Linux Should Learn This Way: file permissions

File permissions and ownership

Although everything in a Linux system is a file, files are of different types, so the system uses a distinguishing character for each type (it is the first character of an ls -l entry). The common characters are:

-: ordinary file
d: directory file
l: link file
b: block device file
c: character device file
p: pipe file

A file's read, write and execute permissions are abbreviated as rwx, and can also be represented by the numbers 4, 2 and 1 respectively. The permissions of the file owner, the file's group and other users are independent of one another, as shown in Table 5-5.

Table 5-5: Character and number representation of file permissions (Chapter 5, User Identity and File Permission)

Permission item   read  write  execute  read  write  execute  read  write  execute
Character         r     w      x        r     w      x        r     w      x
Number            4     2      1        4     2      1        4     2      1
Assigned to       file owner             file group             other users

Numbers and letters can be converted back and forth when defining file permissions: each triplet is the sum of its r/w/x weights, so rw-r--r-- is 644 and rwxr-x--- is 750.

Special permissions for files

SUID

SUID is a special permission bit for binary programs: whoever runs the program temporarily acquires the permissions of the file's owner (it only takes effect on binaries that have execute permission). The elevation is temporary and lasts only for that one execution.

Take the /etc/shadow file as an example. If you look carefully at this file you will find that its default permission is 000, which means that no user except the root administrator has permission to view or edit it. Yet every user can change their own password with the passwd command, which must write to this file; that works because the passwd binary carries the SUID bit, so whoever runs it temporarily has the permissions of its owner, root.

SGID

SGID mainly implements the following two functions:

Let whoever runs a program temporarily have the permissions of the file's group (set on binary programs that have execute permission);

Files created in a directory automatically inherit the user group of the directory (this use can only be set on directories).

The first function of SGID is designed by analogy with SUID. The difference is that the user executing the program no longer temporarily receives the permissions of the file owner, but those of the group to which the file belongs. For example, in early Linux systems, /dev/kmem was a character device file used to store data to be accessed by the kernel program

[root@myserver tmp]# mkdir 2021_test
[root@myserver tmp]# ls -ald 2021_test/
drwxr-xr-x. 2 root root 6 Jan 16 22:22 2021_test/
[root@myserver tmp]# chmod -Rf 777 2021_test/
[root@myserver tmp]# ls -ald 2021_test/
drwxrwxrwx. 2 777 root 6 Jan 16 22:22 2021_test/
[root@myserver tmp]# chmod  -Rf g+s 2021_test/
[root@myserver tmp]# ls -ald 2021_test/
drwxrwsrwx. 2 777 root 6 Jan 16 22:22 2021_test/
[root@myserver tmp]# 

SBIT

When the SBIT (sticky bit) special permission is set on a directory, the x execution position of the "others" permission triplet is shown as t or T: t if the others triplet originally had execute permission, and T if it did not. Files in such a directory can then be deleted only by their owner.

Of course, other ordinary users cannot delete them, while the root user still can.
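As an added example (not code from the original post), the following Python converts between the letter and number forms discussed above, including the s/S and t/T characters that SUID, SGID and SBIT place in the x position:

```python
# Added example, not from the original post: convert between the symbolic form
# (rwxr-sr-t) and numeric form (3755) of Linux permissions. The leading octal
# digit holds the special bits: SUID=4, SGID=2, SBIT=1.
WEIGHT = {"r": 4, "w": 2, "x": 1}
# per triplet: (letter when x is also set, letter when x is absent, special bit)
SPECIAL = (("s", "S", 4), ("s", "S", 2), ("t", "T", 1))

def symbolic_to_octal(mode: str) -> str:
    """'rwxr-sr-t' -> '3755'; a full ls -l field such as 'drwxrwsrwx' is accepted."""
    if len(mode) == 10:
        mode = mode[1:]                     # drop the file-type character
    if len(mode) != 9:
        raise ValueError(f"expected 9 permission characters, got {mode!r}")
    special, digits = 0, []
    for i in range(3):
        triplet = mode[3 * i:3 * i + 3]
        value = 0
        for ch, expected in zip(triplet[:2], "rw"):
            if ch == expected:
                value += WEIGHT[ch]
            elif ch != "-":
                raise ValueError(f"bad character {ch!r} in {mode!r}")
        lower, upper, bit = SPECIAL[i]
        last = triplet[2]
        if last == "x":
            value += 1
        elif last == lower:                 # s or t: special bit and x both set
            value += 1
            special |= bit
        elif last == upper:                 # S or T: special bit set but x missing
            special |= bit
        elif last != "-":
            raise ValueError(f"bad character {last!r} in {mode!r}")
        digits.append(value)
    return f"{special}{digits[0]}{digits[1]}{digits[2]}"

def octal_to_symbolic(octal: str) -> str:
    """'2777' -> 'rwxrwsrwx'; a 3-digit value is treated as having no special bits."""
    special, *triplets = (int(d, 8) for d in octal.zfill(4))
    out = []
    for i, value in enumerate(triplets):
        out.append("r" if value & 4 else "-")
        out.append("w" if value & 2 else "-")
        lower, upper, bit = SPECIAL[i]
        if special & bit:                   # special bit is shown in the x position
            out.append(lower if value & 1 else upper)
        else:
            out.append("x" if value & 1 else "-")
    return "".join(out)
```

A capital S or T in an ls -l listing is worth a second look when auditing: it means the special bit is set on something that is not even executable by that class, which is usually a mistake in a chmod.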

Hidden attributes of files

The chattr command is used to set the hidden attributes of a file; the format is "chattr [parameter] file". To add a hidden attribute to a file, give "+parameter" after the command; to remove one, give "-parameter".

i	The file cannot be modified; if set on a directory, only the contents of existing files inside it may be modified, and files cannot be created or deleted
a	Only appending content is allowed; existing content cannot be overwritten or deleted (append only)
S	File content is synchronised to disk immediately after every change (sync)
s	Delete completely from disk, unrecoverably (the disk area the file occupied is filled with zeros)
A	The last access time (atime) of this file or directory is no longer updated
b	The access time of the file or directory is no longer updated
D	Check for errors in compressed files
d	Ignore this file or directory when backing up with the dump command
c	Compress the file or directory by default
u	Keep the file's data on disk after it is deleted, to allow later recovery
t	Let the file system support tail-merging
x	Allow direct access to the contents of compressed files

lsattr command

The lsattr command is used to display the hidden attributes of a file; the format is "lsattr [parameter] file". In a Linux system these hidden attributes can only be seen with lsattr; ordinary commands such as ls give no clue:

[root@myserver tmp]# lsattr  chattr_test2021 
----ia-A---------- chattr_test2021
[root@myserver tmp]# 

File access control list

This is where the file access control list (FACL) comes in. In plain terms, setting an ACL on an ordinary file or directory means setting operation permissions on that file or directory for a specified user or user group. In addition, if a FACL is set on a directory, the files in it inherit that FACL; if a FACL is set on a file, the file no longer inherits the ACL of the directory it is in.

setfacl command

The setfacl command is used to manage the ACL rules of files; the format is "setfacl [parameter] file name". A file ACL provides an extra layer of permission control beyond the read/write/execute permissions of the owner, group and others: with setfacl you can control the read/write/execute permissions of a single user or user group on a single file or directory. Use the -R recursive parameter for directories and the -m parameter for ordinary files; to remove a file's ACL, use the -b parameter. Let's set a user's permissions on the /root directory.

getfacl command

The getfacl command is used to display the ACL information set on a file; the format is "getfacl file name". The commands in the Linux system are so neat and easy to remember: to set an ACL, use setfacl; to view an ACL, use getfacl. Next we use getfacl to display all ACL information set on the root administrator's home directory.
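As an added example (not from the original post), the following Python shows how the entries that getfacl prints are combined into an access decision, including the mask entry that caps every named entry; the sample ACL text, the users alice and bob and the group devs are constructed, as if created with setfacl -m:

```python
# Constructed sample in getfacl's text format (added example, not from the post).
SAMPLE_ACL = """\
# file: project
# owner: root
# group: root
user::rwx
user:alice:rwx                  #effective:rw-
group::r-x                      #effective:r--
group:devs:rw-
mask::rw-
other::---
"""

def parse_acl(text: str) -> dict:
    """Return owner, owning group and the user/group/mask/other entry tables."""
    acl = {"user": {}, "group": {}, "mask": {}, "other": {}}
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            acl["owner"] = raw.split(":", 1)[1].strip()
        elif raw.startswith("# group:"):
            acl["group_owner"] = raw.split(":", 1)[1].strip()
        elif raw.startswith("#") or not raw.strip():
            continue
        else:   # drop getfacl's "#effective:" annotation, then split kind:name:perms
            kind, name, perms = raw.split("#", 1)[0].strip().split(":")
            acl[kind][name] = perms   # name "" is the owner / owning-group / mask / other entry
    return acl

def _grants(perms: str, want: str, mask: str = "rwx") -> bool:
    """True if every requested permission is present and not removed by the mask."""
    return all(c in perms and c in mask for c in want)

def check_access(acl: dict, user: str, groups: set, want: str) -> bool:
    """POSIX ACL check order: owner, named user, matching groups, then other."""
    mask = acl["mask"].get("", "rwx")               # no mask entry means no cap
    if user == acl["owner"]:                        # owner entry is never masked
        return _grants(acl["user"][""], want)
    if user in acl["user"]:                         # named user, capped by the mask
        return _grants(acl["user"][user], want, mask)
    matched = False
    for name, perms in acl["group"].items():
        owning = name == "" and acl["group_owner"] in groups
        if owning or (name and name in groups):
            matched = True                          # a group entry applies ...
            if _grants(perms, want, mask):          # ... and one of them must grant
                return True
    if matched:
        return False                                # groups matched but none granted
    return _grants(acl["other"][""], want)          # other entry is never masked
```

The mask is the detail that surprises most people: alice's entry says rwx, but the "#effective:rw-" getfacl prints is what the kernel enforces, so a chmod on the group bits (which rewrites the mask) silently changes what every named user and group can do.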

su command and sudo service

The su command meets the need to switch user identity: the current user can switch to another user without logging out, for example from the root administrator to an ordinary user. The minus sign (-) placed between su and the user name means switching to the new user completely, that is, the environment variables are replaced with those of the new user instead of the original ones being retained.

The sudo command gives ordinary users the additional permissions needed to complete tasks that otherwise only the root administrator could perform. The format is "sudo [parameter] command name".

-h List help information
-l List the commands executable by the current user
-u username or UID value Execute the command as the specified user
-k Clear the cached password validity period, so the next sudo asks for the password again
-b Execute the specified command in the background
-p Change the prompt for asking for a password
The sudo command has the following features:

Restricts users to executing specified commands;

Records every command a user executes;

The configuration file (/etc/sudoers) provides centralised management of users, permissions, hosts and other parameters;

Within 5 minutes (by default) after a password is verified, the user does not need to enter the password again.

Editing the configuration file with visudo

If you need to allow a user to execute only a specified command as the root administrator, remember to give the absolute path of the command, otherwise the system will not recognise it. First use the whereis command to find the path where the command is stored, then change the user permission parameter on line 99 of the configuration file to that path.

Source: blog.csdn.net/yanghuadong_1992/article/details/112725674