File special permissions, file access control list, hidden attributes of files!

Hidden attributes of files

Besides the general (rwx) and special permission bits, files on Linux can also carry a third kind of permission: hidden attributes, which ordinary tools do not display, so by default users do not even know they are there. A common puzzle in production and in RHCE exam questions is a file that clearly grants enough permission yet cannot be deleted, or a log file to which content can only be appended but never modified or truncated. The first is the immutable attribute (i), the second the append-only attribute (a); both bind even root until the attribute is removed, which makes it harder for an attacker who has gained access to tamper with system logs. These "strange" files are therefore part of what keeps a Linux system secure.

chattr command

The chattr command sets the hidden attributes of a file; the format is "chattr [parameter] file". To add an attribute, append "+parameter" (for example chattr +i file); to remove one, append "-parameter" (chattr -i file). Setting or clearing the i and a attributes requires root (the CAP_LINUX_IMMUTABLE capability), and the attributes are only honoured on filesystems that support them, such as ext2/3/4 and XFS.

The parameters used for hidden attributes in the chattr command and their functions (the original table was an image that is not reproduced here). The two most commonly used are i, which makes the file immutable: it cannot be deleted, renamed, written to or hard-linked; and a, which makes the file append-only: data can be added at the end, but existing content cannot be changed or truncated.

lsattr command

The lsattr command displays the hidden attributes of a file; the format is "lsattr [parameter] file". Hidden attributes must be viewed with lsattr: ls and similar commands give no hint that they are set, which is exactly why a file protected this way looks normal in a directory listing.

Once lsattr is run, the hidden attributes set on the file are shown as letters in its attribute field. You can then remove an attribute with chattr using the corresponding letter (for example, a file that shows i is released with chattr -i).
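As an added example (not part of the original post), the script below does two things a practitioner actually needs: it parses lsattr output to find every file carrying the i or a attribute, and, when run as root on a filesystem that supports attributes, it demonstrates what each attribute blocks. The sample lsattr lines, the paths in them and the temporary file name are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original post: audit lsattr output for the two
# attributes the text describes (i = immutable, a = append-only) and, when
# run as root on a filesystem that supports them, demonstrate their effect.

# lsattr prints a fixed-width attribute field, a space, then the path:
#   ----i---------e------- /etc/resolv.conf
# has_attr LINE LETTER succeeds when LETTER appears in the attribute field.
# Only the text before the first space is inspected, so a letter inside the
# path (e.g. /etc/issue) can never produce a false match.
has_attr() {
    field=${1%% *}
    case "$field" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# classify_attr LINE -> immutable | append-only | immutable+append-only | plain
classify_attr() {
    if   has_attr "$1" i && has_attr "$1" a; then echo "immutable+append-only"
    elif has_attr "$1" i;                     then echo "immutable"
    elif has_attr "$1" a;                     then echo "append-only"
    else                                           echo "plain"
    fi
}

# protected_files: read lsattr lines on stdin (e.g. lsattr -R /etc 2>/dev/null
# | protected_files) and print "<class> <path>" for every entry carrying i or a,
# which is what a log-tampering check or a "why can't root delete this" hunt needs.
protected_files() {
    while IFS= read -r line; do
        case "$line" in
            ''|*:) continue ;;          # blank lines and "dir:" headers of lsattr -R
        esac
        cls=$(classify_attr "$line")
        [ "$cls" = plain ] && continue
        echo "$cls ${line#* }"
    done
}

# Constructed sample of lsattr output (paths and flags chosen for the example).
SAMPLE_LSATTR='--------------e------- /etc/hostname
----i---------e------- /etc/resolv.conf
-----a--------e------- /var/log/secure
----ia--------e------- /var/log/audit/audit.log'

# demo_chattr: apply +i and +a to a temporary file and show what each blocks.
# Needs root (CAP_LINUX_IMMUTABLE) and an attribute-capable filesystem such as
# ext4 or XFS; otherwise it reports why it skipped and returns 0.
demo_chattr() {
    [ "$(id -u)" -eq 0 ] || { echo "skip: chattr +i/+a needs root"; return 0; }
    f=$(mktemp /tmp/chattr-demo.XXXXXX) || return 0
    if ! chattr +i "$f" 2>/dev/null; then
        echo "skip: filesystem does not support file attributes"; rm -f "$f"; return 0
    fi
    lsattr "$f"
    rm -f "$f" 2>/dev/null && echo "unexpected: immutable file removed" \
                            || echo "rm refused while +i is set (expected)"
    chattr -i "$f" && chattr +a "$f"
    echo "new entry" >> "$f" && echo "append succeeded while +a is set (expected)"
    ( echo "rewrite" > "$f" ) 2>/dev/null && echo "unexpected: overwrite succeeded" \
                                          || echo "overwrite refused while +a is set (expected)"
    chattr -a "$f"
    rm -f "$f"
}

printf '%s\n' "$SAMPLE_LSATTR" | protected_files
demo_chattr
```

On a real host, `lsattr -R / 2>/dev/null | protected_files` lists every immutable or append-only file, which is the quickest way to explain a "permission denied as root" report or to confirm that an append-only log has not had the attribute quietly removed.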


File access control list

General permissions, special permissions and hidden attributes have one thing in common: they apply to a class of user (owner, group, others). To control access for a specific user or group individually, you need the file access control list (ACL). In plain terms, setting an ACL on a file or directory means granting read, write and execute permissions on that object to named users or groups. Note that an ACL on a directory is not automatically applied to the files in it: only a default ACL set on the directory (setfacl -d) is inherited, and only by files and subdirectories created afterwards. Each file's ACL is its own; changing the directory's ACL later does not change it.

setfacl command

The setfacl command manages the ACL rules of a file; the format is "setfacl [parameter] file name". A file ACL adds permission control beyond the read/write/execute bits of the owner, group and others: with setfacl you can grant read, write or execute permission to a single user or user group on a single file or directory. Use -m to add or modify an entry, -R to apply a change recursively to a directory tree, and -b to remove all ACL entries from a file. A file that carries an ACL shows a "+" after its mode bits in ls -l.

Common parameters:

-m: modify (add or change) an ACL entry, e.g. setfacl -m u:alice:rw file;
-x: remove a single entry, e.g. setfacl -x u:alice file;
-b: remove all extended ACL entries from a file or directory;
-R: apply the change recursively to a directory and everything below it;
-d: operate on the default ACL of a directory, which newly created entries inherit.

getfacl command

The getfacl command displays the ACL information set on a file; the format is "getfacl file name". Use setfacl to set an ACL and getfacl to view it. One caveat worth checking in the output: named user entries, named group entries and the owning group entry are all filtered through the mask entry, and chmod rewrites that mask from the group bits of the mode, so a chmod run after setfacl can silently shrink what an entry grants. getfacl flags this with a "#effective:" annotation next to the affected entry.
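As an added example covering the setfacl and getfacl sections together (not part of the original post), the script below computes the permissions an ACL really grants by applying the mask to each entry of a getfacl listing, and, where the acl tools and filesystem allow it, reproduces the chmod-rewrites-the-mask pitfall live. The getfacl listing, the user names in it, the temporary directory and the numeric uid 1000 used by the live demo are all assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original post: compute the permissions an ACL
# really grants by applying the mask to each entry, and (where the acl tools
# and filesystem allow it) show the chmod-rewrites-the-mask pitfall live.

# and_perms PERMS MASK -> the bitwise AND of two rwx triples, e.g.
#   and_perms rw- r--  -> r--
and_perms() {
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c"$i")
        b=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" = "$b" ] && [ "$a" != "-" ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    echo "$out"
}

# effective_acl: read one getfacl(1) listing on stdin and print every entry,
# appending "effective=<perms>" to the entries the mask applies to: named users,
# named groups and the owning group. The owner (user::), other:: and mask::
# entries are never masked. getfacl's own "#effective:" annotation is dropped
# and recomputed. Lines of a default ACL (default:...) carry their own mask and
# are passed through unchanged here.
effective_acl() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-][rwx-][rwx-]\).*/\1/p')
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # "# file:", "# owner:", "# group:" headers
        entry=${line%%[[:space:]]*}                  # strip any "   #effective:..." tail
        tag=${entry%%:*}
        rest=${entry#*:}
        name=${rest%%:*}
        perms=${rest#*:}
        case "$tag:$name" in
            user:|other:|mask:|default:*) echo "$entry" ;;
            user:*|group:*)
                if [ -n "$mask" ]; then echo "$entry effective=$(and_perms "$perms" "$mask")"
                else echo "$entry"; fi ;;
            *) echo "$entry" ;;
        esac
    done
}

# Constructed getfacl listing: alice was granted rw- with setfacl, then a
# "chmod 640" rewrote the mask to r--, which getfacl marks with #effective.
SAMPLE_GETFACL='# file: shared/report.txt
# owner: root
# group: developers
user::rw-
user:alice:rw-              #effective:r--
group::r--
group:auditors:r-x          #effective:r--
mask::r--
other::---'

# demo_acl: live version of the above. Uses numeric uid 1000 (an assumption;
# setfacl accepts a numeric id whether or not the user exists) so it runs on
# any host; skips cleanly without the acl tools or ACL filesystem support.
demo_acl() {
    command -v setfacl >/dev/null 2>&1 || { echo "skip: acl tools not installed"; return 0; }
    d=$(mktemp -d) || return 0
    f=$d/report.txt
    : > "$f"
    if ! setfacl -m u:1000:rw "$f" 2>/dev/null; then
        echo "skip: filesystem without ACL support"; rm -rf "$d"; return 0
    fi
    ls -l "$f"                      # the "+" after the mode bits marks an ACL
    chmod 600 "$f"                  # group bits -> mask, so uid 1000's rw- becomes ---
    getfacl --omit-header "$f" | effective_acl
    setfacl -b "$f"                 # -b strips every extended entry again
    setfacl -d -m u:1000:rwx "$d"   # default ACL: inherited only by entries created later
    touch "$d/new.txt"
    getfacl --omit-header "$d/new.txt"
    rm -rf "$d"
}

printf '%s\n' "$SAMPLE_GETFACL" | effective_acl
demo_acl
```

The point to take from the output is that `user:alice:rw-` is not what alice gets; after the chmod she has `r--`, and nothing in `ls -l` beyond the trailing "+" hints at it. When auditing ACLs, `getfacl -R dir | effective_acl` shows the granted and effective permission side by side for every entry.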


Origin blog.csdn.net/SYH885/article/details/108941885