Linux - permission management

Linux permission management

1. Permission introduction

Linux permissions are the mechanism the operating system uses to restrict access to files and directories. The basic permissions are read, write and execute, and every file carries a separate set of them for three classes of identity: the file's owner, the file's group, and everyone else. Through this mechanism a user or a group can be limited to exactly the operations it needs on a given file.

1.1 Permission classification

  • Permissions are defined for three classes of identity:

    Class    Meaning                                   Abbreviation
    owner    the user who owns the file                u
    group    the group that owns the file              g
    other    everyone else                             o

  • Permission classification:

    Permission    Effect on a file                  Effect on a directory
    r (read)      file contents can be read         entry names can be listed
    w (write)     file contents can be modified     entries can be created, deleted and renamed
    x (execute)   file can be run as a command      directory can be entered and its entries accessed

Note: a directory needs x (search) permission before anything inside it can be used. With r but no x, names can be listed but the entries themselves cannot be opened or stat'ed; with x but no r, names cannot be listed but a file whose name is already known can be opened. w on a directory only takes effect together with x, and it is w on the directory, not on the file, that allows a file to be deleted.

  • Permission representation (each class is one octal digit: r = 4, w = 2, x = 1, added together):

    r w x   octal
    - - -   0
    - - x   1
    - w -   2
    - w x   3
    r - -   4
    r - x   5
    r w -   6
    r w x   7

1.2 Linux security context

Every process in Linux runs with a user identity (its effective UID and GID plus supplementary groups), and it is this identity, not the program, that the kernel checks when the process opens a file. A process therefore has exactly the permissions of the user it runs as: the more privileged the user, the more privileged every process that user starts.

Files have an owner and a group; processes have an owner and a group.

  • Whether an executable file can be started as a process depends on whether the user starting it has execute permission on that file (a script additionally needs read permission, because the interpreter has to read it).
  • Once started, the owner of the process is the user who launched it and its group is that user's primary group (the special bits in 2.3 are the exception).
  • Which permission set a process gets on a file depends on the identity of the process, and exactly one set is consulted:
    • if the effective UID of the process is the file's owner, the owner permissions apply;
    • otherwise, if the effective GID or any supplementary group of the process is the file's group, the group permissions apply;
    • otherwise, the "other" permissions apply.

The check stops at the first match: an owner whose owner bits are r-- cannot write the file even if the group bits are rwx and the owner is a member of that group. Root (UID 0) bypasses the read and write checks entirely and only needs some x bit to be set in order to execute a regular file.
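The check described in 1.2, written out as an added Python model (example code added here, not part of the original page). The UIDs, GIDs and modes in the demo are constructed; the point it makes beyond the text is the first-match rule and the root exception.

```python
# Added example (not from the original page): a Python model of the kernel's
# discretionary access check described in 1.2.  UIDs/GIDs and file modes below
# are constructed for illustration.

R, W, X = 4, 2, 1          # one octal digit per class: r=4, w=2, x=1

def rwx(bits):
    """Render one 3-bit class, e.g. 5 -> 'r-x'."""
    return "".join(ch if bits & b else "-" for ch, b in (("r", R), ("w", W), ("x", X)))

def mode_string(mode):
    """Render the nine permission bits the way ls -l does, e.g. 0o640 -> 'rw-r-----'."""
    return rwx((mode >> 6) & 7) + rwx((mode >> 3) & 7) + rwx(mode & 7)

def permitted(mode, file_uid, file_gid, euid, egid, groups, want):
    """Does a process with identity (euid, egid, groups) get access `want` to a file?

    mode   : permission bits of the file (special bits are ignored here)
    want   : requested access, a mask of R, W and X
    groups : supplementary group IDs of the process
    Exactly one class is consulted: owner, else group, else other.
    """
    if euid == 0:
        # root bypasses the read/write checks; executing a regular file still
        # requires at least one x bit to be set somewhere in the mode
        return (not (want & X)) or bool(mode & 0o111)
    if euid == file_uid:
        cls = (mode >> 6) & 7                  # owner class, even if group grants more
    elif egid == file_gid or file_gid in groups:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return (want & ~cls) == 0

def demo():
    """Constructed scenario: a file owned by alice (uid 1000, gid 1000) with mode 0o474."""
    MODE, OWNER, GROUP = 0o474, 1000, 1000     # owner r--, group rwx, other r--
    alice = dict(euid=1000, egid=1000, groups=[1000])
    bob = dict(euid=1001, egid=1000, groups=[])  # another user whose primary group is 1000
    return {
        "mode": mode_string(MODE),
        "owner_can_write": permitted(MODE, OWNER, GROUP, want=W, **alice),
        "group_member_can_write": permitted(MODE, OWNER, GROUP, want=W, **bob),
        "root_can_exec_without_x": permitted(0o644, OWNER, GROUP, 0, 0, [], X),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The owner of the 0o474 file is refused write access although the group she belongs to has rwx, because the owner class was matched first and no other class is consulted.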

2. Permission management commands

2.1 Permission modification command: chmod

//chmod changes the permission bits of the three classes (owner, group, other) of a file or directory

//Syntax: chmod [-R] MODE file...
    -R      //Recurse into directories and change everything inside them as well

//MODE names the class to change: u (owner), g (group), o (other), a (all three)

There are three ways to express MODE:

1. Assign exactly the listed permissions (= clears the other bits of that class first):
chmod WHO=PERMS file...
chmod WHO=PERMS,WHO=PERMS file...
For example:
[root@zsl ~]# chmod u=rwx zsl 
[root@zsl ~]# chmod u=rwx,g=rwx zsl 

2. Add or remove individual permissions:
chmod WHO+|-PERMS file...
chmod WHO+|-PERMS,WHO+|-PERMS file...
chmod +|-PERMS file...      //no WHO means all three classes, except that bits set in the umask are left alone (GNU chmod)
For example:
[root@zsl ~]# chmod u+rwx zsl 
[root@zsl ~]# chmod u-x,g-x zsl
[root@zsl ~]# chmod +x zsl

3. Octal mode number (one digit per class, see the table in 1.1):
chmod MODE_NUMBER file...
For example:
[root@zsl ~]# chmod 777 zsl      //rwx for everyone: rarely what you want, since any user may then modify or replace the file

2.2 Owner and group modification command: chown

//Changing a file's owner requires root (the CAP_CHOWN capability). An ordinary user who owns a file may only change its group, and only to a group that user belongs to (chgrp). Note that changing the owner or group of an executable clears its SUID/SGID bits, so re-check special permissions after a chown.

chown [-R] USERNAME file...
    -R      //Also change the owner of a directory's contents

chown USERNAME:GROUPNAME file...
chown USERNAME.GROUPNAME file...     //older dot syntax, still accepted by GNU chown but ambiguous when a user name contains a dot
For example:
[root@zsl ~]# chown root.root zsl 
[root@zsl ~]# chown root:root zsl 

2.3 Special permissions

By default Linux permissions follow the security context described in 1.2. The three special permission bits deliberately break those rules, which is why each of them deserves care.

SUID(4)     //When the program runs, the effective UID of the process is the owner of the program file, not the user who started it. Linux applies SUID to binaries only; on scripts it is ignored.
    chmod u+s file
    chmod u-s file
    //ls -l shows SUID in the owner's x position: a lower-case s if the file also has owner execute permission, a capital S if it does not
    //Every SUID root binary is a privilege boundary; keep the set on a system small and audit it regularly

SGID(2)     //When the program runs, the effective GID of the process is the group of the program file, not the primary group of the user who started it
            //On a directory, SGID means that files and subdirectories created inside it inherit the directory's group instead of the creator's primary group (subdirectories inherit the SGID bit too). This is how shared project directories are usually built.
    chmod g+s DIR
    chmod g-s DIR
    //ls -l shows SGID in the group's x position: a lower-case s if group execute is also set, a capital S if it is not

SBIT(1)     //Sticky bit. On a world-writable directory such as /tmp, everyone can create files, but a file can only be deleted or renamed by its owner, by the directory's owner, or by root
    chmod o+t DIR
    chmod o-t DIR
    //ls -l shows the sticky bit in the other's x position: a lower-case t if other execute is also set, a capital T if it is not

Numerical representation of special permissions (a fourth, leading octal digit):
4755    //SUID plus normal permissions 755
2755    //SGID plus normal permissions 755
1755    //Sticky plus normal permissions 755
//The leading 4, 2 and 1 stand for SUID, SGID and Sticky respectively, and they add: 6755 is SUID plus SGID plus 755
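A Python model of the symbolic MODE syntax from 2.1 and of the s/S and t/T display rules from 2.3 (example code added here, not from the original page). It follows GNU chmod's behaviour for regular files, including the umask rule for a bare "+x"; the modes and umask values in the tests are constructed.

```python
import re

# Added example (not from the original page): a Python model of chmod's symbolic
# MODE syntax and of how ls -l renders the SUID/SGID/sticky bits.  It follows
# GNU chmod's behaviour for regular files; modes and umask values are constructed.

CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}
SPECIAL = {"u": 0o4000, "g": 0o2000, "o": 0o1000}   # SUID, SGID, sticky
PERM = {"r": 4, "w": 2, "x": 1}

def apply_symbolic(mode, spec, umask=0o022):
    """Apply a symbolic MODE such as 'u=rwx,g+s,o-w' to a 12-bit mode and return the result.

    WHO   : any of u g o a; an empty WHO means all classes, but, as in GNU chmod,
            bits that are set in the umask are then left untouched
    OP    : one of = + -
    PERMS : any of r w x s t (s only for u/g, t only for o)
    '=' clears the class's rwx bits and its special bit before setting the new ones,
    which is what happens to a regular file (directories keep unmentioned SUID/SGID).
    Not modelled: the X perm and copying perms from another class (e.g. g=u).
    """
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]*)([=+-])([rwxst]*)", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        who, op, perms = m.groups()
        classes = {"u", "g", "o"} if (not who or "a" in who) else set(who)
        bits = 0
        for c in classes:
            for p in perms:
                if p in PERM:
                    bits |= PERM[p] << CLASS_SHIFT[c]
                elif (p == "s" and c in "ug") or (p == "t" and c == "o"):
                    bits |= SPECIAL[c]
        if not who:
            bits &= ~umask                      # bare '+x' honours the umask
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:
            clear = sum((7 << CLASS_SHIFT[c]) | SPECIAL[c] for c in classes)
            mode = (mode & ~clear) | bits
    return mode & 0o7777

def ls_mode(mode, is_dir=False):
    """Render a 12-bit mode the way ls -l does, e.g. 0o4755 -> '-rwsr-xr-x'."""
    chars = []
    for c in "ugo":
        cls = (mode >> CLASS_SHIFT[c]) & 7
        chars += ["r" if cls & 4 else "-", "w" if cls & 2 else "-", "x" if cls & 1 else "-"]
    # a special bit replaces the x of its class: lower-case when x is also set,
    # upper-case (S or T) when the class has no execute permission
    for c, pos, letter in (("u", 2, "s"), ("g", 5, "s"), ("o", 8, "t")):
        if mode & SPECIAL[c]:
            chars[pos] = letter if chars[pos] == "x" else letter.upper()
    return ("d" if is_dir else "-") + "".join(chars)

if __name__ == "__main__":
    for start, spec in ((0o644, "u=rwx,g=rwx"), (0o755, "u+s"), (0o644, "u+s"), (0o777, "o+t")):
        result = apply_symbolic(start, spec)
        print(f"chmod {spec:<12} {start:04o} -> {result:04o}  {ls_mode(result)}")
```

The last two lines of the demo show why a capital S or T in ls output is a warning sign: a special bit on a file without execute permission is almost always a mistake, because the bit has no effect for an executable nobody can run, but it still looks like one.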

2.4 File system access control lists (facl)

facl (file system access control list) grants additional per-user and per-group permissions beyond the owner/group/other triplet. The entries are stored in an extended attribute of the file (system.posix_acl_access, and system.posix_acl_default for a directory's default ACL), so the file system has to support extended attributes and ACLs.

//Syntax: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file...
    -m      //Set (add or modify) an entry
        u:USER:perms        //USER may be a user name or a numeric UID
        g:GROUP:perms       //GROUP may be a group name or a numeric GID
    Example:
       setfacl -m u:test:rw file
       setfacl -m g:test:rw file

//To set the default ACL of a directory, prefix the entry with d: (or use the -d option). A default ACL does not change access to the directory itself; it is a template for new entries.
    Example:
       setfacl -m d:u:test:rw DIR
//From then on, files and subdirectories created inside DIR receive these entries as their own ACL, limited by the mode the creating program asked for; the umask is not applied when a default ACL exists.

    -x      //Delete an entry
        u:USER
        g:GROUP
    Example:
       setfacl -x u:test file
       setfacl -x g:test file

    -b      //Remove all extended entries (owner, group and other remain)
    Example:
       setfacl -b file

//View the access control list (getfacl)
//Syntax: getfacl [-aceEsRLPtpndvh] file...
    Example:
       getfacl file

//Two things to keep in mind when reading the output. First, setfacl -m recomputes the mask entry, and the mask caps every named user, named group and owning-group entry (getfacl marks capped entries with "#effective:"); the owner and other entries are never masked. Second, once a file has an ACL, ls -l prints a "+" after the mode and shows the mask, not the owning group's entry, in the group position, so ls alone no longer tells you who can access the file.
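Parsing getfacl output and evaluating it the way acl(5) describes, as an added Python example (added here, not part of the original page). The directory, users, groups and the getfacl text are constructed; the mask handling and the ls group position are the parts the text above only states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example (not from the original page): parse getfacl output and evaluate
# access the way acl(5) describes, including the mask.  The directory, users and
# groups below are constructed; the text mimics the real getfacl output format.
SAMPLE_GETFACL = """\
# file: project
# owner: alice
# group: dev
user::rwx
user:bob:rwx\t\t#effective:rw-
group::r-x\t\t#effective:r--
group:audit:r-x\t\t#effective:r--
mask::rw-
other::---
default:user::rwx
default:user:test:rw-
default:group::r-x
default:mask::rwx
default:other::---
"""

R, W, X = 4, 2, 1
PERM = {"r": R, "w": W, "x": X}

def perm_bits(field_text):
    """'r-x' -> 5: getfacl prints each entry's permissions as a fixed rwx field."""
    return sum(PERM[c] for c in field_text if c in PERM)

@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0                 # user::  (the owner)
    group_obj: int = 0                # group:: (the owning group)
    other: int = 0
    mask: Optional[int] = None
    users: Dict[str, int] = field(default_factory=dict)    # named users
    groups: Dict[str, int] = field(default_factory=dict)   # named groups
    default: List[str] = field(default_factory=list)       # template for new children

def parse_getfacl(text):
    acl = Acl()
    for raw in text.splitlines():
        if raw.startswith("# owner: "):
            acl.owner = raw[len("# owner: "):].strip()
            continue
        if raw.startswith("# group: "):
            acl.group = raw[len("# group: "):].strip()
            continue
        if raw.startswith("#"):
            continue
        line = raw.split("#", 1)[0].strip()      # drop the "#effective:" annotation
        if not line:
            continue
        if line.startswith("default:"):
            acl.default.append(line[len("default:"):])
            continue
        tag, qualifier, perms = line.split(":")
        bits = perm_bits(perms)
        if tag == "user":
            if qualifier:
                acl.users[qualifier] = bits
            else:
                acl.user_obj = bits
        elif tag == "group":
            if qualifier:
                acl.groups[qualifier] = bits
            else:
                acl.group_obj = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
    return acl

def acl_permits(acl, user, groups, want):
    """acl(5) check for a non-root process with effective user `user` and group set `groups`.

    The first matching class decides.  Named users, named groups and the owning
    group are capped by the mask; the owner and other entries are not.
    """
    mask = 7 if acl.mask is None else acl.mask
    if user == acl.owner:
        return (want & ~acl.user_obj) == 0
    if user in acl.users:
        return (want & ~(acl.users[user] & mask)) == 0
    matching = [acl.group_obj] if acl.group in groups else []
    matching += [bits for name, bits in acl.groups.items() if name in groups]
    if matching:
        # one matching group entry that (after masking) grants the request is enough
        return any((want & ~(bits & mask)) == 0 for bits in matching)
    return (want & ~acl.other) == 0

def ls_group_triplet(acl):
    """Bits ls -l shows in the group position: the mask if one exists, else group::."""
    return acl.group_obj if acl.mask is None else acl.mask

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for who, grps, want in (("bob", ["dev"], X), ("carol", ["dev"], X), ("erin", ["staff"], R)):
        print(who, grps, "rwx"[want.bit_length() - 1 ^ 2] if False else want, acl_permits(acl, who, grps, want))
```

bob has rwx as a named user, but the mask is rw-, so he cannot enter the directory; ls -l would show rw- in the group position even though group:: is r-x.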

2.5 umask

Why is the default permission 644 after a file is created?
Why is the default permission 755 after a directory is created?

The default permissions of new files and new directories are controlled by the umask (file mode creation mask) of the creating process.

As the name suggests, the umask masks out, that is hides, permission bits: every bit that is set in the umask is cleared from the mode the program asked for.

The final permission of a file is:

666 & ~umask	Maximum file permission with the umask bits cleared = final file permission

The final permission of a directory is:

777 & ~umask	Maximum directory permission with the umask bits cleared = final directory permission

This is a bitwise clear, not an arithmetic subtraction. For the usual umask 022 both give the same answer (644 and 755), but for umask 033 subtraction would give 633 while the real result is 644, because clearing a bit that is already clear changes nothing. Files never get execute permission by default: programs ask for 666 when they create a regular file, and x bits are only ever added explicitly (by chmod, a compiler or an installer). A umask of 022 lets every user on the system read newly created files; for service accounts and shared hosts, 027 or 077 is the usual hardening choice.
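The umask rule above, side by side with the "maximum minus umask" shortcut, as an added Python example (added here, not from the original page). The umask values it tabulates are constructed; it shows where the shortcut and the kernel disagree.

```python
# Added example (not from the original page): how the kernel derives a new
# file's mode from the umask, compared with the "subtract the umask" shortcut.
# The umask values are constructed for illustration.

FILE_BASE, DIR_BASE = 0o666, 0o777   # what creat()/open() and mkdir() ask for by default

def default_mode(umask, is_dir=False):
    """Mode a new file or directory receives: the base with every umask bit cleared."""
    base = DIR_BASE if is_dir else FILE_BASE
    return base & ~umask & 0o777

def subtraction_shortcut(umask, is_dir=False):
    """The 'maximum minus umask' rule taken literally as octal subtraction.

    It only agrees with the kernel when every umask bit is also set in the base,
    which fails for files as soon as the umask contains an x bit (1, 3, 5, 7).
    """
    base = DIR_BASE if is_dir else FILE_BASE
    return base - umask

def umask_table(umasks=(0o022, 0o027, 0o033, 0o077)):
    """For each umask: the real file and directory modes, and whether the shortcut misleads."""
    rows = []
    for u in umasks:
        f, d = default_mode(u), default_mode(u, is_dir=True)
        rows.append({
            "umask": f"{u:03o}",
            "file": f"{f:03o}",
            "dir": f"{d:03o}",
            "shortcut_wrong_for_file": subtraction_shortcut(u) != f,
        })
    return rows

if __name__ == "__main__":
    for row in umask_table():
        print(row)
```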

3. sudo: borrowing privileges

sudo lets an administrator define which users may run which commands, on which hosts, as which other user (root by default), and it logs every invocation.

sudo configuration file: /etc/sudoers

//Edit the configuration with visudo rather than a plain editor: it locks the file and refuses to save a syntactically invalid sudoers, which would otherwise lock everyone out of sudo. Each line is one sudo entry in the following format:

Example:
	who which_hosts=(runas) command

who : User, User_Alias			//Who may run the command: a user name, a %group, or an alias
which_hosts : Host, Host_Alias		//On which hosts the entry applies (ALL is common on a single machine)
runas : User, Runas_Alias		//As which user the command runs (root if omitted)
command : Command, Cmnd_Alias		//Which commands, given by absolute path; ALL means any command

//Alias names must begin with an uppercase letter and may contain only uppercase letters, digits and underscores. An exclamation mark in front of an item negates it, but subtracting commands from ALL (e.g. ALL with !/bin/sh) is not an effective restriction: the user can copy the forbidden binary under another name and run that instead.

//Alias types
1. User alias:
User_Alias ALIAS =
	user names
	group names, prefixed with %
	other user aliases that have already been defined

2. Host alias:
Host_Alias ALIAS =
	host names
	IP addresses
	network addresses (with a CIDR prefix or netmask)
	other host aliases

3. Command alias:
Cmnd_Alias ALIAS =
	absolute command paths, optionally with arguments
	a directory path ending in / (every command in that directory)
	other command aliases that have already been defined

//sudo command syntax: sudo [options] COMMAND
    -V      //Display the version number
    -h      //Help: version number and usage description
    -l      //List the commands the current user may (and may not) run through sudo
    -v      //Validate: re-authenticate and extend the credential timestamp without running a command; sudo asks for the password again once the timeout has passed (5 minutes by default, set by timestamp_timeout)
    -k      //Invalidate the cached credentials immediately; without -k they expire on their own after the timeout
    -b      //Run the command in the background
    -u USERNAME     //Run the command as the given user; the default is root

4. File attribute command: chattr

The chattr command changes the special attributes of a file. Where chmod only changes the read/write/execute permission bits, chattr sets attribute flags that the file system itself (ext2/3/4, xfs, btrfs and others) enforces in the kernel regardless of ownership and mode; even root must clear the flag before the protected operation succeeds. Setting or clearing a and i requires the CAP_LINUX_IMMUTABLE capability, which in practice means root.

Command format:
	chattr [options] [+/-/=attributes] [file or directory]

Options:
	-R	//Recurse into directories
	-V	//Verbose: show what is being changed

Mode:
	+	//Add attributes
	-	//Remove attributes
	=	//Set exactly the listed attributes
	A	//Do not update the file's last access time (atime)
	a	//Append only: data can only be added at the end of the file; it cannot be truncated, overwritten, renamed or deleted (useful for logs that an intruder should not be able to rewrite)
	i	//Immutable: the file cannot be deleted, renamed, written to, appended to or hard-linked, and its metadata cannot be changed

Example:
[root@hzz ~]# chattr +a hzz.txt      //add the a attribute to hzz.txt

[root@hzz ~]# lsattr hzz.txt         //view the special attributes of the file; e is the extents flag that ext4 sets on every file
-----a-------e-- hzz.txt

5. Extended commands

sleep   //pause for a while

//In a script, sleep delays the next command, for example to give a background process or a freshly started service time to become ready
//Syntax: sleep NUMBER[SUFFIX]
        SUFFIX: 
            s: seconds (default)
            m: minutes
            h: hours
            d: days
 Example:
	sleep 5     //the following command runs after a 5-second pause 

last    //Display the contents of /var/log/wtmp: user login history and system reboots
      -n #        //Show only the last # entries

lastb   //Display the contents of /var/log/btmp: failed login attempts (btmp is normally readable only by root)
      -n #        //Show only the last # entries

lastlog //Display the most recent successful login of every user, from /var/log/lastlog
      -u username     //Show only the given user

basename        //Strip the directory part (and optionally a suffix) from a path name

Tags: Linux

Posted by naboth_abaho on Wed, 17 Aug 2022 11:49:36 +0930