System-Day8

System-Day8


设置基本权限

  • r 读取:允许查看内容-read
  • w 写入:允许修改内容-write
  • x 可执行:允许运行和切换-execute
[root@localhost ~]# ll -d /testdir/
drwxr-xr-x. 2 root root 4096 May 21 23:19 /testdir/
[root@localhost ~]# touch /testdir/readme.txt
[root@localhost ~]# ll /testdir/readme.txt 
-rw-r--r--. 1 root root 0 May 21 23:20 /testdir/readme.txt
//切换用户
[root@localhost ~]# su - user1
//测试是否有权限创建
[user1@localhost ~]$ mkdir /testdir/user1dir
mkdir: cannot create directory `/testdir/user1dir': Permission denied
//为其他人添加W权限
[root@localhost ~]# chmod o+w /testdir/
[root@localhost ~]# ll -d /testdir/
drwxr-xrwx. 2 root root 4096 May 21 23:20 /testdir/
[root@localhost ~]# su - user1       
[user1@localhost ~]$ mkdir /testdir/user1
//成功创建
[user1@localhost ~]$ ls /testdir/
readme.txt  user1

//无权限写文件
[root@localhost ~]# ll -d /testdir/readme.txt 
-rw-r--r--. 1 root root 0 May 21 23:20 /testdir/readme.txt
[root@localhost ~]# su - user1   
[user1@localhost ~]$ echo 123 > /testdir/readme.txt 
-bash: /testdir/readme.txt: Permission denied
//添加其他用户W权限
[root@localhost ~]# chmod o+w /testdir/readme.txt 
[root@localhost ~]# ll /testdir/readme.txt 
-rw-r--rw-. 1 root root 0 May 21 23:20 /testdir/readme.txt
[root@localhost ~]# su - user1
[user1@localhost ~]$ echo 123 > /testdir/readme.txt 
[user1@localhost ~]$ cat /testdir/readme.txt
123
//设置普通用户都不能进入该目录,只需将所有人的x执行权限去掉即可(root不受普通权限位限制)
[root@localhost ~]# ll -d /testdir/
drwxr-xrwx. 3 root root 4096 May 21 23:32 /testdir/
[root@localhost ~]# chmod a-x /testdir/
[root@localhost ~]# ll -d /testdir/
drw-r--rw-. 3 root root 4096 May 21 23:32 /testdir/
[root@localhost ~]# su - user1
[user1@localhost ~]$ cd /testdir/
-bash: cd: /testdir/: Permission denied
[user1@localhost ~]$ echo 321 > /testdir/readme.txt 
-bash: /testdir/readme.txt: Permission denied
//-R为递归修改
[root@localhost ~]# chmod -R 750 /testdir/
[root@localhost ~]# ll -d /testdir/
drwxr-x---. 3 root root 4096 May 21 23:32 /testdir/
[root@localhost ~]# ll -l /testdir/
total 8
-rwxr-x---. 1 root  root     4 May 21 23:35 readme.txt
drwxr-x---. 2 user1 user1 4096 May 21 23:32 user1
  • 文件/目录的默认权限
//确保自己登录身份是root
[root@localhost ~]# whoami
root
//查看当前umask值:目录的默认权限是最大权限777去掉umask(022)得到755,文件是666去掉022得到644
[root@localhost ~]# umask
0022
// -S选项以符号形式直接显示默认权限
[root@localhost ~]# umask -S
u=rwx,g=rx,o=rx
//管理员和普通用户umask值是不一样的
[root@localhost ~]# su - user1
[user1@localhost ~]$ umask
0002
//此配置文件规定创建用户家目录时,需遵循的umask值
[root@localhost ~]# grep -v "^#" /etc/login.defs |grep -v "^$"|grep -i umask
UMASK           077
  • 设置归属关系
[root@localhost ~]# id user1
uid=601(user1) gid=601(user1) groups=601(user1)
[root@localhost ~]# groupadd test
//更改其归属关系
[root@localhost ~]# chown user1:test /testdir/
[root@localhost ~]# ll -d /testdir/
drwxr-x---. 3 user1 test 4096 May 21 23:32 /testdir

//设置user1用户权限为rwx
[root@localhost ~]# ll -d /testdir/
drwxr-x---. 3 user1 test 4096 May 21 23:32 /testdir/
[root@localhost ~]# ll -d /testdir/
drwxr-x---. 3 user1 test 4096 May 21 23:32 /testdir/
[root@localhost ~]# chmod u=rwx /testdir/
[root@localhost ~]# ll -d /testdir/
drwxr-x---. 3 user1 test 4096 May 21 23:32 /testdir/

