Understanding the default security mechanism, hidden attributes and special permissions of Linux files: Mom no longer has to worry about you wiping the database and running away!!!

Source: Internet
Author: User

Preface

The previous chapters explained Linux file attributes: the owner, the group and the permissions, including the basic permissions read, write and execute (r, w, x), and the other attributes shown in a listing, such as whether the entry is a directory (d), a regular file (-) or a symbolic link (l), the owner, the owning group, the size in bytes and the last modification time. These attributes and permissions can be changed with chown, chgrp and chmod.

Default security mechanism

First, we create a file file001 and a directory dir001 using the root (administrator) account:

From the listing you can see:

    1. The default permission of the file file001 is rw-r--r--: the owner can read and write it, accounts in the same group can only read it, and everyone else can only read it.
    2. The default permission of the directory dir001 is rwxr-xr-x: the owner can list it, enter it, and create or delete files under it; accounts in the same group can list and enter it; everyone else can list and enter it.

Then we create the same file file001 and directory dir001 with the ordinary account justmine:

From the listing you can see:

    1. The default permission of the file file001 is rw-rw-r--: the owner can read and write it, accounts in the same group can read and write it, and everyone else can only read it.
    2. The default permission of the directory dir001 is rwxrwxr-x: the owner can list it, enter it, and create or delete files under it; accounts in the same group can also list it, enter it, and create or delete files under it; everyone else can list and enter it.

See, the default permissions differ depending on which account created the files, because Linux applies a default file security mechanism. To understand how these default permissions are calculated we need to clarify two concepts.

Default permissions for files
    1. File
      The default permission of a file is rw-rw-rw-, that is, there is no x permission by default; expressed as a number it is 666. This is why we have to add execute permission to a shell script ourselves: it is removed by default, and now you know why.
    2. Directory
      The default permission of a directory is rwxrwxrwx; expressed as a number it is 777.
Umask

The umask represents the permissions to be removed from the default permissions. For example, 002 takes away the w permission of other people.

We know that r, w and x correspond to the scores 4, 2 and 1, and that the three digits are in the order owner, group, others. So if you want to take away the w permission of others, umask should be set to 002; if you want to take away the w permission of both the group and others, umask should be set to 022. These two default security settings are what the system applies to the administrator and to ordinary accounts respectively.

Example:
root account:

justmine account:

Based on these two default security settings, let's now calculate the actual default permissions for files and directories.
Root administrator account

    • When creating a file: (-rw-rw-rw-) - (-----w--w-) ==> -rw-r--r--
    • When creating a directory: (drwxrwxrwx) - (d----w--w-) ==> drwxr-xr-x

justmine ordinary account

    • When creating a file: (-rw-rw-rw-) - (--------w-) ==> -rw-rw-r--
    • When creating a directory: (drwxrwxrwx) - (d-------w-) ==> drwxrwxr-x
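
The calculation above, as an added example that is not part of the original post. It uses the kernel's actual rule, which masks bits (base & ~umask) rather than subtracting numbers; the two agree for 002 and 022 but not for every mask. The function umask_for_file is an assumption of mine for working backwards from a desired file default to the umask that produces it.

```shell
#!/bin/sh
# Added example (not from the original post). The kernel applies umask as a
# bit mask, mode = base & ~umask, not as numeric subtraction; they agree for
# 002 and 022 but not in general (666 with umask 003 gives 664, not 663).
# Base is 666 for new files (never x) and 777 for new directories.

# default_mode file|dir UMASK -> resulting octal mode, e.g. file 022 -> 644
default_mode() {
    case "$1" in
        file) base=$((0666)) ;;
        dir)  base=$((0777)) ;;
        *) echo "usage: default_mode file|dir UMASK" >&2; return 1 ;;
    esac
    mask=$((0$2))                           # leading 0: parse as octal
    printf '%03o\n' $(( base & ~mask ))
}

# umask_for_file MODE -> the umask that makes new files MODE, e.g. 640 -> 026.
# Only bits present in 666 can survive, so a requested x bit is rejected.
umask_for_file() {
    want=$((0$1))
    if [ $(( want & ~0666 )) -ne 0 ]; then
        echo "new files never get x by default; use chmod afterwards" >&2
        return 1
    fi
    printf '%03o\n' $(( 0666 & ~want ))
}

# What the two accounts in the post get, plus what umask 026 would give
# (note that it also changes the directory default, to 751).
for u in 022 002 026; do
    printf 'umask %s: file %s  dir %s\n' "$u" \
        "$(default_mode file "$u")" "$(default_mode dir "$u")"
done
```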

See, that is how the actual default permissions of files come about. Once you understand this mechanism, you should be able to work out and set up your own default file security policy, hey. So, how do you modify umask? Super simple: just type the permission score after the command, for example: umask 002. By the way, the supervisor daemon uses this same mechanism to protect its child processes, as follows:

Hidden attributes

In addition to the 9 basic permissions, a file can also be given hidden attributes with chattr, for example immutable (completely unmodifiable): even the file's owner cannot modify it then, oh. These hidden attributes can only be viewed with lsattr.

CentOS 7.x uses the xfs file system instead of the traditional ext2/ext3/ext4 file systems and does not support all chattr parameters.

Syntax
    chattr [+-=] [file|directory]
        +  add a hidden attribute
        -  remove a hidden attribute
        =  set the hidden attributes exactly
Usage
    1. Make a directory completely unmodifiable
    2. Make a file completely unmodifiable

      See the effect of this attribute: we no longer need to worry about a mistaken rm -rf and then running away!!!
      Especially at the system security level, if you need strong system security, hidden attributes are very useful.
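
The immutable-attribute workflow above, as an added example that is not part of the original post: a function that sets the attribute and verifies it, and a small parser for lsattr output so a script can audit which files carry the immutable (i) or append-only (a) attribute. It assumes the attribute for "completely unmodifiable" is i, that chattr is run as root on a file system that supports it, and the sample lsattr output is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). chattr needs root and a file
# system that supports the attribute (ext2/3/4; xfs supports i and a).

# Flag letters set in one line of lsattr output, e.g.
# "----i---------e------- /etc/passwd" -> "ie" (the '-' slots are dropped).
lsattr_flags() {
    attrs=${1%% *}; out=""
    while [ -n "$attrs" ]; do
        c=${attrs%"${attrs#?}"}; attrs=${attrs#?}     # pop the first character
        case "$c" in -) ;; *) out="$out$c" ;; esac
    done
    printf '%s\n' "$out"
}

# Print the paths in lsattr output (read from stdin) that carry the immutable
# (i) or append-only (a) attribute: the files rm -rf cannot delete, and a list
# worth reviewing, because every entry in it was put there deliberately.
audit_locked() {
    while IFS= read -r line; do
        case "$(lsattr_flags "$line")" in
            *i*|*a*) printf '%s\n' "${line#* }" ;;
        esac
    done
}

# Make a path immutable (the post's "completely unmodifiable") and verify it
# through lsattr rather than trusting chattr's exit status alone. Needs root.
make_immutable() {
    chattr +i "$1" || return 1
    case "$(lsattr_flags "$(lsattr -d "$1")")" in *i*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample of `lsattr -R` style output (not real system state).
SAMPLE_LSATTR='----i---------e------- /etc/passwd
--------------e------- /etc/hosts
-----a--------e------- /var/log/secure
--------------e------- /home/justmine/file001'

printf '%s\n' "$SAMPLE_LSATTR" | audit_locked
```

Run as root, make_immutable dir001 reproduces the post's first usage item; the audit function works on any lsattr output, including lsattr -R over a whole tree.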
Special permissions

What, files also have special permissions? The nine basic permissions already made my head spin, boo-hoo. In fact, the special permissions are the hardest to understand: SUID, SGID and Sbit.

    1. SUID
      When an s occupies the x position of the file owner's permissions, it is called Set UID, SUID for short, for example: -rwsr-xr-x.
      • The SUID permission is only valid for binary programs;
      • The executor must have x (execute) permission for the program;
      • It is valid only while the program is running (run-time);
      • During execution the executor gains the permissions of the program's owner (this permission is the most important one, because it lets an ordinary user temporarily obtain the root account's permissions through a binary program).
    2. SGID
      When an s occupies the x position of the file group's permissions, it is called Set GID, SGID for short, for example: -rwxr-sr-x.
      • SGID is valid for binary programs;
      • The executor must have x permission for the program;
      • During execution the executor gains the permissions of the program's group (useful for multi-user file management; refer to the previous section: how Linux manages multi-user files);
    3. Sbit
      • When the user has w and x permission for the directory, that is, write permission for this directory;
      • When the user creates a file or directory under that directory, only the user himself and root have the power to delete it;

        Note: Sbit is only valid for directories and has no effect on files.

Settings for special permissions

Earlier, we introduced the numeric way of setting basic permissions, for example chmod 777, whose three digits represent the permission combinations of the owner, the group and others. The special permissions are set the same way, with one more digit placed in front of the owner digit. Their permission scores are suid=4, sgid=2 and sbit=1 respectively.

Usage

To set the permission of the file test6 to -rwxr-sr-x: the s occupies the x position of the group, so the special permission is SGID, and the command is: chmod 2755 test6
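
The conversion in that example, as an added example that is not part of the original post: sym_to_octal turns the symbolic mode ls shows into the four-digit number chmod takes (special digit first), and octal_to_sym goes the other way, including the upper-case S/T that ls prints when a special bit is set in a slot with no x permission. Both function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): symbolic <-> octal mode with
# the special digit (SUID=4, SGID=2, Sbit=1). Upper-case S or T means the
# special bit is set but the slot has no x, e.g. what chmod 4644 produces.

# sym_to_octal -rwxr-sr-x -> 2755  (10-char ls mode or bare 9-char mode)
sym_to_octal() {
    s="$1"
    if [ ${#s} -eq 10 ]; then s=${s#?}; fi            # drop file-type column
    if [ ${#s} -ne 9 ]; then echo "bad mode: $1" >&2; return 1; fi
    special=0; val=0; triad=0; i=0
    while [ $i -lt 9 ]; do
        c=${s%"${s#?}"}; s=${s#?}                     # pop the first character
        case "$c" in
            r) triad=$((triad | 4)) ;;
            w) triad=$((triad | 2)) ;;
            x) triad=$((triad | 1)) ;;
            s|S|t|T)                                  # only valid in x slots
                case "$i$c" in
                    2s|2S) special=$((special | 4)) ;;   # owner x slot: SUID
                    5s|5S) special=$((special | 2)) ;;   # group x slot: SGID
                    8t|8T) special=$((special | 1)) ;;   # others x slot: Sbit
                    *) echo "bad '$c' at position $i in $1" >&2; return 1 ;;
                esac
                case "$c" in s|t) triad=$((triad | 1)) ;; esac ;;
            -) ;;
            *) echo "bad char '$c' in $1" >&2; return 1 ;;
        esac
        i=$((i + 1))
        if [ $((i % 3)) -eq 0 ]; then val=$((val * 8 + triad)); triad=0; fi
    done
    printf '%o%03o\n' "$special" "$val"
}

# octal_to_sym 2755 -> rwxr-sr-x
octal_to_sym() {
    m=$((0$1)); out=""                                # leading 0: octal
    for j in 0 1 2; do                                # owner, group, others
        t=$(( (m >> (6 - 3 * j)) & 7 ))               # this triad's rwx bits
        sp=$(( (m >> (11 - j)) & 1 ))                 # its SUID/SGID/Sbit bit
        case $((t & 4)) in 0) out="$out-" ;; *) out="${out}r" ;; esac
        case $((t & 2)) in 0) out="$out-" ;; *) out="${out}w" ;; esac
        case "$sp$((t & 1))" in
            00) out="$out-" ;;  01) out="${out}x" ;;
            10) if [ $j -eq 2 ]; then out="${out}T"; else out="${out}S"; fi ;;
            11) if [ $j -eq 2 ]; then out="${out}t"; else out="${out}s"; fi ;;
        esac
    done
    printf '%s\n' "$out"
}
```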

Summary

This article described in detail the default security mechanism, the hidden attributes and the special permissions of Linux files. The purpose of writing this series is to be able to do multi-user management properly on Linux systems. A good memory is no match for a worn pen. Xunzi said: "Not hearing it is not as good as hearing it; hearing it is not as good as seeing it; seeing it is not as good as knowing it; knowing it is not as good as practising it. Learning stops only when it is put into practice; to practise it is to understand it." Basic knowledge does not stay long without review and is easily forgotten, so everyone, practise along with me.

If you feel this article has been helpful to you, thank you for clicking "Recommend".
If you are interested in Linux, you can follow me; I will regularly share my learning experience on this blog.
