Configuration File Permissions

 

# Look at what the chattr command offers
$ man chattr

# View the chattr help text and write it out to a text file
$ man chattr | col -bx > chattr.txt


CHATTR(1)                                                  General Commands Manual                                                 CHATTR(1)



NAME
       chattr - change file attributes on a Linux file system

SYNOPSIS
       chattr [-RVf] [-v version] [mode] files...

DESCRIPTION
       chattr changes the file attributes on a Linux file system.

       The format of a symbolic mode is +-=[acdeijstuACDST].

       The  operator `+' causes the selected attributes to be added to the existing attributes of the files; `-' causes them to be removed; and `='
       causes them to be the only attributes that the files have.

       The letters `acdeijstuACDST' select the new attributes for the files: append only (a), compressed (c),  no  dump  (d),  extent  format  (e),
       immutable  (i), data journalling (j), secure deletion (s), no tail-merging (t), undeletable (u), no atime updates (A), no copy on write (C),
       synchronous directory updates (D), synchronous updates (S), and top of directory hierarchy (T).

       The following attributes are read-only, and may be listed by lsattr(1) but not modified by chattr: huge file  (h),  compression  error  (E),
       indexed directory (I), compression raw access (X), and compressed dirty file (Z).

OPTIONS
       -R     Recursively change attributes of directories and their contents.

       -V     Be verbose with chattr's output and print the program version.

       -f     Suppress most error messages.

       -v version
              Set the file's version/generation number.

ATTRIBUTES
       When  a  file with the 'A' attribute set is accessed, its atime record is not modified.  This avoids a certain amount of disk I/O for laptop
       systems.

       A file with the `a' attribute set can only be  open  in  append  mode  for  writing.   Only  the  superuser  or  a  process  possessing  the
       CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

       A  file  with the `c' attribute set is automatically compressed on the disk by the kernel.  A read from this file returns uncompressed data.
       A write to this file compresses data before storing them on the disk.  Note: please make sure to read the bugs and  limitations  section  at
       the end of this document.

       A  file  with the 'C' attribute set will not be subject to copy-on-write updates.  This flag is only supported on file systems which perform
       copy-on-write.  (Note: For btrfs, the 'C' flag should be set on new or empty files.  If it is set on a file which already has  data  blocks,
       it is undefined when the blocks assigned to the file will be fully stable.  If the 'C' flag is set on a directory, it will have no effect on
       the directory, but new files created in that directory will have the No_COW attribute.)

       When a directory with the `D' attribute set is modified, the changes are written synchronously on  the  disk;  this  is  equivalent  to  the
       `dirsync' mount option applied to a subset of the files.

       A file with the `d' attribute set is not candidate for backup when the dump(8) program is run.

       The 'E' attribute is used by the experimental compression patches to indicate that a compressed file has a compression error.  It may not be
       set or reset using chattr(1), although it can be displayed by lsattr(1).

       The 'e' attribute indicates that the file is using extents for mapping the blocks on disk.  It may not be removed using chattr(1).

       The 'I' attribute is used by the htree code to indicate that a directory is being indexed using hashed trees.  It may not be  set  or  reset
       using chattr(1), although it can be displayed by lsattr(1).

       The  'h'  attribute  indicates the file is storing its blocks in units of the filesystem blocksize instead of in units of sectors, and means
       that the file is (or at one time was) larger than 2TB.  It may not be set or  reset  using  chattr(1),  although  it  can  be  displayed  by
       lsattr(1).

       A  file  with  the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be
       written to the file.  Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

       A file with the `j' attribute has all of its data written to the ext3 journal before being written to the file itself, if the filesystem  is
       mounted with the "data=ordered" or "data=writeback" options.  When the filesystem is mounted with the "data=journal" option all file data is
       already journalled and this attribute has no effect.  Only the superuser or a process possessing the CAP_SYS_RESOURCE capability can set  or
       clear this attribute.

       When  a  file with the `s' attribute set is deleted, its blocks are zeroed and written back to the disk.  Note: please make sure to read the
       bugs and limitations section at the end of this document.

       When a file with the `S' attribute set is modified, the changes are written synchronously on the disk; this  is  equivalent  to  the  `sync'
       mount option applied to a subset of the files.

       A  directory  with  the  'T'  attribute will be deemed to be the top of directory hierarchies for the purposes of the Orlov block allocator.
       This is a hint to the block allocator used by ext3 and ext4 that the subdirectories under this directory are not related, and thus should be
       spread  apart  for  allocation  purposes.    For  example  it  is  a very good idea to set the 'T' attribute on the /home directory, so that
       /home/john and /home/mary are placed into separate block groups.  For directories where this attribute is not set, the Orlov block allocator
       will try to group subdirectories closer together where possible.

       A  file  with the 't' attribute will not have a partial block fragment at the end of the file merged with other files (for those filesystems
       which support tail-merging).  This is necessary for applications such as LILO which read the filesystem directly, and which don't understand
       tail-merged  files.   Note: As of this writing, the ext2 or ext3 filesystems do not (yet, except in very experimental patches) support tail-
       merging.

       When a file with the `u' attribute set is deleted, its contents are saved.  This allows the user to ask for its  undeletion.   Note:  please
       make sure to read the bugs and limitations section at the end of this document.

       The  'X'  attribute  is  used  by  the experimental compression patches to indicate that a raw contents of a compressed file can be accessed
       directly.  It currently may not be set or reset using chattr(1), although it can be displayed by lsattr(1).

       The 'Z' attribute is used by the experimental compression patches to indicate a compressed file is dirty.  It may not be set or reset  using
       chattr(1), although it can be displayed by lsattr(1).

AUTHOR
       chattr was written by Remy Card <[email protected]>.  It is currently being maintained by Theodore Ts'o <[email protected]>.

BUGS AND LIMITATIONS
       The  `c', 's',  and `u' attributes are not honored by the ext2, ext3, and ext4 filesystems as implemented in the current mainline Linux
       kernels.

       The `j' option is only useful if the filesystem is mounted as ext3.

       The `D' option is only useful on Linux kernel 2.5.19 and later.

AVAILABILITY
       chattr is part of the e2fsprogs package and is available from http://e2fsprogs.sourceforge.net.

SEE ALSO
       lsattr(1)



E2fsprogs version 1.42.9                                           February 2014                                                          CHATTR(1)

 

Source  https://www.runoob.com/linux/linux-comm-chattr.html

The Linux chattr command is used to change file attributes.

This command can change the attributes of files or directories stored on an ext2 file system; there are 8 such modes in total:

  1. a: only allow the file or directory to be appended to.
  2. b: do not update the last access time of the file or directory.
  3. c: store the file or directory compressed.
  4. d: exclude the file or directory from dump operations.
  5. i: do not allow any change to the file or directory.
  6. s: delete the file or directory securely.
  7. S: update the file or directory synchronously.
  8. u: prevent accidental deletion.

Syntax

chattr [-RV] [-v <version number>] [+/-/=<attribute>] [file or directory ...]

Parameters

  -R  Recursive processing: handle all files and subdirectories under the specified directory together.

  -v <version number>  Set the version of the file or directory.

  -V  Display the progress of the command.

  +<attribute>  Enable the attribute on the file or directory.

  -<attribute>  Disable the attribute on the file or directory.

  =<attribute>  Set exactly the given attributes on the file or directory.

Examples

To prevent a critical system file from being modified, use the chattr command:

chattr +i /etc/resolv.conf
lsattr /etc/resolv.conf

It will display the following attributes:

----i-------- /etc/resolv.conf

To make a file append-only, so that data can be added to it but it cannot be deleted (useful for all kinds of log files):

chattr +a /var/log/messages

 

 

Source  https://www.runoob.com/linux/linux-comm-lsattr.html

The Linux lsattr command displays file attributes.

After changing the attributes of a file or directory with chattr, run lsattr to query those attributes.

Syntax

lsattr [-adlRvV] [file or directory ...]

Parameters:

  • -a  Display all files and directories, including those whose names start with ".", such as the current directory "." and the parent directory "..".
  • -d  Display the directory name itself rather than its contents.
  • -l  This parameter currently has no effect.
  • -R  Recursive processing: handle all files and subdirectories under the specified directory together.
  • -v  Display the version of the file or directory.
  • -V  Display version information.

Examples

1. Use the chattr command to prevent a critical system file from being modified:

# chattr +i /etc/resolv.conf

Afterwards, commands such as mv /etc/resolv.conf that operate on the file all fail with Operation not permitted.

When editing the file with vim, it reports W10: Warning: Changing a readonly file. To modify the file, first remove the i attribute:

chattr -i /etc/resolv.conf

Use the lsattr command to display file attributes:

# lsattr /etc/resolv.conf

The output is:

----i-------- /etc/resolv.conf

2. Make a file append-only, so that data can be added to it but it cannot be deleted (useful for all kinds of log files):

# chattr +a /var/log/messages
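As an added example that is not part of the original page: the two examples above set the i and a attributes, and an auditor reviewing a host usually wants the reverse, a list of every file carrying them, since they survive chmod and will silently break package upgrades or log rotation when set unexpectedly. This small parser reads lsattr output (the sample lines below are constructed, not captured from a real host) and names the flags using the attribute letters from chattr(1).

```python
import re

# Attribute letters as listed in chattr(1); the read-only ones are included
# so that every character lsattr can print gets a name.
ATTRIBUTE_NAMES = {
    "a": "append only", "c": "compressed", "d": "no dump", "e": "extent format",
    "i": "immutable", "j": "data journalling", "s": "secure deletion",
    "t": "no tail-merging", "u": "undeletable", "A": "no atime updates",
    "C": "no copy on write", "D": "synchronous directory updates",
    "S": "synchronous updates", "T": "top of directory hierarchy",
    "h": "huge file", "E": "compression error", "I": "indexed directory",
    "X": "compression raw access", "Z": "compressed dirty file",
}

# lsattr prints a fixed-width flag field, whitespace, then the path; the path
# itself may contain spaces, so only the first run of whitespace is a separator.
_LINE = re.compile(r"^(\S+)\s+(.+)$")

def parse_lsattr_line(line):
    """Return (path, set of flag letters) for one line of lsattr output."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("not an lsattr line: %r" % line)
    flags, path = m.groups()
    return path, {ch for ch in flags if ch != "-"}

def describe(flags):
    """Human-readable names for a set of flag letters, sorted for stable output."""
    return sorted(ATTRIBUTE_NAMES.get(ch, "unknown(%s)" % ch) for ch in flags)

def find_locked_files(output):
    """Return {path: flags} for every entry that is immutable (i) or append-only (a)."""
    locked = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        path, flags = parse_lsattr_line(line)
        if flags & {"i", "a"}:
            locked[path] = flags
    return locked

# Constructed sample of `lsattr -R` output; not captured from a real system.
SAMPLE = """
----i----------- /etc/resolv.conf
-----a---------- /var/log/messages
---------------- /etc/hosts
--------------e- /home/john/notes.txt
"""

if __name__ == "__main__":
    for path, flags in find_locked_files(SAMPLE).items():
        print(path, "->", ", ".join(describe(flags)))
```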

 

 

chmod g+s, chmod o+t, chmod u+s

Source  https://blog.csdn.net/taiyang1987912/article/details/41121131

 

Description of the three special permissions: set uid, set gid and the sticky bit

Every file has an owner, which records who created the file. The file also has a group ID, which records the group the file belongs to; normally this is the group of the file's owner.

When an executable file is run, it normally has only the permissions of the user who invoked it. setuid and setgid change this.

setuid: makes the file run with the permissions of its owner. The typical example is /usr/bin/passwd: when an ordinary user executes it, the process gains root privileges for the duration of the run, so it can change the user's password.

setgid: this permission only has an effect on directories. Once a directory has this bit set, any file created in the directory by any user belongs to the same group as the directory.

sticky bit: this bit can be understood as an anti-deletion bit. Whether a user can delete a file depends mainly on whether the user has write permission on the directory containing the file. Without write permission, none of the files in that directory can be deleted, but no new files can be added either. If you want users to be able to add files but not delete them, use the sticky bit: once it is set, a user cannot delete the file even though they have write permission on the directory.

 

How to operate on these flags:

They are set with the same command as ordinary file permissions, chmod. There are two ways to do it.

1) Symbolic form:

chmod u+s temp     - add the setuid flag to the file temp (setuid is only meaningful on files)

chmod g+s tempdir  - add the setgid flag to the directory tempdir (setgid is only meaningful on directories)

chmod o+t temp     - add the sticky flag to the file temp (sticky is only meaningful on files)

2) Octal form. Ordinary file permissions are written as three octal digits, such as 666, 777 or 644. To set the special flags, add one more octal digit in front of these three, for example 4666 or 2777. The three bits of this extra digit mean:

abc

a - setuid bit. If this bit is 1, setuid is set.

b - setgid bit. If this bit is 1, setgid is set.

c - sticky bit. If this bit is 1, the sticky bit is set.

After setting these flags you can view them with ls -l. They are displayed in the position of the original execute flag, like this:

rwsrw-r--   setuid flag set

rwxrwsrw-   setgid flag set

rwxrw-rwt   sticky flag set

So where did the original execute flag x go? The system works like this: if the x bit was originally set, the special flag is shown as a lowercase letter (s, s, t); otherwise it is shown as an uppercase letter (S, S, T).

The three bits can be understood as follows:

     1       1       1
    rws     rws     rwt
   SUID    SGID   Sticky

So:

chmod 4777 sets SUID

chmod 2777 sets SGID

chmod 1777 sets the sticky bit

Common Operations

Find all dangerous directories (directories that everyone can read and write and that do not have the sticky bit set):

find / -perm -0007 -type d

Find all files with SUID set:

find / -perm -4000 -type f
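An added example, not from the original page, that implements the two checks above as an auditing function and goes one step further than the first find command: -perm -0007 matches every directory with rwx for others, whether or not the sticky bit is set, so the classifier below also requires the sticky bit to be absent before reporting a directory. The tree it runs on is constructed in a temporary directory (assumption: the script runs as a user who owns those files, so the mode bits can be set), and paths are reported relative to that root.

```python
import os
import stat
import tempfile

def classify(mode, is_dir):
    """Findings for one inode, following the two checks described in the text."""
    findings = []
    # World-writable directory that is missing the sticky bit: any user may
    # delete or rename other users' files in it.
    if is_dir and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("world-writable dir without sticky bit")
    # find / -perm -4000 -type f
    if not is_dir and mode & stat.S_ISUID:
        findings.append("setuid file")
    # setgid only matters on a file when it is group-executable.
    if not is_dir and mode & stat.S_ISGID and mode & stat.S_IXGRP:
        findings.append("setgid executable")
    return findings

def audit(root):
    """Walk `root` without following symlinks; return {relative path: [findings]}."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)            # lstat so symlinks are never followed
            if stat.S_ISLNK(st.st_mode):
                continue
            found = classify(st.st_mode, stat.S_ISDIR(st.st_mode))
            if found:
                results[os.path.relpath(path, root)] = found
    return results

def build_sample_tree():
    """Constructed sample layout in a fresh temporary directory (not a real system)."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    for name, mode in {"shared": 0o777, "tmp_like": 0o1777, "private": 0o755}.items():
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    for name, mode in {"passwd_like": 0o4755, "plain": 0o644}.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, findings in sorted(audit(build_sample_tree()).items()):
        print(rel, "->", "; ".join(findings))
```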

Supplement (Angelus):
SGID bit on files: files can also carry SGID. An executable file with SGID set runs with the privileges of the file's group, so any system resource the group may access can be used by it.

SGID bit on directories: when copying, the original group setting is kept only with the -p parameter.

The sticky bit, put simply, means that a file cannot be deleted or moved by other users even if they have write permission; only the file's owner can delete or move it.

The typical example is the system /tmp directory (temporary files), which prevents users from arbitrarily deleting other users' files.

SUID occupies the owner's x (execute) bit, SGID occupies the group's x bit, and the sticky bit occupies the others' x bit.

If the x permission is present, a lowercase s is shown; otherwise an uppercase S.

The special permissions are set with a fourth octal digit placed in front of the three digits for the basic permissions.

The leading octal digit means:

0: no special permission set
1: sticky only
2: SGID only
3: SGID and sticky
4: SUID only
5: SUID and sticky
6: SUID and SGID
7: all three
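The display rule (lowercase s/s/t when the x bit is also set, uppercase S/S/T when it is not) and the leading-octal-digit table above, worked as an added example that is not from the original page. It renders a mode exactly as ls -l does and decodes the leading digit, using only the stat module's standard bit constants; the modes it is run on are made up for illustration.

```python
import stat

# The three special bits, in the order of the leading octal digit's bits (a, b, c).
SPECIAL_NAMES = {stat.S_ISUID: "SUID", stat.S_ISGID: "SGID", stat.S_ISVTX: "Sticky"}

def special_bits(mode):
    """Names of the special bits set in `mode`, e.g. ['SUID', 'SGID'] for 6755."""
    return [name for bit, name in SPECIAL_NAMES.items() if mode & bit]

def leading_digit(mode):
    """The first digit of the four-digit octal form, e.g. 4 for 4755 (0 for 755)."""
    return (mode & 0o7000) >> 9

def mode_to_string(mode):
    """Render the 9-character permission field the way ls -l prints it.

    Each special bit replaces the x position of its own triplet: lowercase
    (s, s, t) when that x bit is also set, uppercase (S, S, T) when it is not.
    """
    triplets = [
        (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),  # owner
        (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),  # group
        (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),  # others
    ]
    out = []
    for r, w, x, special, letter in triplets:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            out.append(letter if mode & x else letter.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)

if __name__ == "__main__":
    # Illustrative modes only; 4755 is what /usr/bin/passwd typically carries,
    # 1777 is the usual mode of /tmp.
    for m in (0o4755, 0o4655, 0o2775, 0o1777, 0o1776, 0o7777):
        print("%04o  %s  %s" % (m, mode_to_string(m), "+".join(special_bits(m)) or "none"))
```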

 

chmod: change the permissions of a file or directory.

In the UNIX family of systems, the permissions of a file or directory are divided into three ordinary permissions (read, write and execute) plus three special permissions, combined with the scope of the owner and the owning group. The chmod command changes the permissions of files and directories, and accepts either symbolic or numeric notation. The permissions of a symbolic link cannot be changed; if you change the permissions of a symbolic link, the change is applied to the original file it links to. The permission scopes are written as follows:

  u: User, i.e. the owner of the file or directory.

  g: Group, i.e. the owning group of the file or directory.

  o: Other, i.e. everyone except the owner and the owning group of the file or directory.

  a: All, i.e. all users: the owner, the owning group and others.

  The permission codes are listed below:

  r: read permission, numeric code 4.

  w: write permission, numeric code 2.

  x: execute permission (or, for a directory, permission to enter it), numeric code 1.

  -: no permission at all, numeric code 0.

  s: special permission (setuid/setgid, described above), which changes how the permissions of the file or directory apply.

 

 

sudo configuration file /etc/sudoers

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

 

Modified version of the privilege lines, restricting which commands the admin and sudo groups may run:

%admin ALL=/usr/sbin/*,/sbin/*,/usr/bin/*,!/usr/sbin/user*,!/usr/bin/passwd,!/usr/bin/rm,!/usr/bin/ssh*,!/usr/sbin/visudo,!/usr/sbin/useradd,!/usr/sbin/userdel
%sudo  ALL=/usr/sbin/*,/sbin/*,/usr/bin/*,!/usr/sbin/user*,!/usr/bin/passwd,!/usr/bin/rm,!/usr/bin/ssh*,!/usr/sbin/visudo,!/usr/sbin/useradd,!/usr/sbin/userdel

 

===================== End

 

Origin www.cnblogs.com/lsgxeva/p/10969356.html