Linux file system permission management

1. RWX-UGO permission control

Linux's rwx permission model is a form of DAC (Discretionary Access Control). Under DAC the owner of an object decides, at their own discretion, who may access it and how: in subject/object terms, the subject that owns an object determines what access it and every other subject has to that object. For example, a Linux user A can freely set the rwx (read, write, execute) bits of each UGO class (user/owner, group, others) on any file that A owns. The flip side is that DAC only restricts other users: the owner, and any program running as the owner, can always loosen the bits again.

1). Permission object

  • owner : the user who owns the file
  • group : the group that owns the file
  • others: everyone who is neither the owner nor a member of the file's group

2). Permission type

rwx    rwx    rwx
owner  group  others
Example:
drwxr-xr-x.  2 root root   4096 Mar  1 05:09 ssl
The leading d is the file type (- for a regular file, l for a symlink); the nine letters are the three rwx triplets; the trailing . means the entry carries an SELinux security context (a + in that position, seen later in the ACL section, means the entry has extended ACL entries).
  • r (Read): for a file, permission to read its contents; for a directory, permission to list the names of its entries.

  • w (Write): for a file, permission to change its contents (append, modify, truncate); for a directory, permission to create, delete, rename and move entries in that directory, regardless of who owns those entries.

  • x (eXecute): for a file, permission to execute it; for a directory, permission to enter it (cd) and to reach the inodes of its entries. ls -l has to stat every entry, so it needs both r and x on the directory.

  • A file has only read permission. Can the owner of the file write to it?

[root@localhost tmp]# ls -l
total 0
-r--r--r--. 1 root root 0 Mar 13 19:16 file
[root@localhost tmp]# vim file
[root@localhost tmp]# cat file
hello world!   (this is the content written from vim)
  • Conclusion: the write goes through here, but not because owners are exempt from the w bit. Two things are at work. First, this shell is root, and root bypasses DAC checks entirely (CAP_DAC_OVERRIDE); that is also why root can write /etc/shadow, not because shadow happens to be owned by root. Second, even an unprivileged owner can force the write with vim's :w!, because vim either temporarily adds the w bit or writes a new file and renames it over the old one, both of which the owner is allowed to do. A plain write by an unprivileged owner to a file without w, for example echo x >> file, fails with "Permission denied". The accurate rule: the owner can always regain write access with chmod, so a read-only mode protects the owner against accidents, not against themselves.

2. File permission judgment logic

  • Deleting a file: what is checked is w (together with x) on the directory that contains the file, not the permissions of the file itself.
    First decide which class the user falls into, in the order owner -> group -> others; only that class's bits are consulted.
    If the user is the owner of the directory, the left three bits of the directory's permissions must contain w: success if they do, failure if not.
    If not the owner but a member of the directory's group, the middle three bits must contain w: success if they do, failure if not.
    Otherwise the user is "others" and the right three bits must contain w: success if they do, failure if not.
    The first matching class wins: an owner whose own triplet lacks w is refused even if the group or others triplet would grant it.

  • Read permission alone on a directory does not allow cd into it; x (search) permission is needed to enter.

  • Execute permission alone lets you enter the directory but not see what is in it; to list the file and directory names inside, r is needed as well.

  • Writing an existing file's contents needs w on the file and x on every directory along the path; w on the directory is not required for that. The directory's w bit governs creating, deleting and renaming entries, so a user can delete a file they are not allowed to read, and can be allowed to edit a file they are not allowed to delete.

3. Permission management commands

  • 1). chmod command

(The chmod command changes the access permissions of files and directories; it is the tool for controlling who may read, write or execute them. Only the owner of a file and root may change its mode.)

u  owner
g  group
o  others
a  all three classes
-R recursive modification

1. Assignment notation (=)

Example:
[root@localhost tmp]# ls -l
total 0
-rw-r--r--. 1 root root 0 Mar 13 05:21 file
[root@localhost tmp]# chmod u=rwx file
[root@localhost tmp]# ls -l
total 0
-rwxr--r--. 1 root root 0 Mar 13 05:21 file
[root@localhost tmp]# chmod g=rwx file
[root@localhost tmp]# chmod o=rwx file
[root@localhost tmp]# ls -l
total 0
-rwxrwxrwx. 1 root root 0 Mar 13 05:21 file
[root@localhost tmp]# chmod a=x file
[root@localhost tmp]# ls -l
total 0
---x--x--x. 1 root root 0 Mar 13 05:21 file
  • Files and directories you create get the user you are logged in as as their owner, and that user's primary group as their group (unless the parent directory has SGID set, see the special permissions below).
    2. Add/remove notation (+ and -)
Example:
[root@localhost tmp]# ls -l
total 0
-rw-r--r--. 1 root root 0 Mar 13 05:24 file
[root@localhost tmp]# chmod a+x file
[root@localhost tmp]# ls -l
total 0
-rwxr-xr-x. 1 root root 0 Mar 13 05:24 file
[root@localhost tmp]# chmod a-r file    (permissions can be added with + or removed with -)
[root@localhost tmp]# ls -l
total 0
--wx--x--x. 1 root root 0 Mar 13 05:24 file
u, g and o are used the same way.
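To make the two notations above concrete, here is a small interpreter for chmod's symbolic syntax. It is an added example, not code from the original post or from GNU coreutils; it handles only the u/g/o/a classes and the r/w/x letters (the s, t and X flags and the u=g copy form are left out), and the start modes and umask in the demo are constructed.

```python
# Added example (not from the original post): an interpreter for chmod's
# symbolic notation, so the '=' and '+'/'-' forms shown above can be followed
# bit by bit.  Covers u/g/o/a and r/w/x only; s, t, X and 'u=g' are out of
# scope.  Modes and umask values used in the demo are constructed.

WHO_BITS = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}


def apply_symbolic(mode, spec, umask=0o022):
    """Return `mode` after applying a comma-separated chmod spec such as
    'u=rwx,g+x,o-r'.  One operator per clause.  A clause without a who-letter
    means 'a', except that, as chmod(1) does, bits set in the umask are left
    untouched for that clause."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in WHO_BITS:
            i += 1
        if i == len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad clause: {clause!r}")
        op, perms = clause[i], clause[i + 1:]
        who_mask = 0
        for c in clause[:i] or "a":
            who_mask |= WHO_BITS[c]
        if i == 0:                      # no who-letter: 'a' minus the umask bits
            who_mask &= ~umask
        perm_mask = 0
        for p in perms:
            if p not in PERM_BITS:
                raise ValueError(f"unsupported permission {p!r} in {clause!r}")
            perm_mask |= PERM_BITS[p]
        bits = who_mask & perm_mask
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                           # '=' replaces the whole triplet of each class
            mode = (mode & ~who_mask) | bits
    return mode & 0o777


def rwx_string(mode):
    """The nine-character permission part of an ls -l line for a plain 0-777 mode."""
    letters = ""
    for shift in (6, 3, 0):
        t = (mode >> shift) & 0o7
        letters += ("r" if t & 4 else "-") + ("w" if t & 2 else "-") + ("x" if t & 1 else "-")
    return letters


def trace(start, specs, umask=0o022):
    """Apply each spec in turn; return [(spec, octal, ls string), ...]."""
    mode, steps = start, []
    for spec in specs:
        mode = apply_symbolic(mode, spec, umask)
        steps.append((spec, oct(mode), rwx_string(mode)))
    return steps


if __name__ == "__main__":
    # The two sequences from the page, each starting from a fresh -rw-r--r-- file.
    for spec, octal, s in trace(0o644, ["u=rwx", "g=rwx", "o=rwx", "a=x"]):
        print(f"chmod {spec:<6} -> {octal:<6} -{s}")
    for spec, octal, s in trace(0o644, ["a+x", "a-r"]):
        print(f"chmod {spec:<6} -> {octal:<6} -{s}")
    # No who-letter: w is added only where the umask (022) allows, i.e. for the owner.
    print("chmod +w on 0o444 ->", oct(apply_symbolic(0o444, "+w")))
```

The last line is the trap worth knowing: `chmod +w` and `chmod a+w` are not the same command, because the who-less form respects the umask while the explicit `a` does not.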
  • 2). chown command

(chown changes the owner, and optionally the group, of the given files. The user may be given as a name or a numeric UID, the group as a name or a numeric GID. Administrators often run chown after copying a file into another user's directory so that the user can actually use it.)
Command function: change the owner and group of a file. Both names and numeric IDs are accepted. On Linux an ordinary user cannot give a file they own to another user: changing the owner requires CAP_CHOWN, which in practice means root.

usage: chown [option]... [owner][:[group]] file...

-R  process all files in the given directory and its subdirectories (recursive modification)
Example:
[root@localhost ~]# groupadd kobi
[root@localhost tmp]# ls -l
total 0
--wx--x--x. 1 root root 0 Mar 13 05:24 file
[root@localhost tmp]# chown root:kobi file
[root@localhost tmp]# ll
total 0
--wx--x--x. 1 root kobi 0 Mar 13 05:24 file
[root@localhost tmp]# chown root:jerry file
[root@localhost tmp]# ll
total 0
--wx--x--x. 1 root jerry 0 Mar 13 05:24 file
[root@localhost tmp]# chown jerry file
[root@localhost tmp]# ll
total 0
--wx--x--x. 1 jerry jerry 0 Mar 13 05:24 file    (here jerry is given as the owner, not a group; the group is still jerry from the previous command)
  • 3). chgrp command

(This command changes the group of the given files. Root may set any group; the file's owner may also run chgrp, but only to change to a group the owner is a member of. Changing the owner itself is reserved to root.)
Usage: chgrp [options] group file...

Example:
[root@localhost tmp]# ll
total 0
--wx--x--x. 1 jerry jerry 0 Mar 13 05:24 file
[root@localhost tmp]# chgrp root file
[root@localhost tmp]# ll
total 0
--wx--x--x. 1 jerry root 0 Mar 13 05:24 file

4. The security context of the process

(The model for how a process gets access to files: a process has exactly the access to a file that the user who started it has, because the kernel matches the process's effective UID and group IDs against the file's owner, group and others bits.)

If the effective UID of the process equals the owner of the file, the owner permissions apply.
Otherwise, if the file's group is among the process's groups, the group permissions apply.
Otherwise, the others permissions apply.

Whether a file can be run as a process at all depends on the user having x permission on it according to the same rule, and on the file being something the kernel can execute (a binary, or a script whose interpreter the user can run).
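Section 2 (the judgment logic) and this section describe one algorithm: pick the first matching class, then check only its bits, and check them on the right object for the operation. The following is an added example, not code from the original post, that implements that algorithm over constructed stat-like records; the directory tree, UIDs and GIDs are hypothetical, and uid 0 is used to model root's CAP_DAC_OVERRIDE bypass from the /etc/shadow discussion above.

```python
# Added example (not from the original post): the owner -> group -> others
# first-match rule and which object's bits each operation actually consults.
# All inodes below are constructed stand-ins for stat() results; uids and gids
# are hypothetical.
from collections import namedtuple

R, W, X = 4, 2, 1
Inode = namedtuple("Inode", "mode uid gid is_dir")


def class_bits(inode, uid, gids):
    """Pick the rwx triplet for this subject.  Only the first matching class
    (owner, then group, then others) is consulted; a later class that grants
    more does not help."""
    if uid == inode.uid:
        return (inode.mode >> 6) & 0o7
    if inode.gid in gids:
        return (inode.mode >> 3) & 0o7
    return inode.mode & 0o7


def allowed(inode, uid, gids, want):
    """DAC check for the permission bits in `want`.  uid 0 models root, which
    carries CAP_DAC_OVERRIDE: every check passes except executing a regular
    file that has no x bit at all."""
    if uid == 0:
        return inode.is_dir or not (want & X) or bool(inode.mode & 0o111)
    return (want & ~class_bits(inode, uid, gids)) == 0


def can_enter(d, uid, gids):            # cd: x on the directory
    return allowed(d, uid, gids, X)


def can_list_names(d, uid, gids):       # plain ls: r is enough
    return allowed(d, uid, gids, R)


def can_list_details(d, uid, gids):     # ls -l must stat each entry: r and x
    return allowed(d, uid, gids, R | X)


def can_write_file(path_dirs, f, uid, gids):
    """Modify an existing file's contents: x on every directory of the path and
    w on the file itself.  w on the directory is not needed."""
    return all(allowed(d, uid, gids, X) for d in path_dirs) and allowed(f, uid, gids, W)


def can_unlink(path_dirs, uid, gids):
    """Delete (or rename/create) an entry: x on the ancestors and w+x on the
    containing directory.  The file's own bits are never consulted."""
    *ancestors, parent = path_dirs
    return (all(allowed(d, uid, gids, X) for d in ancestors)
            and allowed(parent, uid, gids, W | X))


# Constructed scenario: /srv/proj (drwxr-xr-x alice:devs) containing
# notes.txt (-rw-rw-r-- bob:devs).  alice=1000, bob=1001, devs=100, eve=2000.
SRV = Inode(0o755, 0, 0, True)
PROJ = Inode(0o755, 1000, 100, True)
NOTES = Inode(0o664, 1001, 100, False)
PATH = [SRV, PROJ]


def scenario():
    return {
        # bob owns the file, so he can edit it; but devs only get r-x on the
        # directory, so he cannot delete the file he owns.
        "bob_writes": can_write_file(PATH, NOTES, 1001, {100}),
        "bob_unlinks": can_unlink(PATH, 1001, {100}),
        # alice owns the directory: she can delete bob's file, and as a devs
        # member she may also write it through the group bits.
        "alice_unlinks": can_unlink(PATH, 1000, {100}),
        "alice_writes": can_write_file(PATH, NOTES, 1000, {100}),
        # eve is "others" everywhere.
        "eve_writes": can_write_file(PATH, NOTES, 2000, {2000}),
        "eve_unlinks": can_unlink(PATH, 2000, {2000}),
    }


def owner_first_trap():
    """dr-xrwxrwx alice:devs -- alice is the owner, so her r-x triplet applies
    and she is refused even though group and others have w.  Returns
    (alice may unlink, bob may unlink)."""
    d = Inode(0o577, 1000, 100, True)
    return can_unlink([SRV, d], 1000, {100}), can_unlink([SRV, d], 1001, {100})


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:14} {v}")
    print("owner-first trap (alice, bob):", owner_first_trap())
```

`owner_first_trap` is the case people get wrong in practice: making a directory group-writable does nothing for its owner if the owner's own triplet was tightened.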

5. ACL (Access Control List)

Access control list

An ACL lets you grant permissions on any file or directory to any individual user or group, beyond the single owner/group/others triplets.

  • Set permissions for a named user

  • Set permissions for a named group

  • A directory's default ACL is inherited by the files and subdirectories created inside it

  • 1). setfacl command

(Use setfacl to set read/write/execute permissions for a single user or group on a single file or directory.)

-m  add or modify ACL entries, written as u:user:perms or g:group:perms
-x  remove the named ACL entry
-b  remove all ACL entries
-R  apply recursively
-d  operate on the default ACL of a directory
  • 2). getfacl command

-R  display ACLs recursively

Example 1: give user curry rwx on the file file. curry is neither the owner nor in the file's group, so as far as the mode bits go curry is "others". How is that done?

setfacl -m u:curry:rwx file

Once the entry has been added for the user, ls -l shows a + after the permission bits (for example -rw-r--r--+), that user can write the file, and the file still belongs to the root user and the root group. Switching to a user with no entry (kd in the original screenshots), the file still cannot be written; switching to curry, it can. One caveat: with an ACL present, the group column of ls -l shows the ACL mask, which caps what named users and groups effectively get, so a later chmod g-w on the file silently cuts curry's access as well; getfacl shows the real picture.

Example 2: adding permissions to a directory with the -d parameter sets the default ACL, which new entries created inside the directory inherit:

setfacl -d -m u:curry:rwx directory
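The following is an added example, not code from the original post or from the acl package, showing how the kernel evaluates the ACL that setfacl produces, fed with getfacl-style text. The two listings are constructed to match Example 1 (root:root, mode 644, then `setfacl -m u:curry:rwx file`) and the chmod g-w caveat; the names curry and kd are the page's and are not looked up on the host.

```python
# Added example (not from the original post): POSIX ACL evaluation over
# getfacl-style text.  Both listings below are constructed for the page's
# scenario; nothing is read from the host.

R, W, X = 4, 2, 1


def perm_bits(text):
    """'rwx', 'r-x', '---' -> integer bits."""
    return (R if "r" in text else 0) | (W if "w" in text else 0) | (X if "x" in text else 0)


def parse_getfacl(text):
    """Parse getfacl output into a dict of ACL entries.  A trailing
    '#effective:...' annotation is informational and is skipped."""
    acl = {"owner": None, "group": None, "user_obj": 0, "group_obj": 0,
           "other": 0, "mask": None, "users": {}, "groups": {}}
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#"):
            continue
        else:
            tag, qualifier, perms = line.split(":")
            bits = perm_bits(perms)
            if tag == "user" and qualifier:
                acl["users"][qualifier] = bits
            elif tag == "user":
                acl["user_obj"] = bits
            elif tag == "group" and qualifier:
                acl["groups"][qualifier] = bits
            elif tag == "group":
                acl["group_obj"] = bits
            elif tag == "mask":
                acl["mask"] = bits
            elif tag == "other":
                acl["other"] = bits
            else:
                raise ValueError(f"unknown ACL entry: {line!r}")
    return acl


def acl_allows(acl, user, groups, want):
    """Access check in the order acl(5) prescribes: owner entry, named user
    entry, then the owning group and named groups (any one of them that grants
    the request is enough), finally other.  Named-user and all group entries
    are limited by the mask; the owner and other entries are not."""
    def masked(bits):
        return bits if acl["mask"] is None else bits & acl["mask"]

    def grants(bits):
        return (want & ~bits) == 0

    if user == acl["owner"]:
        return grants(acl["user_obj"])
    if user in acl["users"]:
        return grants(masked(acl["users"][user]))
    group_entries = []
    if acl["group"] in groups:
        group_entries.append(acl["group_obj"])
    group_entries += [bits for g, bits in acl["groups"].items() if g in groups]
    if group_entries:
        return any(grants(masked(bits)) for bits in group_entries)
    return grants(acl["other"])


# Constructed: getfacl file, right after `setfacl -m u:curry:rwx file`.
# setfacl recomputed the mask as the union of the group-class entries (rwx).
AFTER_SETFACL = """\
# file: file
# owner: root
# group: root
user::rw-
user:curry:rwx
group::r--
mask::rwx
other::r--
"""

# Constructed: the same file after `chmod g-w file`.  chmod rewrites the mask,
# not group::, and getfacl flags the reduced effective rights.
AFTER_CHMOD = """\
# file: file
# owner: root
# group: root
user::rw-
user:curry:rwx\t\t\t#effective:r--
group::r--
mask::r--
other::r--
"""


def page_scenario():
    """(curry can rwx after setfacl, kd can write, curry can write after chmod g-w)."""
    a, b = parse_getfacl(AFTER_SETFACL), parse_getfacl(AFTER_CHMOD)
    return (acl_allows(a, "curry", {"curry"}, R | W | X),
            acl_allows(a, "kd", {"kd"}, W),
            acl_allows(b, "curry", {"curry"}, W))


if __name__ == "__main__":
    print(page_scenario())   # (True, False, False)
```

The third value is the reason to check ACLs with getfacl rather than ls -l: the named-user entry still says rwx, but the mask that chmod wrote caps it at r--.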

6. Permission mask (umask)

The umask (022 by default for most accounts) is applied to the base permission that the creating system call asks for: 666 for a new file and 777 for a new directory. The x bits are absent from the file base so that ordinary files are never created executable.

  • Default file permissions: 666 masked by 022 gives 644
  • Default directory permissions: 777 masked by 022 gives 755

Treating this as octal subtraction works for 022 but fails for masks that clear bits the base does not have: for a file, 666 "minus" 033 is not 633 but 644, because the file base has no x bits to remove. The usual patch for the shortcut ("if a digit of the result has execute permission, add 1") is exactly a correction for that case. The real rule is a bitwise operation:

1. Write the base permission (directory 777, file 666) and the umask in binary.
2. Invert the umask.
3. AND the base permission with the inverted umask.
4. Convert the result back to octal; that is the permission.

Example: umask 033

6   6   6           umask   0   3    3

110 110 110               000 011  011   # in binary

                          111 100  100   # inverted umask

110 110 110
AND            # base permission AND inverted umask
111 100 100    # inverted umask

110  100  100
6    4    4    # back to octal
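To check the derivation above against the kernel, here is an added example, not code from the original post, that computes the mode both ways (bitwise AND versus the digit-subtraction shortcut) and then creates a real file and directory under a temporary directory to read back what the kernel assigned. The umask values in the demo are constructed; the temporary directory is removed afterwards.

```python
# Added example (not from the original post): the mode a new file or directory
# gets is base & ~umask, not octal subtraction.  default_mode() computes it,
# naive_subtraction() reproduces the digit-by-digit shortcut so the two can be
# compared, and observe() creates real entries under a temp dir to confirm
# what the kernel does.  The umask values in the demo are constructed.
import os
import tempfile

FILE_BASE, DIR_BASE = 0o666, 0o777   # what open(2)/creat(2) and mkdir(2) ask for


def default_mode(base, umask):
    """The rule the kernel applies: clear every bit that is set in the umask."""
    return base & ~umask & 0o777


def naive_subtraction(base, umask):
    """Octal subtraction digit by digit (floored at 0).  Right for 022, wrong
    whenever the umask clears a bit the base never had."""
    result = 0
    for shift in (6, 3, 0):
        b, u = (base >> shift) & 0o7, (umask >> shift) & 0o7
        result |= max(b - u, 0) << shift
    return result


def compare(umask):
    """(file mode, naive file mode, dir mode, naive dir mode) for one umask."""
    return (default_mode(FILE_BASE, umask), naive_subtraction(FILE_BASE, umask),
            default_mode(DIR_BASE, umask), naive_subtraction(DIR_BASE, umask))


def observe(umask):
    """Set `umask` for this process, create a file and a directory in a fresh
    temp dir, and return the modes the kernel actually assigned.  The previous
    umask is restored afterwards."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            fpath, dpath = os.path.join(tmp, "f"), os.path.join(tmp, "d")
            open(fpath, "w").close()      # open(2) with mode 0666
            os.mkdir(dpath)               # mkdir(2) with mode 0777
            return (os.stat(fpath).st_mode & 0o777, os.stat(dpath).st_mode & 0o777)
    finally:
        os.umask(old)


if __name__ == "__main__":
    for m in (0o022, 0o033, 0o027, 0o077):
        f, nf, d, nd = compare(m)
        print(f"umask {m:03o}: file {f:03o} (subtraction says {nf:03o}), "
              f"dir {d:03o} (subtraction says {nd:03o})")
    print("umask 033 on disk:", tuple(f"{x:03o}" for x in observe(0o033)))
```

The umask is per process and inherited across fork/exec, which is why a service started from a shell with umask 077 creates unreadable files, and why a deploy script run from a permissive shell can leave world-readable secrets behind.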

7. Special permissions for files

SUID, SGID and SBIT (the sticky bit)
(They are shown in the x position of the respective triplet: a lowercase s or t when the underlying x bit is also set, an uppercase S or T when it is not, which usually indicates a misconfiguration.)

  • 1). SUID

Shown as s (or S) in the owner's x position; octal 4000.

1. It is only honoured on binary executables: Linux ignores SUID on scripts, and on filesystems mounted with nosuid.
2. The executor needs execute permission on the program.
3. It only takes effect for the lifetime of the process created by running the program: program -----> process.
4. The process runs with the effective UID of the program's owner, so a SUID-root binary runs as root for whoever executes it. This is how passwd can update /etc/shadow, and why every SUID binary on a system deserves an audit.

  • 2). SGID

Shown as s (or S) in the group's x position; octal 2000.
1. On a binary executable it works like SUID for the group: the process runs with the effective GID of the program's group.
2. The executor needs execute permission on the program.
3. SGID is mostly used on directories: files created inside inherit the directory's group instead of the creator's primary group, and new subdirectories inherit the SGID bit as well, which is what makes shared project directories work.

  • 3). SBIT (sticky bit)

Shown as t (or T) in the others' x position, as on /tmp (drwxrwxrwt); octal 1000.
1. Only meaningful on directories.
2. In a world-writable directory with the sticky bit, an entry may be deleted or renamed only by the file's owner, the directory's owner or root, even though everyone has w on the directory.
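The following is an added example, not code from the original post, that decodes the three special bits into the letters ls -l prints and then scans a directory tree for set-id files, the check a pentester or hardening reviewer runs first (the shell equivalent is `find / -perm -4000 -type f`). The tree it scans is constructed in a temporary directory; nothing on the host is examined, and file names such as passwd_like are hypothetical.

```python
# Added example (not from the original post): decoding SUID/SGID/sticky into the
# letters ls -l prints (s/S, t/T) and scanning a tree for set-id files.  The
# tree is constructed in a temporary directory; nothing on the host is examined.
import os
import stat
import tempfile


def mode_to_string(mode):
    """ls -l style type+permission string.  A special bit is lowercase when the
    x bit beneath it is set and uppercase when it is not (S/T means the special
    bit is present but that class cannot execute/search)."""
    kinds = {stat.S_IFDIR: "d", stat.S_IFLNK: "l", stat.S_IFREG: "-"}
    out = [kinds.get(stat.S_IFMT(mode), "?")]
    for shift, special, letter in ((6, stat.S_ISUID, "s"),
                                   (3, stat.S_ISGID, "s"),
                                   (0, stat.S_ISVTX, "t")):
        triplet = (mode >> shift) & 0o7
        out.append("r" if triplet & 4 else "-")
        out.append("w" if triplet & 2 else "-")
        if mode & special:
            out.append(letter if triplet & 1 else letter.upper())
        else:
            out.append("x" if triplet & 1 else "-")
    return "".join(out)


def find_setid(root):
    """(relative path, mode string, owner uid) for every regular file under
    root with SUID or SGID.  lstat() is used so symlinks are not followed, and
    only regular files count: the kernel honours these bits on binaries, not on
    scripts, and not at all on a filesystem mounted nosuid."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((os.path.relpath(path, root), mode_to_string(st.st_mode), st.st_uid))
    return sorted(hits)


def demo():
    """Build a small constructed tree; return (set-id hits, sticky dir string)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "bin"))
        suid = os.path.join(tmp, "bin", "passwd_like")   # hypothetical name
        plain = os.path.join(tmp, "bin", "plain")
        drop = os.path.join(tmp, "drop")
        for p in (suid, plain):
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")          # content is irrelevant to the bits
        os.chmod(suid, 0o4755)                  # -rwsr-xr-x
        os.chmod(plain, 0o755)                  # -rwxr-xr-x
        os.mkdir(drop)
        os.chmod(drop, 0o1777)                  # drwxrwxrwt, like /tmp
        return find_setid(tmp), mode_to_string(os.stat(drop).st_mode)


if __name__ == "__main__":
    for m in (0o4755, 0o4644, 0o2755, 0o2664):
        print(f"{m:05o} -> {mode_to_string(stat.S_IFREG | m)}")
    for m in (0o2775, 0o1777, 0o1776):
        print(f"{m:05o} -> {mode_to_string(stat.S_IFDIR | m)}")
    print(demo())
```

Run `find_setid` against `/` (as root, so every directory is searchable) and compare the result with the distribution's expected list; any SUID file outside the package-managed set, or any S/T entry, is worth a closer look.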

8. Appendix

  • Add an ACL entry to everything in a directory: setfacl -R -m u:boboyu:rw- testdirectory/ (-R applies the entry to the directory and to every file and subdirectory under it)

  • Remove a single entry: setfacl -x u:curry /tmp/file

  • Remove all ACL entries: setfacl -b /tmp/file

9. Hidden attributes

1). lsattr

Under Linux the stat command shows a file's ordinary attributes. Beyond those, files carry attribute flags that neither ls nor stat displays; lsattr shows them.

Note: these flags are fully supported only on ext2/ext3/ext4; other filesystems may support only some of them or none at all.

-a  show the attributes of all files, including those whose names begin with .
-R  recurse into subdirectories
-d  show the attributes of a directory itself rather than of the files inside it

2). chattr

Format: chattr [+-=][ai] file

a  append-only: data can only be appended to the file, never overwritten or removed. Typically used to protect server log files. Only root can set or clear it.
i  immutable: the file cannot be deleted, renamed, hard-linked, written to or appended to, not even by root, for as long as the flag is set. Only root (CAP_LINUX_IMMUTABLE) can set it, and root can clear it again with chattr -i, so it guards against accidents and careless tooling, not against an attacker who already has root. Because ls -l does not show these flags, a "Permission denied" on a file whose mode looks fine is the cue to run lsattr.


Origin blog.csdn.net/qq_44944641/article/details/104827406