【Linux】Permission Management

1. Shell commands and how they work

Strictly speaking, Linux is an operating system kernel, the so-called Linux kernel; but because users are not good at dealing with the kernel directly, we do not use the kernel itself but go through a program wrapped around it, the "shell", which communicates with the kernel on our behalf;

From a technical point of view, the shell is most simply defined as a "command interpreter", and its work has two parts:

  • Translate the user's commands and pass them to the kernel for processing;
  • Translate the kernel's processing results and return them to the user;

Take the Windows we are familiar with: we do not operate the Windows kernel directly, but through the interface provided by the Windows GUI (graphical user interface). For example, when we double-click to run an .exe program or maximize/minimize a window, the Windows GUI translates these operations into instructions the Windows kernel can understand and passes them to the kernel for processing; when the kernel has finished, the GUI translates the results back into something we can understand, so the cost of interacting with the Windows kernel drops greatly.

The shell plays the same role for Linux: it parses our instructions, passes them to the Linux kernel, and then presents the processing results to the user;

At the same time, the shell also protects the operating system in passing: it parses the instructions the user types, and if it finds an illegal instruction it reports an error directly instead of passing the bad instruction on to the kernel, so the kernel only ever sees legitimate instructions, which protects the operating system to a certain extent.

In addition, to keep the shell itself from crashing because of a user's illegal instruction, the shell generally does not execute the instruction itself but forks a child process to execute it. We will cover multi-process topics in more detail later;

Therefore, the shell, like the GUI, is essentially a layer of software (a "shell") outside the kernel that connects the user with the kernel.

In order to better understand the relationship between the kernel and the shell, let's take an interesting example:

Suppose you are an excellent programmer from a well-off family: your father is the village head, the family owns two apartments and a car, and you yourself earn 300,000+ a year; you fall in love with Ruhua, another girl in the village, but you are very introverted and dare not tell her;

However, your village has a very capable matchmaker, Wang Po, the best for ten miles around: there is no match she cannot arrange. So you go to Wang Po and ask her to approach Ruhua on your behalf, and Wang Po does;

Unfortunately, Ruhua says you are a nice person but not the right one for her; she is already engaged to a rich, handsome man in the village and will marry in a year;

But you are very single-minded and have set your heart on Ruhua, so you keep asking Wang Po to try again and again. After a few attempts Wang Po sees that this match is completely hopeless, so she stops answering you and no longer approaches Ruhua;

Seeing that Wang Po is ignoring you, you say to her: "My father is the village head, Wang Po, go and talk to her once more." Wang Po can see that the matter is hopeless, but if she keeps going back to Ruhua about this match again and again, her own reputation will suffer;

In the end Wang Po thinks of a way: she takes on a dozen apprentices, and every time you come to her she finds some high-sounding excuse for being busy and sends an apprentice to see Ruhua instead, so that even if the attempt fails it can be blamed on the apprentice being young and inexperienced; in this way she neither offends the village head nor loses her own reputation.

In this example, Wang Po corresponds to the shell: she passes your (the user's) information (instructions) to Ruhua (the kernel) and relays Ruhua's answers back to you; Wang Po repeatedly refusing to go on with the match corresponds to the shell intercepting illegal instructions and thereby protecting the kernel; and finally, Wang Po sending her apprentices to do the matchmaking so as to protect her own reputation corresponds to the shell protecting itself from crashing by forking a child process to execute the instruction instead of executing it directly.

Shell is the general term for such "shell" programs, and different Linux distributions may ship different shell programs. Among them, bash is the standard GNU shell, so it has become the standard shell on all Linux distributions, and most modern distributions provide bash by default. In the example above, "shell" is the role of matchmaker, and bash is Wang Po.


2. The concept of Linux permissions

1. User classification

There are two kinds of users in Linux: the super user (root) and ordinary users.

  • Super user: can do anything on the Linux system and is almost unrestricted by permissions;

  • Ordinary user: can only do things within the scope of its own permissions;

  • The command prompt of the super user is "#", and the command prompt of an ordinary user is "$";

2. Switch users

The command to switch users in Linux is su;

In Linux, switching from the super user to an ordinary user can be done simply with "su username", without any further check.

But if we want to switch from an ordinary user to the super user, we need to enter the root password; there are two ways for an ordinary user to switch to root:

  • su: switch to root but stay in the current working directory;
  • su -: switch to root as a login shell, which starts in root's home directory;


Note: for security reasons, Linux does not echo the password typed at the keyboard, so nothing appears on the screen while we enter it;

3. User privilege escalation

When we use Linux at work, there may be situations where a command must be executed with super-user authority, but we do not want to switch users; instead we want the ordinary user to execute that one command as root;

The sudo command does exactly this.

We executed the sudo command and found two strange phenomena:

1. Using sudo gives us root's authority, so one would expect to be prompted for root's password, but in fact it asks for our own user's password;

2. When I execute the sudo command as thj, it prompts that the thj user is not in the sudoers file, and sudo fails;

Both phenomena come from the mechanism of sudo: its purpose is to put as few barriers as possible in the way of trusted users, namely the users listed in the sudoers file. When we are in the sudoers file, it means the root user fully trusts us, so when we use sudo to escalate privileges we only need to enter our own password; if we are not in the sudoers file, we naturally cannot use sudo to escalate privileges;

Note: sudo remembers a successful authentication for 15 minutes, so after one successful sudo we can run sudo again within the next 15 minutes without re-entering the password;
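As an added illustration (not from the original post), this is what a sudoers entry that makes thj one of the trusted users looks like; the file name under /etc/sudoers.d and the shortened timeout are assumptions for the example.

```text
# /etc/sudoers.d/thj   (assumed file name; edit with: visudo -f /etc/sudoers.d/thj, mode 0440)
# user  host=(run-as user) commands
thj     ALL=(ALL) ALL            # thj may run any command as root after typing thj's own password

# Optional tightening: shorten the 15-minute password cache to 5 minutes for thj only
Defaults:thj timestamp_timeout=5
```

Always edit sudoers through visudo, which checks the syntax before saving; a syntax error in a sudoers file can lock every user out of sudo.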


3. Linux permission management

1. Classification of file visitors

Under Linux, file accessors are divided into three categories:

  • Owner: the owner of the file or directory, written u (user);
  • Owning group: users in the group that the file or directory belongs to, written g (group);
  • Other users: users other than the owner and the group members, written o (other);

It is easy to understand the owner and other users, but why is there also an owning group? Let's illustrate with an example:

Suppose a poor start-up wants to develop a product. The boss believes in competition, so he splits his staff into two groups and has both develop the same product; whichever group ends up with the better product gets the extra bonus;

But since the company is very poor and can only afford one host, a problem arises: the members of both groups share one machine, so how can code be shared among the members of one group?

If I make my files private, the other group cannot see my code, but neither can my teammates; and if I make the files public, there is a risk of the code leaking;

To handle this situation Linux designed the concept of a group: we can put several users into one group so that members of the group share files, while users outside the group are restricted by permissions;

2. File types and access rights

When we list a file or directory in Linux, there is usually a long string of characters in front of it; their meanings are as follows:

The first character represents the file type, and the next nine characters, in groups of three, represent the permissions of the file's owner, its group and other users. The permissions of a file fall into three kinds:

  • r, read permission: for a file, permission to read its contents; for a directory, permission to list the directory's entries;
  • w, write permission: for a file, permission to modify its contents; for a directory, permission to delete or move files within the directory;
  • x, execute permission: for a file, permission to execute it; for a directory, permission to enter the directory;

A permission character in the corresponding position means the user has that permission, and a - there means the user does not have it;

File types

There are seven types of files in Linux:

  • d: directory;
  • -: ordinary file (executable programs are also ordinary files);
  • l: soft link (similar to a Windows shortcut);
  • b: block device file (such as hard disks and optical drives);
  • p: pipe file;
  • c: character device file (such as the screen or other serial-port devices);
  • s: socket file;

File extension and file type

As mentioned earlier, Linux does not use the file suffix to distinguish file types; the suffix is simply part of the file name. But that does not mean we cannot use suffixes to tell file types apart: although the suffix means nothing to Linux itself, we can use it as a hint to the user;

At the same time, the fact that Linux ignores suffixes does not mean that every tool under Linux does; gcc and g++, for example, do look at the suffix.


4. Ways of writing the file permission value

1. Character representation

(figure omitted: permission value written as permission characters, e.g. rwxr-xr--)

2. Octal numerical representation

(figure omitted: permission value written as a three-digit octal number, e.g. 754)


5. Setting file permissions

1. chmod command

Format: chmod [options] permission filename;

Function: set the access permissions of a file;

Common options

  • -R: recursively modify the permissions of a directory and the files inside it;

Note: only the owner of a file and root can change its permissions;

Format of the permission value in chmod

(1) User symbol, then +/-/=, then permission characters:

User symbols:

  • u: owner;
  • g: users in the owner's group;
  • o: other users;
  • a: all users;

Meaning of +/-/=:

  • +: add the permissions named by the permission characters to the chosen scope;
  • -: remove the permissions named by the permission characters from the chosen scope;
  • =: set the chosen scope to exactly the permissions named by the permission characters;

Instruction demonstration

1. Adding or removing permissions for a single user class: (figure omitted)

2. Permissions for multiple user classes at once: (figure omitted)

(2) Three octal digits

A file has three kinds of permission (read, write, execute), so three binary bits can represent every combination, and in octal a single digit is enough for each of owner, group and others:

Instruction demonstration

(figure omitted: chmod with a three-digit octal value)

2. chown command

Format: chown [options] username filename;

Function: change the owner of a file;

Common options

  • -R: process all files in the specified directory and its subdirectories;

Note: giving a file that belongs to us to someone else with chown would require that person's consent, so in general an ordinary user cannot change the owner of a file; only root is unrestricted by permissions and can directly assign A's files to B without the consent of either A or B;

Instruction demonstration

(figures omitted: chown run as an ordinary user and as root)

3. chgrp command

Format: chgrp [options] groupname filename;

Function: change the group that a file or directory belongs to;

Common options

  • -R: recursively change the group of a directory and everything inside it;

Note: as with changing the owner, we cannot directly change the group a file belongs to without the consent of the other party; root is not restricted by permissions;

Instruction demonstration

(figures omitted: chgrp run as an ordinary user and as root)

4. umask command

The default permissions of files under Linux are as follows: the default permission of an ordinary file is 0666 and that of a directory is 0777, where the leading digit indicates that what follows is a three-digit octal number, and the last three digits are the owner's, the group's and others' permissions on the file. But we notice that the permissions of the files we usually create do not seem to match the above:

This is because when a file or directory is created, besides the default permission it is also subject to the umask (file creation mask). If the default permission is mask, the permission of the file actually created is: mask & ~umask;

The mask's job is to remove every permission bit that is set in it from the initial permissions: where a bit is 1 in the umask, its bitwise inverse is 0, so AND-ing it with the default permission yields 0; where a bit is 0 in the umask, its inverse is 1 and the AND leaves the default permission's bit unchanged;

Format: umask [permission value];

Function: view or modify the file creation mask;

Note: removing the mask bits from the initial access permission gives the default permission of a newly created file; the default mask of the super user is 0022 and that of ordinary users is 0002;

Instruction demonstration

View the file mask: (figure omitted: umask with no argument prints the current mask)

Modify the file mask: as can be seen, when we set the mask to 000, the permission of a file created afterwards equals the file's default permission.
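An added example (not from the original post) that evaluates mask & ~umask in shell arithmetic and then checks the formula against real files: a file and a directory are created under a chosen umask inside a subshell, so the caller's own umask is not changed. The function names are the example's own.

```shell
#!/bin/sh
# Default permission masked by umask: actual = default & ~umask (all octal).

# effective_perm 666 022 -> 644 ; effective_perm 777 002 -> 775
effective_perm() {
    default=$1     # 666 for a regular file, 777 for a directory
    mask=$2        # e.g. 022
    # A leading 0 makes the shell read both values as octal literals.
    printf '%03o\n' "$(( 0$default & ~0$mask ))"
}

# Create a file and a directory under the given umask (inside a subshell so the
# caller's own umask is left untouched) and return what ls -ld reports for each.
create_under_umask() {
    d=$(mktemp -d)
    (
        umask "$1"
        : > "$d/file"       # regular file: starts from 666
        mkdir "$d/dir"      # directory: starts from 777
    )
    f=$(ls -ld "$d/file" | cut -c2-10)
    g=$(ls -ld "$d/dir"  | cut -c2-10)
    rm -rf "$d"
    printf '%s %s\n' "$f" "$g"   # umask 027 -> rw-r----- rwxr-x---
}
```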

5. file command

Format: file [options] file or directory;

Function: identify the file type;

Common options

  • -c: print the checking process in detail, which helps when debugging or analysing how the command ran;
  • -z: try to look inside compressed files;

Instruction demonstration

(figure omitted: file run on several files of different types)

6. Directory permissions

The meaning of each permission on a directory is as follows:

  1. Execute permission: whether you can enter the directory. If a directory lacks execute permission, you cannot cd into it;

  2. Read permission: whether you can view the directory's contents. If a directory lacks read permission, you cannot list what is in it with commands such as ls;

  3. Write permission: whether you can create and delete files in the directory. If a directory lacks write permission, you can neither create files in it nor delete files from it;

So to enter a directory we must have execute permission on it; this is why the default permission of an ordinary file is 666 while that of a directory is 777;

Precautions

  • The execute permission of a directory indicates whether you can execute commands in the directory;
  • If a directory lacks execute permission, you cannot execute any command on it, not even cd into it, even if it still has read permission (this is a common mistake: thinking that read permission alone lets you enter the directory and read its files);
  • If a directory has execute permission but no read permission, the user can cd into it and run commands there, but without read permission on the directory even ls cannot read the directory's entries;

7. Sticky bit

There are usually many users on a Linux system, so sometimes there is a requirement that different users need to create, delete, read and modify temporary files in a shared directory. Such a shared directory is usually created by the root user, who then changes its permission to 777;

But there is a problem: since the shared directory's permission is 777, any user can delete the files in it, whether or not the file belongs to him, as follows:

As can be seen, for yzpq the file thj.txt is unreadable, unwritable and unexecutable, so yzpq cannot read, write or execute it; but yzpq can still delete thj.txt outright, because thj.txt lives in the tmp directory, and that directory is readable, writable and executable for yzpq;

To resolve this unreasonable situation, Linux introduced the sticky bit;

The sticky bit is a special permission. It does not affect the reading and writing of files by different users in the shared directory, but it forbids users from deleting each other's files; setting it is very simple: add t to the existing permissions, and there is no need to specify a user class when adding it, Linux recognises it automatically;

Note: when a directory has the sticky bit set, the files in it can only be deleted by the file's owner or by root; other users cannot.
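An added example (not from the original post) that sets the sticky bit on a scratch shared directory with chmod +t, shows how ls reports it (the t in place of the others' x, the same bit as the leading 1 in chmod 1777), and confirms that the owner of a file can still delete it. Showing yzpq being refused on thj.txt needs a second user account, so that part is not reproduced here; the function name is the example's own.

```shell
#!/bin/sh
# Shared directory with the sticky bit: set it with chmod +t (equivalent to the
# leading 1 in chmod 1777) and see how ls -ld reports it.
sticky_demo() {
    d=$(mktemp -d)
    chmod 777 "$d"                            # everyone may create/delete here
    before=$(ls -ld "$d" | cut -c2-10)        # rwxrwxrwx
    chmod +t "$d"                             # same effect as: chmod 1777 "$d"
    after=$(ls -ld "$d" | cut -c2-10)         # rwxrwxrwt: the others' x becomes t
    # The sticky bit only blocks deleting someone else's file: the owner still can.
    : > "$d/mine.txt"
    if rm "$d/mine.txt"; then owner_rm=ok; else owner_rm=denied; fi
    rm -rf "$d"
    printf '%s %s %s\n' "$before" "$after" "$owner_rm"   # rwxrwxrwx rwxrwxrwt ok
}
```

The system's own /tmp is the everyday instance of this setup and shows the same drwxrwxrwt in ls -ld.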


Origin blog.csdn.net/m0_62391199/article/details/127378384