the effective permissions of the named user and group entries)
setfacl -m m::r-- 1.txt
Then the effective permission ceiling defined by the mask is r--, so no matter what permissions the other entries grant, they can only be effective as r--.
o sets the entry for other users
-x: revoke the ACL entry of one user, group, or others.
setfacl -x u:redhat 1.txt
Removes the ACL entry for user redhat on 1.txt.
-b: remove all ACL entries from a file.
-k: delete the default ACL.
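The script below is an added example and not part of the original notes. It shows how the mask entry caps the effective permission of named users, named groups and the owning group, using a constructed copy of the getfacl output that the setfacl -m u:redhat:rw, g:devgrp:rw- and m::r-- commands above would produce (the user and group names come from the notes; the owner gentoo and the file contents are made up). effective_acl() applies the mask rule offline with awk, so it runs without ACL support on the file system; live_acl_demo() repeats the sequence with the real setfacl/getfacl when they are installed, substituting the user nobody for redhat because that account need not exist on the machine.

```shell
#!/bin/sh
# Added example, not from the original notes: how the ACL mask caps the
# effective permission of named users, named groups and the owning group.
# SAMPLE_ACL is a constructed copy of what `getfacl 1.txt` would print after:
#   setfacl -m u:redhat:rw 1.txt
#   setfacl -m g:devgrp:rw- 1.txt
#   setfacl -m m::r-- 1.txt
# (owner gentoo and the file are made up; getfacl's "#effective:" comments are
# left out because effective_acl() computes them).

SAMPLE_ACL='# file: 1.txt
# owner: gentoo
# group: gentoo
user::rw-
user:redhat:rw-
group::r--
group:devgrp:rw-
mask::r--
other::r--'

# Print "tag:qualifier:effective" for each entry. The mask applies to named
# user entries and to every group entry (including group::), never to user::
# (the owner) or other::.
effective_acl() {
  printf '%s\n' "$1" | awk -F: '
    /^#/ || NF < 3 { next }
    { n++; tag[n] = $1; q[n] = $2; perm[n] = $3 }
    $1 == "mask" { mask = $3 }
    END {
      for (i = 1; i <= n; i++) {
        eff = perm[i]
        if (mask != "" && ((tag[i] == "user" && q[i] != "") || tag[i] == "group")) {
          eff = ""
          for (k = 1; k <= 3; k++) {
            c = substr(perm[i], k, 1); m = substr(mask, k, 1)
            eff = eff ((c != "-" && m != "-") ? c : "-")
          }
        }
        printf "%s:%s:%s\n", tag[i], q[i], eff
      }
    }'
}

# Same sequence against a real file when the ACL tools are present; otherwise
# print a notice. Always returns 0 so the demo never aborts a caller.
live_acl_demo() {
  command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed, skipping live demo"; return 0; }
  d=$(mktemp -d)
  : > "$d/1.txt"
  # "nobody" stands in for redhat, which need not exist on this machine.
  setfacl -m u:nobody:rw "$d/1.txt" && setfacl -m m::r-- "$d/1.txt" && getfacl "$d/1.txt" \
    || echo "live demo failed (ACLs unsupported on this file system?)"
  rm -rf "$d"
  return 0
}

effective_acl "$SAMPLE_ACL"
live_acl_demo
```

For the sample, effective_acl prints user:redhat:r-- and group:devgrp:r-- even though both entries were granted rw-, while user::rw- and other::r-- are untouched; this is exactly the "+" file whose named entries look generous in setfacl but are capped by the mask. Note that setfacl -m on a named entry recalculates the mask unless you pass -n, so a mask you set by hand is silently widened again by the next -m call.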