Network security notes, Day 11: Linux file attributes and permissions

1. Special file attribute commands: chattr (set attributes) and lsattr (view attributes)

  1. Function: lock a file or directory so that it cannot be changed or deleted
  2. Syntax: chattr [option] FILE
  3. Option attributes
    1. i: the file is locked (immutable) and cannot be modified or deleted
    2. a: the file can only be appended to
  4. Option actions
    1. -: remove the attribute
    2. +: add the attribute
  5. Exercise: lock the file - view attributes - try to change the file - unlock - view attributes
    [root@localhost ~] touch oldboy.txt
    
    [root@localhost ~] ls
    anaconda-ks.cfg  day02_world_oldboy.sql  oldboy  oldboy.txt
    
    [root@localhost ~] chattr +i oldboy.txt
    
    [root@localhost ~] lsattr oldboy.txt
    ----i----------- oldboy.txt
    
    [root@localhost ~] rm -f oldboy.txt
    rm: cannot remove ‘oldboy.txt’: Operation not permitted
    
    [root@localhost ~] chattr -i oldboy.txt
    
    [root@localhost ~] lsattr oldboy.txt
    ---------------- oldboy.txt
    
    [root@localhost ~] rm -f oldboy.txt
    
    [root@localhost ~] ls
    anaconda-ks.cfg  day02_world_oldboy.sql  oldboy
    
  6. Production use: if you need to change the locked files quickly, consider a wrapper script that unlocks them, runs the requested command, and locks them again (note that /bin/test is also the path of the standard test(1) utility, so writing there replaces a system command)
    [root@oldboyedu ~]vim /bin/test ## add the following content
    #!/bin/sh
    # Unlock the key files, run whatever command was passed in, then lock them again.
    chattr -i /etc/passwd /etc/group /etc/shadow /etc/gshadow /etc/sudoers
    "$@"
    chattr +i /etc/passwd /etc/group /etc/shadow /etc/gshadow /etc/sudoers
    

2. Introduction to Linux basic permissions

  1. View file permissions: ls -l
  2. The 9 permission bits are grouped in threes: the first three are the user (owner) permissions, the middle three the group permissions, and the last three the permissions for others
  3. Permissions can be written in two ways: as characters or as numbers
  4. Characters, numbers, and positions corresponding to permissions
     Character   Meaning      Number   Position in the triple
     r           readable     4        first
     w           writable     2        second
     x           executable   1        third
     -           none         0        any position
  5. How to change permissions
    1. Change with numeric permissions
      1. Syntax: chmod NNN PATH (add -R to modify recursively)
      2. Working out the number: split the 9 permission characters into three groups of three, convert each character according to the table above, add the values within each group, and the result is a three-digit number
      3. Conversion examples
        1. drwxrwxr-- 774
        2. -rw-r--r-x 645
        3. drwx--xr-x 715
        4. dr-xrwx--x 571
        5. d--xr-xrwx 157
    2. Change with characters
      1. Action symbols: - removes a permission, + adds one
      2. Position symbols for the 9 permission bits: u for the first three (user), g for the middle three (group), o for the last three (others), a for all of them
      3. Syntax: chmod [position symbol][action symbol][permission symbol] FILE
      4. Example: chmod u+rwx oldboy.txt
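As an added example (not code from the original post), the following POSIX shell functions perform the character-to-number conversion described above in both directions. They go a little beyond the table: the s/S and t/T characters from the next section (suid, sgid and the sticky bit) are also handled and produce a leading fourth digit, so -rwsr-xr-x becomes 4755. The function names mode_to_octal, octal_to_mode and char_at are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: convert an ls -l mode string
# (e.g. drwxrwxr--) into the octal number chmod takes, and back. The
# special-permission characters s/S (suid, sgid) and t/T (sticky bit) are
# handled too; they add a leading fourth digit (4, 2 and 1 respectively).
# Function names mode_to_octal, octal_to_mode and char_at are this example's own.

# Print the character at 1-based position POS of STRING.
char_at() { printf '%s' "$1" | cut -c"$2"; }

# mode_to_octal MODESTRING: MODESTRING is the first ls -l field (file type
# plus 9 permission characters) or just the 9 characters. Prints e.g. 774,
# or 4755 when a special bit is set. Fails on malformed input.
mode_to_octal() {
    mode=$1
    # Drop the file-type character (d, -, l, ...) when it is present.
    if [ "${#mode}" -eq 10 ]; then
        mode=$(printf '%s' "$mode" | cut -c2-)
    fi
    if [ "${#mode}" -ne 9 ]; then
        echo "mode_to_octal: expected 9 permission characters, got '$mode'" >&2
        return 1
    fi
    special=0
    result=""
    pos=1
    while [ "$pos" -le 9 ]; do
        # Which special bit this triple can carry: user 4, group 2, other 1.
        case $pos in 1) bit=4 ;; 4) bit=2 ;; *) bit=1 ;; esac
        n=0
        case "$(char_at "$mode" "$pos")" in
            r) n=$((n + 4)) ;;
            -) ;;
            *) echo "mode_to_octal: bad character at position $pos" >&2; return 1 ;;
        esac
        case "$(char_at "$mode" $((pos + 1)))" in
            w) n=$((n + 2)) ;;
            -) ;;
            *) echo "mode_to_octal: bad character at position $((pos + 1))" >&2; return 1 ;;
        esac
        case "$(char_at "$mode" $((pos + 2)))" in
            x)   n=$((n + 1)) ;;
            s|t) n=$((n + 1)); special=$((special + bit)) ;;  # special bit plus execute
            S|T) special=$((special + bit)) ;;                # special bit, no execute
            -) ;;
            *) echo "mode_to_octal: bad character at position $((pos + 2))" >&2; return 1 ;;
        esac
        result="$result$n"
        pos=$((pos + 3))
    done
    if [ "$special" -ne 0 ]; then
        printf '%s%s\n' "$special" "$result"
    else
        printf '%s\n' "$result"
    fi
}

# octal_to_mode OCTAL: the inverse; 774 -> rwxrwxr--, 4755 -> rwsr-xr-x,
# 4644 -> rwSr--r-- (capital S: suid set but the owner has no execute bit).
octal_to_mode() {
    num=$1
    case $num in
        [0-7][0-7][0-7]) special=0 ;;
        [0-7][0-7][0-7][0-7])
            special=$(char_at "$num" 1)
            num=$(printf '%s' "$num" | cut -c2-) ;;
        *) echo "octal_to_mode: expected 3 or 4 octal digits, got '$num'" >&2; return 1 ;;
    esac
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        d=$(char_at "$num" "$i")
        # Special bit and letter that belong to this triple.
        case $i in 1) bit=4; letter=s ;; 2) bit=2; letter=s ;; *) bit=1; letter=t ;; esac
        case $((d & 4)) in 0) r=- ;; *) r=r ;; esac
        case $((d & 2)) in 0) w=- ;; *) w=w ;; esac
        case $((d & 1)) in 0) x=- ;; *) x=x ;; esac
        if [ $((special & bit)) -ne 0 ]; then
            # Lower-case when execute is also set, upper-case when it is not.
            if [ "$x" = x ]; then x=$letter; else x=$(printf '%s' "$letter" | tr st ST); fi
        fi
        out="$out$r$w$x"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# The conversion exercises from the post, recomputed, plus one suid example.
for m in drwxrwxr-- -rw-r--r-x drwx--xr-x dr-xrwx--x d--xr-xrwx -rwsr-xr-x; do
    oct=$(mode_to_octal "$m")
    printf '%s -> %s -> %s\n' "$m" "$oct" "$(octal_to_mode "$oct")"
done
```

Running the script prints each exercise string, its octal value, and the permission string rebuilt from that value, so a mismatch between the two strings points at a conversion mistake.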

3. Linux special permissions

  • suid
    • What it does: suid applies to commands. Once set, any user who runs the file does so with the file owner's privileges
    • How to set it: chmod u+s FILE
    • What ls -l shows after setting suid: -rwsr-xr-x or -rwSr--r-- (a capital S means the owner has no execute permission)
    • Common examples: the passwd command is set suid, and so is the ping command
  • sgid: the character is s, in the middle three bits (group)
  • Sticky bit: the character is t, in the last three bits (others)

4. Ordinary users elevate their privileges to root privileges

  1. Method 1: the test user escalates to root through a vim binary that has suid set
    1. As root: chmod u+s /bin/vim
    2. As the test user: vim /etc/sudoers and add the line test ALL=(ALL) NOPASSWD:ALL
    3. Switch to root: sudo su -
  2. Method 2
    1. As root: chmod u+s /bin/vim
    2. vim /etc/passwd and change the UID in the test user's row to 0
    3. Log in again as test: the session is now root
  3. Method 3: move the test user into the wheel group
    1. Make sure the group id of test is 20008
      [test@oldboyedu ~]$ grep -w test /etc/passwd
      test:x:20008:20008::/home/test:/bin/bash
      
    2. Make sure the wheel group id is 10
      [test@oldboyedu ~]$ grep wheel /etc/group
      wheel:x:10:
      
    3. Modify the group id to 10
      [test@oldboyedu ~]$ vim /etc/passwd
      test:x:20008:10::/home/test:/bin/bash
      
    4. Log in and run sudo su - (test's password is required)

5. How to prevent ordinary users and web users from escalating privileges

  1. Do not set suid on commands
    1. Administrators should not rely on the suid function, and should remove suid from binaries that do not need it
    2. Forbid the application software (PHP, configured in /etc/php.ini) from reading system files and similar functions
    3. Mount filesystems with suid disabled (the nosuid mount option)
  2. Lock the key files: /etc/passwd /etc/group /etc/shadow /etc/gshadow /etc/sudoers
  3. chmod 440 /etc/sudoers
  4. Keep a close watch on the permissions of the /etc directory so that files there cannot be replaced
  5. Standardize permissions: files 644, directories 755; the owner and group of files and directories should be root wherever possible (never use 777)
  6. Web applications must not be allowed to upload special files into system directories
    1. Check the file extension
    2. Separate dynamic and static content after upload
  7. sshd listens on the intranet only, remote root login is disabled, and administrators connect through a VPN to a jump host
  8. The firewall restricts ssh access to the intranet or office network IP range
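As an added example (not from the original post), the shell script below turns the checklist above into a read-only audit: it checks that the five key files carry the immutable attribute, that /etc/sudoers is mode 440 and owned by root, lists files and directories that deviate from 644/755 or are not owned by root, and reports setuid/setgid binaries under the directories you name so they can be compared against the few the distribution legitimately ships (passwd and ping, from section 3). It assumes a Linux host with GNU coreutils (stat -c) and e2fsprogs (lsattr); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only audit of the
# hardening checklist. Assumes Linux with GNU coreutils (stat -c) and
# e2fsprogs (lsattr). Function names are this example's own; the file paths
# in run_checklist are the ones the post names.

# check_mode PATH OCTAL: succeed if PATH has exactly the given mode,
# otherwise print a finding and fail.
check_mode() {
    actual=$(stat -c '%a' "$1") || return 1
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'MODE      %s expected %s, found %s\n' "$1" "$2" "$actual"
    return 1
}

# check_owner PATH [USER]: succeed if PATH is owned by USER (default root).
check_owner() {
    want=${2:-root}
    actual=$(stat -c '%U' "$1") || return 1
    if [ "$actual" = "$want" ]; then
        return 0
    fi
    printf 'OWNER     %s expected %s, found %s\n' "$1" "$want" "$actual"
    return 1
}

# is_immutable PATH: succeed if lsattr shows the i flag (set with chattr +i).
# The first lsattr field is the attribute string, e.g. ----i-----------.
is_immutable() {
    attrs=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1)
    case $attrs in
        *i*) return 0 ;;
        *)   printf 'IMMUTABLE %s is not locked with chattr +i\n' "$1"; return 1 ;;
    esac
}

# find_setuid DIR...: list setuid/setgid files below the given directories,
# staying on one filesystem so other mounts are not walked.
find_setuid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Entries that break the "files 644, directories 755, owned by root" rule.
files_not_644()     { find "$1" -xdev -type f ! -perm 644 -print 2>/dev/null; }
dirs_not_755()      { find "$1" -xdev -type d ! -perm 755 -print 2>/dev/null; }
not_owned_by_root() { find "$1" -xdev ! -user root -print 2>/dev/null; }

# run_checklist DIR...: key files locked, /etc/sudoers 440 and root-owned,
# /etc root-owned, then a list of setuid/setgid files under DIR... for review.
run_checklist() {
    for f in /etc/passwd /etc/group /etc/shadow /etc/gshadow /etc/sudoers; do
        is_immutable "$f" || true
    done
    check_mode /etc/sudoers 440 || true
    check_owner /etc/sudoers || true
    check_owner /etc || true
    echo "Entries under /etc not owned by root:"
    not_owned_by_root /etc
    echo "setuid/setgid files under $*:"
    find_setuid "$@"
}

# Stand-alone use: sh audit.sh /usr/bin /usr/sbin
if [ "$#" -gt 0 ]; then
    run_checklist "$@"
fi
```

Each finding is printed on its own line with a fixed-width tag (MODE, OWNER, IMMUTABLE), so the output can be diffed between runs; the setuid list is meant to be compared with the previous run or with the package manager's record of which binaries are expected to carry the bit.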

Source: blog.csdn.net/m0_73293867/article/details/131995773