Learning Linux user identities and file permissions (part 2)

file hidden attributes

Besides the general and special permissions, files on a Linux system also have hidden permissions, attributes that users cannot see by default. Some users have run into cases, in production and in RHCE exam questions, where they had sufficient permissions yet could not delete a file, or could only append content to a log file but could not modify or delete it. To a certain extent this prevents an attacker from tampering with system logs, so this "strange" kind of file permission also helps secure the Linux system.

Because the permission is hidden, the regular ls command will not reveal it. The dedicated command for setting hidden permissions is chattr, and the dedicated command for viewing them is lsattr.

chattr

The chattr command sets the hidden permissions of a file. Its full English name is "change attributes", and its syntax is "chattr [parameter] file name".

To add a hidden attribute to a file, append "+parameter" to the command; to remove one, append "-parameter". The chattr command offers a rich set of hidden permission parameters, as shown in the table.
To give readers a better idea of the effect of hidden permissions, first create a normal file and then immediately try to delete it (this operation will certainly succeed):

echo "for test" > linuxprobe
rm linuxprobe

Next, create an ordinary file again, give it the "do not allow deletion and overwriting" permission (the +a parameter), and then try to delete it:

echo "for test" > linuxprobe
chattr +a linuxprobe
rm linuxprobe

As can be seen, the deletion fails.

lsattr

The lsattr command views the hidden permissions of files. Its full English name is "list attributes", and its syntax is "lsattr [parameter] file name".

On a Linux system, a file's hidden permissions can only be checked with the lsattr command; ls and the other usual commands do not show them:

ls -al linuxprobe
lsattr linuxprobe

Now, based on the type (letter) of the hidden permission displayed, use the chattr command to remove it:

chattr -a linuxprobe
lsattr linuxprobe
rm linuxprobe
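Because ls never shows these attributes, an audit of which files carry +a or +i has to start from lsattr output. The following is an added example (not from the original post): it parses constructed lines in the format of lsattr -R, reports every entry with the append-only or immutable attribute, and compares a saved listing against a fresh one so that an unexplained change is noticed. The sample text and the function names are assumptions.

```sh
#!/bin/sh
# Constructed sample in the format of `lsattr -R` (attribute field, space,
# path); it is made-up text, not captured from a real system.
SAMPLE_LSATTR='--------------e------- /var/log/secure
-----a--------e------- /var/log/audit/audit.log
----i---------e------- /etc/resolv.conf
----ia--------e------- /tmp/unexplained.bin
--------------e------- /home/linuxprobe/notes.txt'

# Print "<attribute> <path>" for every line whose attribute field carries
# the append-only (a) or immutable (i) attribute.  Only the first field is
# inspected, so an 'a' or 'i' inside the path does not count, and the
# patterns are case-sensitive, so 'A' (no atime) and 'I' (indexed
# directory) are ignored.
find_hidden_attrs() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        attrs=${line%% *}
        path=${line#* }
        case $attrs in
            *i*a*|*a*i*) echo "immutable,append-only $path" ;;
            *i*)         echo "immutable $path" ;;
            *a*)         echo "append-only $path" ;;
        esac
    done
}

# Compare a saved baseline ($1) with a fresh listing ($2) and print
# "changed <path>" when the attribute field differs and "missing <path>"
# when the file is no longer listed.
attr_changes() {
    printf '%s\n' "$1" | while IFS= read -r base; do
        path=${base#* }
        now=$(printf '%s\n' "$2" | awk -v p="$path" '$2 == p { print; exit }')
        [ -n "$now" ] || { echo "missing $path"; continue; }
        [ "${now%% *}" = "${base%% *}" ] || echo "changed $path"
    done
}

# Typical live use (reading every file needs root):
#   find_hidden_attrs "$(lsattr -R /etc /var/log 2>/dev/null)"
```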

file access control list

To apply separate permission control to a specified user, you need the file access control list (ACL).

To see the effect of ACLs on file permission control more intuitively, first switch to an ordinary user and then try to enter the root administrator's home directory. Before an ACL is set on the root administrator's home directory for the ordinary user, the result is as follows:

su - linuxprobe
cd /root
exit

setfacl

The setfacl command manages the ACL permission rules of files. Its full English name is "set files ACL", and its syntax is "setfacl [parameter] file name".

ACL permissions provide permission control beyond the read/write/execute permissions of the owner, group, and others: with setfacl you can control read/write/execute permissions for a single user or user group on a single file or directory. For directories, use the -R recursive parameter; for ordinary files, use the -m parameter; to delete a file's ACL, use the -b parameter. Common parameters of the setfacl command are shown in the table.
For example, we originally could not enter the /root directory. Now we set permissions for the ordinary user separately, switch to that user, and can enter normally:

setfacl -Rm u:linuxprobe:rwx /root
su - linuxprobe
cd /root
ls
exit
ls -ld /root

getfacl

The getfacl command views the ACL permission rules of files. Its full English name is "get files ACL", and its syntax is "getfacl [parameter] file name".

Commands on a Linux system are so cute and easy to remember: to set an ACL, use setfacl; to view an ACL, use getfacl. The following uses getfacl to display all the ACL information set on the root administrator's home directory:

getfacl /root

ACL permissions can also be set for a user group. For example, to allow all users in a group to read and write the /etc/fstab file:

setfacl -m g:linuxprobe:rw /etc/fstab
getfacl /etc/fstab

Made a wrong setting and want to delete it? No problem. To clear all ACL permissions, use the -b parameter; to delete a specified permission, use the -x parameter:

setfacl -x g:linuxprobe /etc/fstab
getfacl /etc/fstab
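Reading getfacl output by hand gets tricky once a mask:: line is present, because a named user or group entry only takes effect to the extent the mask also allows it. The following is an added example (not from the original post): it parses constructed getfacl output and prints, for each named entry set with setfacl -m, the permission requested and the permission actually in effect. The sample text and the function names are assumptions.

```sh
#!/bin/sh
# Constructed getfacl output (made-up sample, not captured from a system):
# two named entries were added with setfacl -m and a restrictive mask::
# line is present.
SAMPLE_GETFACL='# file: etc/fstab
# owner: root
# group: root
user::rw-
user:linuxprobe:rwx
group::r--
group:linuxprobe:rw-
mask::r--
other::r--'

# AND two rwx strings position by position: a right survives only when
# both the entry and the mask grant it.
perm_and() {
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c "$i")
        b=$(printf '%s' "$2" | cut -c "$i")
        if [ "$a" = "$b" ] && [ "$a" != "-" ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# For every named user or group entry print "kind:name:granted:effective".
# user::, group:: and other:: lines carry no name and are skipped; a
# trailing "#effective:" comment that getfacl may append is stripped.
effective_named_entries() {
    mask=$(printf '%s\n' "$1" | sed -n 's/^mask::\([rwx-]\{3\}\).*/\1/p')
    [ -n "$mask" ] || mask=rwx    # no mask line: entries apply as written
    printf '%s\n' "$1" | while IFS=: read -r kind name perms; do
        case $kind in user|group) ;; *) continue ;; esac
        [ -n "$name" ] || continue
        perms=${perms%%[!rwx-]*}
        printf '%s:%s:%s:%s\n' "$kind" "$name" "$perms" "$(perm_and "$perms" "$mask")"
    done
}

# Live use on a real file: effective_named_entries "$(getfacl /etc/fstab)"
```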

When backing up the ACL permissions on the /home directory, you can use the -R recursive parameter so that not only the directory's own permissions but also those of the files inside it are backed up automatically. Combined with the output redirection covered in Chapter 3, backing up permissions is easy. Note that getfacl cannot use the absolute path form when backing up directory permissions, so switch to the topmost root directory first.

cd /
getfacl -R home > backup.acl
ls -l

Restoring ACL permissions is just as simple, using the --restore parameter. Because the /home directory was specified during the backup, there is no need to write the directory name again; setfacl automatically finds the object to restore:

setfacl --restore backup.acl

su command and sudo service

The su command meets the need to switch user identities, letting the current user switch to another user without logging out, for example from the root administrator to an ordinary user:

su - linuxprobe
id

Careful readers will notice the minus sign (-) between the su command and the user name above. It means a complete switch to the new user, that is, the environment variables are changed to those of the new user rather than keeping the original ones. It is strongly recommended to add this minus sign (-) when switching users.

In addition, no password is required when switching from the root administrator to an ordinary user, but a password is required when switching from an ordinary user to the root administrator; this is a necessary security check:

su - root
<enter the administrator password>

Authorization principle: on the premise that ordinary users can still complete their work, grant as few additional permissions as possible.

The visudo command edits and configures the sudo permission file for users; its syntax is "visudo [parameter]".

When configuring a service file on a Linux system there are no hard and fast rules, but experience says not to place new parameters too high in the file, so that a failure when the newly added parameters are executed does not stop some necessary service functions from loading. It is generally recommended to find similar parameters in the configuration file and make the new changes at an adjacent position, or to add and modify them in the middle or lower part of the file.

visudo

Source: blog.csdn.net/AdamCY888/article/details/131360630