//其他人无任何权限
[root@localhost ~]# ll -d /testdir/
drwxr-x---. 3 user1 test 4096 May 21 23:32 /testdir/
[root@localhost ~]# chmod o= /testdir/
[root@localhost ~]# ll -d /testdir/
drwxr-x---. 3 user1 test 4096 May 21 23:32 /testdir/

//将user2用户加入test组
[root@localhost ~]# gpasswd -a user2 test
Adding user user2 to group test
[root@localhost ~]# grep user2 /etc/group
user2:x:602:
test:x:604:user2
[root@localhost ~]# su - user2
//查看是否具备r权限
[user2@localhost ~]$ ll -d /testdir/
drwxr-x---. 3 user1 test 4096 May 21 23:32 /testdir/
//查看是否具备x权限
[user2@localhost ~]$ cd /testdir/
[user2@localhost testdir]$ pwd
/testdir

//查看该组成员列表
[root@localhost ~]# grep test /etc/group
test:x:604:user2
[root@localhost ~]# gpasswd -a user1 test
Adding user user1 to group test
[root@localhost ~]# grep test /etc/group
test:x:604:user2,user1
//查看其权限划分情况
[root@localhost ~]# ll -d /testdir/
drwxr-x---. 3 user1 test 4096 May 21 23:32 /testdir/
//更改权限
[root@localhost ~]# chmod 450 /testdir/
//查看其权限划分情况
[root@localhost ~]# ll -d /testdir/
dr--r-x---. 3 user1 test 4096 May 21 23:32 /testdir/
[root@localhost ~]# su - user1
[user1@localhost ~]$ ls /testdir/
ls: cannot access /testdir/readme.txt: Permission denied
ls: cannot access /testdir/user1: Permission denied
readme.txt  user1
//权限不够,优先级顺序:所有者>所属组>其他人
[user1@localhost ~]$ cd /testdir/
-bash: cd: /testdir/: Permission denied

很明显不能够切换成功,因为所有者只有只读权限。这里说明Linux判别权限的优先顺序是所有者>所属组>其他人:系统先判断你与该目录的归属关系,先看你是不是所有者,再看你是不是所属组,最后才按其他人处理。以本题为例,gelin01是所有者,那么权限直接按照所有者的权限执行,不会再看后面的所属组权限,也不会把所有者权限与所属组权限取交集或并集。本题目的是让大家记住并体会Linux判别权限的这个优先顺序。

SUID权限

//利用which找到mkdir命令的绝对路径
[root@localhost ~]# which mkdir 
/bin/mkdir
//复制并改名
[root@localhost ~]# cp /bin/mkdir /bin/md
//添加SUID权限(仅用于演示:带SUID的root程序会以root身份运行,实验结束后应去掉或删除该副本)
[root@localhost ~]# chmod u+s /bin/md
[root@localhost ~]# ll /bin/md
-rwsr-xr-x. 1 root root 49384 May 22 18:18 /bin/md

[root@localhost ~]# su - user1
[user1@localhost ~]$ mkdir new1
[user1@localhost ~]$ md new2
//可以看到通过带SUID的md创建的new2所有者为root:SUID使进程以程序所有者身份运行
[user1@localhost ~]$ ll -d new*
drwxrwxr-x. 2 user1 user1 4096 May 22 18:22 new1
drwxrwxr-x. 2 root  user1 4096 May 22 18:22 new2

SGID

[root@localhost ~]# which mkdir
/bin/mkdir
[root@localhost ~]# cp /bin/mkdir /bin/md2
[root@localhost ~]# chmod g+s /bin/md2
[root@localhost ~]# ll /bin/md2
-rwxr-sr-x. 1 root root 49384 May 22 18:30 /bin/md2

[root@localhost ~]# su - user2
[user2@localhost ~]$ mkdir new1
//查看权限及归属关系,属组继承
[user2@localhost ~]$ md2 new2
[user2@localhost ~]$ ll -d new?
drwxrwxr-x. 2 user2 user2 4096 May 22 18:31 new1
drwxrwxr-x. 2 user2 root  4096 May 22 18:31 new2

[root@localhost ~]# mkdir /public
[root@localhost ~]# grep test /etc/group
test:x:604:user2,user1
//更改目录所属组
[root@localhost ~]# chown :test /public/
[root@localhost ~]# ll -d /public/
drwxr-xr-x. 2 root test 4096 May 22 18:33 /public/

