Linux notes 4: user identity and file permissions

User identity and capabilities

The root user has extremely high authority: it can add and delete users, start and stop processes, and so on.
In fact, root is just a name; what really makes an account a superuser is its UID value.
UID (USER ID): Each user has a corresponding UID value, just like an ID number.
Superuser UID 0: by default this is the root user.
System users UID 1-999: system services run as different users, which is more secure; by default these accounts are not allowed to log in to the system.
Ordinary users UID 1000 and above: created by the administrator for daily work and cannot be used to manage the system.
The account names and UIDs of users are stored in the /etc/passwd file, and the account passwords are stored in the /etc/shadow file.

GID (GROUP ID): Multiple users can be grouped into a group to make assigning permissions or tasks easier. User group names and GIDs are stored in /etc/group.
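To make the UID ranges above concrete, here is an added example (not from the original notes) that classifies accounts from a constructed /etc/passwd excerpt and flags two things a defender checks first: any account other than root whose UID is 0 (a second superuser, whatever its name), and system accounts in the 1-999 range that still have a login shell. The sample accounts sshd, svc and backup, their UIDs and the hadoop line are made up for the example.

```shell
#!/bin/sh
# Added example: classify accounts by UID range and flag extra UID-0 accounts.
# SAMPLE_PASSWD is a constructed /etc/passwd excerpt, not taken from any real host;
# the "backup" line is deliberately a second UID-0 account and "svc" is a
# system account that was given a login shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
svc:x:500:500:service account:/var/svc:/bin/bash
hadoop:x:1000:1000::/home/hadoop:/bin/bash
backup:x:0:0:backup account:/root:/bin/bash'

# classify_uid UID -> superuser | system | ordinary (ranges as in the notes)
classify_uid() {
  if [ "$1" -eq 0 ]; then
    echo superuser
  elif [ "$1" -lt 1000 ]; then
    echo system
  else
    echo ordinary
  fi
}

# audit_passwd: read passwd-format lines on stdin, print "name uid class shell"
audit_passwd() {
  while IFS=: read -r name pw uid gid gecos home shell; do
    [ -n "$name" ] || continue
    printf '%s %s %s %s\n' "$name" "$uid" "$(classify_uid "$uid")" "$shell"
  done
}

# extra_uid0: print every account other than root whose UID is 0.
# Such an account is a superuser regardless of its name ("root is just a name");
# a clean system prints nothing.
extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# system_with_login_shell: system accounts (UID 1-999) whose shell allows login,
# i.e. accounts that are not restricted to nologin/false as the notes expect.
system_with_login_shell() {
  awk -F: '$3 >= 1 && $3 <= 999 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# On a real host:  audit_passwd < /etc/passwd ; extra_uid0 < /etc/passwd
```

Run the same functions against the real /etc/passwd to get the report for a host; the constructed sample exists only so the script runs offline.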

File permissions and ownership

In Linux, everything is a file. The ownership and permissions of files and directories respectively define the read, write, and execute permissions of the file's owner, its owning group, and other users.
The following example shows that index.html is a file; owner permissions: read and write; owning group permissions: read-only; other users' permissions: read-only.
The first character gives the file type: -: ordinary file; d: directory; l: link; b: block device; c: character device; p: pipe.
Execute permission on an ordinary file means the file can be run; execute permission on a directory means the user can enter the directory.

-rw-r--r--  1 root root 2381 Oct 19 10:29 index.html

File special permissions

SUID: lets whoever runs the program temporarily have the permissions of its owner (only valid for binary programs with execute permission)
SGID: 1) lets whoever runs the program temporarily have the permissions of its group (only valid for executable files)
2) files created in the directory automatically join the directory's user group (only valid for directories)

The chmod command modifies the permissions of a file or directory. Format: chmod [parameter] permissions file-or-directory-name
The chown command modifies the owner and group of a file or directory. Format: chown [parameter] owner:group file-or-directory-name
Example
As root, create the directory ttdir and give it execute permission (SUID and SGID can only be added to files or directories that have execute permission),
then add the SGID permission and switch to the hadoop user, which can enter and edit the directory normally. That is, the user hadoop temporarily has the permissions of the directory's group: the file test it creates is owned by hadoop but belongs to group root, the group of the directory.

[root@bogon tmpdir]# mkdir ttdir
[root@bogon tmpdir]# ls -ald ttdir
drwxr-xr-x 2 root root 6 Oct 27 04:40 ttdir
[root@bogon tmpdir]# ls -ald ttdir
drwxrwxrwx 2 root root 6 Oct 27 04:40 ttdir
[root@bogon tmpdir]# chmod -rf g+s ttdir
chmod: invalid mode: ‘-rf’
Try 'chmod --help' for more information.
[root@bogon tmpdir]# chmod -R g+s ttdir
[root@bogon tmpdir]# ls -ald ttdir
drwxrwsrwx 2 root root 6 Oct 27 04:40 ttdir
[root@bogon tmpdir]# su hadoop
[hadoop@bogon tmpdir]$ cd ttdir
[hadoop@bogon ttdir]$ ll
total 0
[hadoop@bogon ttdir]$ echo “hello ” > test
[hadoop@bogon ttdir]$ ll
total 4
-rw-r--r-- 1 hadoop root 13 Oct 27 04:54 test

SBIT (sticky bit): users can only manage their own data and cannot delete other people's files (only valid for directories).
Example: the root user enters the /tmp directory; the last character t in its permissions means the directory has the SBIT (sticky bit). Root creates the file test.txt and gives all users read, write and execute permission (chmod 777), then switches to the ordinary user hadoop and tries to delete the file; the deletion fails. Although the permission bits would allow it, the sticky bit does not let you delete other people's files.

[root@bogon tmp]# ls -adl /tmp
drwxrwxrwt. 12 root root 4096 Oct 27 03:41 /tmp
[root@bogon tmp]# echo 123>test.txt
[root@bogon tmp]# ll
-rw-r--r-- 1 root root  0 Oct 27 05:06 test.txt
[root@bogon tmp]# chmod 777 test.txt
[root@bogon tmp]# su hadoop
[hadoop@bogon tmp]$ ll
-rwxrwxrwx 1 root root  0 Oct 27 05:06 test.txt
[hadoop@bogon tmp]$ rm test.txt
rm: cannot remove ‘test.txt’: Operation not permitted
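As an added example covering both the permission string described under "File permissions and ownership" and the SUID, SGID and SBIT bits above (this is not code from the original notes): a small script that converts ls -l mode strings such as -rw-r--r--, drwxrwsrwx and drwxrwxrwt into four-digit octal, then audits a listing for setuid/setgid files and world-writable directories that lack the sticky bit. The listing lines are constructed from the ones in the sessions above; helper is an invented file name.

```shell
#!/bin/sh
# Added example: decode ls -l mode strings (including s/S/t/T special bits) and
# audit a listing. SAMPLE_LS is constructed, modelled on the listings in the notes.
SAMPLE_LS='-rw-r--r--   1 root root 2381 Oct 19 10:29 index.html
drwxrwsrwx   2 root root    6 Oct 27 04:40 ttdir
drwxrwxrwt. 12 root root 4096 Oct 27 03:41 tmp
-rwsr-xr-x   1 root root 1234 Oct 27 05:06 helper
-rwxrwxrwx   1 root root    0 Oct 27 05:06 test.txt'

# mode_to_octal MODESTRING -> four-digit octal, special bits first
# e.g. -rw-r--r-- -> 0644, drwxrwsrwx -> 2777, drwxrwxrwt -> 1777, -rwsr-xr-x -> 4755
mode_to_octal() {
  printf '%s\n' "$1" | awk '{
    s = substr($0, 2, 9)               # skip the file-type character
    special = 0; out = ""
    for (i = 0; i < 3; i++) {          # 0 = owner, 1 = group, 2 = others
      bits = 0
      r = substr(s, i*3 + 1, 1); w = substr(s, i*3 + 2, 1); x = substr(s, i*3 + 3, 1)
      if (r == "r") bits += 4
      if (w == "w") bits += 2
      if (x == "x" || x == "s" || x == "t") bits += 1    # lowercase: execute bit also set
      if (i == 0 && (x == "s" || x == "S")) special += 4 # SUID
      if (i == 1 && (x == "s" || x == "S")) special += 2 # SGID
      if (i == 2 && (x == "t" || x == "T")) special += 1 # sticky bit
      out = out bits
    }
    print special out
  }'
}

# audit_ls: read ls -l lines on stdin and print one finding per line.
# SGID on a directory is the group-inheritance feature shown above, so only
# regular files are reported for setuid/setgid.
audit_ls() {
  while read -r mode links owner group size mon day tm name; do
    [ -n "$name" ] || continue
    oct=$(mode_to_octal "$mode")
    special=${oct%???}                # first digit: special bits
    other=${oct#???}                  # last digit: permissions of others
    case $mode in
      -*)
        if [ $((special & 4)) -ne 0 ]; then echo "$name: setuid file (runs with the rights of owner $owner)"; fi
        if [ $((special & 2)) -ne 0 ]; then echo "$name: setgid file (runs with the rights of group $group)"; fi
        if [ $((other & 2)) -ne 0 ]; then echo "$name: world-writable file"; fi
        ;;
      d*)
        if [ $((other & 2)) -ne 0 ] && [ $((special & 1)) -eq 0 ]; then
          echo "$name: world-writable directory without sticky bit (any user can delete others' files)"
        fi
        ;;
    esac
  done
}

# On a real host:  ls -l /some/dir | audit_ls
```

For the sample, ttdir (2777) is reported because it is world-writable without the sticky bit, /tmp (1777) is not, helper is reported as setuid, and test.txt as world-writable; index.html produces nothing.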

File hidden attributes

Besides read, write, execute and SUID, SGID and SBIT, files also have hidden attributes. For example, a file can be set so that content can only be appended to it and never removed.
The chattr command sets the hidden attributes of a file. Format: chattr [parameter] file
Parameters:

i    The file cannot be modified; if set on a directory, existing sub-files can be modified but files cannot be created or deleted
a    Only appending content is allowed; the file cannot be deleted or overwritten
...

The lsattr command displays the hidden attributes of a file. Format: lsattr [parameter] file
Parameters:

a     Show all files and directories
l     Show the full names of the hidden attributes
R     Process recursively
d     Required when the target file is a directory

Example
The file 555.txt can be deleted successfully when no special attribute is added.
After recreating 555.txt and adding the special attribute a, content can only be appended to the file; it can no longer be overwritten or deleted.

[root@bogon ~]# echo '555'>555.txt
[root@bogon ~]# rm 555.txt
rm: remove regular file ‘555.txt’? y
[root@bogon ~]# echo '555' >555.txt
[root@bogon ~]# chattr +a 555.txt
[root@bogon ~]# echo '5555'>>555.txt
[root@bogon ~]# echo '5555'>555.txt
-bash: 555.txt: Operation not permitted
[root@bogon ~]# rm 555.txt
rm: remove regular file ‘555.txt’? y
rm: cannot remove ‘555.txt’: Operation not permitted

su command and sudo service

su command

Used to change the user identity (switch the login user). Format: su [-] username. With the - parameter the environment variables are switched at the same time; if no username is given, it switches to root. Only the root user does not need to enter a password when switching to other users.
The example shows that with the - parameter the shell automatically moves to the user's home directory and the environment variables are switched at the same time; otherwise neither the working directory nor the environment variables change. Likewise, when leaving with exit, a session started with - prints logout, otherwise only exit is printed.

[root@bogon ~]# su hadoop
[hadoop@bogon root]$ su root
Password: 
[root@bogon ~]# su - hadoop
Last login: Tue Oct 27 07:51:53 EDT 2020 on pts/1
[hadoop@bogon ~]$ echo $PATH
/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/opt/apps/jdk/bin:/home/hadoop/.local/bin:/home/hadoop/bin
[hadoop@bogon ~]$ su root
Password: 
[root@bogon hadoop]# su hadoop
[hadoop@bogon ~]$ su -  root
Password: 
Last login: Tue Oct 27 07:53:30 EDT 2020 on pts/1
[root@bogon ~]# echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/apps/jdk/bin:/root/bin
[root@bogon ~]# su hadoop
[hadoop@bogon root]$ echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/apps/jdk/bin:/root/bin
[hadoop@bogon root]$ 
[root@bogon ~]# su hadoop
[hadoop@bogon root]$ exit
exit
[root@bogon ~]# su - hadoop
Last login: Tue Oct 27 07:59:17 EDT 2020 on pts/1
[hadoop@bogon ~]$ exit
logout

sudo instruction

sudo gives ordinary users the extra permissions needed to complete tasks that originally required the superuser. Format: sudo [parameter] command
The su command can switch the login user to root, which adds hidden dangers. With sudo, ordinary users can be granted execute permission for specific commands only, which is safer: reduce permissions as far as possible while still letting ordinary users complete their work.
The specific functions of sudo:
1. Restrict users to executing specified commands
2. Record every command executed by users
3. Centrally manage users, permissions, hosts and other parameters in the configuration file (/etc/sudoers)
4. After the password is verified, it does not need to be entered again for 5 minutes (default), which is more convenient
Parameters:

-h  List help information
-l  List the commands the current user may execute
-u  username or UID    Execute the command as the specified user
-k  Clear the grace period; the next sudo must verify the password again
-b  Execute the specified command in the background
-p  Change the password prompt

visudo command
Only the superuser can use the visudo command to edit the /etc/sudoers file. The command prevents several people from modifying the file at the same time, and it checks the syntax of the file content; if the check fails, the file cannot be saved.
Example
Allow the hadoop user to execute all commands through sudo.
Edit the file with the visudo command and add the hadoop rule after line 99, configured as follows:

root ALL=(ALL) ALL
hadoop ALL=(ALL) ALL

Switch to the hadoop user and list the commands that can be executed through sudo. Accessing the /root directory directly is denied, but through sudo it can be accessed normally.

[root@bogon ~]# su - hadoop
Last login: Tue Oct 27 08:20:08 EDT 2020 on pts/1
[hadoop@bogon ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for hadoop: 
Sorry, try again.
[sudo] password for hadoop: 
Matching Defaults entries for hadoop on bogon:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User hadoop may run the following commands on bogon:
    (ALL) ALL
[hadoop@bogon ~]$ ls /root
ls: cannot open directory /root: Permission denied
[hadoop@bogon ~]$ sudo ls /root
555.txt          date.txt    res.txt      test       testdd.txt  tmpdir         tmpfile  ttt.txt
anaconda-ks.cfg  index.html  root.tar.gz  test2.txt  test.txt    tmpdir.tar.gz  tstd

Similarly, you can configure:
hadoop ALL=(ALL) ALL        # the hadoop user can execute all commands as any user
hadoop ALL=(root) /bin/cat  # the hadoop user can execute the /bin/cat command as the root user
hadoop ALL=NOPASSWD:ALL     # the hadoop user can execute any command as any identity without password verification
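Added example (not part of the original notes): a script that parses rule lines of the three forms above, as they would appear in /etc/sudoers, and reports how much each grants. The sudoers excerpt is constructed; the only assumption is that a rule has the form "user HOST=(RUNAS) [NOPASSWD:] commands" with the runas list optional, which is how the rules above are written.

```shell
#!/bin/sh
# Added example: classify sudoers rules by how much they grant.
# SAMPLE_SUDOERS is a constructed excerpt built from the rule forms in the notes.
SAMPLE_SUDOERS='# constructed excerpt, not a real /etc/sudoers
Defaults    env_reset
root    ALL=(ALL)       ALL
hadoop  ALL=(ALL)       ALL
hadoop  ALL=(root)      /bin/cat
hadoop  ALL=NOPASSWD:ALL'

# sudoers_risk "user HOST=(RUNAS) [NOPASSWD:] CMDS" -> one-line verdict
sudoers_risk() {
  user=$(printf '%s\n' "$1" | awk '{ print $1 }')
  rhs=$(printf '%s\n' "$1" | sed 's/^[^=]*=//')        # "(RUNAS) TAGS CMDS"
  nopass=no
  case $rhs in *NOPASSWD:*) nopass=yes ;; esac
  # strip the optional "(runas)" list, any "TAG:" prefixes, and leading blanks
  cmds=$(printf '%s\n' "$rhs" | sed -e 's/^([^)]*)//' -e 's/^.*://' -e 's/^[[:space:]]*//')
  if [ "$cmds" = ALL ]; then
    if [ "$nopass" = yes ]; then
      echo "$user: unrestricted root, no password"
    else
      echo "$user: unrestricted root"
    fi
  else
    echo "$user: limited to $cmds"
  fi
}

# sudoers_audit: apply sudoers_risk to every rule line on stdin,
# skipping blank lines, comments and Defaults lines
sudoers_audit() {
  while IFS= read -r line; do
    case $line in
      ''|'#'*|Defaults*) continue ;;
    esac
    sudoers_risk "$line"
  done
}

# On a real host (as root):  sudoers_audit < /etc/sudoers
```

A rule whose command list is ALL is full root no matter what the runas list says, and NOPASSWD removes the only check between a user's session and root. A rule limited to one command is narrower but still runs that command as root, so judge the command itself: the /bin/cat rule above lets hadoop read any file root can read.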

File access control list

The rwx permissions above control access for a whole category of users. To control the permissions of a specific user, a file access control list (ACL) is needed.
ACLs can be set on files or directories (specifying the access rights of a user or a user group). If a policy is set on a directory, its sub-files inherit the access policy by default (unless configured otherwise).

The setfacl command adds or modifies ACL rules. Format: setfacl [parameter] file

-R      Recursive (for directories)
-m      Set an ACL rule on the file
-b      Remove all ACL rules

The getfacl command displays the ACL rules of a file. Format: getfacl file

Example
The /root directory normally cannot be accessed by the hadoop user. Here, add access permission on /root for hadoop, then switch to the hadoop user to access the directory.

[root@bogon ~]# setfacl -rm u:hadoop:rwx /root
Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
Try `setfacl --help' for more information.
[root@bogon ~]# setfacl -Rm u:hadoop:rwx /root
setfacl: /root/ttt.txt: Operation not permitted
setfacl: /root/555.txt: Operation not permitted
[root@bogon ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
user:hadoop:rwx
group::r-x
mask::rwx
other::---
[root@bogon ~]# su - hadoop
Last login: Tue Oct 27 08:23:45 EDT 2020 on pts/1
[hadoop@bogon ~]$ cd /root
[hadoop@bogon root]$ ll
total 52
-rw-r--r--  1 root root    9 Oct 27 07:43 555.txt
-rw-rwx---+ 1 root root 1260 Jun 10 05:26 anaconda-ks.cfg
-rw-rwxr--+ 1 root root 1595 Oct 26 04:59 date.txt
-rw-rwxr--+ 1 root root 2381 Oct 19 10:29 index.html
-rw-rwxr--+ 1 root root  767 Oct 19 09:51 res.txt
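Added example (not from the original notes) for the getfacl output above: the permissions a named user actually gets are the entry's permissions ANDed with the mask:: entry, and a later chmod on the group bits rewrites that mask, so an rwx entry can quietly become r-x. The script takes constructed getfacl output (modelled on the /root listing above, plus a second copy with the mask narrowed to r-x) and reports the effective permissions of hadoop in each case.

```shell
#!/bin/sh
# Added example: effective permissions of a named ACL user, mask included.
# Both samples are constructed getfacl outputs; the second has a narrowed mask,
# which is what happens after e.g. "chmod g-w" on a file that carries an ACL.
SAMPLE_ACL='# file: root
# owner: root
# group: root
user::r-x
user:hadoop:rwx
group::r-x
mask::rwx
other::---'

SAMPLE_ACL_MASKED='# file: root
# owner: root
# group: root
user::r-x
user:hadoop:rwx
group::r-x
mask::r-x
other::---'

# acl_effective NAME: read getfacl output on stdin, print the effective
# permissions of named user NAME (entry perms ANDed with mask::), "none" if absent
acl_effective() {
  awk -F: -v who="$1" '
    $1 == "user" && $2 == who { perms = substr($3, 1, 3) }
    $1 == "mask"              { mask  = substr($3, 1, 3) }
    END {
      if (perms == "") { print "none"; exit }
      if (mask == "")  { print perms;  exit }
      out = ""
      for (i = 1; i <= 3; i++) {
        p = substr(perms, i, 1); m = substr(mask, i, 1)
        out = out ((p != "-" && m != "-") ? p : "-")
      }
      print out
    }'
}

# acl_named_users: list the named-user entries present; the "+" at the end of
# an ls -l mode string (as in the listing above) tells you that such entries exist
acl_named_users() {
  awk -F: '$1 == "user" && $2 != "" { print $2 }'
}

# On a real host:  getfacl /root | acl_effective hadoop
```

With the first sample hadoop gets rwx; with the narrowed mask the same user:hadoop:rwx entry only yields r-x, which is the case to check when an ACL "does not work" after a chmod.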

Origin blog.csdn.net/zhangxm_qz/article/details/109312113