Linux permission management: special permissions

Special permissions

1. suid (4000)

SetUID (suid): the s is written onto the owner's execute permission bit.
If the owner already has execute permission on that bit, it is shown as a lowercase s.
If the owner has no execute permission on that bit, it is shown as an uppercase S.

Setting it:

chmod u+s filename
chmod 4755 filename

setuid summary:

1. Lets an ordinary user run an executable binary with the permissions of the file's owner for the lifetime of that process (for example /usr/bin/passwd runs as root so it can update /etc/shadow).
2. If suid is set but the owner has no execute permission, the bit is displayed as an uppercase S and has no effect.
3. suid only takes effect on executable binaries; on Linux the kernel ignores it on shell scripts, on other files and on directories.

2. sgid (2000)
[root@oldboyedu ~]# ll /bin/write 
-rwxr-sr-x. 1 root tty 19624 Oct 31  2018 /bin/write    

SetGID (sgid): the s is written onto the group's execute permission bit.
If the group already has execute permission on that bit, it is shown as a lowercase s.
If the group has no execute permission on that bit, it is shown as an uppercase S.
On an executable such as /bin/write above, the process runs with the file's group (tty) as its effective group, which is what lets write(1) open other users' terminal devices; on a directory, sgid controls group inheritance, described below.

Setting it:

[root@db04 ~]# chmod 2755 /tmp/test/
[root@db04 ~]# chmod g+s /tmp/test/

Effect:
1. On a directory it changes the group of newly created entries: files and subdirectories created inside get the directory's owning group instead of the creator's primary group.
2. Once a directory has sgid set, new files in it are no longer created with the creator's default group, and new subdirectories inherit the sgid bit, so the behaviour propagates down the tree.
3. sgid therefore makes it easy for several users to share all the files in one directory.

3. sbit (1000)

Sticky bit:

[root@oldboyedu ~]# ll -d /tmp/
drwxrwxrwt. 8 root root 105 Jul  2 10:15 /tmp/

If others already have execute permission on that bit, it is shown as a lowercase t.
If others have no execute permission on that bit, it is shown as an uppercase T.

Setting it:

[root@db04 ~]# chmod 1755 /opt
[root@db04 ~]# chmod o+t /opt

Note that with mode 1755 only root can create or delete entries in /opt anyway, so the sticky bit changes nothing there; it matters on directories that other users can write to, which is why the usual shared-directory mode is 1777, as on /tmp.

sticky bit: currently only meaningful on directories. Its effect is as follows:
An ordinary user with w and x on a directory can create files in it. Without the sticky bit, that same w permission also lets the user delete or rename every entry in the directory, including files created by other users. Once the sticky bit is set, a user with w can only delete or rename files they own themselves; apart from the file's owner, only the directory's owner and root may remove other users' files.

Note: /tmp on a standard system is the classic sticky-bit directory. Everyone can write to it, which is exactly why it is a security concern: it is a common first staging point for trojans and other tooling an attacker drops on a host.

Special permissions summary

  • 1. SUID
    Mainly set on commands (binary files): whoever executes the file runs it with the file owner's permissions. Example: passwd

  • 2. SGID
    Mainly set on directories, for example a shared directory

  • 3. SBIT
    Sticky bit: even when other users have w on the directory, only the file's owner (and root) can delete or move a file

An ordinary user zls belongs to the group oldboyedu.
A file has permissions: rwxrw-r-x root.oldboyedu filename1

zls's permissions on the file: rw- (zls is not the owner, so the group triad applies; the kernel checks owner, then group, then other, and uses the first class that matches, even if a later class would grant more)

r: read

w: write

x: execution

suid: 4000

sgid:2000

t:1000
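The following is an added example, not code from the original post: a small POSIX sh toolkit that decodes `ls -l` mode strings into the four-digit octal form used above (so s/S and t/T become the 4000/2000/1000 digit plus, for the lowercase forms, the plain execute bit), flags the combinations an auditor looks for (a suid or sgid bit without the matching execute bit, i.e. the uppercase S case, and a world-writable directory without the sticky bit), and lists real suid/sgid files with POSIX `find`. The function names, warning labels and sample mode strings are this example's own; the first two sample strings match the passwd and /bin/write listings in the text.

```shell
#!/bin/sh
# Added example: decode ls -l mode strings and audit the special bits.
# Pure POSIX sh; only list_special_files touches the real file system.

# mode_to_octal MODESTRING -> prints the 4-digit octal mode (-rwsr-xr-x -> 4755).
# Accepts the 10-char ls -l form (optionally followed by the SELinux "." or
# ACL "+" marker) or the bare 9-char rwx triad form.
mode_to_octal() {
    m=$1
    case $m in *[.+]) m=${m%?} ;; esac        # drop trailing SELinux/ACL marker
    case ${#m} in
        10) m=${m#?} ;;                       # strip the file-type char (d, -, l ...)
        9)  ;;
        *)  echo "mode_to_octal: bad mode '$1'" >&2; return 1 ;;
    esac
    special=0; digits=""; i=0
    while [ "$i" -lt 3 ]; do
        triad=${m%"${m#???}"}; m=${m#???}     # peel off the next rwx triad
        r=${triad%??}; rest=${triad#?}; w=${rest%?}; x=${rest#?}
        n=0
        if [ "$r" = r ]; then n=$((n + 4)); fi
        if [ "$w" = w ]; then n=$((n + 2)); fi
        # The execute slot carries the special bit: s/S in the owner (4) and
        # group (2) triads, t/T in the others triad (1). Lowercase means the
        # plain execute bit is set as well; uppercase means it is not.
        case "$x$i" in
            x?)    n=$((n + 1)) ;;
            s0|s1) n=$((n + 1)); special=$((special + (4 >> i))) ;;
            S0|S1) special=$((special + (4 >> i))) ;;
            t2)    n=$((n + 1)); special=$((special + 1)) ;;
            T2)    special=$((special + 1)) ;;
            -?)    ;;
            *)     echo "mode_to_octal: bad execute slot '$x' in '$1'" >&2; return 1 ;;
        esac
        digits="$digits$n"; i=$((i + 1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# mode_warnings MODESTRING -> prints space-separated findings, or "ok".
mode_warnings() {
    oct=$(mode_to_octal "$1") || return 1
    sp=${oct%???}; perm=${oct#?}
    o=${perm%??}; rest=${perm#?}; g=${rest%?}; w=${rest#?}
    case $1 in d*) dir=1 ;; *) dir=0 ;; esac
    out=""
    if [ $((sp & 4)) -ne 0 ]; then
        if [ "$dir" -eq 1 ]; then out="$out suid-on-directory(ignored)"
        elif [ $((o & 1)) -eq 0 ]; then out="$out suid-without-owner-exec(S,ineffective)"
        else out="$out suid-binary"
        fi
    fi
    if [ $((sp & 2)) -ne 0 ]; then
        if [ "$dir" -eq 1 ]; then out="$out sgid-dir(group-inherit)"
        elif [ $((g & 1)) -eq 0 ]; then out="$out sgid-without-group-exec(S,ineffective)"
        else out="$out sgid-binary"
        fi
    fi
    # Anyone can write here, but nothing stops users deleting each other's files.
    if [ "$dir" -eq 1 ] && [ $((w & 2)) -ne 0 ] && [ $((sp & 1)) -eq 0 ]; then
        out="$out world-writable-dir-without-sticky"
    fi
    out=${out# }
    printf '%s\n' "${out:-ok}"
}

# list_special_files DIR -> prints suid/sgid regular files under DIR.
# On a live host: list_special_files /   (diff the result against a known-good baseline)
list_special_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null
}

# Stand-alone demo on constructed mode strings (the first two match the
# /usr/bin/passwd and /bin/write listings discussed above).
for m in -rwsr-xr-x -rwxr-sr-x. drwxrwxrwt -rwSr--r-- drwxrwxrwx; do
    printf '%-12s %s  %s\n' "$m" "$(mode_to_octal "$m")" "$(mode_warnings "$m")"
done
```

`mode_warnings` deliberately reports an uppercase S as ineffective rather than dangerous: the kernel never honours suid on a file the owner cannot execute, so the finding is a misconfiguration to clean up, not an escalation path.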

Linux file attributes: chattr overview

chattr changes file-system attributes that sit above the rwx permission model; only root (more precisely, a process with CAP_LINUX_IMMUTABLE) can set or clear the i and a attributes.

chattr command format: [root@db04 ~]# chattr [+ - =] [options] filename-or-directory

lsattr: view the special attributes

chattr: set the special attributes

i: immutable. The file cannot be edited, modified, deleted, renamed or moved; it can only be read.

a: append-only. Content can only be appended to the file; it cannot be edited in place, truncated, deleted, renamed or moved; it can still be read.

These attributes apply to every user, including root; even root must remove the attribute before the file can be changed.

# options: + adds an attribute, - removes an attribute, = sets exactly the given attributes
# a: the file or directory may only be appended to
# i: the file or directory may not be changed in any way

# create the files and check their attributes
[root@zls ~]# touch file_a file_i
[root@zls ~]# lsattr file_a file_i
---------------- file_a
---------------- file_i

# set the attributes
[root@zls ~]# chattr +a file_a
[root@zls ~]# chattr +i file_i
[root@zls ~]# lsattr file_a file_i
-----a---------- file_a
----i----------- file_i

# a attribute: the file cannot be overwritten (truncated) or deleted
[root@zls ~]# echo "aa" > file_a
bash: file_a: Operation not permitted
[root@zls ~]# rm -f file_a
rm: cannot remove ‘file_a’: Operation not permitted

# a attribute: appending still works, which is what makes it suitable for log files
[root@zls ~]# echo "aa" >> file_a

# i attribute: no writes of any kind and no deletion
[root@zls ~]# echo "i" > file_i
bash: file_i: Permission denied
[root@zls ~]# echo "i" >> file_i
bash: file_i: Permission denied
[root@zls ~]# rm -f  file_i
rm: cannot remove ‘file_i’: Operation not permitted

# lift the restrictions
[root@zls ~]# chattr -a file_a
[root@zls ~]# chattr -i file_i
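An added example, not part of the original post: the i and a attributes are also a favourite of attackers who want to stop defenders from editing /etc/passwd, crontabs or /etc/ld.so.preload after a compromise, so it helps to read lsattr output mechanically. The functions below parse lsattr's `<flags> <path>` lines, classify them as immutable or append-only, and wrap a live check. The sample lines are constructed for the demo and the function names are this example's own; `audit_attrs` is the only part that touches the real system (reading attributes needs only read access to the file).

```shell
#!/bin/sh
# Added example: parse lsattr output and report files locked with chattr +i / +a.

# lsattr prints "<flags> <path>", e.g. "----i----------- /etc/passwd".
# attr_flags LINE -> prints the set flag letters ("i", "ia", "e" ...), or "-" if none.
# The flags field is walked character by character, so its width does not matter
# (older e2fsprogs print 16 columns, newer ones more).
attr_flags() {
    field=${1%% *}                        # first whitespace-separated field
    flags=""
    rest=$field
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}
        case $c in -) ;; *) flags="$flags$c" ;; esac
    done
    printf '%s\n' "${flags:--}"
}

# has_attr LINE LETTER -> exit 0 if that attribute letter is set
has_attr() {
    case $(attr_flags "$1") in *"$2"*) return 0 ;; esac
    return 1
}

# classify_line LINE -> immutable | append-only | immutable+append-only | plain
# Other flags (e for extents, etc.) are ignored: they carry no access restriction.
classify_line() {
    f=$(attr_flags "$1")
    case $f in
        *i*a*|*a*i*) echo immutable+append-only ;;
        *i*)         echo immutable ;;
        *a*)         echo append-only ;;
        *)           echo plain ;;
    esac
}

# audit_attrs FILE... -> runs lsattr on real paths and prints the locked ones.
# On a live host, for instance (paths are common persistence targets, chosen here
# as an illustration):
#   audit_attrs /etc/passwd /etc/shadow /etc/ld.so.preload /etc/crontab
audit_attrs() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        line=$(lsattr -d "$f" 2>/dev/null) || continue
        kind=$(classify_line "$line")
        [ "$kind" = plain ] || printf '%s: %s\n' "$f" "$kind"
    done
}

# Stand-alone demo on constructed lsattr lines (not captured from a real host).
for line in '----i----------- /etc/passwd' '-----a---------- /var/log/secure' \
            '--------------e- /etc/hostname'; do
    printf '%-32s flags=%s -> %s\n' "$line" "$(attr_flags "$line")" "$(classify_line "$line")"
done
```

An unexpected immutable bit on a file that normal administration writes to (password database, crontab, preload list) is worth treating as an incident indicator, since the only legitimate reason to lock such a file is a deliberate hardening decision that should be documented.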

Linux process mask: umask

How umask determines the permissions of new files

The default umask is 022. When we create a directory, the starting permission is 777; umask is the part to take away, so a new directory gets 777 - 022 = 755. Files work the same way starting from 666: 666 - 022 = 644. Strictly speaking the kernel does not subtract, it clears the bits that are set in the umask (mode & ~umask); the two agree for masks such as 022 and 002, but for a mask like 033 a new file gets 644, not 633.

Configuration files that set umask

/etc/bashrc

/etc/profile

~/.bashrc

~/.bash_profile

note:

Where umask applies

shell (vim, touch) --umask--> permissions of new files or directories
vsftpd --umask--> permissions of new files or directories
samba --umask--> permissions of new files or directories
useradd --umask--> the user's HOME directory

1. Creating a file in a shell process

// show the current user's umask
[root@zls ~]# umask
0022
[root@zls ~]# touch file0022
[root@zls ~]# mkdir dir0022
[root@zls ~]# ll -d file0022  dir0022/
drwxr-xr-x 2 root root 6 Jan 24 09:02 dir0022/
-rw-r--r-- 1 root root 0 Jan 24 09:02 file0022

2. Changing the shell umask (temporary, takes effect in the current shell only)

[root@zls ~]# umask 000
[root@zls ~]# mkdir dir000
[root@zls ~]# touch file000
[root@zls ~]# ll -d dir000 file000
drwxrwxrwx 2 root root 6 Jan 24 09:04 dir000
-rw-rw-rw- 1 root root 0 Jan 24 09:04 file000

3. Changing the shell umask permanently (not recommended)

[root@zls ~]# vim /etc/profile
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002
else
    umask 022
fi

This is the stock CentOS/RHEL logic: non-system accounts (UID above 199) whose primary group has the same name as the user, i.e. user private groups, get 002; everyone else, including root, gets 022.

// make it take effect in the current shell immediately
[root@zls ~]# source /etc/profile
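An added example, not from the original post, that goes one step beyond the 777 - 022 explanation above: the kernel applies umask as a bit mask (mode & ~umask), and the functions below compute that, compare it with plain subtraction to show where the two diverge, flag masks that leave group or other write, and create a throwaway file or directory under a given umask to read back the real mode. Function names are this example's own; the live check assumes GNU coreutils (`stat -c '%a'`) and `mktemp`.

```shell
#!/bin/sh
# Added example: how umask really combines with the base mode, plus a live check.

# apply_umask UMASK BASE -> the mode the kernel grants (BASE & ~UMASK), 3 octal digits.
# BASE is 666 for a regular file created by touch or a redirect, 777 for mkdir.
# The leading 0 makes the shell read both operands as octal.
apply_umask() {
    printf '%03o\n' $(( 0$2 & ~0$1 ))
}

# subtract_umask UMASK BASE -> the "777 - 022" shortcut from the text, for comparison.
# Correct only when every umask digit is <= the matching base digit (022, 002, 077 ...).
subtract_umask() {
    printf '%03o\n' $(( 0$2 - 0$1 ))
}

# umask_is_weak UMASK -> exit 0 if the mask leaves the write bit for group or others.
# Compared inside $(( )) so that 022 is treated as octal on both sides.
umask_is_weak() {
    [ $(( 0$1 & 022 )) -ne $(( 022 )) ]
}

# new_object_mode UMASK file|dir -> creates a throwaway object under that umask in a
# private temp dir and prints its real mode (GNU stat), then cleans up.
# The umask is set in a subshell so the caller's mask is untouched.
new_object_mode() {
    d=$(mktemp -d) || return 1
    ( umask "$1"
      if [ "$2" = dir ]; then mkdir "$d/obj"; else : > "$d/obj"; fi )
    mode=$(stat -c '%a' "$d/obj")
    rm -rf "$d"
    printf '%s\n' "$mode"
}

# Stand-alone demo: where subtraction and the real mask disagree.
for u in 022 002 033 027; do
    printf 'umask %s: file %s (subtraction says %s), dir %s' "$u" \
        "$(apply_umask "$u" 666)" "$(subtract_umask "$u" 666)" "$(apply_umask "$u" 777)"
    if umask_is_weak "$u"; then printf '  [group/other write allowed]'; fi
    printf '\n'
done
printf 'live check: file under 022 -> %s, dir under 027 -> %s\n' \
    "$(new_object_mode 022 file)" "$(new_object_mode 027 dir)"
```

On a hardened host 027 (or 077 for service accounts) is the usual choice: group-readable but never group- or world-writable, which is what `umask_is_weak` checks for.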

Origin www.cnblogs.com/1naonao/p/11123293.html