Day 6: users, groups, permissions, grep
Permission summary table
Operation | Source directory permissions | File permissions | Target directory permissions |
---|---|---|---|
rm delete a file | wx | - | - |
mv rename | wx | - | - |
mv move a file | wx | r | wx |
cp copy a file | x | r | wx |
> create a file | wx | - | - |
>> append to a file | x | w | - |
> overwrite file contents | x | w | - |
vim edit | x | rw | - |
execute a binary | x | x | - |
execute a shell script | x | rx | - |
Knowledge points: useradd, getent, restoring a home directory, adding and removing supplementary groups, file and directory permissions, the minimum permissions needed to copy a file, umask, the Linux special permissions SUID, SGID and sticky bit; Linux special attributes (chattr, lsattr); ACL permissions; the order in which file access permissions are evaluated.
Users and groups
View the install scriptlets of the httpd package
[root@centos7 ~]# rpm -q --scripts httpd
preinstall scriptlet (using /bin/sh):
# Add the "apache" group and user
/usr/sbin/groupadd -g 48 -r apache 2> /dev/null || :
/usr/sbin/useradd -c "Apache" -u 48 -g apache \
-s /sbin/nologin -r -d /usr/share/httpd apache 2> /dev/null || :
postinstall scriptlet (using /bin/sh):
if [ $1 -eq 1 ] ; then
# Initial installation
systemctl preset httpd.service htcacheclean.service >/dev/null 2>&1 || :
fi
preuninstall scriptlet (using /bin/sh):
if [ $1 -eq 0 ] ; then
# Package removal, not upgrade
systemctl --no-reload disable httpd.service htcacheclean.service > /dev/null 2>&1 || :
systemctl stop httpd.service htcacheclean.service > /dev/null 2>&1 || :
fi
postuninstall scriptlet (using /bin/sh):
systemctl daemon-reload >/dev/null 2>&1 || :
# Trigger for conversion from SysV, per guidelines at:
# https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Systemd
posttrans scriptlet (using /bin/sh):
test -f /etc/sysconfig/httpd-disable-posttrans || \
/bin/systemctl try-restart httpd.service htcacheclean.service >/dev/null 2>&1 || :
/usr/sbin/groupadd -g 48 -r apache 2> /dev/null
groupadd creates a group: -g sets the GID, -r makes it a system group, and apache is the group name. 2> /dev/null discards any error message.
/usr/sbin/useradd -c "Apache" -u 48 -g apache -s /sbin/nologin -r -d /usr/share/httpd apache 2> /dev/null
useradd creates a user: -c "Apache" is the comment (GECOS) field, -u 48 sets the UID, -g apache sets the primary group, -s /sbin/nologin sets the login shell (the account cannot log in interactively), -r makes it a system account, -d /usr/share/httpd sets the home directory, and 2> /dev/null discards any error message.
Creating a user on Ubuntu: useradd -ms /bin/bash zhangsan. On Ubuntu, useradd does not create a home directory by default, so add -m; the default shell is sh, so specify bash with -s /bin/bash.
useradd -r -s /sbin/nologin mysql
Creates a system user mysql whose shell is /sbin/nologin.
Changing passwords:
1. passwd --stdin (not supported on Ubuntu)
[root@centos7 ~]# echo 123 | passwd --stdin alice
更改用户 alice 的密码 。
passwd:所有的身份验证令牌已经成功更新。
2. chpasswd (works on both Ubuntu and CentOS)
chpasswd can also change passwords in batch.
[root@centos7 ~]# echo alice:123 | chpasswd
3. passwd -q (universal)
[root@centos7 ~]# echo -e "123\n123" | passwd alice
更改用户 alice 的密码 。
新的 密码:无效的密码: 密码少于 8 个字符
重新输入新的 密码:passwd:所有的身份验证令牌已经成功更新。
4. Other passwd options
Locking and unlocking can also be done with usermod -L and usermod -U.
