Linux permission management
1. Permission introduction
Linux permissions are the mechanism the operating system uses to restrict access to resources. They are divided into read, write and execute, and every file carries a separate set of them for three classes of user: the owner, the owning group, and everyone else. Through this mechanism, what a user or group may do to a specific file can be restricted.
1.1 permission classification
- Permissions apply to three classes of user:
Class | Meaning | Abbreviation |
---|---|---|
owner | the user who owns the file | u |
group | the group that owns the file | g |
other | everyone else | o |
- Permission classification:
Permission | Effect on a file | Effect on a directory |
---|---|---|
r (read) | File contents can be read | Entry names in the directory can be listed |
w (write) | File contents can be modified | Entries can be created, deleted and renamed in the directory (together with x) |
x (execute) | File can be run as a program | Directory can be entered and its entries accessed (traversal) |
Note: a directory needs x permission before anything in it can be accessed; with r but without x, `ls` can print the names but cannot stat them, and without x the contents cannot be reached at all. Note also that deleting a file is a write to the directory, not to the file: w on the file is neither needed nor sufficient.
- Permission representation (symbolic and octal for one class):
Symbolic | Octal |
---|---|
- - - | 0 |
- - x | 1 |
- w - | 2 |
- w x | 3 |
r - - | 4 |
r - x | 5 |
r w - | 6 |
r w x | 7 |
The three digits for owner, group and other are written together, so rw-r--r-- is 644 and rwxr-xr-x is 755.
1.2 Linux security context
Every process in Linux runs as a user: it carries that user's UID and group IDs, and its permissions are the permissions of that user. The more privileged the user running the process, the more privileged the process.
Files have an owner and a group; processes have an owner (their effective UID) and groups (the primary group plus any supplementary groups).
- Whether a program file can be started as a process depends on whether the initiator has execute permission on the program file (and traversal permission on every directory on its path)
- Once started, the owner of the process is the initiator, and its group is the initiator's primary group; supplementary groups are carried along as well
- Which of a file's three permission sets applies to a process depends on the process's identity, and exactly one set is applied, chosen in this order:
- When the process UID is the file's owner, the file's owner permissions apply
- Otherwise, when the file's group is one of the process's groups, the group permissions apply
- Otherwise, the "other" permissions apply
Because only the first matching set is consulted, a file with mode 077 is unreadable by its own owner even though "other" is granted everything.
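The class-selection rule above, written out as an added example (this is not code from the original page): it models the classic Unix mode check for a process without CAP_DAC_OVERRIDE on a file without an ACL, which is exactly the case the text describes. The UIDs and GIDs used are made up for illustration.

```python
# Added example (not from the page): the classic Unix permission check.
# Models a process without CAP_DAC_OVERRIDE and a file without an ACL.
# UIDs/GIDs below are illustrative, not from any real system.

PERM_BIT = {"r": 4, "w": 2, "x": 1}


def applicable_class(file_uid, file_gid, proc_uid, proc_gids):
    """Pick the single permission set that governs this process.

    Only the first matching class is used; later ones are never consulted,
    even when they would grant more than the chosen one.
    """
    if proc_uid == file_uid:
        return "owner"
    if file_gid in proc_gids:          # primary or supplementary group
        return "group"
    return "other"


def allowed(mode, file_uid, file_gid, proc_uid, proc_gids, want):
    """True if every letter in `want` ('r', 'w', 'x') is granted by the
    class that applies to the process."""
    cls = applicable_class(file_uid, file_gid, proc_uid, proc_gids)
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    granted = (mode >> shift) & 0o7
    needed = 0
    for letter in want:
        needed |= PERM_BIT[letter]
    return granted & needed == needed


def explain(mode, file_uid, file_gid, proc_uid, proc_gids, want):
    """Human-readable decision, useful when debugging 'permission denied'."""
    cls = applicable_class(file_uid, file_gid, proc_uid, proc_gids)
    verdict = "allowed" if allowed(mode, file_uid, file_gid, proc_uid, proc_gids, want) else "denied"
    return (f"uid {proc_uid} gids {sorted(set(proc_gids))} wants {want} on mode {mode:04o} "
            f"(owner {file_uid}, group {file_gid}): class {cls}, {verdict}")


if __name__ == "__main__":
    # Mode 0077 owned by uid 1000: the owner gets nothing, everyone else everything.
    print(explain(0o077, 1000, 100, 1000, {100}, "r"))
    print(explain(0o077, 1000, 100, 1001, {4}, "rwx"))
    # Mode 0640 with group 4: a process that has gid 4 only as a supplementary
    # group still falls into the group class and can read but not write.
    print(explain(0o640, 0, 4, 1000, {1000, 4}, "r"))
    print(explain(0o640, 0, 4, 1000, {1000, 4}, "w"))
```

The 077 case is the one that surprises people: the owner is matched first, so the generous "other" bits are never reached. The real kernel additionally short-circuits for root (CAP_DAC_OVERRIDE) and consults POSIX ACLs when present; both are outside this model.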
2. Permission management command
2.1 Permission modification command chmod
chmod changes the permissions of the three object classes. Syntax:
    chmod [-R] MODE file...
    -R    //Recurse into directories and apply the change to everything below them
The object classes are u (owner), g (group), o (other) and a (all three). MODE can be written in three ways:
1. Assignment (=) sets a class to exactly the listed permissions and clears the rest:
    chmod CLASS=MODE file...
    chmod CLASS=MODE,CLASS=MODE file...
    For example:
    [root@zsl ~]# chmod u=rwx zsl
    [root@zsl ~]# chmod u=rwx,g=rwx zsl
2. Add or remove (+/-) changes only the listed bits and leaves the others as they are:
    chmod CLASS+|-MODE file...
    chmod CLASS+|-MODE,CLASS+|-MODE file...
    chmod +|-MODE file...
    For example:
    [root@zsl ~]# chmod u+rwx zsl
    [root@zsl ~]# chmod u-x,g-x zsl
    [root@zsl ~]# chmod +x zsl
    //With no class letter, chmod applies the change to all classes except the bits set in the umask, so `chmod +x` is the same as `chmod a+x` under the usual umask 022 (which masks no execute bits)
3. Numeric (octal) mode sets all three classes at once:
    chmod "mode number" file...
    For example:
    [root@zsl ~]# chmod 777 zsl
    //777 makes the file writable by every user on the system; it is almost never the right fix for a "permission denied" error. Use the narrowest mode that works, for example 755 for a program, 644 for data and 600 for secrets
2.2 Owner and group modification command chown
Changing a file's owner requires root (the CAP_CHOWN capability); an ordinary user cannot give files away. The owner of a file may change its group to any group they belong to (with chgrp, or chown :GROUP).
    chown [-R] USERNAME file...          //-R also changes the owner of a directory's contents
    chown USERNAME:GROUPNAME file...
    chown USERNAME.GROUPNAME file...     //Old separator, still accepted by GNU chown; ':' is preferred because user names may contain '.'
    chown :GROUPNAME file...             //Change only the group
For example:
    [root@zsl ~]# chown root.root zsl
    [root@zsl ~]# chown root:root zsl
Note: the kernel clears the SUID and SGID bits of a regular file when its ownership changes, so re-check `ls -l` after chown on a privileged executable.
2.3 Special permissions
By default Linux access control follows the security context described above; the special permission bits change those rules.
SUID (4)
    //When the program runs, the effective owner of the resulting process is the owner of the program file, not the user who started it
    chmod u+s file
    chmod u-s file
    //In ls -l, SUID appears in the owner's execute column as a lowercase s when the file also has execute permission, and as an uppercase S when it does not (a set but useless bit)
SGID (2)
    //On a program: the process runs with the group of the program file instead of the initiator's primary group
    //On a directory: files and subdirectories created inside it by users with write permission inherit the directory's group instead of the creator's primary group (the usual way to build a shared project directory)
    chmod g+s DIR
    chmod g-s DIR
    //Shown as s in the group execute column when execute is set, S otherwise
Sticky bit, SBIT (1)
    //Shared directory: everyone with write permission can create files, but a file may be deleted or renamed only by its owner, the directory's owner, or root
    chmod o+t DIR
    chmod o-t DIR
    //Shown as t in the other execute column when execute is set, T otherwise; /tmp is the standard example: drwxrwxrwt
Numeric representation of special permissions: a fourth, leading octal digit:
    4755    //SUID plus file permission 755
    2755    //SGID plus file permission 755
    1755    //Sticky plus file permission 755
    6755    //SUID and SGID together (the digits add up)
//Here the leading 4, 2 and 1 represent SUID, SGID and Sticky respectively
Security notes: a root-owned SUID program runs as root for anyone allowed to execute it, so every such binary is attack surface; `find / -perm -4000 -type f 2>/dev/null` lists them and is a standard hardening audit and pentest step. Linux ignores SUID/SGID on interpreted scripts (the interpreter runs with the caller's identity), so the bits only matter on native executables.
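The three MODE notations of 2.1 and the s/S and t/T display rules of 2.3, worked through in one added example. This is a re-implementation of chmod's symbolic syntax and of the `ls -l` mode column written for this page, not chmod's or ls's own code; it assumes regular files (GNU chmod preserves SUID/SGID on directories for `=` unless named, which is not modelled) and a default umask of 022 for the class-less `+x` form.

```python
import stat

# Added example (not from the page): chmod symbolic syntax (classes u/g/o/a,
# operators = + -, letters r/w/x/s/t) and the ls -l rendering of the result.
# Assumptions: regular files only, and umask 022 unless passed explicitly.

CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}
PERM_BIT = {"r": 4, "w": 2, "x": 1}


def _bits_for(classes, perms):
    """Translate permission letters for the given classes into mode bits."""
    bits = 0
    for p in perms:
        if p in PERM_BIT:
            for c in classes:
                bits |= PERM_BIT[p] << CLASS_SHIFT[c]
        elif p == "s":                      # setuid/setgid belong to u and g
            if "u" in classes:
                bits |= stat.S_ISUID
            if "g" in classes:
                bits |= stat.S_ISGID
        elif p == "t":                      # the sticky bit lives in the o column
            if "o" in classes:
                bits |= stat.S_ISVTX
        else:
            raise ValueError(f"unknown permission letter {p!r}")
    return bits


def apply_symbolic(mode, spec, umask=0o022):
    """Apply a symbolic MODE such as 'u=rwx,g-x', 'g+s' or '+x' to `mode`."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who, rest = clause[:i], clause[i:]
        if not rest or rest[0] not in "=+-":
            raise ValueError(f"bad clause {clause!r}")
        op, perms = rest[0], rest[1:]
        classes = set(who.replace("a", "ugo"))
        # No class letter: all classes are affected, minus bits set in the umask.
        mask_out = umask if not classes else 0
        classes = classes or set("ugo")
        bits = _bits_for(classes, perms) & ~mask_out
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:  # '=' replaces the named classes' rwx bits and their special bit
            clear = _bits_for(classes, "rwxst")
            mode = (mode & ~clear) | bits
    return mode & 0o7777


def render(mode, is_dir=False):
    """Render the 10-character ls -l mode column, e.g. '-rwsr-xr-x'."""
    out = ["d" if is_dir else "-"]
    for shift, special, low, up in ((6, stat.S_ISUID, "s", "S"),
                                    (3, stat.S_ISGID, "s", "S"),
                                    (0, stat.S_ISVTX, "t", "T")):
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & special:                  # special bit set: s/t if x, S/T if not
            out.append(low if bits & 1 else up)
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


if __name__ == "__main__":
    for start, spec in ((0o644, "u=rwx,g=rwx"), (0o755, "u-x,g-x"), (0o644, "+x"),
                        (0o755, "u+s"), (0o644, "u+s"), (0o755, "o+t"), (0o4755, "u=rwx")):
        new = apply_symbolic(start, spec)
        print(f"{start:04o} chmod {spec:<12} -> {new:04o} {render(new)}")
    print(f"/tmp style directory: {render(0o1777, is_dir=True)}")
```

Two details worth noticing in the output: `chmod u+s` on a 644 file produces `-rwSr--r--`, the capital S that marks a SUID bit nobody can use, and `chmod u=rwx` on a 4755 file drops the SUID bit because `=` rewrites the whole owner column.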
2.4 File system access control list (facl)
facl (file system access control list) stores additional access control entries in the file's extended attributes, so permissions can be granted to named users and groups beyond the single owner/group/other triplet.
Syntax: setfacl [-bkndRLP] {-m|-M|-x|-X ...} file...
    -m    //Set (add or modify) an entry: u:UID:perm or g:GID:perm (a name or a numeric id)
    Example:
    setfacl -m u:test:rw file
    setfacl -m g:test:rw file
    //To set a default ACL on a directory, prefix the entry with d: (the target must be a directory)
    Example:
    setfacl -m d:u:test:rw DIR
    //Files and subdirectories created in DIR afterwards inherit this entry
    -x    //Remove an entry: u:UID or g:GID
    Example:
    setfacl -x u:test file
    setfacl -x g:test file
    -b    //Remove all ACL entries, leaving only the classic mode bits
    Example:
    setfacl -b file
View the access control list with getfacl:
    Syntax: getfacl [-aceEsRLPtpndvh] file
    Example:
    getfacl file
Notes: once a file has named entries, `ls -l` appends a + to the mode (for example -rw-rw-r--+) and the group column shows the ACL mask rather than the owning group's permissions. The mask caps what every named user and group can get, and chmod on the group bits rewrites the mask, so a later `chmod g-w` silently limits the ACL entries too. Audits that only read mode bits miss ACLs; when reviewing who can reach a path, check with getfacl (or `getfacl -R` for a tree).
2.5 Mask code (umask)
Why is a new file created with 644 by default?
Why is a new directory created with 755 by default?
The default permissions of new files and directories are controlled by the mask code, umask.
As the name says, the umask masks out (hides) some permission bits.
The final permission of a file is:
    0666 & ~umask    //Maximum file permission with the umask bits cleared
The final permission of a directory is:
    0777 & ~umask    //Maximum directory permission with the umask bits cleared
This is a bitwise operation, not arithmetic subtraction. It is commonly written as "666 - umask" and "777 - umask", which gives the same result for the usual umasks 022 and 027 but not in general: with umask 033, 666 - 033 = 633, yet the real result is 644, because a bit that is already clear cannot be cleared again. Files never receive execute permission by default simply because their starting mode is 666; the "add 1 back" rule found in some tutorials only patches the subtraction shortcut. Execute has to be added afterwards with chmod.
umask is a per-process attribute inherited by child processes: set it in the shell (`umask 027`) or in /etc/profile for interactive sessions, and in the service's unit or configuration for daemons. A permissive umask such as 000 on a service silently makes everything it writes world-writable.
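The bitwise rule and the subtraction shortcut side by side, as an added example that is not part of the original page. It computes the expected default modes for a umask, then sets that umask, creates a real file and directory in a temporary location, and reads back what the kernel actually assigned, so the two can be compared.

```python
import os
import stat
import tempfile

# Added example (not from the page): default modes under a umask, computed
# bitwise and then confirmed by creating real files in a temporary directory.


def expected_default_modes(umask):
    """Creation mode with the umask bits cleared: files start from 0666,
    directories from 0777. This is the operation the kernel performs."""
    return (0o666 & ~umask, 0o777 & ~umask)


def subtraction_rule(umask):
    """The '666 - umask' shortcut from tutorials, kept only for comparison.
    It is wrong whenever a umask digit has a bit the base mode lacks."""
    return (0o666 - umask, 0o777 - umask)


def observed_default_modes(umask):
    """Set the umask, create a file and a directory, and return the permission
    bits the kernel assigned. The previous umask is restored afterwards."""
    old = os.umask(umask)
    try:
        # mkdtemp forces 0700 on the temp dir itself; only what we create
        # inside it is subject to the umask we set.
        with tempfile.TemporaryDirectory() as tmp:
            fpath = os.path.join(tmp, "f")
            dpath = os.path.join(tmp, "d")
            with open(fpath, "w"):          # open() requests mode 0666
                pass
            os.mkdir(dpath)                 # mkdir() requests mode 0777
            return (stat.S_IMODE(os.stat(fpath).st_mode),
                    stat.S_IMODE(os.stat(dpath).st_mode))
    finally:
        os.umask(old)


if __name__ == "__main__":
    print("umask  bitwise(file,dir)  subtraction(file,dir)  observed(file,dir)")
    for um in (0o022, 0o027, 0o033, 0o011, 0o077):
        exp = expected_default_modes(um)
        sub = subtraction_rule(um)
        obs = observed_default_modes(um)
        flag = "" if exp == sub else "   <- subtraction is wrong here"
        print(f"{um:04o}   {exp[0]:04o} {exp[1]:04o}          "
              f"{sub[0]:04o} {sub[1]:04o}             {obs[0]:04o} {obs[1]:04o}{flag}")
```

Running it shows umask 033 and 011 producing 644 and 666 for files, exactly where "666 - umask" would predict 633 and 655; the observed column always agrees with the bitwise column.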
3. sudo (borrowing privileges)
sudo lets an administrator define which users may run which commands, from which hosts, as which other user.
sudo configuration file: /etc/sudoers
Edit it with the visudo command, which locks the file and checks the syntax before saving; a sudoers file with a syntax error can lock everyone out of root (`visudo -c` checks an existing file). Each line is one sudo entry, in this format:
    who which_hosts=(runas) command
    who          : User, User_Alias       //the identity of the person running the command
    which_hosts  : Host, Host_Alias       //from which hosts
    runas        : User, Runas_Alias      //as which user; if (runas) is omitted it means root
    command      : Command, Cmnd_Alias    //which commands, given by full path
//Alias names consist only of uppercase letters, digits and underscores and must begin with an uppercase letter; an item can be negated with an exclamation mark
//Alias types
1. User alias: User_Alias NAME = user names, group names written as %group, other user aliases already defined
2. Host alias: Host_Alias NAME = host names, IP addresses, network addresses, other host aliases
3. Command alias: Cmnd_Alias NAME = command paths, a directory path ending in / (all commands in that directory), other command aliases already defined
4. Runas alias: Runas_Alias NAME = user names the command may be run as
sudo command syntax: sudo [options] COMMAND
    -V            //Print the version number
    -h            //Print help: version and usage
    -l            //List the commands the current user may run with sudo; the first thing to check when auditing an account, and the first thing a pentester runs
    -v            //Re-validate the cached credentials without running a command; the cache expires after the timestamp timeout, 5 minutes by default, after which the password is asked again
    -k            //Invalidate the cached credentials immediately instead of waiting for the timeout
    -b            //Run the command in the background
    -u USERNAME   //Run the command as the given user; the default is root
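The entry format and the alias types above, exercised by a small evaluator added for this page (it is not sudo's own code, and sudoers has far more syntax than is modelled). The sudoers fragment and the group membership table are constructed for the example. Simplifications: no `!` negation, no wildcards, no Defaults lines, no command arguments, and a command only matches when its full path equals a listed one.

```python
import re

# Added example (not from the page or the sudo project): a simplified
# evaluator for `who hosts=(runas) commands` entries with aliases.
# SUDOERS and GROUPS are constructed data, not from a real host.
# Not modelled: '!' negation, wildcards, Defaults, command arguments.

SUDOERS = """\
# Aliases
User_Alias  ADMINS = alice, %wheel
Host_Alias  WEB = web1, web2
Cmnd_Alias  SERVICES = /usr/bin/systemctl, /usr/sbin/service
Runas_Alias OPS = root, deploy

# User specifications
ADMINS  ALL = (ALL) ALL
bob     WEB = (OPS) SERVICES
carol   ALL = /usr/bin/less
"""

GROUPS = {"wheel": {"dave"}}   # constructed: what `getent group wheel` would show

ALIAS_KINDS = ("User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")


def parse_sudoers(text):
    """Split the file into alias tables and user specifications."""
    aliases = {k: {} for k in ALIAS_KINDS}
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if not line:
            continue
        kind = line.split()[0]
        if kind in ALIAS_KINDS:
            name, members = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse: {line!r}")
        who, hosts, runas, cmds = m.groups()
        specs.append((who, hosts, runas or "root",   # omitted (runas) means root
                      [c.strip() for c in cmds.split(",")]))
    return aliases, specs


def expand(items, table):
    """Recursively replace alias names by their members; returns a set."""
    out = set()
    for item in items:
        out |= expand(table[item], table) if item in table else {item}
    return out


def user_matches(item, user, groups):
    if item == "ALL":
        return True
    if item.startswith("%"):                     # %group means Unix group membership
        return user in groups.get(item[1:], set())
    return item == user


def may_run(text, groups, user, host, runas, cmd):
    """Would sudo let `user` on `host` run `cmd` as `runas`?"""
    aliases, specs = parse_sudoers(text)
    for who, hosts, ra, cmds in specs:
        if not any(user_matches(w, user, groups) for w in expand([who], aliases["User_Alias"])):
            continue
        if not expand([hosts], aliases["Host_Alias"]) & {"ALL", host}:
            continue
        runas_set = expand([r.strip() for r in ra.split(",")], aliases["Runas_Alias"])
        if not runas_set & {"ALL", runas}:
            continue
        if expand(cmds, aliases["Cmnd_Alias"]) & {"ALL", cmd}:
            return True
    return False


if __name__ == "__main__":
    for q in (("alice", "db1", "root", "/bin/bash"), ("dave", "db1", "root", "/bin/bash"),
              ("bob", "web1", "deploy", "/usr/bin/systemctl"), ("bob", "db1", "deploy", "/usr/bin/systemctl"),
              ("carol", "web1", "root", "/usr/bin/less"), ("carol", "web1", "deploy", "/usr/bin/less")):
        print(q, "->", may_run(SUDOERS, GROUPS, *q))
```

Note what the constructed file grants carol: `/usr/bin/less` as root. A pager, editor or anything else that can spawn a subprocess (`!sh` inside less) is a full root shell, which is why `sudo -l` output is reviewed command by command rather than trusted because the list is short.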
4. File special attributes command (chattr)
The chattr command changes a file's special attributes. Compared with chmod, which only changes the read/write/execute permissions, chattr sets lower-level attributes enforced by the kernel's file system code (ext2/3/4 and others), and those attributes apply even to root.
Command format: chattr [options] [+/-/=attribute] [file or directory]
Options:
    -R    //Recurse
    -V    //Verbose: print the version and each change as it is made
Mode:
    +     //Add attributes
    -     //Remove attributes
    =     //Set exactly the listed attributes
Attributes:
    A     //Do not update the file's last access time (atime)
    a     //Append-only: data can be added, but the file cannot be truncated, overwritten or deleted (useful for logs)
    i     //Immutable: the file cannot be deleted, renamed, written to, appended to or hard-linked, even by root, until the attribute is removed
Example:
    [root@hzz ~]# chattr +a hzz.txt    //add the a attribute to hzz.txt
    [root@hzz ~]# lsattr hzz.txt       //view the special attributes of the file
    -----a-------e-- hzz.txt
//The e flag in the output is the extents flag that ext4 sets on every file; chattr did not add it
Security notes: setting or clearing a and i requires the CAP_LINUX_IMMUTABLE capability (normally root). Defenders use +a on audit logs and +i on configuration that must not change; attackers use +i to protect dropped binaries and cron entries from cleanup. A file that "cannot be removed even by root" is a signal to run `lsattr -R` during incident response and to check who had the capability to set it.
5. Extended commands
sleep
    //In a script, sleep delays the next command so it does not start before the previous step has finished
    Syntax: sleep NUMBER[SUFFIX]
    SUFFIX: s (seconds, the default), m (minutes), h (hours), d (days)
    Example: sleep 5    //the following command runs after sleeping 5 seconds
last
    //Display the contents of /var/log/wtmp: user login history and system reboot history
    -n #    //Show only the last # records
lastb
    //Display the contents of /var/log/btmp: failed login attempts. btmp is readable only by root, because users who typed their password into the username field end up recorded there
    -n #    //Show only the last # records
lastlog
    //Display the last successful login of every user (from /var/log/lastlog)
    -u username    //Show only the given user
basename
    //Print the last component of a path (the file name without its directories)
Note: wtmp, btmp and lastlog are plain binary files that anyone with root can edit or truncate, so during an investigation compare them with sshd and PAM messages in /var/log/auth.log (or the systemd journal) before trusting the login history.
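What `last` actually reads, as an added example that is not part of the original page: a parser for the wtmp record format with the login/logout pairing `last` performs. The struct layout is the x86_64 glibc `struct utmp` (384 bytes); other architectures and libcs differ, so the layout is an assumption. The sample records are constructed in the block itself; when run as a script it parses the real /var/log/wtmp if it is readable.

```python
import struct
import time

# Added example (not from the page): parse wtmp/btmp records and pair logins
# with logouts the way `last` does. Layout assumed: x86_64 glibc struct utmp.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"   # type, pid, line, id, user, host, exit(2), session, tv_sec, tv_usec, addr[4], reserved
UTMP_SIZE = struct.calcsize(UTMP_FMT)      # 384 on x86_64 glibc
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Return one dict per fixed-size record; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _session,
         sec, _usec, *_addr) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": ut_type, "pid": pid, "line": _cstr(line),
                        "user": _cstr(user), "host": _cstr(host), "time": sec})
    return records


def sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty.
    Returns (user, line, host, login_sec, logout_sec); logout None = still logged in."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            entry = [r["user"], r["line"], r["host"], r["time"], None]
            open_by_line[r["line"]] = entry
            out.append(entry)
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            open_by_line.pop(r["line"])[4] = r["time"]
    return [tuple(e) for e in out]


def make_record(ut_type, pid, line, user, host, sec):
    """Build one record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


# Constructed sample wtmp: a boot, one finished SSH session, one still open.
SAMPLE_WTMP = (make_record(BOOT_TIME, 0, "~", "reboot", "6.1.0", 1700000000)
               + make_record(USER_PROCESS, 1234, "pts/0", "alice", "10.0.0.5", 1700000100)
               + make_record(DEAD_PROCESS, 1234, "pts/0", "", "", 1700000400)
               + make_record(USER_PROCESS, 1300, "pts/1", "bob", "10.0.0.9", 1700000500))


if __name__ == "__main__":
    try:
        with open("/var/log/wtmp", "rb") as fh:
            data = fh.read()
    except OSError:
        data = SAMPLE_WTMP
    for user, line, host, login, logout in sessions(parse_utmp(data)):
        start = time.strftime("%Y-%m-%d %H:%M", time.gmtime(login))
        end = "still logged in" if logout is None else f"{(logout - login) // 60} min"
        print(f"{user:<12} {line:<8} {host:<16} {start}  {end}")
```

Because the records are fixed-size and the fields are plain null-padded strings, a log-wiper that overwrites a record with zeros leaves a type-0 gap that this parser still emits; a gap in an otherwise continuous pid/time sequence is one of the things to look for when wtmp is suspected of having been edited.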