Calculating the octal number: take the 9-character permission string in groups of three, convert each group according to the table above (r = 4, w = 2, x = 1) and add the values within each group; the result is a three-digit number.
Conversion examples:
drwxrwxr-- 774
-rw-r--r-x 645
drwx--xr-x 715
dr-xrwx--x 571
d--xr-xrwx 157
Changing permissions with symbols
Action symbols: - removes a permission, + adds one
Position symbols for the 9-character permission string: u = owner (first three characters), g = group (middle three), o = others (last three), a = all three groups
Syntax: chmod [position symbol][action symbol][permission symbol] file
Example: chmod u+rwx oldboy.txt
3. Linux special permissions
suid
Effect: suid applies to commands (executable files). Once it is set, any user who runs the command does so with the privileges of the file's owner.
How to set it: chmod u+s directory/file
What ls -l shows after suid is set: -rwsr-xr-x or -rwSr--r-- (a capital S means the bit is set but the owner has no execute permission)
Common examples: the passwd command is set suid, and so is the ping command
sgid: the character is s, shown in the middle three characters (group)
Sticky bit: the character is t, shown in the last three characters (others)
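As an added example that is not part of the original notes, the following POSIX shell script applies the conversion from the table above to an ls -l mode string and extends it with the special-permission digit (suid 4, sgid 2, sticky 1) so the capital-S case just described is handled; it then audits a few constructed ls -l lines (sample data, not from a real host) for entries carrying the suid bit.

```shell
#!/bin/sh
# Added example: convert an ls -l mode string to octal, then audit for suid.
# Triads are read owner/group/other with r=4, w=2, x=1 as in the page's table.
# Beyond that table, a leading digit carries the special bits: suid 4, sgid 2,
# sticky 1. Lowercase s/t means the bit plus execute; capital S/T means the
# bit is set without execute (the "-rwSr--r--" case described above).

# Prints "<rwx value> <special value>" for one triad; pos is 1 (owner),
# 2 (group) or 3 (other) and decides which special bit an s/S denotes.
triad_value() {
    t=$1 pos=$2 v=0 s=0
    case $t in r??) v=$((v + 4)) ;; esac
    case $t in ?w?) v=$((v + 2)) ;; esac
    case $t in ??[xst]) v=$((v + 1)) ;; esac      # lowercase s/t still implies x
    case $t in ??[sS]) if [ "$pos" = 1 ]; then s=4; else s=2; fi ;; esac
    case $t in ??[tT]) s=1 ;; esac
    echo "$v $s"
}

# "-rw-r--r-x" -> 645, "-rwsr-xr-x" -> 4755, "-rwSr--r--" -> 4644
mode_to_octal() {
    perms=${1#?}                    # drop the file-type character (d, -, l ...)
    [ ${#perms} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    u=${perms%??????} rest=${perms#???}
    g=${rest%???} o=${rest#???}
    digits="" special=0
    for pair in "$u 1" "$g 2" "$o 3"; do
        set -- $pair                        # $1 = triad, $2 = position
        set -- $(triad_value "$1" "$2")     # $1 = rwx value, $2 = special bit
        digits="$digits$1" special=$((special + $2))
    done
    if [ "$special" -eq 0 ]; then echo "$digits"; else echo "$special$digits"; fi
}

# Constructed ls -l output (sample data, not captured from a real host).
SAMPLE_LS='-rwsr-xr-x 1 root root 59976 passwd
-rwxr-xr-x 1 root root 72000 ls
-rwsr-xr-x 1 root root 3020000 vim
-rwSr--r-- 1 root root 100 odd'

# Prints "<name> <octal>" for every entry whose mode carries the suid bit;
# anything beyond the expected set (passwd, ping ...) is a finding to review.
list_suid() {
    printf '%s\n' "$SAMPLE_LS" | while read -r mode links owner group size name; do
        oct=$(mode_to_octal "$mode")
        case $oct in 4???|5???|6???|7???) echo "$name $oct" ;; esac
    done
}

list_suid
```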
4. Ordinary users escalating to root privileges
Method 1: the test user escalates to root through a vim command that has suid set
As the root user: chmod u+s /bin/vim
As the test user: vim /etc/sudoers and add the following line: test ALL=(ALL) NOPASSWD:ALL
Switch to root: sudo su -
Method 2
As the root user: chmod u+s /bin/vim
vim /etc/passwd and change the UID in the test user's row to 0
Log in again; test is now root
Method 3: add the test user to the wheel group
Keep a close watch on the permissions of the /etc directory to prevent files from being replaced
Standardize permissions: files 644, directories 755; the owner and group of files and directories should be root wherever possible (never set 777)
Web applications must not be allowed to upload special files into system directories
Check the file extension of uploads
Separate dynamic and static content for uploaded files
ssh listens only on the intranet address, remote root login is disabled, and administrators connect through a VPN dial-up jump host
The firewall restricts ssh access to the intranet or office network IP range