Linux system configuration and service management-03-user permissions

Basic permissions: UGO

Overview

- "Red Diamond" privileges in QQ Zone
- A knock-off Legend game: VIP16, 9999999 damage per hit
- Tencent Video / iQIYI membership privileges
- What file permission settings really are
    - Granting a particular user or group a particular way of accessing a particular file (an image, a video, a regular file)

Permission objects

Owner: u
Group: g
Others: o
Everyone: a (u+g+o) = all

Permission types

Read: r=4
Write: w=2
Execute: x=1

View permissions

[root@localhost ~]# ls -l /root/1.txt
-rw-r--r--.   1   root root  179  5月  25  14:27  /root/1.txt

Explanation of the output

  • file type and permissions
-         file type (- means a regular file)
rw-       owner's permissions (u)
r--       group's permissions (g)
r--       others' permissions (o)
  • remaining fields
1        link count (see chapter 7, file links)
root     file owner
root     file group
179      size in bytes
5月  25  14:27      last modification time
/root/1.txt    file name and path

Setting permissions

Changing permissions

  • using symbols
    • syntax
Symbols: u owner, g group, o others, r read, w write, x execute

Syntax: chmod object(u/g/o/a) operator(+/-/=: add, remove, set exactly) permission(r/w/x)    file/directory
      chmod u=rwx /1.txt
  • example
1. Look at the basic permissions of a regular file
[root@localhost ~]# cd /tmp
[root@localhost tmp]# touch file1
[root@localhost tmp]# ll file1
-rw-r--r--. 1 root root 0 4月  13 20:49 file1
permissions    owner  group               file

2. Write a script with the following content
[root@localhost tmp]# vim file1

#!/bin/bash
echo "hello 2020"
read -p "请输入您的姓名:" name
echo "哈哈 $name 是大笨蛋"

3. Add execute permission
[root@localhost tmp]# chmod u+x file1    # add execute for the owner

4. Run it: succeeds
[root@localhost tmp]# ./file1 

hello 2020
请输入您的姓名:4567
4567 是大笨蛋

5. Remove the permission: running fails
[root@localhost tmp]# chmod u-x file1 
[root@localhost tmp]# ./file1
-bash: ./file1: 权限不够

6. More permission-changing exercises
[root@localhost tmp]# chmod a=rwx file1   # everyone gets exactly read, write, execute
[root@localhost tmp]# chmod a=- file1     # everyone gets no permissions
[root@localhost tmp]# chmod ug=rw,o=r file1   # owner and group get read and write, others read only
[root@localhost tmp]# ll file1            # view the permissions in long-listing format
-rw-rw-r-- 1 alice it 17 10-25 16:45 file1   # displayed result
  • using numbers
4 read r, 2 write w, 1 execute x (add the values for each object)

[root@localhost ~]# chmod 644 file1
[root@localhost ~]# ll file1
-rw-r--r-- 1 alice it 17 10-25 16:45 file1

Changing a file's owner and group

  • chown command
chown: sets who a file belongs to (the owner)

Syntax: chown user.group file   or   chown user:group file
[root@localhost ~]# chown alice.hr file1   # change owner and group

[root@localhost ~]# chown alice file1  # change only the owner

[root@localhost ~]# chown .hr file1   # change only the group

- Options
	-R apply the change to every file in the directory (recursively).
	chown -R root.root /tmp/aa
  • chgrp command
- chgrp: sets which group a file belongs to (the group). chown can do this too
- Syntax: chgrp group file

[root@localhost ~]# chgrp it file1  # change the file's group
[root@localhost ~]# chgrp -R it dir1  # change a directory's group; -R means recursive

Case study

1. What user permissions mean

  • They set what a user account may do with a file (pictures, videos, programs): read, write, execute.

2. Permission objects

  • Owner: the owner of the file: u
  • Group: members of the file's group: g
  • Others: users who are neither the owner nor group members: o
  • Special object: everyone (owner, group members and others): a

3. Types of permissions

  • Read: r=4
  • Write: w=2
  • Execute: x=1

4. Modify the permissions of a file (one way to grant access)

  • Command: chmod (ch: change; mod: modify the settings)
  • Syntax: chmod permission-spec file
  • Example: chmod u+x file1.txt
  • Example: chmod 764 file1.txt (owner read, write, execute; group read, write; others read)

5. Modify the owner and group of a file (another way to grant access)

  • Command: chown (ch: change; own: owner)
  • Syntax: chown owner.group file/directory
  • Syntax: chown owner file
  • Syntax: chown .group file
  • Example: chown user01.hr file1.txt
  • Example: chown -R user01.hr dir1/

6. Case requirements:

  • File: file10.txt
  • Owner user100: read, write and execute = 7 (can view, change and execute the content)
  • Group jishuzu (member user200): read = 4 (can only view; cannot modify or execute)
  • Others: no permissions = 0 (cannot view, modify or execute)

7. Steps:

# 1. As root, go to /tmp
[root@localhost ~]# cd /tmp
[root@localhost tmp]# pwd

# 2. Create the file file10.txt
[root@localhost tmp]# touch file10.txt
[root@localhost tmp]# ll file10.txt
-rw-r--r--. 1 root root 0 3月  19 16:20 file10.txt
-  owner: read, write (rw)
-  group: read (r)
-  others: read (r)

# 3. Prepare test accounts
[root@localhost tmp]# useradd user100
[root@localhost tmp]# useradd user200
[root@localhost tmp]# useradd user300
[root@localhost tmp]# groupadd jishuzu
[root@localhost tmp]# usermod -aG jishuzu   user200
[root@localhost tmp]# id user200
uid=1013(user200) gid=1016(user200) 组=1016(user200),1018(jishuzu)

# 4. Grant permissions to the owner, the group and others.
[root@localhost tmp]# chmod 740 file10.txt
[root@localhost tmp]# ll file10.txt
-rwxr-----. 1 root root 0 3月  19 16:20 file10.txt
owner:  read, write, execute
group:  read
others: no permissions

# 5. Change the file's owner and group with chown
[root@localhost tmp]# chown user100.jishuzu  file10.txt 
[root@localhost tmp]# ll file10.txt 
-rwxr-----. 1 user100 jishuzu 0 3月  19 16:20 file10.txt
owner: user100
group: jishuzu (member user200)

# 6. Test
- As user100, access the file: write to it, execute it

[root@localhost tmp]# su - user100
[user100@localhost ~]$ cd /tmp/
[user100@localhost tmp]$ cat file10.txt 
[user100@localhost tmp]$ vim file10.txt 
[user100@localhost tmp]$ ./file10.txt 
123
456
789
[user100@localhost tmp]$ exit
登出

# 7. As a jishuzu member: can read, cannot write or execute
[root@localhost tmp]# su - user200
[user200@localhost ~]$ cd /tmp/
[user200@localhost tmp]$ cat file10.txt 
echo 123
echo 456
echo 789
[user200@localhost tmp]$ vim file10.txt 
(write fails; force quit with :q!)
[user200@localhost tmp]$ ./file10.txt
-bash: ./file10.txt: 权限不够
[user200@localhost tmp]$ exit
登出

# 8. As another user, user300: reading, writing and executing all fail.
[root@localhost tmp]# su - user300
[user300@localhost ~]$ cd /tmp/
[user300@localhost tmp]$ cat file10.txt 
cat: file10.txt: Permission denied
[user300@localhost tmp]$ vim file10.txt 
(write fails; force quit with :q!)
[user300@localhost tmp]$ ./file10.txt
-bash: ./file10.txt: 权限不够
[user300@localhost tmp]$ exit
登出
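The steps above set the mode by hand and read it back with ll. The added shell example below (written for this page; it is not from the original post) does the same in a scratch directory and also converts between the numeric and symbolic notations, including the s/S/t/T letters that ls prints for the special bits discussed later on this page. It assumes a Linux system with `stat -c %a` (GNU coreutils or busybox); the chown to user100.jishuzu is left out because it needs root and those accounts, and all function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): translate between numeric and
# symbolic modes and check the case study's chmod 740 against what the kernel
# stores. Assumes 'stat -c %a' (GNU coreutils or busybox).

# One octal digit -> its rwx triplet.
digit_to_rwx() {
  case "$1" in
    0) printf '%s' '---' ;; 1) printf '%s' '--x' ;;
    2) printf '%s' '-w-' ;; 3) printf '%s' '-wx' ;;
    4) printf '%s' 'r--' ;; 5) printf '%s' 'r-x' ;;
    6) printf '%s' 'rw-' ;; 7) printf '%s' 'rwx' ;;
    *) return 1 ;;
  esac
}

# Replace the x slot of a triplet with $2 (bit set and executable) or $3 (bit
# set but not executable), the way ls shows suid/sgid/sticky.
with_special() {
  if [ "${1#??}" = x ]; then printf '%s%s' "${1%?}" "$2"; else printf '%s%s' "${1%?}" "$3"; fi
}

# mode_to_symbolic 740 -> rwxr-----   mode_to_symbolic 4755 -> rwsr-xr-x
mode_to_symbolic() {
  m=$1
  while [ ${#m} -lt 4 ]; do m="0$m"; done   # pad so the special digit is always present
  while [ ${#m} -gt 4 ]; do m=${m#?}; done  # drop extra leading zeros
  special=${m%???}
  rest=${m#?}
  mid=${rest#?}; mid=${mid%?}
  u=$(digit_to_rwx "${rest%??}") || return 1
  g=$(digit_to_rwx "$mid") || return 1
  o=$(digit_to_rwx "${rest#??}") || return 1
  case $special in 4|5|6|7) u=$(with_special "$u" s S) ;; esac   # suid
  case $special in 2|3|6|7) g=$(with_special "$g" s S) ;; esac   # sgid
  case $special in 1|3|5|7) o=$(with_special "$o" t T) ;; esac   # sticky
  printf '%s\n' "$u$g$o"
}

# Reproduce step 4 of the case study in a scratch directory and print the mode
# that was actually stored (chown is skipped: it needs root and the accounts).
case_study_mode() {
  dir=$(mktemp -d) || return 1
  touch "$dir/file10.txt"
  chmod 740 "$dir/file10.txt"
  stat -c '%a' "$dir/file10.txt"
  rm -rf "$dir"
}

# Stand-alone demo.
stored=$(case_study_mode)
printf 'stored mode: %s -> %s\n' "$stored" "$(mode_to_symbolic "$stored")"
printf 'suid on cat would show as: %s\n' "$(mode_to_symbolic 4755)"
```

Reading the mode back with stat rather than by eye is the habit worth keeping: it is what a configuration check or audit script does, and it catches a typo such as 704 instead of 740 immediately.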

Basic permissions: ACL

The difference from UGO

  • Think about it: can chmod give individual users different permissions on one file?
    user01 rwx file1
    user02 rw file1
    user03 r file1
    user04 rwx file1
    user05 rw file1
    The answer is no, hence the need for ACLs

  • ACL file permission management: assign different users their own basic permissions (r, w, x). UGO basic permissions only cover one owner, one group and "others"

Syntax

setfacl   -m   u:alice:rw    /home/test.txt
setfacl   -m   g:hr:rwx      /home/test.txt
command   option  user-or-group:name:permissions    file

Usage

Preparing the file

[root@localhost ~]# touch /home/test.txt
[root@localhost ~]# ll /home/test.txt 
-rw-r--r-- 1 root root 0 10-26 13:59 /home/test.txt

Set an ACL

  • Check which ACL entries the file already has.
[root@localhost ~]# getfacl /home/test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
  • Set permissions for users alice and jack
Prerequisite: create the users alice and jack (steps omitted)
[root@localhost ~]# setfacl -m u:alice:rw /home/test.txt
[root@localhost ~]# setfacl -m u:jack:- /home/test.txt
[root@localhost ~]# getfacl /home/test.txt
# file: test.txt
# owner: root
# group: root
user::rw-
user:alice:rw-
user:jack:---
group::r--
mask::rw-
other::r--
[root@localhost ~]# setfacl -m o::rw /home/test.txt    # o: others; two colons, no user name; leaving out the colons is a syntax error

View / delete:

  • view the ACL
[root@localhost ~]# getfacl /home/test.txt
getfacl: Removing leading '/' from absolute path names
# file: home/test.txt      file name
# owner: root              owner: root
# group: root              group: root
user::rwx                  user (owner): rwx
user:alice:rw-             user alice: rw-
user:jack:---              user jack: ---
group::rwx                 group (owning group): rwx
mask::rwx                  mask: rwx
other::rwx                 others: rwx
  • remove ACL entries
- set
	- give group hr read access to test.txt
	- [root@localhost ~]# setfacl -m g:hr:r /home/test.txt   # -m sets an entry

- delete one entry
	- [root@localhost ~]# setfacl -x g:hr /home/test.txt   # -x removes the ACL entry for group hr

- delete all entries
	- [root@localhost ~]# setfacl -b /home/test.txt  # -b removes all ACL entries
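The mask:: line that appeared in the getfacl output above is the part of an ACL that most often surprises people: the kernel grants a named user, a named group or the owning group only the permissions present in both their entry and the mask, which is why getfacl prints an #effective: note when the two differ; the owner (user::) and other:: entries are not masked. The following added example (written for this page, not from the original post or from the acl package) parses a constructed getfacl-style listing with awk and reports the effective permission for any entry, so it runs without setfacl being installed. The sample ACL text and the function name effective_perm are my own.

```shell
#!/bin/sh
# Added example (not from the original post): compute the permission the kernel
# actually grants for an ACL entry, taking mask:: into account.

# Constructed sample in the format getfacl prints (not output from the page).
# alice and hr are granted more than the mask allows, jack is explicitly denied.
SAMPLE_ACL='# file: home/test.txt
# owner: root
# group: root
user::rw-
user:alice:rwx
user:jack:---
group::r--
group:hr:rw-
mask::r--
other::r--'

# effective_perm "<getfacl text>" "<tag>:<qualifier>"
#   tag:qualifier is e.g. user:alice, group:hr, user: (owner), group: (owning
#   group) or other: (everyone else). Prints the effective rwx triplet.
effective_perm() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^#/ || NF == 0 { next }                       # skip comment and blank lines
    { split($0, f, ":"); perm[f[1] ":" f[2]] = f[3] }
    END {
      if (!(want in perm)) exit 1                   # no such entry
      p = perm[want]
      # user:: (owner) and other:: are never limited by the mask
      if (want == "user:" || want == "other:" || !("mask:" in perm)) { print p; exit 0 }
      m = perm["mask:"]; out = ""
      for (i = 1; i <= 3; i++) {                    # rwx are positional: AND them
        c = substr(p, i, 1)
        out = out ((c != "-" && substr(m, i, 1) == c) ? c : "-")
      }
      print out
    }'
}

# Stand-alone demo: compare what each entry asks for with what it really gets.
for who in user: user:alice user:jack group: group:hr other:; do
  printf '%-12s effective: %s\n' "$who" "$(effective_perm "$SAMPLE_ACL" "$who")"
done
```

When you review a host, run the same comparison on real output (`getfacl /path | effective_perm ...` after capturing it into a variable): an entry that looks like rwx in the listing but is cut down by the mask is a common reason for "I granted access and it still fails", and, the other way round, a mask of rwx is what to look for when someone has quietly widened access with `setfacl -m m::rwx`.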

Special permissions (for understanding)

Special bit: suid

Types of special permissions

suid: on a file/program (such as the cat command), whoever runs it temporarily gains the owner's permissions.
sgid
sticky bit

Question

# Why does the operation below fail?
[root@localhost ~]# ll /root/file1.txt
-rw-r--r-- 1 root root 4 7月  27 14:14 /root/file1.txt
[root@localhost ~]# su - alice
[alice@localhost ~]$ cat /root/file1.txt
cat: /root/file1.txt: 权限不够

Analysis: when root runs a command it runs with superuser privileges; when an ordinary user runs it, it runs with that user's ordinary privileges.
root   runs /usr/bin/cat (as root)  on /root/file1.txt   OK
alice  runs /usr/bin/cat (as alice) on /root/file1.txt   denied

Example

Set suid on cat so that an ordinary user temporarily gains elevated rights and can read the superuser's (root's) files

# 1. Add the suid bit to the cat program.
[root@localhost ~]# ll /usr/bin/cat
-rwxr-xr-x. 1 root root 54080 8月  20 2019 /usr/bin/cat
[root@localhost ~]# chmod u+s /usr/bin/cat
[root@localhost ~]# ll /usr/bin/cat
-rwsr-xr-x. 1 root root 54080 8月  20 2019 /usr/bin/cat

The owner's permissions now read rws

# 2. Run cat as an ordinary user; it temporarily runs with root's privileges
[root@localhost ~]# su - alice
[alice@localhost ~]$ cat /root/file1.txt  # result: the ordinary user sees root's file. This is dangerous
# Remove the suid bit from cat once you have finished the experiment.
[root@localhost ~]# chmod u-s /usr/bin/cat
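As an added example (not from the original post), here is the check a defender runs after an experiment like the one above: list the files under a directory tree whose setuid bit is set, so that a cat left with u+s is noticed and cleared. The suid_demo function sets and removes the bit on a scratch file of its own rather than touching /usr/bin/cat; the function names are my own, and `find -perm -4000` is the standard GNU/busybox find syntax for "setuid bit set".

```shell
#!/bin/sh
# Added example (not from the original post): audit a tree for setuid files.

# Print every regular file under $1 whose setuid bit is set. -xdev keeps the
# search on one filesystem, which is what you want when scanning / on a server.
find_setuid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Number of setuid files under $1 (handy for a cron job that alerts on change).
count_setuid() {
  find_setuid "$1" | wc -l | tr -d ' '
}

# Build a scratch tree, flip the bit on one file, audit, then clear it again.
# Prints "<before> <during> <after> <name of the file that was found>".
suid_demo() {
  dir=$(mktemp -d) || return 1
  touch "$dir/plain" "$dir/suspect"
  chmod 755 "$dir/plain" "$dir/suspect"
  before=$(count_setuid "$dir")
  chmod u+s "$dir/suspect"            # ls -l now shows rwsr-xr-x for this file
  during=$(count_setuid "$dir")
  found=$(find_setuid "$dir")
  chmod u-s "$dir/suspect"            # remove it again, as the page advises
  after=$(count_setuid "$dir")
  rm -rf "$dir"
  printf '%s %s %s %s\n' "$before" "$during" "$after" "$(basename "$found")"
}

# Stand-alone demo.
suid_demo
```

The value of this check is the diff, not the list: record `find_setuid /` once on a freshly installed host, keep the output, and compare against it after changes; a new entry such as /usr/bin/cat is the signal. Note that the bit is stored even on a filesystem mounted nosuid, where it has no effect, so the audit reports it either way.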

File attribute modification: chattr

Use

  • Often used to lock a file so that it cannot be modified. Commonly applied to log files as "cannot delete" or "append only" settings, to prevent accidental deletion

Classification

[Image: classification of chattr attributes; not recoverable from the page]
Case

# 1. Create a new file for comparison and look at its default attributes.

[root@localhost ~]# touch file100
[root@localhost ~]# lsattr file100
-------------- file100


# 2. Add the immutable attribute.
[root@localhost ~]# chattr +i file100   # cannot be changed, renamed or deleted

# 3. Look at the attribute again

[root@localhost ~]# lsattr file100
----i--------- file100

# 4. Try to delete it

[root@localhost ~]# rm -rf file100 
rm: cannot remove `file100': Operation not permitted

# 5. Restore the attribute.

[root@localhost ~]# chattr -i file100

Note: attributes set with chattr apply to all users; even root is not permitted to modify or delete the file while the attribute is set.

Process mask: umask

Overview

The default permissions of new files and directories are affected by the umask. The umask stands for the permissions to be taken away: a new directory starts from 777 and the umask is subtracted; a new file additionally loses 111 (the execute bits), so it starts from 666 before the umask is subtracted.

The default umask is 0022 (mask). Its first digit stands for a special security feature, the sticky bit, and the following three digits form the octal umask value.

Example 1: observe the system default mask

Creating a file in a shell process: first check the current user's umask

[root@localhost ~]# umask 			
0022
[root@localhost ~]# touch file800
[root@localhost ~]# mkdir dir800
[root@localhost ~]# ll -d dir800 file800 
drwxr-xr-x. 2 root root 4096 3月  11 19:40 dir800   # directory: 777 minus 022
-rw-r--r--. 1 root root    0 3月  11 19:40 file800   # file: 777 minus 022, then minus 111 as well

Example 2: change the shell's umask (temporary, for this shell only)

[root@localhost ~]# umask 000
[root@localhost ~]# mkdir dir900
[root@localhost ~]# touch file900
[root@localhost ~]# ll -d dir900 file900 
drwxrwxrwx. 2 root root 4096 3月  11 19:44 dir900
-rw-rw-rw-. 1 root root    0 3月  11 19:44 file900
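Added example (not from the original post): a small shell script that computes the default mode under a given umask and checks it against what the kernel actually does in a scratch directory. It goes one step beyond the text: the "subtract the umask" rule gives the right answer for the page's 022 and 000, but the kernel really clears the umask's bits (mode = base & ~umask), and the two disagree for a umask such as 027. Function names are my own; `stat -c '%a'` is GNU coreutils/busybox syntax.

```shell
#!/bin/sh
# Added example (not from the original post): default mode under a umask,
# computed and then observed.

# default_mode <umask> <file|dir>: the mode a new object gets. Base is 666 for
# files and 777 for directories; the umask's bits are cleared, not subtracted.
# Example where the two differ: umask 027 on a file gives 640, not 666-027=637.
default_mode() {
  if [ "$2" = dir ]; then base=$(( 0777 )); else base=$(( 0666 )); fi
  mask=$(( 0$1 ))                  # leading 0 makes the shell read the umask as octal
  printf '%03o\n' $(( base & ~mask ))
}

# observed_modes <umask>: set that umask in a subshell (so the caller's umask is
# untouched), create a file and a directory in a scratch directory and print
# "<file-mode> <dir-mode>" as reported by stat.
observed_modes() {
  dir=$(mktemp -d) || return 1
  ( umask "$1" && touch "$dir/f" && mkdir "$dir/d" ) || return 1
  printf '%s %s\n' "$(stat -c '%a' "$dir/f")" "$(stat -c '%a' "$dir/d")"
  rm -rf "$dir"
}

# Stand-alone demo: the page's two umasks plus the one where subtraction is wrong.
for m in 022 000 027; do
  printf 'umask %s: computed file %s dir %s, observed %s\n' "$m" \
    "$(default_mode "$m" file)" "$(default_mode "$m" dir)" "$(observed_modes "$m")"
done
```

The practical use is the reverse direction: when a service drops files that are world-readable, run `umask` in the same environment the service starts from (a systemd unit or a cron job does not inherit your login shell's value) and compare what default_mode predicts with what lands on disk.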

Source: blog.csdn.net/HYESC/article/details/127382242