Linux Chapter 5 - Permission Management

Introduction to Linux

One, objects of permissions

  • File permissions are defined for three classes of accessor:
  • owner: the file's owner (u)
  • group: the file's owning group (g)
  • other: all other users (o)
  • For each class, a file defines three kinds of permission:

Permission  Object     Meaning
r           file       readable: the contents can be viewed with commands such as cat
w           file       writable: the file can be edited or truncated (whether it can be deleted depends on the directory's w permission, below)
x           file       executable: the file can be submitted to the kernel as a command at the prompt
r           directory  ls can list the names of the entries inside the directory
w           directory  files can be created in, or deleted from, the directory, regardless of who owns those files (unless the sticky bit of section Four is set)
x           directory  the directory can be entered with cd, and the details of its entries viewed with ls -l

Two, permission management commands

1. Command to modify permissions: chmod

Modify the permissions of one or more user classes as a whole:
  Syntax: chmod MODE file...
  User classes: u (owner), g (group), o (other), a (all)
  chmod CLASS=MODE file...
  chmod CLASS=MODE,CLASS=MODE file...
  MODE may also be given in octal, e.g. chmod 644 file
Modify individual permission bits of one or more classes:
  chmod CLASS+|-MODE file...
  chmod CLASS+|-MODE,CLASS+|-MODE file...
  chmod +|-MODE file...   (with no class given, all classes are affected, except for bits that are set in the umask)


2. Command to modify the owner and group of a file: chown (only the administrator can use it; the name means "change owner")

chown USERNAME file...
chown -R USERNAME directory...   // -R also changes the owner of the files inside the directory
chown USERNAME:GROUPNAME file...
chown USERNAME.GROUPNAME file...

  • 2.1 Command example:

    [root@Eryuege work]# ll
    总用量 4
    -rw-rw-r--. 1 jjyy jjyy 15 10月 20 11:38 abc
    [root@Eryuege work]# chown jerry abc
    [root@Eryuege work]# ls
    abc
    [root@Eryuege work]# ll
    总用量 4
    -rw-rw-r--. 1 jerry jjyy 15 10月 20 11:38 abc
    [root@Eryuege work]# chown .jerry abc
    [root@Eryuege work]# ll
    总用量 4
    -rw-rw-r--. 1 jerry jerry 15 10月 20 11:38 abc
    [root@Eryuege work]# chown jjyy.jjyy abc
    [root@Eryuege work]# ll
    总用量 4
    -rw-rw-r--. 1 jjyy jjyy 15 10月 20 11:38 abc
    

Three, the mask (umask)

3.1 After a file is created its default permission is 644; after a directory is created it is 755.
The mask (umask) is used to hide some permissions from these defaults:
  permission of a new file      = 666 - umask
  permission of a new directory = 777 - umask
umask 0022: the first 0 is the special-permission digit (see section Four).
666 - 644 = 022
777 - 755 = 022
Strictly, the kernel clears the bits that are set in the umask (mode & ~umask) rather than subtracting digits, which is why the correction in 3.2 is needed.

3.2 Files are never created with execute permission. If the subtraction leaves a digit with the execute bit set, add 1 to that digit.

Configuration case:

    [root@Eryuege work]# umask 001
    [root@Eryuege work]# umask
    0001
    [root@Eryuege work]# ll
    总用量 4
    drwxrwxrw-. 2 root root  6 10月 20 11:50 a
    -rw-rw-r--. 1 jjyy jjyy 15 10月 20 11:38 abc

Note: the mask only affects files and directories created after it is set; abc, created earlier, keeps its permissions.
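The two ways of computing a new file's permission described above, as an added example that is not part of the original post: the bitwise rule the kernel applies, the page's per-digit subtraction rule with its "+1" correction, and a check against what the running kernel actually does in a temporary directory.

```python
# Added example (not from the original post): the kernel applies the umask bitwise
# (base & ~umask); the page's "666 - umask, add 1 where an execute bit appears"
# rule is a digit-wise shortcut for the same thing. observed_mode() checks the
# computation against what the running kernel actually does in a temp directory.
import os
import shutil
import stat
import tempfile

FILE_BASE, DIR_BASE = 0o666, 0o777

def default_mode(umask, is_dir=False):
    """Bitwise rule: every bit set in the umask is cleared from the base mode."""
    base = DIR_BASE if is_dir else FILE_BASE
    return base & ~umask & 0o777

def subtraction_rule(umask, is_dir=False):
    """The page's per-digit rule: subtract, then add 1 to any file digit that
    would otherwise carry an execute bit (files are never created executable)."""
    base = DIR_BASE if is_dir else FILE_BASE
    result = 0
    for shift in (6, 3, 0):
        digit = ((base >> shift) & 7) - ((umask >> shift) & 7)
        if not is_dir and digit & 1:   # odd digit => execute bit => bump by one
            digit += 1
        result |= digit << shift
    return result

def observed_mode(umask, is_dir=False):
    """Create a file or directory under the given umask and read back its mode."""
    tmp = tempfile.mkdtemp()          # created before the umask is changed
    old = os.umask(umask)
    try:
        path = os.path.join(tmp, "probe")
        if is_dir:
            os.mkdir(path, DIR_BASE)
        else:
            os.close(os.open(path, os.O_CREAT | os.O_WRONLY, FILE_BASE))
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)                 # restore the caller's umask
        shutil.rmtree(tmp)

if __name__ == "__main__":
    for mask in (0o022, 0o001, 0o077):
        print(f"umask {mask:04o}: file {default_mode(mask):03o} dir {default_mode(mask, True):03o}")
```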

Four, Linux security context and special permissions

1. Linux security context

  • The owner's permissions are checked first, then the group's, then those of other users; only the first matching class applies.

Prerequisite: a process has an owner and a group, and a file has an owner and a group.
a. Whether an executable program file can be started as a process depends on whether the initiator has execute permission on the program file.
b. Once started as a process, the owner of the process is the initiator and its group is the initiator's group.
c. The process's permission to access a file depends on the initiator of the process:
   - when the process owner is the file's owner, the file's owner permissions apply;
   - when the process owner belongs to the file's group, the file's group permissions apply;
   - otherwise the file's "other" permissions apply.
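The owner, then group, then other selection rule above, as an added example that is not part of the original post; the uids, gids and modes are constructed, and root's ability to bypass the permission bits is deliberately left out:

```python
# Added example (not from the original post): a model of the owner -> group -> other
# selection rule. The uids/gids and modes are constructed; root's ability to bypass
# permission bits (CAP_DAC_OVERRIDE) is deliberately not modelled.

def permission_class(uid, gids, file_uid, file_gid):
    """Pick the triplet the kernel consults: owner first, then group, then other.
    Only the first matching class is used; there is no fall-through."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"

def effective_perms(mode, uid, gids, file_uid, file_gid):
    """Return the subset of {'r','w','x'} the process gets on the object."""
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(uid, gids, file_uid, file_gid)]
    bits = (mode >> shift) & 0o7
    return {name for name, bit in (("r", 4), ("w", 2), ("x", 1)) if bits & bit}

def can_start(mode, uid, gids, file_uid, file_gid):
    """Point (a) above: a program file can only be started if the initiator has x on it."""
    return "x" in effective_perms(mode, uid, gids, file_uid, file_gid)

if __name__ == "__main__":
    # constructed: a tool owned by alice (uid 1000), group dev (gid 100), mode 0470
    ALICE, BOB, DEV = 1000, 1001, 100
    print(effective_perms(0o470, ALICE, {DEV}, ALICE, DEV))  # {'r'}: owner bits win, even though alice is in dev
    print(effective_perms(0o470, BOB, {DEV}, ALICE, DEV))    # {'r','w','x'}: group bits
    print(can_start(0o470, ALICE, {DEV}, ALICE, DEV), can_start(0o470, BOB, {DEV}, ALICE, DEV))
```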

2. Special permissions

  • Linux's default access decisions follow the security context above; the special permissions break those rules.
    In umask 0022 the first digit is the special-permission digit. Example of setting a special permission: chmod 4644 abc

  • Object is a program

    1. SUID (4) // When the program runs, the owner of the resulting process is the owner of the program file, not the initiator
    chmod u+s file
    chmod u-s file
    // If the owner already has execute permission, SUID is displayed as s in the owner triplet; otherwise it is displayed as S
    [root@Eryuege tmp]# chmod 4755 /usr/bin/vi
    // A SUID editor lets every user who can run it act as the file's owner (root here); SUID belongs only on programs designed for it, such as passwd

  • Object is a directory

    2. SGID (2) // When a program runs, the group of the resulting process is the group of the program file, not the initiator's primary group.
    // By default a file created by a user belongs to that user's primary group;
    // once SGID is set on a directory, files or directories created inside it by any user with write permission on the directory
    // belong to the directory's group instead.
    chmod g+s DIR
    chmod g-s DIR
    // If the group already has execute permission, SGID is displayed as s in the group triplet; otherwise S
    [root@Eryuege test]# chmod 2755 work/
    [root@Eryuege test]# ll
    total usage 8
    -rw-r--r--. 1 root root 5530 October 18 18:26 man_db.conf
    drwxr-sr-x. 2 jjyy she 32 October 20 13:42 work

  • Object is a public directory

    3. Sticky (1) // In a public directory everyone can create files and delete their own files, but cannot delete files created by others
    chmod o+t DIR
    chmod o-t DIR
    // If others already have execute permission on DIR, Sticky is displayed as t; otherwise T
    [root@Eryuege test]# chmod 1775 work/
    [root@Eryuege test]# ll
    total usage 8
    -rw-r--r--. 1 root root 5530 October 18 18:26 man_db.conf
    drwxrwsr-t. 2 jjyy she 32 October 20 13:42 work
    // Note that work/ still shows s in the group triplet: GNU chmod keeps a directory's SUID and SGID bits when a numeric mode is given, so the result is 3775; clear the bit explicitly with chmod g-s work/

  • 4755 // with SUID, the file permission is 755

  • 2755 // with SGID, the file permission is 755

  • 1755 // with Sticky, the file permission is 755

  • 4, 2 and 1 represent SUID, SGID and Sticky respectively; they are added together in the first octal digit (e.g. 3775 above = SGID + Sticky)


Five, file access control list: facl (Filesystem Access Control List)

  • Uses the file's extended attributes to store additional access-control entries beyond the owner/group/other bits.
  • Syntax: setfacl [-bkndRLP] { -m | -x acl_spec } file...

-m: set an entry
  u:UID:perm
  g:GID:perm
  // setfacl -m u:test:rw file   grant user test rw on file
  // setfacl -m g:test:rw file   grant group test rw on file
-d: default (inherited) entries
  // To set a default access control list on a directory, add d: before u or g, e.g.
  // setfacl -m d:u:test:rw dir   files created in this directory afterwards inherit the entry
-x: remove an entry
  u:UID
  g:GID
  // setfacl -x u:test file
  // setfacl -x g:test file
-b: remove all ACL entries
Once a file has an ACL, ls -l shows a + after the mode, and its group column reflects the ACL mask rather than the owning group's rights.

  • View a file's access control list (getfacl also prints the owner and group):

Syntax: getfacl [-aceEsRLPtpndvh] file...


Six, sudo: delegating authority

1. sudo defines which commands a user may run, on which hosts, as which other user.

  • sudo configuration file: /etc/sudoers
  • visudo: edit the configuration with this command (it locks the file and checks the syntax before saving); each line is one sudo entry, in the format:
who  which_host=(runas)  command
root ALL=(ALL) ALL
she  ALL=(ALL) /usr/sbin/useradd, /usr/sbin/userdel
jjy  ALL=(ALL) NOPASSWD: /usr/sbin/useradd
Field       Meaning
who         User_Alias: the identity of the person running the command
which_host  Host_Alias: the hosts on which the entry applies
runas       Runas_Alias: the user to run the command as
command     Cmnd_Alias: the commands that may be run

2. Alias names must be written entirely in uppercase letters; an exclamation mark (!) negates an item.

  • Decoupling: aliases work like building blocks; define a set of users, hosts or commands once as an alias and reference the alias in the entries.

Alias classification:
User alias:
  User_Alias NETWORKADMIN = ...
  members: user names; group names, prefixed with %; other already-defined user aliases
Host alias:
  Host_Alias NAME = ...
  members: host names; IP addresses; network addresses; other host aliases
Runas alias:
  Runas_Alias NAME = ...
  members: user names; %group names, e.g. %root for the root group; other Runas aliases
Command alias:
  Cmnd_Alias NAME = ...
  members: command paths; directories (all commands in that directory); other defined command aliases
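The entry format and the alias mechanism above, as an added example that is not sudo's own code: a simplified model that parses a constructed sudoers fragment (the page's three entries rewritten with a User_Alias and a Cmnd_Alias), expands the aliases and decides whether a user may run a command. Command arguments, ! negation, %group members, digests and Defaults lines are not modelled.

```python
# Added example (not sudo's own code): a simplified model of how sudoers entries and
# aliases are matched. The fragment below is constructed; as in sudo, the LAST
# matching entry decides whether a password is required.
import re

SUDOERS = """
User_Alias ACCOUNTADMIN = she, jjy
Cmnd_Alias USERMGMT = /usr/sbin/useradd, /usr/sbin/userdel
root         ALL=(ALL) ALL
ACCOUNTADMIN ALL=(ALL) USERMGMT
jjy          ALL=(ALL) NOPASSWD: /usr/sbin/useradd
"""

ALIAS_RE = re.compile(r"^(User|Host|Runas|Cmnd)_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*\(([^)]+)\)\s*(NOPASSWD:)?\s*(.+)$")

def parse_sudoers(text):
    """Return ({alias: [members]}, [(who, host, runas, nopasswd, [commands])])."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        if m := ALIAS_RE.match(line):
            aliases[m.group(2)] = [x.strip() for x in m.group(3).split(",")]
        elif m := RULE_RE.match(line):
            who, host, runas, nopasswd, cmds = m.groups()
            rules.append((who, host, runas, bool(nopasswd), [c.strip() for c in cmds.split(",")]))
        else:
            raise ValueError(f"unparsed sudoers line: {line!r}")
    return aliases, rules

def expand(name, aliases):
    """Recursively expand an alias into its members; plain names expand to themselves."""
    if name not in aliases:
        return [name]
    return [m for member in aliases[name] for m in expand(member, aliases)]

def matches(name, value, aliases):
    members = expand(name, aliases)             # ALL covers everything
    return "ALL" in members or value in members

def may_run(text, user, host, runas, command):
    """None if denied; otherwise 'password' or 'nopasswd' from the last matching entry."""
    aliases, rules = parse_sudoers(text)
    decision = None
    for who, h, r, nopasswd, cmds in rules:
        if (matches(who, user, aliases) and matches(h, host, aliases)
                and matches(r, runas, aliases)
                and any(matches(c, command, aliases) for c in cmds)):
            decision = "nopasswd" if nopasswd else "password"
    return decision
```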

  • sudo command syntax: sudo [option] COMMAND
Option       Description
-V           show the version number
-h           show the version number and usage instructions
-l           list the sudo commands available to the current user
-v           sudo asks for the password the first time it runs and again after N minutes (N = 5 by default); -v renews the cached credentials without running a command, and asks for the password again if they have expired
-k           invalidate the cached credentials; without -k they expire by themselves after 5 minutes
-b           run the command in the background
-u USERNAME  run the command as the given user (default: root)

Seven, management commands

  • w // show who is currently logged in to the system and what they are doing
  • sleep // pause; in a script, when the next command must not start before the previous one has finished, add sleep # to pause for # seconds before the following command runs

SUFFIX:
s: seconds (default)
m: minutes
h: hours
d: days

  • last // display /var/log/wtmp: the user login history and system reboot history

    -n # // show only the most recent # entries

  • lastb // display /var/log/btmp: the failed login attempts of users

    -n # // show only the most recent # entries

  • lastlog // display the most recent successful login of every user

    -u USERNAME // show the most recent login of a specific user

  • dirname // print the directory part of a path; basename // print the final component of a path
    e.g. [root@Eryuege ~]# dirname /usr/local/a/b/c
    /usr/local/a/b
    [root@Eryuege ~]# basename /usr/local/a/b/c
    c

Eight, command practice

  • 1. Create a new user openstack without a home directory

    useradd -M openstack

  • 2. Copy /etc/skel to /home/openstack

    cp -r /etc/skel /home/openstack

  • 3. Change the owner and group of /home/openstack and the files inside it to openstack

    chown -R openstack.openstack openstack/

  • 4. Set /home/openstack and the files inside it so that the group and other users have no access at all

    chmod 700 openstack/   (with the directory itself at 700, group and others cannot reach anything inside it)

Origin blog.csdn.net/LBJ19224/article/details/109174019