- -e: expire the user's password; the user must change it at the next login. passwd -e alice
- -l: lock the user so they cannot log in. passwd -l alice
- -u: the opposite of -l, unlock the user. passwd -u alice
newusers creates users in batch; chpasswd changes passwords in batch
Creating users in batch from a file in /etc/passwd format
[root@centos7 ~]# cat users.txt
wangmazi:x:2000:2000:wangmazi:/home/wangmazi:/bin/bash
wangmazi2:x:2001:2001:wangmazi2:/home/wangmazi2:/bin/bash
[root@centos7 ~]# newusers users.txt
[root@centos7 ~]# id wangmazi
uid=2000(wangmazi) gid=2000(wangmazi) 组=2000(wangmazi)
[root@centos7 ~]# id wangmazi2
uid=2001(wangmazi2) gid=2001(wangmazi2) 组=2001(wangmazi2)
[root@centos7 ~]# cat passwd.txt
wangmazi:123
wangmazi2:123
[root@centos7 ~]# cat passwd.txt | chpasswd
[root@centos7 ~]# getent shadow wangmazi
wangmazi:$6$GTDPf/xUtOE$2XBjr7prZI0mr3M4SH1z4/Gmhoyut/IWv6YOKQd1jhGYl8NweXhIH7sFQDbATniaKlR4ZPHlnJZTqhOJpDLyC1:18104:0:99999:7:::
[root@centos7 ~]# getent shadow wangmazi2
wangmazi2:$6$CZ6RG/ndilFV2s$gsl4mVNkE/QlctHn6EQDw74uilWofVSjuw8bYOfeh3LqUP8INw7R46THhzfSY88AYvpJMHSM43Psgu1Y5ODBw1:18104:0:99999:7:::
Where do the hidden files in a new home directory come from?
From /etc/skel/. If you want every new user's home directory to contain certain files, put them in /etc/skel.
[root@centos7 ~]# ls /home/alice/ -a
. .bash_logout .bashrc 模板
.. .bash_profile .mozilla
[root@centos7 ~]# ls /etc/skel/ -a
. .bash_logout .bashrc 模板
.. .bash_profile .mozilla
Where are the user defaults (default home directory, default shell, default mail location, etc.) configured?
/etc/login.defs and /etc/default/useradd
[root@centos7 ~]# grep -Ev "^$|#" /etc/login.defs
MAIL_DIR /var/spool/mail
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
SYS_UID_MIN 201
SYS_UID_MAX 999
GID_MIN 1000
GID_MAX 60000
SYS_GID_MIN 201
SYS_GID_MAX 999
CREATE_HOME yes
UMASK 077
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
[root@centos7 ~]# grep -Ev "^$|#" /etc/default/useradd
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
getent looks up entries in the passwd, shadow, group and other name-service databases.
See getent --help for more.
[root@centos7 ~]# getent passwd alice
alice:x:2006:2006::/home/alice:/bin/bash
[root@centos7 ~]# getent group alice
alice:x:2006:
[root@centos7 ~]# getent shadow alice
alice:!!:18104:0:99999:7:::
useradd help
Use -M if you do not want a home directory created. Ubuntu does not create one by default; CentOS does.
[root@centos7 ~]# useradd --help
用法:useradd [选项] 登录
useradd -D
useradd -D [选项]
选项:
-b, --base-dir BASE_DIR 新账户的主目录的基目录
-c, --comment COMMENT 新账户的 GECOS 字段
-d, --home-dir HOME_DIR 新账户的主目录
-D, --defaults 显示或更改默认的 useradd 配置
-e, --expiredate EXPIRE_DATE 新账户的过期日期
-f, --inactive INACTIVE 新账户的密码不活动期
-g, --gid GROUP 新账户主组的名称或 ID
-G, --groups GROUPS 新账户的附加组列表
-h, --help 显示此帮助信息并推出
-k, --skel SKEL_DIR 使用此目录作为骨架目录
-K, --key KEY=VALUE 不使用 /etc/login.defs 中的默认值
-l, --no-log-init 不要将此用户添加到最近登录和登录失败数据库
-m, --create-home 创建用户的主目录
-M, --no-create-home 不创建用户的主目录
-N, --no-user-group 不创建同名的组
-o, --non-unique 允许使用重复的 UID 创建用户
-p, --password PASSWORD 加密后的新账户密码
-r, --system 创建一个系统账户
-R, --root CHROOT_DIR chroot 到的目录
-s, --shell SHELL 新账户的登录 shell
-u, --uid UID 新账户的用户 ID
-U, --user-group 创建与用户同名的组
-Z, --selinux-user SEUSER 为 SELinux 用户映射使用指定 SEUSER
Add three supplementary groups to user alice: root, bob, jerry
With usermod -G alone, the new list replaces the user's existing supplementary groups; -aG appends to them without touching the existing ones; -G "" clears all of the user's supplementary groups.
