Special Permissions
We learned the basic Linux permissions earlier, but basic permissions alone cannot meet every requirement.
For example, in a public directory everyone can create their own files, but each user should only be able to delete their own files. Basic permissions are powerless here.
To meet this requirement you must use the Linux special permissions, which let you define file permissions more precisely.
The umask we saw earlier is 0022; the leading 0 is the special-permission digit described here.
There are three special permissions: suid, sgid and sticky.
Before learning what they do, let's review the basic permission-matching process.
Start ---> [is it root?]        ---> [grant all permissions]       ---> end
           [is it the owner?]   ---> [apply the user-bit permissions]  ---> end
           [is it in the group?] --> [apply the group-bit permissions] ---> end
           [anyone else]        ---> [apply the other-bit permissions] ---> end
Now let's look at the first special permission, SUID.
Limitation: it can only be set on a binary executable program; on directories and text files it has no effect.
Function: no matter who executes the program, Linux runs the permission-matching process as the program's owner to decide access.
Feature: the x in the user bits is displayed as s or S. A lowercase s means the x permission is also present; an uppercase S means it is not.
Demonstration:
Test 1: passwd needs SUID so that an ordinary user can change their password as root
# ll /usr/bin/passwd
-rwsr-xr-x 1 root /usr/bin/passwd
# ll /etc/shadow
-r-------- 1 root /etc/shadow
# chmod u-s /usr/bin/passwd
# ll /usr/bin/passwd
-rwxr-xr-x 1 root /usr/bin/passwd
# su - seker
$ passwd
Changing password for user seker.
Changing password for seker
(current) UNIX password:
passwd: Authentication token manipulation error
$
Test 2: an ordinary user cannot read /etc/shadow; with SUID on cat, the cat command runs as root.
# su - seker
$ cat /etc/shadow
cat: /etc/shadow: insufficient permissions
$ exit
logout
# chmod u+s /bin/cat        add the SUID bit to the user permissions
# su - seker
$ cat /etc/shadow
root:$1$eV/a2bnk$prn0q1_qlf8zvpk8w1mft.:14360:0:99999:7:::
After SUID, let's look at SGID.
Limitation: SGID can act on both binary files and directories, but with different meanings.
Function:
First, on a binary file it is similar to SUID: no matter who executes the command, the permissions are determined by the group ID of the file.
Test this yourself.
Applied to a directory: by default, a file a user creates belongs to the user's primary group. A file created under an SGID directory instead inherits the group of the directory,
and a newly created subdirectory also inherits the g+s bit (group permissions with the SGID bit added).
Feature: the x in the group bits is displayed as s or S. A lowercase s means the x permission is also present; an uppercase S means it is not.
Test 1:
# mkdir /home/public
# chmod g+s !$
# su - seker
$ cd ../public
$ touch sgid_yes
$ ll sgid_yes
-rw-r--r-- 1 seker root sgid_yes
More precisely, there are four kinds of UID and GID.
The UID and GID we learned earlier, the ones users usually mean, are actually the real UID and real GID.
The other two are the EUID and EGID, the effective UID and effective GID. The effective IDs exist so that a process can access files.
Most commands create processes, and the system uses the EUID and EGID to decide whether a file can be accessed.
Without a set-id bit, EUID = UID and EGID = GID; with a set-id bit, the effective ID becomes independent of the real ID.
[seker@stu254 ~]$ id zorro
uid=501(zorro) gid=501(zorro) groups=501(zorro)
[seker@stu254 ~]$
[seker@stu254 ~]$ id
uid=500(seker) gid=500(seker) groups=500(seker)
[seker@stu254 ~]$ ll /bin/cat
---s-----x 1 zorro zorro 23100 2006-11-28 /bin/cat
[seker@stu254 ~]$ ll /opt/file
----r----- 1 root seker 7 06-15 19:19 /opt/file
[seker@stu254 ~]$ cat /opt/file
sdfsdf
When cat has the SUID bit set and user seker runs it, the effective IDs are: EUID = 501 (zorro), EGID = 500 (seker).
Permission matching for access to /opt/file:
Is it root? --> no
Is it the owner? --> no
Is it in the group? --> yes, so it obtains the r-- permission and can view the contents of /opt/file.
Now modify /opt/file.
[root@stu254 opt]# chown :zorro /opt/file
[seker@stu254 ~]$ ll /opt/file
----r----- 1 root zorro 7 06-15 19:19 /opt/file
[seker@stu254 ~]$
[seker@stu254 ~]$ cat /opt/file
cat: /opt/file: insufficient permissions
[seker@stu254 ~]$
Is it root? --> no
Is it the owner? --> no
Is it in the group? --> no
So the other bits apply, which are ---, and the contents of /opt/file cannot be viewed.
[seker@stu254 ~]$
[seker@stu254 ~]$ id seker
uid=500(seker) gid=500(seker) groups=500(seker)
[seker@stu254 ~]$ ll /bin/cat
------s--x 1 zorro zorro 23100 2006-11-28 /bin/cat
[seker@stu254 ~]$ ll /opt/file
----r----- 1 root zorro 7 06-15 19:19 /opt/file
[seker@stu254 ~]$ cat /opt/file
sdfsdf
[seker@stu254 ~]$
If cat has the SGID bit set instead, and user seker runs it, the effective IDs are: EUID = 500 (seker), EGID = 501 (zorro).
Is it root? --> no
Is it the owner? --> no
Is it in the group? --> yes, so it obtains the r-- permission and can view the contents of /opt/file.
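The matching process walked through above (root, then owner, then group, then other, with the effective IDs chosen by the set-id bits) can be written down and run. The script below is an added example, not part of the original page: the user names, UIDs, file owner and mode strings are constructed to mirror the /opt/file transcript, and nothing here touches the kernel; it simply simulates the decision.

```shell
#!/bin/sh
# Added example: simulates the page's permission-matching process using
# the effective UID/GID of a process.  All names, numbers and file
# attributes are constructed to mirror the /opt/file transcript above.

# bit_of MODE POS -> the character at position POS (1-based) of a
# 10-character ls-style mode string such as ----r-----
bit_of() {
    printf '%s\n' "$1" | cut -c"$2"
}

# can_access EUID EGID OWNER_UID GROUP_GID MODE WANT
# WANT is r, w or x.  Prints "yes" or "no" and returns 0/1.
# Simplified as the page describes it: root is granted everything
# (a real kernel still requires at least one x bit for execute).
can_access() {
    euid=$1; egid=$2; owner=$3; group=$4; mode=$5; want=$6
    case $want in
        r) off=0 ;; w) off=1 ;; x) off=2 ;;
        *) echo "bad permission: $want" >&2; return 2 ;;
    esac
    if [ "$euid" -eq 0 ]; then
        echo yes; return 0                  # is it root? -> grant all
    elif [ "$euid" -eq "$owner" ]; then
        pos=$((2 + off))                    # owner bits: positions 2-4
    elif [ "$egid" -eq "$group" ]; then
        pos=$((5 + off))                    # group bits: positions 5-7
    else
        pos=$((8 + off))                    # other bits: positions 8-10
    fi
    if [ "$(bit_of "$mode" "$pos")" = "$want" ]; then
        echo yes; return 0
    fi
    echo no; return 1
}

# effective_ids RUID RGID FILE_UID FILE_GID MODE
# Applies the set-id rules to a process started by RUID/RGID that runs a
# program owned by FILE_UID:FILE_GID with the given mode string.
# Prints "EUID EGID".
effective_ids() {
    ruid=$1; rgid=$2; fuid=$3; fgid=$4; mode=$5
    euid=$ruid; egid=$rgid
    case $(bit_of "$mode" 4) in s|S) euid=$fuid ;; esac   # SUID -> owner's UID
    case $(bit_of "$mode" 7) in s|S) egid=$fgid ;; esac   # SGID -> file's GID
    echo "$euid $egid"
}

# Constructed scenario from the page: seker (500) runs /bin/cat owned by
# zorro (501) with SUID, then reads /opt/file owned by root with group seker.
ids=$(effective_ids 500 500 501 501 ---s-----x)
set -- $ids
echo "SUID cat: EUID=$1 EGID=$2 -> read /opt/file (root:seker ----r-----): $(can_access "$1" "$2" 0 500 ----r----- r)"
# After "chown :zorro" the group no longer matches, so the other bits apply.
echo "after chown :zorro: $(can_access "$1" "$2" 0 501 ----r----- r)"
# With SGID instead of SUID the EGID becomes 501 and the group bits apply again.
ids=$(effective_ids 500 500 501 501 ------s--x)
set -- $ids
echo "SGID cat: EUID=$1 EGID=$2 -> read /opt/file (root:zorro ----r-----): $(can_access "$1" "$2" 0 501 ----r----- r)"
```

The three calls reproduce the three outcomes in the transcripts: yes, no, yes. Supplementary groups are not modelled; a real check also consults the process's group list, which is why `id` prints `groups=`.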
Sticky bit
Limitation: only applies to directories.
Function: anyone can create a file in the directory, but only root and the file's creator can delete it.
Feature: the x in the other bits is displayed as t or T. A lowercase t means the x permission is also present; an uppercase T means it is not.
# ll /tmp -d
drwxrwxrwt 5 root root /tmp
# su - seker
$ cd /tmp
-rw------- 1 zorro zorro zorro-file
$ rm -rf zorro-file
rm: cannot delete "zorro-file": operation not allowed
Setting method:
Character mode:
chmod u+s file
chmod g+s dir/file
chmod o+t dir
Numeric mode:
chmod 4755 file
chmod 2755 dir/file
chmod 1777 dir
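To check the s/S and t/T display rule instead of memorising it, the following added example (not from the original page) applies the bits with chmod inside a scratch directory and decodes the resulting mode string. It needs no root: setting the special bits on your own files is allowed, and the paths are constructed under a temporary directory.

```shell
#!/bin/sh
# Added example: set the three special bits with chmod in a scratch
# directory and decode the ls-style mode string (positions 4, 7 and 10).

# mode_of PATH -> the 10-character mode string, e.g. drwxrwsr-t
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# decode_special MODE -> one word per special bit that is set:
#   suid:x / suid:nox, sgid:x / sgid:nox, sticky:x / sticky:nox
# prints "none" when no special bit is set
decode_special() {
    out=""
    case $(printf '%s' "$1" | cut -c4) in
        s) out="$out suid:x" ;;          # lowercase: x also set
        S) out="$out suid:nox" ;;        # uppercase: x not set
    esac
    case $(printf '%s' "$1" | cut -c7) in
        s) out="$out sgid:x" ;;
        S) out="$out sgid:nox" ;;
    esac
    case $(printf '%s' "$1" | cut -c10) in
        t) out="$out sticky:x" ;;
        T) out="$out sticky:nox" ;;
    esac
    [ -n "$out" ] && echo "${out# }" || echo none
}

# make_shared_dir PATH -> the page's "public directory": group members may
# create files, new files inherit the group (g+s), and only the creator or
# root may delete a file (o+t).  Prints the resulting mode string.
make_shared_dir() {
    mkdir -p "$1"
    chmod 2775 "$1"      # rwxrwsr-x : SGID on the directory
    chmod o+t "$1"       # add the sticky bit -> rwxrwsr-t
    mode_of "$1"
}

# Demo in a constructed scratch area, removed afterwards.
work=$(mktemp -d)
echo "shared dir : $(make_shared_dir "$work/public")  -> $(decode_special "$(mode_of "$work/public")")"
touch "$work/prog"
chmod 4655 "$work/prog"     # SUID without user x: shown as S
echo "4655 file  : $(mode_of "$work/prog")  -> $(decode_special "$(mode_of "$work/prog")")"
chmod 4755 "$work/prog"     # SUID with user x: shown as s
echo "4755 file  : $(mode_of "$work/prog")  -> $(decode_special "$(mode_of "$work/prog")")"
rm -rf "$work"
```

The 4655 case is the one worth remembering: an uppercase S means the set-id bit is present but the program cannot be executed by its owner at all, which usually indicates a mistake in the chmod.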
Advanced text processing commands
Input/output redirection
Standard input device: keyboard, file descriptor 0
Standard output device: screen/terminal, file descriptor 1
Error output device: screen/terminal, file descriptor 2
Input/output process:
keyboard --> app input
                 |
             app processing
                 |
             app output --> 1 standard output --> screen
                        --> 2 error output    --> screen
If I want to store the error output of a program in a separate file, what do we change in this process?
In fact it is very simple: a descriptor number is used to control the input source and the output target.
Test:
ls > out.file             redirects standard output to the file; created if it does not exist, overwritten if it exists
ls >> out.file            redirects standard output to the file; created if it does not exist, appended if it exists
ls 2> err.file            redirects standard error to the file; created if it does not exist, overwritten if it exists
ls 2>> err.file           redirects standard error to the file; created if it does not exist, appended if it exists
ls > out.file 2> err.file sends standard output and standard error to separate files
ls &> all.file            merges standard error and standard output into the file
ls > /dev/null 2>&1       merges standard error and standard output and sends them to the system black hole
cat < infile              reads the file contents as the input of the cat command
# cat <<EOF         here document
> 123
> abc
> EOF
123
abc
#
Use a here document to avoid interactive input:
# passwd <<EOF
> linuxcom
> linuxcom
> EOF
Changing password for user root.
passwd: all authentication tokens updated successfully.
#
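The following added example (not from the original page) exercises the redirection forms from the table on a constructed helper that writes to both streams, and adds the one pitfall the table does not show: `2>&1` is applied in order, so `cmd 2>&1 > file` and `cmd > file 2>&1` give different results. Everything runs in a temporary directory; `noisy` stands in for `ls`.

```shell
#!/bin/sh
# Added example: stdout/stderr redirection, including the order of 2>&1,
# and a here document feeding a command without interaction.

# noisy: writes one line to stdout and one line to stderr (stand-in for ls)
noisy() {
    echo "out line"
    echo "err line" >&2
}

# capture_separate DIR -> stdout to DIR/out.file, stderr to DIR/err.file
capture_separate() {
    noisy > "$1/out.file" 2> "$1/err.file"
    echo "out=$(wc -l < "$1/out.file" | tr -d ' ') err=$(wc -l < "$1/err.file" | tr -d ' ')"
}

# capture_merged DIR -> both streams into DIR/all.file (correct order:
# send 1 to the file first, then point 2 at wherever 1 now points)
capture_merged() {
    noisy > "$1/all.file" 2>&1
    wc -l < "$1/all.file" | tr -d ' '
}

# capture_wrong_order DIR -> "2>&1 >file": 2 is pointed at the *current*
# stdout before 1 is moved to the file, so the stderr line escapes to the
# old stdout (captured here in leaked.file) and only the stdout line lands
# in wrong.file.
capture_wrong_order() {
    { noisy 2>&1 > "$1/wrong.file"; } > "$1/leaked.file"
    echo "wrong.file=$(wc -l < "$1/wrong.file" | tr -d ' ') leaked=$(wc -l < "$1/leaked.file" | tr -d ' ')"
}

# heredoc_feed -> feeds fixed lines to a consumer without interaction, like
# the "passwd <<EOF" example above; the consumer here is just sort
heredoc_feed() {
    sort <<EOF
zorro
seker
adm
EOF
}

work=$(mktemp -d)
echo "separate files         : $(capture_separate "$work")"
echo "merged (>f 2>&1)       : $(capture_merged "$work") lines"
echo "wrong order (2>&1 >f)  : $(capture_wrong_order "$work")"
echo "here document -> sort  : $(heredoc_feed | tr '\n' ' ')"
rm -rf "$work"
```

When a script is run from cron or a service manager, the "leaked" stream in the wrong-order case is what ends up in mail or the journal instead of the log file, which is why `> file 2>&1` is the form to remember.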
/dev/null and /dev/zero
/dev/null is the system black hole.
/dev/zero is the system's zero generator.
dd if=/dev/zero of=./big_file bs=10 count=1M
wc counts the lines, words and bytes of a file
# wc /etc/passwd
40 59 1800 /etc/passwd
# wc -l /etc/passwd
40 /etc/passwd
# wc -w /etc/passwd
59 /etc/passwd
# wc -c /etc/passwd
1800 /etc/passwd
#
cut extracts columns from a file
-d specifies the column separator, -f selects the fields to output, -c selects character positions
# cut -d: -f1,7 /etc/passwd | head -n 2
root:/bin/bash
bin:/sbin/nologin
# cut -c1-3,6-9 /etc/passwd | head -n 2
tr deletes and replaces characters
-d delete
# tr -d : < /etc/passwd | head -n 2
Replace:
# tr [a-z] [A-Z] < /etc/passwd | head -n 2
sort sorts output
By default it sorts by the characters of each line from the first character onwards.
-r reverse order
-n sort numerically
-t specifies the field separator, used together with -k
-k sort by the specified field
sort -t: -gk3 /etc/passwd
# sort /etc/passwd -t: -gk3
diff shows the differences between two files
d deleted (delete), a added (append), c changed (change)
cp /etc/passwd .
Delete several lines and add several lines, then compare:
diff /etc/passwd
Explanation of the output
| the pipeline
Passes the standard output of the previous command to the next command as its standard input.
cat /etc/passwd | head -n 3 | cut -d: -f1,7 | sort -rt: -k3 | tr [a-z] [A-Z] | wc
xargs
We learned about the pipeline above. A pipeline only lets the following command receive the previous command's output as its standard input.
So if we want to create a directory named after the first field (the username) of each /etc/passwd line, a pipeline alone cannot do it, because mkdir takes its names as arguments, not from standard input.
# cut -d: -f1 /etc/passwd | head -n 5 | mkdir
mkdir: missing operand
Try `mkdir --help' for more information.
# cut -d: -f1 /etc/passwd | head -n 5 | xargs mkdir
# ls
adm bin daemon lp root
#
Simple use of awk/sed
awk -F: '{print}' file
sed -n 's/old/new/p' file
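The following added example (not from the original page) runs the wc, cut, tr, sort, xargs, awk and sed commands from this section against a constructed passwd-style file instead of the real /etc/passwd, so the output is predictable. The accounts in the file are made up; `tr 'a-z' 'A-Z'` is quoted, unlike the page's `tr [a-z] [A-Z]`, because an unquoted `[a-z]` is a shell glob and expands to a file name if one matches.

```shell
#!/bin/sh
# Added example: text-processing pipelines over a constructed passwd file.

work=$(mktemp -d)
cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
seker:x:500:500::/home/seker:/bin/bash
zorro:x:501:501::/home/zorro:/bin/bash
EOF

# login_shells FILE -> "USER:SHELL" for accounts whose shell is not
# nologin, upper-cased and sorted (cut, grep -v, tr, sort)
login_shells() {
    cut -d: -f1,7 "$1" | grep -v nologin | tr 'a-z' 'A-Z' | sort
}

# by_uid_desc FILE -> user names ordered by UID, largest first
# (sort -t: -k3 numerically and reversed, then cut the name field)
by_uid_desc() {
    sort -t: -k3 -n -r "$1" | cut -d: -f1
}

# count_lines FILE -> number of lines, like "wc -l FILE" without the name
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# make_home_dirs FILE BASE -> creates BASE/<user> for every account with
# UID >= 500 via xargs (a pipe alone cannot hand arguments to mkdir, as the
# "mkdir: missing operand" example above shows).  Prints the created names.
make_home_dirs() {
    awk -F: '$3 >= 500 {print $1}' "$1" | xargs -I{} mkdir -p "$2/{}"
    ls "$2" | tr '\n' ' ' | sed 's/ $//'
}

# rename_shell FILE -> the "sed -n s/old/new/p" idiom: print only the lines
# where /bin/bash was replaced by /bin/sh, reduced to user:shell
rename_shell() {
    sed -n 's#/bin/bash#/bin/sh#p' "$1" | cut -d: -f1,7
}

echo "login shells : $(login_shells "$work/passwd" | tr '\n' ' ')"
echo "by uid desc  : $(by_uid_desc "$work/passwd" | tr '\n' ' ')"
echo "line count   : $(count_lines "$work/passwd")"
echo "home dirs    : $(make_home_dirs "$work/passwd" "$work/home")"
echo "shell rename : $(rename_shell "$work/passwd" | tr '\n' ' ')"
rm -rf "$work"
```

`xargs -I{}` passes each input line as a single argument; without -I, xargs splits on whitespace, which is fine for user names but not for arbitrary file names (see the find section below).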
grep family
grep
fgrep
pgrep
egrep
Regular expressions
^        beginning of line
$        end of line
.        any single character except a line break
*        zero or more of the preceding character
.*       any characters
[]       any one character from the set
[^]      any one character not in the set
^[^]     lines starting with a character that is not in the set
[a-z]    lowercase letters
[A-Z]    uppercase letters
[a-zA-Z] lowercase and uppercase letters
[0-9]    digits
\<       start of a word; words are generally separated by spaces or special characters, and a continuous string is treated as one word
\>       end of a word
Extended regular expressions: sed needs the -r parameter, or the operators must be escaped
grep needs -E, or use egrep, or escape the operators
awk supports them directly
sed -n '/roo\?/p' /etc/passwd
sed -rn '/roo?/p' /etc/passwd
?          zero or one of the preceding character
+          one or more of the preceding character
abc|def    abc or def
a(bc|de)f  abcf or adef
x\{m\}     x appears exactly m times
x\{m,\}    x appears at least m times
x\{m,n\}   x appears m to n times
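The anchors, classes, word boundaries and interval operators above are easier to trust once you have counted their matches. The script below is an added example, not from the original page: it tests each pattern with grep against a few constructed lines, in basic syntax (escaped operators, as with sed -n '/.../p') and in extended syntax (grep -E).

```shell
#!/bin/sh
# Added example: basic vs extended regular expressions checked with grep
# and sed against constructed sample lines.

# sample -> constructed lines, written to stdout so every helper can pipe it
sample() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
rooter:x:1001:1001::/home/rooter:/bin/bash
seker:x:500:500::/home/seker:/bin/bash
 indented line
#commented line
EOF
}

# count_basic PATTERN -> number of sample lines matching a basic regex
count_basic() {
    sample | grep -c -- "$1"
}

# count_ext PATTERN -> the same, using extended syntax (grep -E)
count_ext() {
    sample | grep -E -c -- "$1"
}

# first_sed_match PATTERN -> first field of the first line matching PATTERN
# via the "sed -n '/.../p'" idiom above (basic syntax)
first_sed_match() {
    sample | sed -n "/$1/p" | head -n 1 | cut -d: -f1
}

echo "lines starting with root      : $(count_basic '^root')"
echo "whole word root (\\<root\\>)    : $(count_basic '\<root\>')"
echo "not starting with a letter    : $(count_basic '^[^a-zA-Z]')"
echo "ending in bash                : $(count_basic 'bash$')"
echo "roo + optional t (basic \\?)   : $(count_basic 'roo\?')"
echo "uid of 3 to 4 digits ({3,4})  : $(count_ext ':[0-9]{3,4}:')"
echo "seker or zorro (alternation)  : $(count_ext 'seker|zorro')"
echo "first line matching root      : $(first_sed_match 'root')"
```

The `\<root\>` line is the one to note when writing detection rules: `^root` also matches the `rooter` account, while the word-boundary form matches only the line whose user is exactly root.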
Searching for files
which searches for a command; its sources are the aliases in memory and $PATH.
# which lslll
/usr/bin/which: no lslll in ($PATH)
# which ls
alias ls='ls --color=tty'
/bin/ls
#
locate searches all files; its source is the updatedb database, which is only updated periodically, so the newest files cannot be found this way.
locate passwd | head -n 3
find searches the file system directly and has many search methods.
find .
-type f d l p c b
-name, wildcards allowed
-size +1M larger than 1M, -1M smaller than 1M, 1M exactly 1M
-user file owner
-group file group
-maxdepth directory depth of the search
-perm permission; with a + or - prefix, 0 acts as a wildcard
+ means (or): it is enough that one of the given permission bits matches; for example +r-x is satisfied by r--, --x and r-x, all three are valid
- means (and): all the given permission bits must match at the same time; for example -r-xr-x is satisfied only by r-xr-x
-o or
-not not
-ls details
-exec cmd {} \;   -ok cmd {} \;
-mtime +3 modified more than 3 days ago (from before the third day back into history, not including the third day itself)
-atime -3 accessed within the last 3 days (from three days ago up to now)
-ctime 3 status changed exactly 3 days ago
Used with the pipeline: | xargs
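The following added example (not from the original page) builds a small constructed tree in a temporary directory and runs the find tests listed above on it: -type, -name, -size, -perm, -mtime and -exec, plus find | xargs. One file name contains a space to show why -print0 and xargs -0 are used; the names, sizes and modes are all made up. The -perm / form is used for "any of these bits" because it is the current GNU find spelling of the page's + form.

```shell
#!/bin/sh
# Added example: find expressions and find | xargs over a constructed tree.

# build_tree BASE -> constructed files with different ages, sizes and modes
build_tree() {
    mkdir -p "$1/etc" "$1/bin" "$1/tmp"
    printf 'small\n' > "$1/etc/passwd"
    dd if=/dev/zero of="$1/tmp/big.img" bs=1024 count=1100 2>/dev/null   # > 1 MiB
    : > "$1/tmp/with space.log"
    : > "$1/bin/tool"
    chmod 4755 "$1/bin/tool"                 # SUID binary
    chmod 666 "$1/tmp/with space.log"        # world-writable file
    touch -t 200601010000 "$1/etc/passwd"    # old file (fixed past timestamp)
}

# count_find BASE EXPR... -> number of matches for a find expression
count_find() {
    base=$1; shift
    find "$base" "$@" | wc -l | tr -d ' '
}

# special_bit_files BASE -> regular files with suid, sgid or sticky set
# (-perm /7000: any of the three bits)
special_bit_files() {
    find "$1" -type f -perm /7000
}

# world_writable BASE -> regular files writable by "other" (-perm -002:
# the other-write bit must be set, like the page's "-" form)
world_writable() {
    find "$1" -type f -perm -002
}

# sizes_of_large BASE -> -exec example: run wc -c on every file over 1 MiB
sizes_of_large() {
    find "$1" -type f -size +1M -exec wc -c {} \; | cut -d' ' -f1
}

# delete_logs BASE -> find | xargs with NUL separators so a name containing
# a space is passed as one argument; prints how many .log files remain
delete_logs() {
    find "$1" -type f -name '*.log' -print0 | xargs -0 rm -f
    count_find "$1" -type f -name '*.log'
}

work=$(mktemp -d)
build_tree "$work"
echo "regular files           : $(count_find "$work" -type f)"
echo "modified > 3 days ago   : $(count_find "$work" -type f -mtime +3)"
echo "special-bit files       : $(special_bit_files "$work" | sed "s#$work/##")"
echo "world-writable files    : $(world_writable "$work" | sed "s#$work/##")"
echo "bytes in files > 1 MiB  : $(sizes_of_large "$work")"
echo "logs left after cleanup : $(delete_logs "$work")"
rm -rf "$work"
```

The two -perm helpers are the usual starting point of a permissions audit: files carrying set-id bits and files anyone can write are the ones to review first.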
Compression and decompression
.gz
decompress 1: gunzip filename.gz
decompress 2: gzip -d filename.gz
compress: gzip filename
.bz2
decompress 1: bzip2 -d filename.bz2
decompress 2: bunzip2 filename.bz2
compress: bzip2 -z filename
Create different types of archives
tar cvf etc_init.d.tar /etc/init.d/
tar xvf etc_init.d.tar /etc/init.d/
View the contents of an archive
tar tvf etc_init.d.tar
tar is only a packaging tool;
to compress the package you also need other tools: gzip, gunzip, bzip2, bunzip2.
These tools have been integrated into tar.
tar cvzf etc_init.d.tar.gz /etc/init.d/
tar cvjf etc_init.d.tar.bz2 /etc/init.d/
zip etc-backup.tar.bz2.zip etc-backup.tar.bz2
unzip etc-backup.tar.bz2.zip
.gz: gunzip etc-backup.gz
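The following added example (not from the original page) packs a constructed directory with tar, lists it as "tar tf" does, and adds the step the commands above do not show: inspecting member names before extracting. An archive built elsewhere can carry absolute paths or "../" members that would be written outside the target directory, so the extraction helper refuses such archives. The tree and file names are made up and live under a temporary directory; the bad archive is produced with GNU tar's -P (keep absolute names) option.

```shell
#!/bin/sh
# Added example: tar pack / list / checked extract in a scratch directory.

# make_source BASE -> a small constructed tree to archive
make_source() {
    mkdir -p "$1/init.d"
    printf '#!/bin/sh\necho start\n' > "$1/init.d/httpd"
    printf '#!/bin/sh\necho start\n' > "$1/init.d/sshd"
}

# pack DIR ARCHIVE -> tar czf of DIR, stored relative to its parent (the
# equivalent of "tar cvzf etc_init.d.tar.gz /etc/init.d/" without the
# leading slash, which GNU tar strips by default anyway)
pack() {
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

# list_members ARCHIVE -> member names only (tar tf), one per line
list_members() {
    tar -tzf "$1"
}

# unsafe_members ARCHIVE -> members that would escape the extraction
# directory: absolute paths or any ".." path component
unsafe_members() {
    list_members "$1" | grep -E '^/|(^|/)\.\.(/|$)'
}

# safe_extract ARCHIVE DEST -> refuses the archive if unsafe_members finds
# anything, otherwise extracts into DEST; prints "ok" or "refused"
safe_extract() {
    if [ -n "$(unsafe_members "$1")" ]; then
        echo refused; return 1
    fi
    mkdir -p "$2"
    tar -C "$2" -xzf "$1"
    echo ok
}

work=$(mktemp -d)
make_source "$work/etc"
pack "$work/etc" "$work/etc.tar.gz"
echo "members: $(list_members "$work/etc.tar.gz" | tr '\n' ' ')"
echo "extract: $(safe_extract "$work/etc.tar.gz" "$work/restore")"
ls "$work/restore/etc/init.d"
# A constructed archive with an absolute member name (tar -P keeps it).
tar -P -czf "$work/abs.tar.gz" "$work/etc/init.d/httpd"
echo "absolute-path archive: $(safe_extract "$work/abs.tar.gz" "$work/restore2")"
rm -rf "$work"
```

Modern GNU tar already strips leading slashes and refuses ".." members on extraction unless told otherwise, but listing first costs nothing and also works with archives handled by other tools.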
Backup and restore: dump and restore
tar can also be used for backups. For a small amount of data that is fine, but when the raw data is very large and only a little of it changes each day,
a tar backup is unsuitable, because the same data has to be backed up again every day, which wastes space, time and resources.
dump can do differential backups.
Differential: only the data changed since the last backup.
Backup levels 0-9: 0 is a full backup; 1, 2, 3... back up the data changed since the last backup of a lower level.
-u update the /etc/dumpdates database
-f backup file
Test:
Fully back up the /boot partition to the file /tmp/boot.dump
# dump -0uf /tmp/boot.dump /boot
Back up all data changed since the last backup (level 0)
# dump -1uf /tmp/boot.dump /boot
Back up all data changed since the last backup (level 1)
# dump -2uf /tmp/boot.dump /boot
Back up all data changed since the level 0 backup, including the changes already covered by the level 1 backup
# dump -1uf /tmp/boot.dump /boot
View the contents of the backup file
restore -tf /tmp/boot.dump
restore: full recovery, or recovery of specified files
Full recovery
# restore -rf /tmp/boot.dump
Interactive partial recovery
# restore -if /tmp/boot.dump
restore > ls initrd-2.6.18-128.el5.img
initrd-2.6.18-128.el5.img
restore > add initrd-2.6.18-128.el5.img
restore > ls initrd-2.6.18-128.el5.img
*initrd-2.6.18-128.el5.img
restore >
restore > extract
You have not read any volumes yet.
Unless you know which volume your file(s) are on you should start
with the last volume and work towards the first.
Specify next volume # (none if no more volumes): 1
Mount tape volume 1
Enter ``none'' if there are no more tapes
Otherwise enter tape name (default: /tmp/boot.dump)
resync restore, skipped 3 blocks
set owner/mode for '.'? [yn] y
restore >
After add, the file is marked with *.
Because a backup may be split across several volumes, and we backed up to a single file, we enter 1 here; if there are multiple volumes, specify them one by one.