Third, file permissions and ownership

1. File permissions and ownership

Although everything in Linux is a file, files are not all of the same type, so the system uses different characters to distinguish them. The common ones are listed below.

  • -: normal file.
  • d: directory files.
  • l: link file.
  • b: block device file.
  • c: character device file.
  • p: pipe file.

In Linux, every file belongs to an owner and an owning group, and the file specifies which read (r), write (w) and execute (x) permissions the owner, the owning group and other users have on it. For ordinary files, permissions are easy to understand: "readable" means being able to read the actual contents of the file; "writable" means being able to edit, add to, modify or delete the actual contents of the file; "executable" means being able to run it as a script. For directory files, however, permissions are not so easy to understand. In fact, many experienced Linux users do not really understand them.

The read, write and execute permissions of a file can be abbreviated as rwx, and can also be represented by the numbers 4, 2 and 1 respectively. There is no association between the permissions of the file owner, the owning group and other users.

Character and Numeric representation of member privileges


The numeric representation of file permissions is calculated from the character representation (rwx) and is meant to simplify how permissions are written. For example, a permission of 7 means readable, writable and executable (4 + 2 + 1); a permission of 6 means readable and writable (4 + 2). Let's look at an example. Suppose there is a file whose owner has read, write and execute permissions, whose owning group has read and write permissions, and on which others have only read permission. The permissions of this file are rwxrw-r--, which is 764 in numeric notation. But do not add the three digits together to get 7 + 6 + 4 = 17: that is primary-school arithmetic, not how Linux represents permissions, and the three digits have no relationship with one another.

Linux file permissions are fairly complex but very widely used, so it is recommended that you understand them thoroughly before moving on to the next section. Now for some practice: convert the numbers 764, 642, 153 and 731 into their character representation, and then convert rwxrw-r--, rw--w--wx and rw-r--r-- into numeric notation.
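The conversion described above, written out as an added example (not code from the original page). It goes beyond the three digits in the text and also handles the fourth, special-permission digit and its s/S/t/T letters, which this page introduces in the next section; the function names sym_to_octal and octal_to_sym are hypothetical.

```shell
#!/bin/sh
# Added example: convert between the character and numeric notations.

# sym_to_octal PERMS -> four-digit mode, e.g. "rwxrw-r--" -> 0764
# PERMS is either the nine permission characters alone or the whole first
# field of "ls -l" (type character first, optional "." or "+" last).
sym_to_octal() {
    s=$1
    case ${#s} in
        9) ;;
        10|11) s=${s#?} ;;                    # drop the file-type character
        *) echo "bad permission string: $1" >&2; return 1 ;;
    esac
    s=$(printf '%s' "$s" | cut -c1-9)         # drop a trailing "." or "+"
    special=0 digits="" start=1
    for flag in 4 2 1; do   # 4 = SUID (owner), 2 = SGID (group), 1 = SBIT (others)
        triple=$(printf '%s' "$s" | cut -c"$start"-"$((start + 2))")
        d=0
        case $triple in r??) d=$((d + 4)) ;; -??) ;; *) return 1 ;; esac
        case $triple in ?w?) d=$((d + 2)) ;; ?-?) ;; *) return 1 ;; esac
        case $flag:$triple in
            ?:??x) d=$((d + 1)) ;;
            ?:??-) ;;
            [42]:??s|1:??t) d=$((d + 1)); special=$((special + flag)) ;;  # x present
            [42]:??S|1:??T) special=$((special + flag)) ;;                # x absent
            *) return 1 ;;
        esac
        digits=$digits$d
        start=$((start + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}

# octal_to_sym MODE -> nine permission characters, e.g. 764 -> rwxrw-r--
# MODE is three digits (rwx only) or four (special digit first).
octal_to_sym() {
    m=$1
    case $m in
        [0-7][0-7][0-7]) m=0$m ;;
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "bad numeric mode: $1" >&2; return 1 ;;
    esac
    special=${m%???} out=""
    for flag in 4 2 1; do
        m=${m#?}                 # advance to this class's digit
        d=${m%"${m#?}"}          # first remaining character
        [ $((d & 4)) -ne 0 ] && r=r || r=-
        [ $((d & 2)) -ne 0 ] && w=w || w=-
        [ $((d & 1)) -ne 0 ] && x=x || x=-
        if [ $((special & flag)) -ne 0 ]; then
            case $flag:$x in
                1:x) x=t ;; 1:-) x=T ;;      # sticky bit on "others"
                ?:x) x=s ;; ?:-) x=S ;;      # SUID / SGID
            esac
        fi
        out=$out$r$w$x
    done
    printf '%s\n' "$out"
}

# Permission fields as they appear in the listings on this page.
for perm in rwxrw-r-- -rwsr-xr-x. drwxrwsrwx. drwxrwxrwt.; do
    printf '%-12s -> %s\n' "$perm" "$(sym_to_octal "$perm")"
done
printf '%-12s -> %s\n' 760 "$(octal_to_sym 760)"
```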

A file listing contains the file type, access permissions, owner, owning group, size on disk, modification time, file name and other information. Reading this one, the file is a regular file, the owner has read and write permission (rw-), the owning group has read permission (r--), everyone else also has only read permission (r--), the file occupies 34298 bytes on disk, it was last modified in the early morning of April 2, at 23 minutes past the hour, and the file name is install.log.

2. Special file permissions

In production environments, setting rwx permissions alone cannot meet our needs for security and flexibility, which is why the special permission bits SUID, SGID and SBIT exist. They are a special file-permission feature that can be used together with the ordinary permissions to provide functions the ordinary permissions cannot. The three special permission bits and their usage are explained in detail below.

1. SUID

SUID is a special permission set on binary programs that lets whoever executes the binary temporarily hold the permissions of its owner (it only takes effect on binary programs that have execute permission). For example, every user can run the passwd command to change their own password, and user passwords are stored in the /etc/shadow file. A closer look at this file shows that its default permissions are 000, meaning that no user except the root administrator has permission to view or edit it. However, because the passwd command carries the SUID special permission bit, an ordinary user running it temporarily obtains the identity of the program's owner and can write the changed password information to the shadow file. This is much like the imperial envoy holding the emperor's sword in a costume drama: the sword he holds represents the emperor's authority, so he can punish corrupt officials, but that does not mean he has permanently become emperor. So this is only a conditional, temporary way of granting special privileges.

Looking at the attributes of the passwd command, the owner's permission has changed from rwx to rws; the x changing to s means that the file has been given the SUID permission. Some readers will wonder what happens if the original permission was rw-. If there was no x execute permission in that position originally, the bit becomes a capital S once the special permission is given.

[root@linuxprobe ~]# ls -l /etc/shadow
----------. 1 root root 1004 Jan 3 06:23 /etc/shadow
[root@linuxprobe ~]# ls -l /bin/passwd
-rwsr-xr-x. 1 root root 27832 Jan 29 2017 /bin/passwd

2. SGID

SGID provides the following two main functions:

  • Let the executor temporarily hold the permissions of the owning group (set on binary programs that have execute permission);
  • Make files created in a directory automatically inherit the directory's user group (can only be set on directories).

The first function is modelled on SUID; the difference is that the user executing the program no longer temporarily obtains the permissions of the file's owner but those of the file's owning group. For example, in early Linux systems, /dev/kmem was a character device file used to store the data the kernel needs to access, with these permissions:

cr--r----- 1 root system 2, 1 Feb 11 2017 kmem

Do you see the problem? Apart from the root administrator and members of the system group, no user has permission to read this file. Since we normally need to view the state of the system's processes, the SGID special permission bit can be added to the ps command file, which is used to view process status, so that it can obtain process status information. The attributes of the ps command file:

-r-xr-sr-x 1 bin system 59346 Feb 11 2017 ps

Thus, since the ps command has the SGID special permission bit, a user who executes it temporarily obtains the permissions of the system group and can read the device file successfully.

Every file has an owner and an owning group. When a file is created or transferred, it is automatically attributed to the user who performed the operation (that is, that user becomes the file's owner). If you now need to set up a shared directory for a department so that everyone in the department can read its contents, you can create the department's shared directory and set the SGID special permission bit on it. Any file created in it by anyone in the department will then belong to the directory's group rather than to the creator's own basic user group. Here we are using the second function of SGID: files created in a directory automatically inherit the directory's user group (can only be set on directories).

[root@linuxprobe ~]# cd /tmp
[root@linuxprobe tmp]# mkdir testdir
[root@linuxprobe tmp]# ls -ald testdir/
drwxr-xr-x. 2 root root 6 Feb 11 11:50 testdir/
[root@linuxprobe tmp]# chmod -Rf 777 testdir/
[root@linuxprobe tmp]# chmod -Rf g+s testdir/
[root@linuxprobe tmp]# ls -ald testdir/
drwxrwsrwx. 2 root root 6 Feb 11 11:50 testdir/

After setting the directory's permissions to 777 with the commands above (to make sure ordinary users can write files into it) and setting the SGID special permission bit on it, you can switch to an ordinary user, try to create a file in the directory, and check whether the newly created file inherits the group of the directory it is in:

[root@linuxprobe tmp]# su - linuxprobe
Last login: Wed Feb 11 11:49:16 CST 2017 on pts/0
[linuxprobe@linuxprobe ~]$ cd /tmp/testdir/
[linuxprobe@linuxprobe testdir]$ echo "linuxprobe.com" > test
[linuxprobe@linuxprobe testdir]$ ls -al test
-rw-rw-r--. 1 linuxprobe root 15 Feb 11 11:50 test

Besides the two SGID functions described above, we will introduce two commands related to this section: chmod and chown.

The chmod command is very useful for setting the permissions of a file or directory; its format is "chmod [parameters] permissions file-or-directory-name". To make a file readable, writable and executable by its owner, readable and writable by its owning group, and inaccessible to everyone else, the character representation is rwxrw----, and the corresponding numeric representation is 760. Building on the earlier exercises and this one, you can now feel how convenient it is to set file permissions with the numeric method.

[root@linuxprobe ~]# ls -al test
-rw-rw-r--. 1 linuxprobe root 15 Feb 11 11:50 test
[root@linuxprobe ~]# chmod 760 test
[root@linuxprobe ~]# ls -l test
-rwxrw----. 1 linuxprobe root 15 Feb 11 11:50 test

Besides the permissions of a file or directory, you can also set its owner and owning group; the command for this is chown, with the format "chown [parameters] owner:owning-group file-or-directory-name".

chmod and chown are the most commonly used commands for modifying file attributes and permissions. They also share one particular feature: when operating on a directory, add the capital -R parameter to operate recursively, that is, on all the files inside the directory as a whole.

[root@linuxprobe ~]# ls -l test
-rwxrw----. 1 linuxprobe root 15 Feb 11 11:50 test
[root@linuxprobe ~]# chown root:bin test
[root@linuxprobe ~]# ls -l test
-rwxrw----. 1 root bin 15 Feb 11 11:50 test

3. SBIT

Many university teachers now require students to upload their assignments to a particular shared directory on a server, but there are always a few "saboteurs" who like to delete other students' assignments. This is when the SBIT (Sticky Bit) special permission bit should be set. The SBIT special permission bit ensures that users can delete only their own files and not other users' files. In other words, once SBIT is set on a directory, a file in that directory can be deleted only by its owner.

It is not known which non-specialist first translated Sticky Bit literally as "sticky bit"; teacher Trent Liu suggested calling it the "protection bit", which is easier to remember and makes its purpose immediately clear. On RHEL 7, the /tmp directory, which is a shared file directory, has the SBIT special permission bit set by default, so unless you are the owner of the directory, you cannot delete the files inside it.

Unlike the display of the SUID and SGID permissions described earlier, when the SBIT special permission bit is set on a directory, the x execute position in the "others" part of the permissions is replaced by t or T: where there was x execute permission it is written as t, and where there was no x execute permission it is written as T.

[root@linuxprobe tmp]# su - linuxprobe
Last login: Wed Feb 11 12:41:20 CST 2017 on pts/0
[linuxprobe@linuxprobe tmp]$ ls -ald /tmp
drwxrwxrwt. 17 root root 4096 Feb 11 13:03 /tmp
[linuxprobe@linuxprobe ~]$ cd /tmp
[linuxprobe@linuxprobe tmp]$ ls -ald
drwxrwxrwt. 17 root root 4096 Feb 11 13:03 .
[linuxprobe@linuxprobe tmp]$ echo "Welcome to linuxprobe.com" > test
[linuxprobe@linuxprobe tmp]$ chmod 777 test
[linuxprobe@linuxprobe tmp]$ ls -al test 
-rwxrwxrwx. 1 linuxprobe linuxprobe 10 Feb 11 12:59 test

In fact, whether a file can be deleted does not depend on the file's own permissions but on whether the user has write permission on the directory it is in (the principle is covered in the next chapter). To put readers' minds at ease, the commands above give the test file the maximum permission, 777 (rwxrwxrwx). Switch to another ordinary user and try to delete this file created by someone else: even though read, write and execute permissions are all open, the file still cannot be deleted because of the SBIT special permission bit:

[root@linuxprobe tmp]# su - blackshield
Last login: Wed Feb 11 12:41:29 CST 2017 on pts/1
[blackshield@linuxprobe ~]$ cd /tmp
[blackshield@linuxprobe tmp]$ rm -f test
rm: cannot remove ‘test’: Operation not permitted

Of course, to set the SBIT special permission bit on other directories, just use the chmod command. The corresponding parameter o+t sets the SBIT sticky bit permission:

[blackshield@linuxprobe tmp]$ exit
Logout
[root@linuxprobe tmp]# cd ~
[root@linuxprobe ~]# mkdir linux
[root@linuxprobe ~]# chmod -R o+t linux/
[root@linuxprobe ~]# ls -ld linux/
drwxr-xr-t. 2 root root 6 Feb 11 19:34 linux/
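An added example (not from the original page) that lists where the three special permission bits described in this section are set under a directory, and which world-writable directories lack SBIT. The function names, the output tags and the temporary demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list where the special permission bits are set under a directory.

# audit_special_bits DIR
# One finding per line, "<TAG> <path>":
#   SUID         file that runs with its owner's identity         (rws / rwS)
#   SGID         file that runs with its owning group's identity  (r-s / r-S)
#   SGID-DIR     directory whose new files inherit its group
#   WW-NOSTICKY  directory anyone can write to but without SBIT, so any
#                user can delete other users' files in it
audit_special_bits() {
    dir=$1
    {
        find "$dir" -xdev -type f -perm -4000 -print | sed 's/^/SUID /'
        find "$dir" -xdev -type f -perm -2000 -print | sed 's/^/SGID /'
        find "$dir" -xdev -type d -perm -2000 -print | sed 's/^/SGID-DIR /'
        find "$dir" -xdev -type d -perm -0002 ! -perm -1000 -print |
            sed 's/^/WW-NOSTICKY /'
    } 2>/dev/null | sort
}

# make_demo_tree: build a small constructed tree to audit and print its path.
make_demo_tree() {
    t=$(mktemp -d)
    : > "$t/helper";   chmod 4755 "$t/helper"    # SUID file (empty, for the demo)
    : > "$t/plain";    chmod 0644 "$t/plain"     # ordinary file
    mkdir "$t/dept";   chmod 2775 "$t/dept"      # department directory with SGID
    mkdir "$t/upload"; chmod 0777 "$t/upload"    # writable by all, no SBIT
    mkdir "$t/shared"; chmod 1777 "$t/shared"    # writable by all, SBIT like /tmp
    printf '%s\n' "$t"
}

tree=$(make_demo_tree)
audit_special_bits "$tree"
rm -rf "$tree"

# On a real system, run it as root so that every directory can be read:
#   audit_special_bits /
```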

3. Hidden file attributes

Besides ordinary and special permissions, files in Linux also have a hidden permission, which by default the user cannot see directly. In production environments and in the RHCE exam, users sometimes run into a file they cannot delete even though their permissions are clearly sufficient, or a log file to which they can only append and whose content they cannot modify or delete. This to some extent stops attackers from tampering with the system logs, so these "strange" files also protect the security of the Linux system.

1. chattr command

The chattr command sets the hidden permissions of a file; its format is "chattr [parameters] file". To add a hidden attribute to a file, append "+parameter" to the command; to remove a hidden attribute from a file, append "-parameter". chattr offers a rich choice of hidden-permission parameters, shown in Table 5-6.

Table 5-6 Parameters of the chattr command for hidden permissions and what they do

parameter  effect
i  The file cannot be modified; if set on a directory, only the contents of the files inside it can be modified, and files cannot be created or deleted
a  Only appending content is allowed; content cannot be overwritten or deleted (Append Only)
S  Changes to the file's content are synchronized to the hard disk immediately (sync)
s  The file is deleted from the hard disk completely and cannot be recovered (the disk area of the original file is filled with zeros)
A  The last access time (atime) of the file or directory is no longer modified
b  The access time of the file or directory is no longer modified
D  Check for errors in compressed files
d  The file or directory is ignored when backing up with the dump command
c  The file or directory is compressed by default
u  The file's data is kept on the hard disk after the file is deleted, for later recovery
t  Let the file system support tail-merging
x  The contents of compressed files can be accessed directly

To give readers a better sense of what hidden permissions do, let's first create an ordinary file and then immediately try to delete it (this operation will certainly succeed):

[root@linuxprobe ~]# echo "for Test" > linuxprobe
[root@linuxprobe ~]# rm linuxprobe
rm: remove regular file ‘linuxprobe’? y

Practice is the sole criterion for testing truth. Unless you have witnessed the power of hidden permissions yourself, you will not believe that Linux can be this secure. Next we create an ordinary file again, set the permission that forbids deleting and overwriting it (the +a parameter), and then try to delete the file:

[root@linuxprobe ~]# echo "for Test" > linuxprobe
[root@linuxprobe ~]# chattr +a linuxprobe
[root@linuxprobe ~]# rm linuxprobe
rm: remove regular file ‘linuxprobe’? y
rm: cannot remove ‘linuxprobe’: Operation not permitted

As you can see, the operation failed.

2. lsattr command

The lsattr command displays the hidden permissions of a file; its format is "lsattr [parameters] file". In Linux, a file's hidden permissions can only be viewed with the lsattr command; the usual ls command shows no sign of them:

[root@linuxprobe ~]# ls -al linuxprobe
-rw-r--r--. 1 root root 9 Feb 12 11:42 linuxprobe

Once the lsattr command is used, the hidden permissions given to the file become visible. You can then remove them with the chattr command according to the type of hidden permission displayed (the letter):

[root@linuxprobe ~]# lsattr linuxprobe
-----a---------- linuxprobe
[root@linuxprobe ~]# chattr -a linuxprobe
[root@linuxprobe ~]# lsattr linuxprobe 
---------------- linuxprobe
[root@linuxprobe ~]# rm linuxprobe 
rm: remove regular file ‘linuxprobe’? y

4. File access control lists

You may have noticed that the ordinary permissions, special permissions and hidden permissions explained so far have one thing in common: they are set for a class of users. To control access for one specified user individually, you need file access control lists (ACLs). In plain terms, setting an ACL on an ordinary file or directory means setting the permissions with which a specified user or user group may operate on that file or directory. In addition, if an ACL is set on a directory, the files in the directory inherit its ACL; if an ACL is set on a file, the file no longer inherits the ACL of the directory it is in.

To see more directly how powerfully ACLs control file permissions, let's switch to an ordinary user and try to enter the root administrator's home directory. Before an ACL is set on the root administrator's home directory for the ordinary user, the result is as follows:

[root@linuxprobe ~]# su - linuxprobe
Last login: Sat Mar 21 16:31:19 CST 2017 on pts/0
[linuxprobe@linuxprobe ~]$ cd /root
-bash: cd: /root: Permission denied
[linuxprobe@linuxprobe root]$ exit

1. setfacl command

The setfacl command manages the ACL rules of files; its format is "setfacl [parameters] file-name". An ACL provides special permission control beyond the read/write/execute permissions of the owner, the owning group and others; with the setfacl command, read/write/execute permissions can be controlled for a single user or user group on a single file or directory. For directory files, the recursive -R parameter is needed; for ordinary files, the -m parameter is used; to delete a file's ACL, use the -b parameter. Let's set the user's permissions on the /root directory:

[root@linuxprobe ~]# setfacl -Rm u:linuxprobe:rwx /root
[root@linuxprobe ~]# su - linuxprobe
Last login: Sat Mar 21 15:45:03 CST 2017 on pts/1
[linuxprobe@linuxprobe ~]$ cd /root
[linuxprobe@linuxprobe root]$ ls
anaconda-ks.cfg Downloads Pictures Public
[linuxprobe@linuxprobe root]$ cat anaconda-ks.cfg
[linuxprobe@linuxprobe root]$ exit

Isn't that a cool effect? But there is now a small question: how do you see which files have an ACL? The commonly used ls command does not show ACL information, but you can see that the last dot (.) of the file's permissions has become a plus sign (+), which means an ACL has been set on the file. Doesn't it feel as though the more you learn about Linux, the less you dare claim to be proficient in it? Even a dot (.) this inconspicuous turns out to represent such an important permission.

[root@linuxprobe ~]# ls -ld /root
dr-xrwx---+ 14 root root 4096 May 4 2017 /root

2. getfacl command

The getfacl command displays the ACL information set on a file; its format is "getfacl file-name". Linux commands are just this cute and easy to remember: to set an ACL, use the setfacl command; to view an ACL, use the getfacl command. The getfacl command below displays all the ACL information set on the root administrator's home directory.

[root@linuxprobe ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
user:linuxprobe:rwx
group::r-x
mask::rwx
other::---

5. The su command and the sudo service

The su command meets the need to switch user identity, letting the current user switch smoothly to another user without logging out, for example from the root administrator to an ordinary user:

[root@linuxprobe ~]# id 
uid=0(root) gid=0(root) groups=0(root)
[root@linuxprobe ~]# su - linuxprobe
Last login: Wed Jan 4 01:17:25 EST 2017 on pts/0
[linuxprobe@linuxprobe ~]$ id 
uid=1000(linuxprobe) gid=1000(linuxprobe) groups=1000(linuxprobe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Careful readers will notice the minus sign (-) between the su command and the user name above. It means switching completely to the new user, that is, the environment variables are also changed to those of the new user instead of keeping the original ones. Adding the minus sign (-) when switching user identity is strongly recommended.

Also, switching from the root administrator to an ordinary user requires no password verification, whereas switching from an ordinary user to the root administrator does; this is a necessary security check:

[linuxprobe@linuxprobe root]$ su root
Password:
[root@linuxprobe ~]# su - linuxprobe
Last login: Mon Aug 24 19:27:09 CST 2017 on pts/0
[linuxprobe@linuxprobe ~]$ exit
logout
[root@linuxprobe ~]#

Although an ordinary user can switch completely to the root administrator with the su command as above to do the work required, doing so exposes the root administrator's password, which increases the chance of the system password being obtained by attackers; this is not the most secure approach.

The sudo command gives ordinary users additional permissions to carry out tasks that originally only the root administrator could complete; its format is "sudo [parameters] command-name".

Parameters available in the sudo service and what they do

parameter  effect
-h  List help information
-l  List the commands the current user may execute
-u username or UID  Execute the command as the specified user
-k  Clear the validity period of the password; password authentication is required again the next time sudo is run
-b  Execute the specified command in the background
-p  Change the password prompt

In conclusion, the sudo command has the following functions:

  • Restricts users to executing specified commands;
  • Records every command a user executes;
  • The configuration file (/etc/sudoers) provides centralized management of users, permissions, hosts and other parameters;
  • After a password has been verified, the user does not need to verify it again within 5 minutes (by default).

Of course, if you are worried about making mistakes when editing the configuration file directly, you can use the visudo command that sudo provides to configure user permissions. While permissions are being configured, this command prevents several users from modifying the sudoers configuration file at the same time; it also checks the syntax of the parameters in the configuration file and reports an error when it finds one.

Only the root administrator can use the visudo command to edit the configuration file of the sudo service.

visudo: >>> /etc/sudoers: syntax error near line 111 <<<
What now?
Options are:
(e)dit sudoers file again
(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)

When configuring the sudo command's configuration file with visudo, the operation is the same as in the Vim editor, so remember to save and exit in last-line mode when you finish. In the sudo configuration file, fill in the specified information at (about) line 99 in the following format:

who may use it   hosts allowed=(as which identity)   list of executable commands

[root@linuxprobe ~]# visudo
 96 ##
 97 ## Allow root to run any commands anywhere
 98 root ALL=(ALL) ALL
 99 linuxprobe ALL=(ALL) ALL

After filling it in, remember to save before you exit. Then switch to the specified ordinary user, and you can use the sudo -l command to see all the commands that user may execute (the password verified by the command below is the ordinary user's, not the root administrator's; do not confuse them):

[root@linuxprobe ~]# su - linuxprobe
Last login: Thu Sep 3 15:12:57 CST 2017 on pts/1
[linuxprobe@linuxprobe ~]$ sudo -l
[sudo] password for linuxprobe: (enter the linuxprobe user's password here)
Matching Defaults entries for linuxprobe on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User linuxprobe may run the following commands on this host:
(ALL) ALL

Now for the moment of truth! As an ordinary user you certainly cannot view the files in the root administrator's home directory (/root), but all you need to do is put the sudo command in front of the command you want to run:

[linuxprobe@linuxprobe ~]$ ls /root
ls: cannot open directory /root: Permission denied
[linuxprobe@linuxprobe ~]$ sudo ls /root
anaconda-ks.cfg Documents initial-setup-ks.cfg Pictures Templates
Desktop Downloads Music Public Videos

The effect is immediate! But in a production environment, ordinary users must not be allowed the highest privilege of executing every command on the system (that would not be in line with the previously mentioned principle of granting permissions: give as little authority as possible), so the ALL parameter is not really appropriate. Ordinary users should be given only the specific commands they need for their work, which also puts the necessary constraints on their permissions. If you need to let a user run a specified command as the root administrator, remember to give the absolute path of the command, otherwise the system will not recognize it. We can first use the whereis command to find where the command is stored, and then change the user permission parameter on line 99 of the configuration file to that path:

[linuxprobe@linuxprobe ~]$ exit
logout
[root@linuxprobe ~]# whereis cat
cat: /usr/bin/cat /usr/share/man/man1/cat.1.gz /usr/share/man/man1p/cat.1p.gz
[root@linuxprobe ~]# visudo
 96 ##
 97 ## Allow root to run any commands anywhere
 98 root ALL=(ALL) ALL
 99 linuxprobe ALL=(ALL) /usr/bin/cat

After editing, again save and then exit. Switch to the specified ordinary user again and try to view the contents of a file in the normal way: the system reports that you do not have permission. Using the sudo command then views the contents of the file successfully:

[root@linuxprobe ~]# su - linuxprobe
Last login: Thu Sep 3 15:51:01 CST 2017 on pts/1
[linuxprobe@linuxprobe ~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied
[linuxprobe@linuxprobe ~]$ sudo cat /etc/shadow
root:$6$GV3UVtX4ZGg6ygA6$J9pBuPGUSgZslj83jyoI7ThJla9ZAULku3BcncAYF00Uwk6Sqc4E36MnD1hLtlG9QadCpQCNVJs/5awHd0/pi1:16626:0:99999:7:::
bin:*:16141:0:99999:7:::
daemon:*:16141:0:99999:7:::
adm:*:16141:0:99999:7:::
lp:*:16141:0:99999:7:::
sync:*:16141:0:99999:7:::
shutdown:*:16141:0:99999:7:::
halt:*:16141:0:99999:7:::
mail:*:16141:0:99999:7:::
operator:*:16141:0:99999:7:::
games:*:16141:0:99999:7:::
ftp:*:16141:0:99999:7:::
nobody:*:16141:0:99999:7:::
……………… part of the file content omitted ………………

You may have noticed that the password has to be verified every time the sudo command is run. Although the password required is now that of the currently logged-in user, having to type a password for every sudo command is still rather troublesome. In that case you can add the NOPASSWD parameter so that the user can run sudo commands without entering a password:

[linuxprobe@linuxprobe ~]$ exit
logout
[root@linuxprobe ~]# whereis poweroff
poweroff: /usr/sbin/poweroff /usr/share/man/man8/poweroff.8.gz
[root@linuxprobe ~]# visudo
 96 ##
 97 ## Allow root to run any commands anywhere
 98 root ALL=(ALL) ALL
 99 linuxprobe ALL=NOPASSWD: /usr/sbin/poweroff

This way, after switching to the ordinary user, running the command no longer requires frequent password verification, which makes daily work a great deal more pleasant.

[root@linuxprobe ~]# su - linuxprobe
Last login: Thu Sep 3 15:58:31 CST 2017 on pts/1
[linuxprobe@linuxprobe ~]$ poweroff
User root is logged in on seat0.
Please retry operation after closing inhibitors and logging out other users.
Alternatively, ignore inhibitors and users with 'systemctl poweroff -i'.
[linuxprobe@linuxprobe ~]$ sudo poweroff
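
An added example (not from the original page and not part of sudo) that checks rules of the form edited on line 99 above for the grants the text discusses: ALL commands, NOPASSWD, and commands not given by absolute path. The function names, the output tags and the sample rules are constructed for illustration; the blackshield line is a constructed rule with a relative command.

```shell
#!/bin/sh
# Added example: flag broad grants in sudoers-style rules.

# lint_sudoers  (reads rules on stdin)
# Handles only the single-line form used on this page:
#     who  host=(run-as)  [NOPASSWD:] command[, command ...]
# Aliases, Defaults and included files are skipped, not interpreted.
# Output: "<TAG>:<line>:<who>:<command>"
lint_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/           { next }   # comments, blank lines
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }   # not user rules
        !/=/                               { next }
        $1 == "root"                       { next }   # the stock root entry
        {
            who = $1
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)            # drop "who host="
            sub(/^\([^)]*\)[ \t]*/, "", spec)         # drop "(run-as)"
            nopass = (spec ~ /NOPASSWD:/)
            gsub(/NOPASSWD:[ \t]*/, "", spec)
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                sub(/^[ \t]+/, "", c); sub(/[ \t]+$/, "", c)
                if (c == "ALL")                        # every command on the system
                    print "ALL-COMMANDS:" NR ":" who ":" c
                else if (c !~ /^\//)                   # not an absolute path
                    print "NOT-ABSOLUTE:" NR ":" who ":" c
                if (nopass)                            # runs without a password
                    print "NOPASSWD:" NR ":" who ":" c
            }
        }
    '
}

# sample_rules: constructed input built from the three line-99 variants
# shown on this page, plus one rule with a relative command name.
sample_rules() {
    cat <<'EOF'
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
linuxprobe ALL=(ALL) ALL
linuxprobe ALL=(ALL) /usr/bin/cat
linuxprobe ALL=NOPASSWD: /usr/sbin/poweroff
blackshield ALL=(ALL) cat
EOF
}

sample_rules | lint_sudoers
```

On a real system the input would be the sudoers file itself, read as root: `lint_sudoers < /etc/sudoers`. It complements the syntax check that visudo performs and does not replace it.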

Origin www.cnblogs.com/dyanbk/p/11258228.html