[root@localhost ~]# ll /public/
total 4
drwxr-xr-x. 2 root root 4096 May 22 18:36 new1
-rw-r--r--. 1 root root    0 May 22 18:36 test1.txt

//添加SGID权限
[root@localhost ~]# chmod g+s /public/
[root@localhost ~]# ll -d /public/
drwxr-sr-x. 3 root test 4096 May 22 18:36 /public/
[root@localhost ~]# mkdir /public/new2
[root@localhost ~]# touch /public/test2.txt
//可以看到所属组不一样:设置SGID后新建的new2和test2.txt继承了/public的所属组test
[root@localhost ~]# ll /public/
total 8
drwxr-xr-x. 2 root root 4096 May 22 18:36 new1
drwxr-sr-x. 2 root test 4096 May 22 18:37 new2
-rw-r--r--. 1 root root    0 May 22 18:36 test1.txt
-rw-r--r--. 1 root test    0 May 22 18:37 test2.txt

Sticky权限测试

[root@localhost ~]# mkdir -p /test/public
[root@localhost ~]# ls -R /test
/test:
public

/test/public:
[root@localhost ~]# ll -d /test
drwxr-xr-x. 3 root root 4096 May 22 18:41 /test
[root@localhost ~]# ll -d /test/public/
drwxr-xr-x. 2 root root 4096 May 22 18:41 /test/public/
//设置权限为777
[root@localhost ~]# chmod 777 /test/public/
[root@localhost ~]# ll -d /test/public/
drwxrwxrwx. 2 root root 4096 May 22 18:41 /test/public/
//设置特殊权限t权限
[root@localhost ~]# chmod o+t /test/public/
[root@localhost ~]# ll -d /test/public/
drwxrwxrwt. 2 root root 4096 May 22 18:41 /test/public/

//切换用户创建文件
[root@localhost ~]# su - user1 
[user1@localhost ~]$ touch /test/public/user1file1
[user1@localhost ~]$ ll /test/public/user1file1 
-rw-rw-r--. 1 user1 user1 0 May 22 18:56 /test/public/user1file1
//切换用户创建文件
[root@localhost ~]# su - user2
[user2@localhost ~]$ touch /test/public/user2file2
[user2@localhost ~]$ ll /test/public/user2file2 
-rw-rw-r--. 1 user2 user2 0 May 22 18:57 /test/public/user2file2
//查看文件权限和归属
[user2@localhost ~]$ ll /test/public/
total 0
-rw-rw-r--. 1 user1 user1 0 May 22 18:56 user1file1
-rw-rw-r--. 1 user2 user2 0 May 22 18:57 user2file2

[user2@localhost ~]$ whoami
user2
[user2@localhost ~]$ ll -d /test/public/
drwxrwxrwt. 2 root root 4096 May 22 18:57 /test/public/
[user2@localhost ~]$ ll /test/public/
total 0
-rw-rw-r--. 1 user1 user1 0 May 22 18:56 user1file1
-rw-rw-r--. 1 user2 user2 0 May 22 18:57 user2file2
//设置了t权限后,无法删除其他用户的文件,只能删除自己的文件
[user2@localhost ~]$ \rm -rf /test/public/user1file1 
rm: cannot remove `/test/public/user1file1': Operation not permitted
[user2@localhost ~]$ \rm -rf /test/public/user2file2 
[user2@localhost ~]$ ll /test/public/
total 0
-rw-rw-r--. 1 user1 user1 0 May 22 18:56 user1file1

定义ACL控制策略

[root@localhost ~]# mkdir /data
[root@localhost ~]# touch /data/file1.txt
[root@localhost ~]# ll /data/file1.txt 
-rw-r--r--. 1 root root 0 May 22 19:02 /data/file1.txt
[root@localhost ~]# chown user1:user2 /data/file1.txt 
[root@localhost ~]# ll /data/file1.txt  
-rw-r--r--. 1 user1 user2 0 May 22 19:02 /data/file1.txt
[root@localhost ~]# chmod o= /data/file1.txt 
[root@localhost ~]# ll /data/file1.txt 
-rw-r-----. 1 user1 user2 0 May 22 19:02 /data/file1.txt

[root@localhost ~]# gpasswd -a user3 user2
Adding user user3 to group user2
[root@localhost ~]# grep user2 /etc/group
user2:x:602:user3
[root@localhost ~]# id user3
uid=603(user3) gid=603(user3) groups=603(user3),602(user2)

