[Permission Management] -- general permissions, special permissions, hidden permissions

Source: Internet
Author: User

Files and directories under Linux have three kinds of permissions: general, special and hidden.

Understanding permissions and ownership (three figures)

Access rights / general permissions: r w x

1. What does rwx mean for a directory?

r: you have permission to read the directory's list of entries, i.e. you can use the ls command.

    $ ll
    dr--------. 2 lyj01 lyj01 4096 Jul  7 hh:mm test1
    $ cd test1/                ------> # with only r permission there is no way to cd into the directory
    bash: cd: test1/: Permission denied
    $ ls test1/
    ls: cannot access test1/2.txt: Permission denied
    ls: cannot access test1/1.txt: Permission denied
    1.txt  2.txt               ------> # with r permission we can still see the directory's contents

w: you have permission to change the directory's list of entries, i.e. you can:

Create (touch/vim) files and directories;

Delete (rm) files and directories (regardless of the permissions on those files and directories themselves);
Rename (mv) files and directories;
Move/copy (cp) files and directories;

    $ ll
    drwx------. 2 lyj01 lyj01 4096 Jul  7 hh:mm test1
    $ cd test1/
    $ ls
    1.txt  2.txt
    $ rm 1.txt                 ------> # can delete
    $ touch 3.txt              ------> # can create
    $ mv 3.txt 1.txt           ------> # can rename
    $ cp 1.txt /test/          ------> # can move/copy

    $ cd test1
    $ ll
    dr--------. 2 lyj01 lyj01 4096 Jul  7 hh:mm test2
    -r--------. 1 lyj01 lyj01    0 Jul  7 hh:mm test3
    ------> # the file (test3) and the directory (test2) inside this directory have only r permission
    $ rm test2 -r
    rm: remove write-protected directory 'test2'? y
    $ rm test3 -r
    rm: remove write-protected regular empty file 'test3'? y
    ------> # yet regardless of the "file/directory permissions" of the entries under test1, because the parent directory test1 has w permission, the files/directories under it can still be deleted

    ------> # we need to understand what this implies
    $ pwd
    /home/lyj01
    $ ll -d /home/lyj01
    drwx------. 3 lyj01 lyj01 4096 Jul  7 hh:mm /home/lyj01
    ------> # a user's home directory is owned by that user, and the owner has full rwx permission on it
    $ touch 1.txt
    $ sudo chown root:root 1.txt
    $ sudo chmod 700 1.txt
    ------> # we try creating, inside this home directory, a file owned by root:root with permission 700
    $ ll
    -rwx------. 1 root root 0 Jul  7 hh:mm 1.txt
    ------> # by this permission setting, user lyj01 falls under "others" and has no permission at all on this file
    $ rm 1.txt -f
    ------> # but we can delete it. Why? Think about the permissions of the home directory.
    ------> # so inside their own home directory a user has a status much like "root"

    ------> # one more point must be stressed: if the directory lacks x permission, so you cannot switch into it, then w permission is meaningless
    $ ll
    drw-------. 2 lyj01 lyj01 4096 Jul  7 hh:mm test1
    $ cd test1/
    bash: cd: test1/: Permission denied
    $ touch test1/3.txt
    touch: cannot touch 'test1/3.txt': Permission denied

x: you have permission to enter the directory and make it the working directory, i.e. you can use the cd command.

    $ ll
    dr-x------. 2 lyj01 lyj01 4096 Jul  7 hh:mm test1
    $ cd test1/ ; ls           ------> # can cd into the directory
    1.txt  2.txt
    $ rm 1.txt
    rm: cannot remove '1.txt': Permission denied
    ------> # but without w permission, nothing can be changed after entering the directory
    $ touch 3.txt
    touch: cannot touch '3.txt': Permission denied

2. What does rwx mean for a file?

r: you have permission to read the contents of the file

    $ ll
    -r--------. 1 lyj01 lyj01 13 Jul  7 hh:mm 1.txt
    $ cat 1.txt
    hello world!

w: you have permission to edit the file, i.e. to add to and modify its contents

x: for a script or program file, this means the system is allowed to execute it

Note: for a file, its r, w, x permissions apply to the file's contents; for operations on the "file name" itself (delete, rename, etc.) the file's own permissions are irrelevant, because those operations are governed by the permissions of the containing directory. Combined with the directory permissions explained above, this is easy to understand.

Special permissions: SUID, SGID, SBIT

1. SUID / SGID

    # look at the permissions of these three files
    # ls -l /usr/bin/passwd /etc/shadow /etc/passwd
    -rw-r--r--. 1 root root  1470 Jun dd hh:mm /etc/passwd
    ----------. 1 root root   902 Jun dd hh:mm /etc/shadow
    -rwsr-xr-x. 1 root root 30768 Feb dd hh:mm /usr/bin/passwd

We know that /etc/passwd and /etc/shadow store users' account and password information. From their permissions, ordinary users (others) have no permission to modify them.

Yet a logged-in ordinary user can still change their own password with the /usr/bin/passwd command. How does that work?

Looking at /usr/bin/passwd, the owner (root) permission is rws, i.e. the SUID bit is set. When an ordinary user executes the passwd command it runs with temporary root permission, and can therefore modify the /etc/passwd file.

So, in summary:

Provided the ordinary user has execute permission (x) on the file;

SUID lets an ordinary user run a program with the special permissions that "only root" would otherwise have; SGID does the same for the file's "group";

SUID can only be applied to binary programs and has no effect on directories.

How to find all SUID/SGID files on the whole system:

    find / -perm /6000         ------> # matches files with either bit set; older versions of find spelled this -perm +6000

2. SBIT (sticky bit) permission

    # mkdir /test
    # chmod 1777 /test/        ------> # make the directory readable and writable by all users, and add the SBIT permission
    # ll -d /test/
    drwxrwxrwt. 2 root root 4096 Jul  7 hh:mm /test/

Suppose the /test directory is open to all users, and every user has read and write permission on it.

If user A creates a file in /test, user B then also has permission to delete that file, which is clearly not desirable.

After the sticky bit permission is set, however, this problem no longer occurs.

    # su lyj                   ------> # switch to ordinary user lyj
    $ touch lyj1.txt           ------> # create a file
    $ ll lyj1.txt
    -rw-rw-r--. 1 lyj lyj 0 Jul  1 hh:mm lyj1.txt
    # su lyj2                  ------> # switch to ordinary user lyj2
    $ ls
    lyj1.txt
    $ rm lyj1.txt -f           ------> # does lyj2 have the right to delete the file lyj created?
    rm: cannot remove 'lyj1.txt': Operation not permitted     # obviously not
    $ touch lyj2.txt
    $ rm lyj2.txt -f           ------> # it can only delete files it created itself

So, in summary:

Provided the ordinary user has w and x permission on the directory;

SBIT means that when an ordinary user creates a file/directory under that directory, only that user and root can delete/rename/move it; other users have no authority to do so;

SBIT is only valid on directories.
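As an added example (not part of the original post), a small POSIX shell helper that decodes an ls -l mode string into its 4-digit octal value, covering the SUID, SGID and sticky bits from both special-permission sections above, plus an audit function built on the find query from the SUID/SGID section. The function names and the constructed sample mode strings are my own.

```shell
#!/bin/sh
# mode_to_octal: turn an ls -l mode string such as "-rwsr-xr-x" into "4755".
# In the owner slot s/S means SUID (4), in the group slot s/S means SGID (2),
# in the others slot t/T means sticky (1). Uppercase S/T means the special bit
# is set but the corresponding x bit is not (e.g. drwxrwxrwT is 1776).
mode_to_octal() {
    m=$1
    special=0; owner=0; group=0; other=0
    i=2                                   # position 1 is the file type (d, -, l ...)
    for who in owner group other; do
        r=$(printf '%s' "$m" | cut -c"$i")
        w=$(printf '%s' "$m" | cut -c"$((i + 1))")
        x=$(printf '%s' "$m" | cut -c"$((i + 2))")
        v=0
        [ "$r" = r ] && v=$((v + 4))
        [ "$w" = w ] && v=$((v + 2))
        case "$x" in
            x|s|t) v=$((v + 1)) ;;        # lowercase s/t also carry the x bit
        esac
        case "$who$x" in
            owners|ownerS) special=$((special + 4)) ;;
            groups|groupS) special=$((special + 2)) ;;
            othert|otherT) special=$((special + 1)) ;;
        esac
        eval "$who=$v"
        i=$((i + 3))
    done
    printf '%d%d%d%d\n' "$special" "$owner" "$group" "$other"
}

# audit_special_bits: list SUID/SGID files (the page's find / -perm /6000 query,
# written portably) and world-writable directories that lack the sticky bit,
# where any user could delete another user's files. Assumed usage:
#   audit_special_bits /usr
audit_special_bits() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}
```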

Hidden permissions: chattr

i: makes the file impossible to delete, rename, write to or append to, and no hard link can be created to it; note that only the root user has the authority to set this attribute.

    # touch attrtest
    # chattr +i attrtest       ------> # add the hidden attribute i to the file
    # lsattr attrtest          ------> # view the file's hidden attributes
    ----i--------e-- attrtest
    # whoami
    root
    # rm attrtest -f
    rm: cannot remove 'attrtest': Operation not permitted     ------> # not even root can delete it
    # echo "hello" > attrtest  ------> # cannot write/modify
    -bash: attrtest: Permission denied
    # mv attrtest attrtest2    ------> # cannot rename
    mv: cannot move 'attrtest' to 'attrtest2': Operation not permitted
    # ln attrtest attrtest2    ------> # cannot create a hard link
    ln: failed to create hard link 'attrtest2' => 'attrtest': Operation not permitted
    # ln -s attrtest 1.txt
    # cat attrtest             ------> # viewing the file and creating a soft link are still allowed

a: allows only appending data to the file; it cannot be deleted and existing data cannot be modified; note that only the root user has the authority to set this attribute.

    # chattr +a attrtest
    # lsattr attrtest
    -----a-------e-- attrtest
    # echo "hello" > attrtest
    -bash: attrtest: Operation not permitted
    # echo "hello" >> attrtest ------> # note the difference between > and >>
    # cat attrtest
    hello
    # rm attrtest -f
    rm: cannot remove 'attrtest': Operation not permitted

