Re-learning the operating system-08 | User and authority management instructions: Please briefly describe the principle of Linux authority division?

Table of Contents

1. Permission abstraction

1.1 Users and groups

2. Several issues related to permissions

2.1 After a file is created, how are its initial permissions set?

2.2 Permissions of public executable files

2.3 Executing files

2.4 Can multiple users log in as root and then only use the root account?

3. The permission architecture idea

3.1 Division of permissions

3.2 Hierarchical protection

3.3 User and group commands

3.3.1 View

3.3.2 Create user

3.3.3 Create group

3.3.4 Add secondary groups for a user

3.3.5 Modify a user's primary group

4. Questions

1. Permission abstraction

A complete permission management system needs a sensible set of abstractions: abstractions of users, processes, files, memory, and system calls.

1.1 Users and groups

Linux is a multi-user platform: multiple users can log in to the system at the same time and work. Linux abstracts users into accounts. An account can log in to the system, for example by entering a login name and password, or by logging in with a certificate.

To make assigning permissions to each user easier, Linux also supports group accounts. A group is a collection of accounts, and a group can grant a certain kind of permission to its members. Each user can belong to multiple groups, so groups can be used to assign permissions to users quickly.

The concept of a group is a bit like a WeChat group. A user can be in multiple groups. For example, if a group has been granted permissions on 10 directories, a newly created user can simply be added to that group, and there is no need to visit each directory and grant permissions to the new user separately.

Every WeChat group has a group owner, and in Linux the root account, also called the super administrator, plays that role: it has complete control over the system, and a super administrator can use every capability the system provides.

Linux also abstracts file permissions (note that a directory is also a kind of file). A file in Linux can be given the following 3 permissions:

  1. Read permission (r): controls reading the file.
  2. Write permission (w): controls writing to the file.
  3. Execute permission (x): controls executing the file, for example a script or an application.

Each file then configures these 3 permissions in 3 dimensions:

  1. The user dimension. Each file belongs to exactly 1 user (its owner), and the rwx configured in the user dimension applies to that user;
  2. The group dimension. Each file belongs to exactly 1 group, and the rwx configured in the group dimension applies to members of that group;
  3. The all-users dimension. Permissions for all other users, that is, everyone who is neither the owner nor a member of the group.

Therefore, file permissions in Linux can be described by 9 characters, 3 groups of rwx:

  • the first group is the user (owner) permissions
  • the second group is the group permissions
  • the third group is the permissions of all other users

A - in place of a letter means that permission is absent. For example, rwxrwxrwx means every dimension can read, write and execute. rw--wxr-x means the user dimension cannot execute, the group dimension cannot read, and the all-users dimension cannot write.

Normally, when you use ls -l to view a file's permissions, you see 10 characters, because the first character represents the file type: there are pipe files, directory files, link files, and so on.

- stands for a regular file, d stands for a directory, and p stands for a pipe.

2. Several issues related to permissions

2.1 After a file is created, how are its initial permissions set?

After a file is created, its user is set to the user who created it: whoever creates it owns it, which is quite natural. But how is the file's group assigned?

Linux uses a neat approach here: a group with the same name is created for each user.

For example, when the account zhang is created, a group called zhang is created along with it. After zhang logs in, zhang's working group is by default the group zhang with the same name. If zhang wants to switch working group, the newgrp command switches to another group. A created file therefore belongs to the user's working group at the time of creation, which, unless changed, is the group with the same name as the user.

What about the file's permissions? After a file is created, the permissions are usually:

rw-rw-r--

That is, the user and group dimensions cannot execute, and all users can read.
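The following is an added example, not code from the original post, that makes the three points above concrete: how the 9 rwx characters (and the 10-character form that ls -l prints) are decoded, which single dimension applies to a given caller, and which permissions a new file receives. The access rule implemented is the classic Linux check for an unprivileged process (root, ACLs and capabilities are deliberately not modelled); the initial-permission computation assumes the process umask mechanism, which the post itself does not mention, and the function names are this example's own.

```python
# Added example (not from the original post): decode rwx strings, apply the
# owner/group/others rule, and compute a new file's initial permissions.
from dataclasses import dataclass

FILE_TYPES = {"-": "regular file", "d": "directory", "p": "named pipe",
              "l": "symbolic link", "c": "character device",
              "b": "block device", "s": "socket"}


@dataclass(frozen=True)
class Mode:
    ftype: str   # one of FILE_TYPES
    user: str    # owner triple, e.g. "rw-"
    group: str   # group triple
    other: str   # all-other-users triple


def parse_mode(s: str) -> Mode:
    """Parse 'rw-rw-r--' (9 chars) or '-rwxr-xr-x' (10 chars, as ls -l prints)."""
    if len(s) == 9:
        s = "-" + s                      # no type character: assume a regular file
    if len(s) != 10 or s[0] not in FILE_TYPES:
        raise ValueError(f"not a mode string: {s!r}")
    for pos, expected in enumerate("rwxrwxrwx", start=1):
        if s[pos] not in (expected, "-"):
            raise ValueError(f"bad character {s[pos]!r} at position {pos}")
    return Mode(s[0], s[1:4], s[4:7], s[7:10])


def triple_to_bits(triple: str) -> int:
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0."""
    return ((4 if triple[0] == "r" else 0)
            | (2 if triple[1] == "w" else 0)
            | (1 if triple[2] == "x" else 0))


def bits_to_triples(bits: int) -> str:
    """0o644 -> 'rw-r--r--' (the 9-character form used in the post)."""
    out = []
    for shift in (6, 3, 0):
        t = (bits >> shift) & 0o7
        out.append(("r" if t & 4 else "-")
                   + ("w" if t & 2 else "-")
                   + ("x" if t & 1 else "-"))
    return "".join(out)


def mode_to_octal(mode: Mode) -> int:
    """Combine the three triples into the familiar octal number, e.g. 0o755."""
    return (triple_to_bits(mode.user) << 6
            | triple_to_bits(mode.group) << 3
            | triple_to_bits(mode.other))


def may_access(mode: Mode, file_uid: int, file_gid: int,
               uid: int, gids: set, want: str) -> bool:
    """Exactly one triple applies to a caller, chosen in this order: owner if the
    caller owns the file, else group if the caller is in the file's group, else
    other. There is no fall-through: an owner whose triple is '---' is refused
    even when the group triple would have allowed the access."""
    if uid == file_uid:
        triple = mode.user
    elif file_gid in gids:
        triple = mode.group
    else:
        triple = mode.other
    return all(ch in triple for ch in want)


def initial_mode(umask: int, directory: bool = False) -> str:
    """Permissions a freshly created file (base 0o666) or directory (base 0o777)
    receives after the process umask clears bits (assumed mechanism, see above).
    A new regular file is therefore never executable, whatever the umask."""
    base = 0o777 if directory else 0o666
    return bits_to_triples(base & ~umask & 0o777)


if __name__ == "__main__":
    ls_mode = parse_mode("-rwxr-xr-x")   # the /usr/bin/ls line from the post
    print(FILE_TYPES[ls_mode.ftype], oct(mode_to_octal(ls_mode)))
    print("umask 002 ->", initial_mode(0o002), "| umask 022 ->", initial_mode(0o022))
```

The post's rw-rw-r-- corresponds to a umask of 002; many distributions default to 022, which yields rw-r--r-- instead, so the "usual" initial permissions depend on the umask of the creating shell.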

2.2 Permissions of public executable files

As mentioned earlier, you can use the which command to find the directory where the ls command lives; we found it in /usr/bin. Then use ls -l to check the permissions of ls, and you see the following output:

~]# ls -l /usr/bin/ls
-rwxr-xr-x 1 root root 143368 Jun 10  2020 /usr/bin/ls

The first - means this is a regular file; the following rwx means the user dimension can read, write and execute; the second triple, r-x, means the group dimension cannot write; the third triple, r-x, means all users can read and execute. Of the two roots that follow, the first is the user (owner) and the second is the group.

At this point you may have a question: if a file is set to be unreadable but executable, what happens?

The answer, of course, is that it cannot be executed, and naturally its content cannot be read either.

2.3 Executing files

In Linux, if a file is executable, it can be run directly by entering its path (relative or absolute). If you try to execute a file that is not executable, Linux reports an error.

When the user enters only a file name without the full path, Linux searches for the file in a fixed set of directories. You can see which directories Linux searches for executables with echo $PATH; PATH is a Linux environment variable:

~]# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/local/go/bin:/root/bin
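As an added example (not code from the original post), the lookup just described, done by hand: walk the PATH entries left to right and take the first regular file the caller may execute, exactly as the shell does for a bare command name. Alongside it is the check a defender wants on a PATH value: an entry of "." or an empty entry means the current directory is searched, and a world-writable directory lets any local user plant a file with the name of a real command. The function names, the throwaway directories and the sample PATH are constructed for this example.

```python
# Added example (not from the original post): resolve a bare command name
# through PATH the way the shell does, and audit a PATH value for risky entries.
import os
import stat
import tempfile


def split_path(path_value: str) -> list:
    """Split 'a:b::c' into entries; an empty entry means the current directory."""
    return [entry or "." for entry in path_value.split(":")]


def is_executable_file(path: str) -> bool:
    """A regular file that the calling user may execute (access(2) semantics)."""
    return os.path.isfile(path) and os.access(path, os.X_OK)


def resolve_command(name: str, path_value: str):
    """Return the full path the shell would run for NAME, or None.
    A name containing '/' is used as given, like typing ./script or /usr/bin/ls;
    only a bare name is searched through PATH."""
    if "/" in name:
        return name if is_executable_file(name) else None
    for entry in split_path(path_value):
        candidate = os.path.join(entry, name)
        if is_executable_file(candidate):
            return candidate          # first match wins, so entry order matters
    return None


def audit_path(path_value: str) -> list:
    """Findings a defender cares about: the current directory being searched
    (via '.' or an empty entry) and directories other users can write to."""
    findings = []
    for raw in path_value.split(":"):
        if raw in ("", "."):
            findings.append(f"current directory is searched (entry {raw!r})")
            continue
        try:
            st = os.stat(raw)
        except FileNotFoundError:
            continue                  # a missing directory is useless but harmless
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
            findings.append(f"{raw} is world-writable")
    return findings


def demo() -> dict:
    """Construct a throwaway PATH of two directories under a temp dir and show
    first-match resolution; the results are returned so they can be checked."""
    root = tempfile.mkdtemp()
    first = os.path.join(root, "bin")
    second = os.path.join(root, "sbin")
    os.mkdir(first)
    os.mkdir(second)
    # The same name exists in both directories; only the second copy is executable.
    with open(os.path.join(first, "tool"), "w") as f:
        f.write("not executable\n")
    os.chmod(os.path.join(first, "tool"), 0o644)
    with open(os.path.join(second, "tool"), "w") as f:
        f.write("#!/bin/sh\necho hi\n")
    os.chmod(os.path.join(second, "tool"), 0o755)
    os.chmod(first, 0o777)            # world-writable, like a carelessly created /opt/bin
    path_value = f"{first}:{second}:"  # trailing ':' is an empty entry
    return {
        "resolved": resolve_command("tool", path_value),
        "expected": os.path.join(second, "tool"),
        "missing": resolve_command("nosuchtool", path_value),
        "findings": audit_path(path_value),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Note that the non-executable copy in the first directory is skipped rather than reported as an error: the search continues to the next entry, so a missing x bit on the intended program silently hands execution to whatever later entry matches.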

2.4 Can multiple users log in as root and then only use the root account?

The last question: can everyone simply be root?

The answer is of course no! Yet in actual production we do just that. Root privilege really is too dangerous, and you should raise your awareness of how Linux privileges are used.

The kernel provides the core capabilities of operating hardware, disks, memory paging, processes and so on, and has the right to manipulate all memory directly. Therefore the kernel cannot hand all of its capabilities to users, nor can it let users issue arbitrary system calls through shell commands. Under Linux the kernel provides the system calls that processes need in the form of a C-language API, and some system calls carry permission checks, for example the system call that sets the system time.

3. The permission architecture idea

The main goal of a good permission architecture is to keep the system safe and stable and to restrict and isolate users and programs from each other. This requires the division of permissions to be clear enough and the cost of assigning permissions to be low enough.

Therefore a good architecture should follow the principle of least privilege. Authorization design must guarantee the security and stability of the system: for example, each member's privileges should be as small as possible, and each privileged program's execution should be as short as possible. At a high security level, members' permissions are also required to check each other. In the financial field, for example, logging in to an online database usually requires two logins, that is, two passwords, each held by a different role. In this way, even if one member has a problem, the safety of the whole system is still guaranteed.

Likewise, each program should run with reduced permissions, for example read and write access to only a few directories, and the ability to make only a few system calls.

3.1 Division of permissions

The design of a permission architecture should also follow one principle: the boundaries between permissions should be clear enough that they isolate each other as much as possible. Linux provides users and groups for this, though it does not force you to divide permissions, so as to suit more scenarios. Usually the important applications on a server run under different accounts: Nginx, the web server and the database, for example, would not run under one account. Now, with the development of containerization, we even want each application to have its own virtual space, as if it were running in a separate operating system, so that applications do not interfere with each other.

3.2 Hierarchical protection

Because the kernel can directly manipulate memory and the CPU, it is very dangerous. Drivers directly control core devices such as cameras and displays, and they also need security measures, for example to stop a malicious application turning on the camera to steal privacy. Operating systems usually adopt a ring protection model.

As shown in the figure above, the kernel sits innermost, in Ring 0. Applications sit outermost, in Ring 3. Drivers sit in the middle, in Ring 1 and Ring 2. Between two adjacent rings, the inner ring has the higher authority and can change the outer ring, while when the outer ring wants to use the inner ring's resources, a special program (or hardware) provides the protection.

For example, when a Ring 3 application needs to use the kernel, it must issue a system call to the kernel. The kernel verifies this system call, for example checking whether the user has sufficient permissions and whether the behaviour is safe.

3.3 User and group commands

3.3.1 View

Use the groups command:

The command lists all the groups of the current user. The first one is the primary group with the same name as the user, and those that follow, starting from adm, are secondary groups.

Let me introduce two of the groups first; you can look up the others yourself:

  • The adm group is used for system monitoring; for example, some of the logs in /var/log belong to the adm group.
  • Users in the sudo group can elevate their privileges through the sudo command.

If you want to view the current user, use the id command, as shown below:

~]# id
uid=0(root) gid=0(root) groups=0(root)

  • uid is the user id;
  • gid is the id of the user's primary group;
  • groups lists the id and name of each group the user belongs to.

If you want to view all users, you can directly look at /etc/passwd.

~]# more /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

The file /etc/passwd stores all user information, one account per line, with the fields separated by colons.

3.3.2 Create user

sudo useradd foo

sudo originally meant superuser do, but it later came to mean executing a command as another user. If the user to run as is not specified, as above, the command runs as the super administrator. useradd requires administrator status, so when this line is executed the privileges are elevated and a prompt to enter the administrator password appears.

3.3.3 Create group

sudo groupadd hello

3.3.4 Add secondary groups for a user

Groups are divided into primary groups and secondary groups. A user has only one primary group but can have multiple secondary groups. To add a secondary group to a user, use the usermod command. The following command adds user foo to the sudo group, so that foo gains sudo permissions.

sudo usermod -a -G sudo foo

-a stands for append, -G takes the list of secondary groups, and the final foo is the account name.

3.3.5 Modify a user's primary group

sudo usermod -g somegroup foo
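As an added example, not code from the original post, the following small in-memory model of /etc/passwd and /etc/group ties sections 3.3.1 to 3.3.5 together: it reproduces what the groups and id commands report, and applies the semantics of useradd (with a same-named private group), groupadd, usermod -a -G (append; without -a the secondary list is replaced, which is the mistake practitioners make most often) and usermod -g. It also carries the check behind section 2.4: which accounts have UID 0 and which are in the sudo group. The passwd lines are the first four printed in the post; the group lines, the account foo, the groups hello and somegroup, and the UID/GID allocation rule (first free number from 1000) are constructed for this example. Field layouts assumed: /etc/passwd is name:x:uid:gid:comment:home:shell, /etc/group is name:x:gid:member1,member2. The groups command prints groups in /etc/group order; this model sorts secondary groups by name for simplicity.

```python
# Added example (not from the original post): in-memory model of
# /etc/passwd and /etc/group with the view and modification commands from 3.3.

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
"""
GROUP_SAMPLE = """\
root:x:0:
bin:x:1:
daemon:x:2:
adm:x:4:
sudo:x:27:
"""


class UserDb:
    """Stand-in for /etc/passwd and /etc/group; constructed data, nothing on disk."""

    def __init__(self, passwd_text: str, group_text: str):
        self.users = {}     # name -> [uid, gid, shell]
        self.groups = {}    # name -> [gid, set of secondary members]
        for line in passwd_text.splitlines():
            name, _pw, uid, gid, _comment, _home, shell = line.split(":")
            self.users[name] = [int(uid), int(gid), shell]
        for line in group_text.splitlines():
            name, _pw, gid, members = line.split(":")
            self.groups[name] = [int(gid), {m for m in members.split(",") if m}]

    def _gid_name(self, gid: int) -> str:
        for name, (g, _members) in self.groups.items():
            if g == gid:
                return name
        raise KeyError(gid)

    # --- what the groups and id commands report ---------------------------
    def groups_of(self, user: str) -> list:
        """Primary group first, then secondary groups (the groups command)."""
        _uid, gid, _shell = self.users[user]
        primary = self._gid_name(gid)
        secondary = sorted(name for name, (_g, members) in self.groups.items()
                           if user in members and name != primary)
        return [primary] + secondary

    def id_line(self, user: str) -> str:
        """The id command's output line for USER."""
        uid, gid, _shell = self.users[user]
        groups = ",".join(f"{self.groups[g][0]}({g})" for g in self.groups_of(user))
        return f"uid={uid}({user}) gid={gid}({self._gid_name(gid)}) groups={groups}"

    # --- useradd / groupadd / usermod ---------------------------------------
    def _next_free(self, taken) -> int:
        n = 1000                  # assumed: ordinary accounts start at 1000
        while n in taken:
            n += 1
        return n

    def groupadd(self, name: str) -> int:
        if name in self.groups:
            raise ValueError(f"group {name} exists")
        gid = self._next_free({g for g, _m in self.groups.values()})
        self.groups[name] = [gid, set()]
        return gid

    def useradd(self, name: str, shell: str = "/bin/bash") -> int:
        """A same-named group is created and becomes the primary group."""
        if name in self.users:
            raise ValueError(f"user {name} exists")
        uid = self._next_free({u for u, _g, _s in self.users.values()})
        gid = self.groupadd(name)
        self.users[name] = [uid, gid, shell]
        return uid

    def usermod_set_groups(self, name: str, groups: list, append: bool = True) -> None:
        """usermod -G g1,g2 name; append=True is the -a flag. Without -a the
        user is first removed from every secondary group."""
        if not append:
            for _g, members in self.groups.values():
                members.discard(name)
        for g in groups:
            self.groups[g][1].add(name)

    def usermod_primary_group(self, name: str, group: str) -> None:
        """usermod -g group name: change the primary group."""
        self.users[name][1] = self.groups[group][0]

    # --- the check behind section 2.4: who is effectively root? --------------
    def uid0_accounts(self) -> list:
        return sorted(n for n, (uid, _g, _s) in self.users.items() if uid == 0)

    def sudoers_via_group(self) -> list:
        return sorted(self.groups.get("sudo", [None, set()])[1])


if __name__ == "__main__":
    db = UserDb(PASSWD_SAMPLE, GROUP_SAMPLE)
    db.useradd("foo")                          # sudo useradd foo
    db.groupadd("hello")                       # sudo groupadd hello
    db.usermod_set_groups("foo", ["sudo"])     # sudo usermod -a -G sudo foo
    print(db.id_line("foo"), "| uid 0:", db.uid0_accounts())
```

Running the four commands from 3.3.2 to 3.3.5 against this model shows the order of the groups output the post describes (primary group first) and, in uid0_accounts, the audit answer to 2.4: more than one entry there means more than one account is root in all but name.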


4. Questions

1. Why not use the root account to run programs?

For example, if you have a MySQL process running under the root (highest-privilege) account, and a hacker breaks into your MySQL service and gains the ability to execute SQL on it, then your entire system is immediately exposed to the hacker. This can lead to very serious consequences.

Hackers can use MySQL's Copy From Program command to do whatever they want, for example backing up your key files first, then deleting them, and extorting you into sending money to a designated account. If the principle of least privilege is implemented, then even if a hacker breaks into our MySQL service, they obtain only the least privilege. Of course, a hacker obtaining MySQL permissions is still very scary, but compared with obtaining all permissions the loss is much smaller.

2. Please briefly describe the principle of Linux permission division?

  1. Linux follows the principle of least privilege.
  2. The permissions controlled by each user should be as small as possible, and so should those controlled by each group. In actual production, it is best if administrator privileges can be split so that administrators check each other and problems are prevented.
  3. Each application should have as few permissions as possible. Ideally, each application occupies a separate container (such as Docker), so that there is no problem of mutual interference; even if the application is compromised, Docker's protection layer is not.
  4. Use root as little as possible. If a user needs root capability, the use should be tightly bracketed: elevate privileges at the moment they are needed (for example with sudo), and release them immediately after the task is done.
  5. The system level implements hierarchical protection of permissions, dividing the system's permissions into rings; when an outer ring calls an inner ring, the inner ring must check permissions.


Origin blog.csdn.net/MyySophia/article/details/113853124