[root@localhost ~]# echo test > /data/file1.txt 
[root@localhost ~]# cat /data/file1.txt 
test

//切换其他用户
[root@localhost ~]# su - user4
//没有权限查看文件
[user4@localhost ~]$ cat /data/file1.txt 
cat: /data/file1.txt: Permission denied
[user4@localhost ~]$ exit
logout

//定义ACL策略
[root@localhost ~]# getfacl /data/file1.txt 
getfacl: Removing leading '/' from absolute path names
# file: data/file1.txt
# owner: user1
# group: user2
user::rw-
group::r--
other::---

[root@localhost ~]# setfacl -m u:user4:r /data/file1.txt
[root@localhost ~]# getfacl /data/file1.txt 
getfacl: Removing leading '/' from absolute path names
# file: data/file1.txt
# owner: user1
# group: user2
user::rw-
user:user4:r--
group::r--
mask::r--
other::---

//设置了ACL策略就可以访问了
[root@localhost ~]# su - user4 
[user4@localhost ~]$ cat /data/file1.txt 
test

定义默认ACL控制策略

[root@localhost ~]# mkdir /public
[root@localhost ~]# getfacl /public
getfacl: Removing leading '/' from absolute path names
# file: public
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
//设置ACL策略
[root@localhost ~]# setfacl -m u:user1:rwx /public/
[root@localhost ~]# !ge
getfacl /public
getfacl: Removing leading '/' from absolute path names
# file: public
# owner: root
# group: root
user::rwx
user:user1:rwx
group::r-x
mask::rwx
other::r-x
[root@localhost ~]# ll -d /public/
drwxrwxr-x+ 2 root root 4096 May 22 19:14 /public/

[root@localhost ~]# mkdir /public/dir1
[root@localhost ~]# touch /public/file1
//查看ACL策略
[root@localhost ~]# getfacl /public/dir1/
getfacl: Removing leading '/' from absolute path names
# file: public/dir1/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
[root@localhost ~]# getfacl /public/file1 
getfacl: Removing leading '/' from absolute path names
# file: public/file1
# owner: root
# group: root
user::rw-
group::r--
other::r--

[root@localhost ~]# getfacl /public/
getfacl: Removing leading '/' from absolute path names
# file: public/
# owner: root
# group: root
user::rwx
user:user1:rwx
group::r-x
mask::rwx
other::r-x
//设置默认可继承ACL权限
[root@localhost ~]# setfacl -dm u:user2:rwx /public/
[root@localhost ~]# getfacl /public/
getfacl: Removing leading '/' from absolute path names
# file: public/
# owner: root
# group: root
user::rwx
user:user1:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:user2:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

[root@localhost ~]# mkdir /public/dir2
[root@localhost ~]# touch /public/file2
[root@localhost ~]# getfacl /public/dir2 /public/file2
getfacl: Removing leading '/' from absolute path names
# file: public/dir2
# owner: root
# group: root
user::rwx
user:user2:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:user2:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

# file: public/file2
# owner: root
# group: root
user::rw-
user:user2:rwx			#effective:rw-
group::r-x			#effective:r--
mask::rw-
other::r--

[user2@localhost ~]$ ll -d /public/dir1
drwxr-xr-x. 2 root root 4096 May 22 19:16 /public/dir1
//权限不够
[user2@localhost ~]$ mkdir /public/dir1/1
mkdir: cannot create directory `/public/dir1/1': Permission denied
[user2@localhost ~]$ mkdir /public/dir2/1

[user2@localhost ~]$ ll -d /public/dir2
drwxrwxr-x+ 3 root root 4096 May 22 19:23 /public/dir2
[user2@localhost ~]$ getfacl /public/dir2
getfacl: Removing leading '/' from absolute path names
# file: public/dir2
# owner: root
# group: root
user::rwx
user:user2:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:user2:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

[user2@localhost ~]$ ll -d /public/dir2/1
drwxrwxr-x+ 2 user2 user2 4096 May 22 19:23 /public/dir2/1
[user2@localhost ~]$ getfacl /public/dir2/1
getfacl: Removing leading '/' from absolute path names
# file: public/dir2/1
# owner: user2
# group: user2
user::rwx
user:user2:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:user2:rwx
default:group::r-x
default:mask::rwx
default:other::r-x


转载自www.cnblogs.com/fina/p/9075652.html