1. User related commands
useradd - create a user; by default a group with the same name as the user is created as well
groupadd - create a user group
usermod - modify user attributes, such as the UID, the primary group, supplementary groups, etc.
passwd - modify password-related properties, such as changing the password or setting its expiry time
userdel - delete a user
groupdel - delete a user group
umask - view/set the permission bits that are removed by default when a user creates a file/directory
The mask is taken away from rw-rw-rw- (666) for files and from rwxrwxrwx (777) for directories
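Added example, not code from the original notes: the umask rule above worked out in POSIX sh. The mask is applied as a bitwise AND-NOT against the base mode, not as arithmetic subtraction, which is why umask 033 on a file still gives 644 rather than 633; the function names are my own.

```shell
# Added example, not from the original notes: compute the mode a new file or
# directory receives under a given umask. The mask is applied as a bitwise
# AND-NOT against the base mode (666 for files, 777 for directories), not
# as arithmetic subtraction: umask 033 on a file yields 644, not 633, because
# a file never starts with x bits that could be taken away.
mode_after_umask() {
    base=$1   # 666 for a file, 777 for a directory (octal)
    mask=$2   # umask value such as 022 or 077 (octal)
    # A leading 0 makes $(( )) treat the string as octal, as in C
    printf '%03o\n' $(( 0$base & ~0$mask ))
}

file_mode_under_umask() { mode_after_umask 666 "$1"; }
dir_mode_under_umask()  { mode_after_umask 777 "$1"; }

# Show the effect of a few masks; 022 is the common default, 077 is a
# common hardening choice that keeps new files private to their owner.
for m in 022 027 033 077; do
    printf 'umask %s -> file %s, directory %s\n' "$m" \
        "$(file_mode_under_umask "$m")" "$(dir_mode_under_umask "$m")"
done
```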
chown - set the user/group to which a file/directory belongs
-R recursive
su - switch user identity
The difference between su - and su: whether the environment variables are switched to those of the new user. With - they are switched; without - they are not.
sudo - execute commands as another user
Use visudo to edit the configuration file of the sudo service
Only the root user can run visudo
Format
who can use   allowed hosts=(as whom)   list of executable commands
Example: root ALL=(ALL:ALL) ALL    # ALL:ALL means run as any user : any group
yc ALL=(ALL) NOPASSWD: ALL    # NOPASSWD: means no password is required
2. File Type
- normal file
d directory file
l link file (symbolic link)
b block device file
c character device file
p pipe file
3. Normal file permissions
          | file owner | group the file belongs to | other users
character | rwx        | rwx                       | rwx
r - 4; w - 2; x - 1
4. File special permissions
4.1 SUID
A special permission set on a binary program: whoever executes the binary temporarily gets the permissions of the binary's owner while it runs.
For example, /bin/passwd has permission rwsr-xr-x. Running it modifies the user's password, which is stored in /etc/shadow, and the permission of /etc/shadow is 000. The s permission guarantees that when other users execute the binary, they can temporarily use the root identity to modify the shadow file.
chmod u+s /xx/yy/zz
Note: the s takes the place of the owner's x bit; it shows as s if x is set and as S if x is not set
4.2 SGID
Two functions
1. As a special permission set on a binary program: whoever executes the binary gets the permissions of the binary's group while it runs.
For example, ps has permission r-xr-sr-x and needs to access /dev/kmem when executing (kmem is a character device file that holds the data accessed by the kernel program)
chmod g+s /xx/yy/zz
2. As a special permission set on a directory: files newly created in (or moved into) the directory automatically inherit the directory's group.
Applicable to directory sharing within a group: no matter which member creates a file there, it belongs to the group.
chmod -R g+s /xx/yy/
Note: the s takes the place of the group's x bit; it shows as s if x is set and as S if x is not set
4.3 SBIT
The protection bit is set on a directory. After setting it, a file in the directory can only be deleted by its owner, even if other users have w permission on the directory.
Whether user A can delete a file depends on whether A has w permission on the directory containing the file, not on whether A has w permission on the file itself.
Applicable to directory sharing within a group: even if other group members have permission to view someone's folder, they cannot delete its files.
chmod -R o+t /xx/yy/
Note: the t takes the place of the x bit of other users; it shows as t if x is set and as T if x is not set
5. File Hidden Permissions
5.1 setattr
Set (+) / remove (-) hidden permissions
5.2 lsattr
View hidden permissions
5.3 Common hidden permissions
i - file: cannot be modified; directory: sub-files in the directory can be modified, but sub-files cannot be created or deleted
a - content can only be appended; existing content cannot be modified or deleted
S - changes to file content are synced to the hard disk immediately
s - on deletion the file is completely erased from the hard disk and cannot be recovered (the disk area it occupied is filled with zeros)
d - skip this file/directory when backing up with dump
u - when the file is deleted, its data is kept on the hard disk
6. File Access Control List ACL
6.1 Understanding
Common permissions, special permissions and hidden permissions all control access at the granularity of three groups: user, group and other;
ACL controls access per user, i.e. it can specify any user's access rights to a file/directory. (For example, the other permission of file x is r--; if you now want user vbird, who falls under other, to have rwx while everyone else in other keeps r--, you need an ACL.)
If an ACL is set on a directory, files in the directory inherit it;
If an ACL is set on a file, the file no longer inherits the ACL of its directory;
Note: in ls -l output, if the character after the permission bits is ".", no ACL is set; if it is "+", an ACL is set on the file/directory.
6.2 setfacl
Set the ACL of a file/directory
-R - apply recursively (set the ACL on a directory and everything under it)
-m - modify/set ACL entries on the file
-b - remove all ACL entries of the file/directory
Example:
Use an ACL to prevent all members of the yc group from writing in the /tmp directory
Analysis:
Not being able to write in the directory means not being able to add/delete files in it (remove w on the directory) and not being able to modify the files (remove w on the files), so the command is:
setfacl -Rm g:yc:r-x /tmp
6.3 getfacl
View the ACL of a file/directory
7. File related commands
chmod - set file permissions, including hidden permissions
Usage such as chmod go+wx x.file
-R recursive