Linux system configuration and service management-03-user permissions
Basic permissions: UGO
overview
- QQ Zone's "Red Diamond" privilege
- Some knock-off "Legend" game: VIP16, one hit does 9999999 damage
- Tencent Video / iQiyi membership privileges
- What file permission settings really look like
- Granting a given user or group a particular kind of access to a given file (image file, video file, ordinary file)
permission object
Owner: u
Group: g
Others: o
Everyone: a (u+g+o) = all
permission type
Read: r=4
Write: w=2
Execute: x=1
View permissions
[root@localhost ~]# ls -l /root/1.txt
-rw-r--r--. 1 root root 179 5月 25 14:27 /root/1.txt
explanation of content
- file type (the first character; `-` is a regular file)
rw- the owner's permissions (user)
r-- the group's permissions
r-- everyone else's permissions
- extension of authority
1 link count (see chapter 7, file links)
root the file's owner
root the file's group
179 size in bytes
5月 25 14:27 last modification time
/root/1.txt file name and path
Setting permissions
change permissions
- use symbols
- syntax
Symbols: u user, g group, o others, r read, w write, x execute
Syntax: chmod object(u/g/o/a) operator(+/-/=, i.e. add, remove, or set exactly) permission type(r/w/x) file/directory
chmod u=rwx /1.txt
- example
1. Basic permissions of an ordinary file
[root@localhost ~]# cd /tmp
[root@localhost tmp]# touch file1
[root@localhost tmp]# ll file1
-rw-r--r--. 1 root root 0 4月 13 20:49 file1
permissions owner group file
2. Write a small program: put the following into the file
[root@localhost tmp]# vim file1
echo "hello 2020"
read -p "请输入您的姓名:" name
echo "哈哈 $name 是大笨蛋"
3. Add execute permission
[root@localhost tmp]# chmod u+x file1 # add execute for the owner
4. Run it: succeeds
[root@localhost tmp]# ./file1
hello 2020
请输入您的姓名:4567
4567 是大笨蛋
5. Remove the permission: running fails
[root@localhost tmp]# chmod u-x file1
[root@localhost tmp]# ./file1
-bash: ./file1: 权限不够
6. More permission-changing practice
[root@localhost tmp]# chmod a=rwx file1 # everyone: exactly read, write and execute
[root@localhost tmp]# chmod a=- file1 # everyone: no permissions at all
[root@localhost tmp]# chmod ug=rw,o=r file1 # owner and group: read and write; others: read only
[root@localhost tmp]# ll file1 # view the file permissions in long format
-rw-rw-r-- 1 alice it 17 10-25 16:45 file1 # the displayed result
- use numbers
4 = read (r), 2 = write (w), 1 = execute (x); add them up per class, so 6 = rw- and 4 = r--
[root@localhost ~]# chmod 644 file1
[root@localhost ~]# ll file1
-rw-r--r-- 1 alice it 17 10-25 16:45 file1
Change file owner and group
- chown command
chown: sets who a file belongs to (its owner)
Syntax: chown user.group file  or  chown user:group file
[root@localhost ~]# chown alice.hr file1 # change owner and group
[root@localhost ~]# chown alice file1 # change only the owner
[root@localhost ~]# chown .hr file1 # change only the group
- options
-R apply the change to every file inside the directory (recursive)
chown -R root.root /tmp/aa
- chgrp command
- chgrp: sets which group a file belongs to (its group); chown can do this as well
- Syntax: chgrp group file
[root@localhost ~]# chgrp it file1 # change the file's group
[root@localhost ~]# chgrp -R it dir1 # change a directory's group; -R means recursive
the case
1. Significance of user permissions
- Control a user account's access (read, write, execute) to files (pictures, videos, programs).
2. Permission object
- Owner: the owner of the file: u
- Group: members of the file's group: g
- Others: users who are neither the owner nor group members: o
- Special object: everyone (owner, group members and others): a
3. Types of permissions
- Read: r=4
- Write: w=2
- Execute: x=1
4. Modify the permissions of the file (one way to complete the authorization)
- Command: chmod (ch: change, mod: modify the settings)
- Syntax: chmod permissions file
- Example: chmod u+x file1.txt
- Example: chmod 764 file1.txt (owner: read, write and execute; group: read and write; others: read)
5. Modify the owner and group of the file (another way to complete the authorization)
- Command: chown (ch: change, own: owner)
- Syntax: chown owner.group file/directory
- Syntax: chown owner file
- Syntax: chown .group file
- Example: chown user01.hr file1.txt
- Example: chown -R user01.hr dir1/
6. Case requirements:
- File: file10.txt
- The owner is user100, with read, write and execute = 7 (can view the content, change the content and execute it)
- The group is jishuzu (member user200), with read = 4 (can only view; cannot modify or execute)
- Others have no permission = 0 (can neither view, modify nor execute)
7. Operation:
# 1. As root, go to the /tmp directory
[root@localhost tmp]# cd /tmp
[root@localhost tmp]# pwd
# 2. Create the file file10.txt
[root@localhost tmp]# touch file10.txt
[root@localhost tmp]# ll file10.txt
-rw-r--r--. 1 root root 0 3月 19 16:20 file10.txt
- owner: read and write (rw)
- group: read (r)
- others: read (r)
# 3. Prepare the test accounts
[root@localhost tmp]# useradd user100
[root@localhost tmp]# useradd user200
[root@localhost tmp]# useradd user300
[root@localhost tmp]# groupadd jishuzu
[root@localhost tmp]# usermod -aG jishuzu user200
[root@localhost tmp]# id user200
uid=1013(user200) gid=1016(user200) 组=1016(user200),1018(jishuzu)
# 4. Grant the file's owner, group and others their permissions
[root@localhost tmp]# chmod 740 file10.txt
[root@localhost tmp]# ll file10.txt
-rwxr-----. 1 root root 0 3月 19 16:20 file10.txt
owner: read, write, execute
group: read
others: no permissions
# 5. Change the file's owner and group with chown
[root@localhost tmp]# chown user100.jishuzu file10.txt
[root@localhost tmp]# ll file10.txt
-rwxr-----. 1 user100 jishuzu 0 3月 19 16:20 file10.txt
owner: user100
group: jishuzu (member: user200)
# 6. Test
- As user100, access the file: write to it and execute it
[root@localhost tmp]# su - user100
[user100@localhost ~]$ cd /tmp/
[user100@localhost tmp]$ cat file10.txt
[user100@localhost tmp]$ vim file10.txt
[user100@localhost tmp]$ ./file10.txt
123
456
789
[user100@localhost tmp]$ exit
登出
# 7. As a member of jishuzu: can read, cannot write or execute
[root@localhost tmp]# su - user200
[user200@localhost ~]$ cd /tmp/
[user200@localhost tmp]$ cat file10.txt
echo 123
echo 456
echo 789
[user200@localhost tmp]$ vim file10.txt
(writing fails; force-quit with :q!)
[user200@localhost tmp]$ ./file10.txt
-bash: ./file10.txt: 权限不够
[user200@localhost tmp]$ exit
登出
# 8. As another user, user300: reading fails, writing fails, executing fails
[root@localhost tmp]# su - user300
[user300@localhost ~]$ cd /tmp/
[user300@localhost tmp]$ cat file10.txt
cat: file10.txt: Permission denied
[user300@localhost tmp]$ vim file10.txt
(writing fails; force-quit with :q!)
[user300@localhost tmp]$ ./file10.txt
-bash: ./file10.txt: 权限不够
[user300@localhost tmp]$ exit
登出
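Added example (not part of the original notes): a small POSIX sh helper covering the UGO explanation and the case above. It converts between the rwx field that `ll` prints and the octal number that `chmod` takes, and answers whether a permission class (u, g or o) may read, write or execute, which reproduces the results of steps 6 to 8 for mode 740. It handles plain UGO bits only, not ACL entries or the suid/sgid/sticky bits.

```sh
#!/bin/sh
# Added example: UGO permission arithmetic in POSIX sh (plain rwx bits only,
# no ACL entries and no suid/sgid/sticky bits).

# rwx_field MODESTRING -> the 9-character rwx part; accepts "rwxr-----" as well as
# the full ls -l field "-rwxr-----." (type character in front, SELinux dot at the end)
rwx_field() {
  case $1 in ?????????) printf '%s\n' "$1" ;; *) printf '%s\n' "$1" | cut -c2-10 ;; esac
}

# mode_to_octal "-rwxr-----." -> 740   (r=4, w=2, x=1, added up per class)
mode_to_octal() {
  s=$(rwx_field "$1") out=""
  for t in "$(printf '%s' "$s" | cut -c1-3)" \
           "$(printf '%s' "$s" | cut -c4-6)" \
           "$(printf '%s' "$s" | cut -c7-9)"; do
    v=0
    case $t in r??) v=$((v + 4)) ;; esac
    case $t in ?w?) v=$((v + 2)) ;; esac
    case $t in ??x) v=$((v + 1)) ;; esac
    out="$out$v"
  done
  printf '%s\n' "$out"
}

# octal_to_mode 644 -> rw-r--r--   (the reverse mapping, one digit per class)
octal_to_mode() {
  out=""
  for d in $(printf '%s' "$1" | cut -c1) $(printf '%s' "$1" | cut -c2) $(printf '%s' "$1" | cut -c3); do
    case $d in
      0) out="${out}---" ;; 1) out="${out}--x" ;; 2) out="${out}-w-" ;; 3) out="${out}-wx" ;;
      4) out="${out}r--" ;; 5) out="${out}r-x" ;; 6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
      *) return 1 ;;
    esac
  done
  printf '%s\n' "$out"
}

# can MODESTRING u|g|o r|w|x -> exit 0 if that class has the permission, 1 if not.
# For the case above: can "-rwxr-----." g r -> 0 (user200 may read),
#                     can "-rwxr-----." g x -> 1 (user200 may not execute)
can() {
  s=$(rwx_field "$1")
  case $2 in u) t=$(printf '%s' "$s" | cut -c1-3) ;; g) t=$(printf '%s' "$s" | cut -c4-6) ;;
             o) t=$(printf '%s' "$s" | cut -c7-9) ;; *) return 2 ;; esac
  case $3 in r) pat='r??' ;; w) pat='?w?' ;; x) pat='??x' ;; *) return 2 ;; esac
  case $t in $pat) return 0 ;; *) return 1 ;; esac
}
```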
Basic permissions: ACL
the difference
Think about it: can you use chmod to give different users different permissions on the same file?
user01 rwx file1
user02 rw file1
user03 r file1
user04 rwx file1
user05 rw file1
The answer is no, hence the need for an ACL.
ACL file permission management: set different basic permissions (r, w, x) for different users. UGO can set basic permissions for only one user, one group and everyone else.
syntax
setfacl -m u:alice:rw /home/test.txt
setfacl -m g:hr:rwx /home/test.txt
command option user-or-group:name:permissions target file
usage
Preparing files
[root@localhost ~]# touch /home/test.txt
[root@localhost ~]# ll /home/test.txt
-rw-r--r-- 1 root root 0 10-26 13:59 /home/test.txt
set ACL
- Check which ACL permissions the file has.
[root@localhost ~]# getfacl /home/test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
- Set permissions for the users alice and jack
Prerequisite: the users alice and jack exist (creation steps omitted)
[root@localhost ~]# setfacl -m u:alice:rw /home/test.txt
[root@localhost ~]# setfacl -m u:jack:- /home/test.txt
[root@localhost ~]# getfacl /home/test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
user:alice:rw-
user:jack:---
group::r--
mask::rw-
other::r--
[root@localhost ~]# setfacl -m o::rw /home/test.txt # o: other users; two colons with no name between them; leaving a colon out is a syntax error
View/delete:
- view ACL
[root@localhost ~]# getfacl /home/test.txt
getfacl: Removing leading '/' from absolute path names
# file: home/test.txt    file name
# owner: root    owner: root
# group: root    group: root
user::rwx    user (the owner): rwx
user:alice:rw-    user alice: rw-
user:jack:---    user jack: ---
group::rwx    group (the owning group): rwx
mask::rwx    mask: rwx
other::rwx    other (everyone else): rwx
- remove ACL
- set
- grant group hr read permission on test.txt
- [root@localhost ~]# setfacl -m g:hr:r /home/test.txt # -m sets (modifies) an entry
- delete one entry
- [root@localhost ~]# setfacl -x g:hr /home/test.txt # -x deletes: removes the ACL entry for group hr
- delete all
- [root@localhost ~]# setfacl -b /home/test.txt # -b removes all ACL entries
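The mask entry that appears in the getfacl listings above is the part of ACLs that most often surprises people: named-user entries, named-group entries and the owning-group entry are ANDed with the mask, while user:: (owner) and other:: are not, and a later `chmod` on the group bits rewrites the mask rather than the group entry. This added example (not part of the original notes) recomputes the effective rights from a constructed getfacl listing, the same way getfacl's own `#effective:` comments report them.

```sh
#!/bin/sh
# Added example: effective ACL rights = entry AND mask, for named users, named groups
# and the owning group; the owner (user::) and other:: entries are not masked.

# Constructed getfacl output, modelled on the page's listing but with a mask of r--
SAMPLE='# file: home/test.txt
# owner: root
# group: root
user::rw-
user:alice:rwx
user:jack:---
group::r--
group:hr:rw-
mask::r--
other::r--'

# and_triple rwx r-- -> r--  (AND of two rwx triples, character by character)
and_triple() {
  out=""
  for i in 1 2 3; do
    a=$(printf '%s' "$1" | cut -c"$i"); b=$(printf '%s' "$2" | cut -c"$i")
    if [ "$a" = "$b" ] && [ "$a" != - ]; then out="$out$a"; else out="$out-"; fi
  done
  printf '%s\n' "$out"
}

# effective_acl LISTING -> the listing with "#effective:" appended wherever the mask reduces an entry
effective_acl() {
  mask=$(printf '%s\n' "$1" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
  printf '%s\n' "$1" | while IFS= read -r line; do
    case $line in
      user:?*:*|group:*)                            # named users, named groups, owning group
        perm=${line##*:}
        eff=$(and_triple "$perm" "${mask:-rwx}")    # no mask entry means nothing is masked
        if [ "$eff" = "$perm" ]; then printf '%s\n' "$line"
        else printf '%s\t#effective:%s\n' "$line" "$eff"; fi ;;
      *) printf '%s\n' "$line" ;;                   # comments, user::, mask::, other::
    esac
  done
}
```

Running `effective_acl "$SAMPLE"` shows alice's rwx and hr's rw- both reduced to r-- by the mask, while user::rw- and other::r-- pass through unchanged.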
Special Permissions (Understanding)
special bit suid
Types of advanced privileges
suid: set on a file/program (such as the cat command), it lets whoever runs the program temporarily act with the permissions of the program's owner.
sgid
sticky
question
# Why does the following operation fail?
[root@localhost ~]# ll /root/file1.txt
-rw-r--r-- 1 root root 4 7月 27 14:14 /root/file1.txt
[root@localhost ~]# su - alice
[alice@localhost ~]$ cat /root/file1.txt
cat: /root/file1.txt: 权限不够
Analysis: a command run by root runs with the superuser's privileges; the same command run by an ordinary user runs with that ordinary user's privileges.
root /usr/bin/cat (runs as root) /root/file1.txt OK
alice /usr/bin/cat (runs as alice) /root/file1.txt denied
example
Set suid so that an ordinary user can temporarily elevate privileges through it and view a file belonging to the superuser root
# 1. Add the suid bit to the cat program.
[root@localhost ~]# ll /usr/bin/cat
-rwxr-xr-x. 1 root root 54080 8月 20 2019 /usr/bin/cat
[root@localhost ~]# chmod u+s /usr/bin/cat
[root@localhost ~]# ll /usr/bin/cat
-rwsr-xr-x. 1 root root 54080 8月 20 2019 /usr/bin/cat
You can see that the owner's permission field has become rws
# 2. Run cat as an ordinary user: it temporarily gets root's privileges
[root@localhost ~]# su - alice
[alice@localhost ~]$ cat /root/file1.txt # result: an ordinary user can read root's file. This behaviour is dangerous
# After the experiment, remove the suid bit from cat again.
[root@localhost ~]# chmod u-s /usr/bin/cat
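Because a setuid program hands every caller the owner's privileges, the defensive counterpart to the demonstration above is knowing exactly which setuid/setgid files a system has and noticing when a new one appears. This added example (not part of the original notes) inventories them under a directory and reports entries missing from a saved baseline; the path and file names in the usage comment are placeholders, and paths containing spaces are not handled.

```sh
#!/bin/sh
# Added example: inventory setuid/setgid files and diff the inventory against a baseline.

# list_special_bits DIR -> one "MODE OWNER PATH" line per setuid/setgid regular file under DIR,
# e.g. "-rwsr-xr-x root /usr/bin/passwd"; the 's' in an x position is the special bit
list_special_bits() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null \
    | awk '{ print $1, $3, $NF }' | sort
}

# save_baseline DIR FILE -> writes the current inventory to FILE (run once on a known-good host)
save_baseline() {
  list_special_bits "$1" > "$2"
}

# new_special_bits DIR FILE -> prints inventory lines that are absent from the baseline FILE;
# exit status 0 when something new was found, 1 when the inventory matches the baseline
new_special_bits() {
  list_special_bits "$1" | grep -vxF -f "$2"
}

# Typical use (placeholder baseline path): save_baseline / /var/lib/suid.baseline once, then
# periodically: new_special_bits / /var/lib/suid.baseline && echo "ALERT: new setuid/setgid file"
```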
File attribute modification: chattr
use
- Often used to lock a file so it cannot be modified. Commonly applied to log files to make them undeletable or append-only, preventing accidental deletion.
Classification
the case
# 1. First create a new file for comparison and view its default attributes.
[root@localhost ~]# touch file100
[root@localhost ~]# lsattr file100
-------------- file100
# 2. Add the immutable attribute.
[root@localhost ~]# chattr +i file100 # cannot be modified, renamed or deleted
# 3. View the changed attributes
[root@localhost ~]# lsattr file100
----i--------- file100
# 4. Try to delete it
[root@localhost ~]# rm -rf file100
rm: cannot remove `file100': Operation not permitted
# 5. Restore the attribute.
[root@localhost ~]# chattr -i file100
Note: file attributes (special permissions) set this way apply to all users; while the attribute is set, even root does not have permission to perform the operation.
process mask umask
overview
The default permissions of newly created files and directories are affected by the umask. The umask represents the permissions to be subtracted: for a new directory, subtract the umask value from 777; for a new file, subtract 111 on top of that.
The default umask value is 0022 (the mask). Its first digit represents a special security feature, the sticky bit, and the following three digits form the octal umask value.
Example 1: Observing the system default mask
Create a file in the shell process; first check the current user's umask
[root@localhost ~]# umask
0022
[root@localhost ~]# touch file800
[root@localhost ~]# mkdir dir800
[root@localhost ~]# ll -d dir800 file800
drwxr-xr-x. 2 root root 4096 3月 11 19:40 dir800 # new directory: 777 minus 022
-rw-r--r--. 1 root root 0 3月 11 19:40 file800 # new file: 777 minus 022, then minus 111 as well
Example 2: Modify the shell's umask value (temporary)
[root@localhost ~]# umask 000
[root@localhost ~]# mkdir dir900
[root@localhost ~]# touch file900
[root@localhost ~]# ll -d dir900 file900
drwxrwxrwx. 2 root root 4096 3月 11 19:44 dir900
-rw-rw-rw-. 1 root root 0 3月 11 19:44 file900
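The subtraction shorthand above gives the right answer for 022 and 000 but not for every mask (with umask 027 it would leave a negative digit for new files), because the kernel clears bits rather than subtracting: directory = 777 AND NOT umask, file = 666 AND NOT umask. This added example (not part of the original notes) computes the defaults bitwise in POSIX sh and prints the allowed bits in the form `umask -S` uses; the 077 row is the mask to use when a user's new files should be private to that user.

```sh
#!/bin/sh
# Added example: default mode of a new directory or file under a given umask,
# computed the way the kernel does it (bitwise clear), not by digit subtraction.

# default_mode UMASK dir|file -> three-digit octal default, e.g. default_mode 022 dir -> 755
default_mode() {
  case $2 in dir) base=0777 ;; file) base=0666 ;; *) return 2 ;; esac
  printf '%03o\n' $(( base & ~0$1 ))     # the leading 0 makes the shell read UMASK as octal
}

# umask_symbolic UMASK -> the bits still allowed, as `umask -S` prints them:
# 022 -> u=rwx,g=rx,o=rx    077 -> u=rwx,g=,o=
umask_symbolic() {
  allowed=$(default_mode "$1" dir)        # 777 & ~umask, one octal digit per class
  out=""
  for cls in u g o; do
    case $cls in
      u) d=$(printf '%s' "$allowed" | cut -c1) ;;
      g) d=$(printf '%s' "$allowed" | cut -c2) ;;
      o) d=$(printf '%s' "$allowed" | cut -c3) ;;
    esac
    l=""
    [ $((d & 4)) -ne 0 ] && l="${l}r"
    [ $((d & 2)) -ne 0 ] && l="${l}w"
    [ $((d & 1)) -ne 0 ] && l="${l}x"
    out="$out${out:+,}$cls=$l"
  done
  printf '%s\n' "$out"
}

# umask_table -> one line per umask, "UMASK DIR FILE SYMBOLIC", for the values worth knowing
umask_table() {
  for m in 000 022 027 077; do
    printf '%s %s %s %s\n' "$m" "$(default_mode "$m" dir)" "$(default_mode "$m" file)" \
      "$(umask_symbolic "$m")"
  done
}
```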