[root@centos7 ~]# usermod -aG root,bob,jerry alice
Check which groups alice has joined
[root@centos7 ~]# id alice
uid=2006(alice) gid=2006(alice) 组=2006(alice),0(root),1006(bob),1007(jerry)
View which users are supplementary members of the root group
[root@centos7 ~]# getent group root
root:x:0:gentoo,alice
[root@centos7 ~]# groupmems -g root -l
gentoo alice
Remove alice from the root group
[root@centos7 ~]# groupmems -g root -d alice
[root@centos7 ~]# id alice
uid=2006(alice) gid=2006(alice) 组=2006(alice),1006(bob),1007(jerry)
Clear all of alice's supplementary groups by replacing them with an empty list:
[root@centos7 ~]# usermod -G "" alice
[root@centos7 ~]# id alice
uid=2006(alice) gid=2006(alice) 组=2006(alice)
groupmems help
[root@centos7 ~]# groupmems --help
用法:groupmems [选项] [动作]
选项:
-g, --group groupname 更改组 groupname,而不是用户的组(只 root)
-R, --root CHROOT_DIR chroot 到的目录
动作:
-a, --add username 将用户 username 添加到组成员中
-d, --delete username 从组的成员中删除用户 username
-h, --help 显示此帮助信息并推出
-p, --purge 从组中移除所有成员
-l, --list 列出组中的所有成员
If alice's home directory has been deleted together with its contents, how can it be restored quickly?
1. Restore from /etc/skel
[root@centos7 ~]# rm -rf /home/alice/
[root@centos7 ~]# cp /etc/skel /home/alice -a
[root@centos7 ~]# chmod 700 /home/alice
[root@centos7 ~]# chown alice:alice /home/alice -R
2. Restore by creating a new user and copying its home directory
[root@centos7 ~]# rm -rf /home/alice/
[root@centos7 ~]# useradd rose
[root@centos7 ~]# cp /home/{rose,alice} -a
[root@centos7 ~]# chown alice:alice /home/alice -R
[root@centos7 ~]# userdel -r rose
Define an alias so that rm cannot delete files by accident
[root@centos7 ~]# mkdir /data/.trash -p
[root@centos7 ~]# echo "alias rm='mv -t /data/.trash'" >> ~/.bashrc
[root@centos7 ~]# . ~/.bashrc
[root@centos7 ~]# rm hello.txt
[root@centos7 ~]# ls /data/.trash/
hello.txt
Use the id command to check whether a user exists, and create it if it does not.
(id -u prints only the UID; id -G prints only the group IDs)
[root@centos7 ~]# id root
uid=0(root) gid=0(root) 组=0(root)
[root@centos7 ~]# id wang
uid=1003(wang) gid=1003(wang) 组=1003(wang),10(wheel)
Switching users
1. su wang (incomplete switch, like a visit)
Switches to user wang, but the PATH variable, the environment and the current directory stay unchanged.
2. su -l wang (complete switch, like moving in)
--login, or -l, means a full switch; it can be abbreviated as su - wang.
3. nologin users cannot be switched to
System users generally have a nologin shell and cannot be switched to.
4. Run a single command as root temporarily
[qqq@centos7 ~]$ su - -c "cat /etc/shadow"
Modifying a user's password aging policy: chage
[root@centos7 ~]# chage --help
用法:chage [选项] 登录
选项:
-d, --lastday 最近日期 将最近一次密码设置时间设为“最近日期”
-E, --expiredate 过期日期 将帐户过期时间设为“过期日期”
-h, --help 显示此帮助信息并推出
-I, --inactive INACITVE 过期 INACTIVE 天数后,设定密码为失效状态
-l, --list 显示帐户年龄信息
-m, --mindays 最小天数 将两次改变密码之间相距的最小天数设为“最小天数”
-M, --maxdays 最大天数 将两次改变密码之间相距的最大天数设为“最大天数”
-R, --root CHROOT_DIR chroot 到的目录
-W, --warndays 警告天数 将过期警告天数设为“警告天数”
- chfn: set a user's personal (GECOS) information
- chsh: change a user's shell, equivalent to usermod -s
- newgrp: switch the current primary group
Create a user gentoo with supplementary groups bin and root, default shell /bin/csh, and the comment "Gentoo Distribution"
[root@centos7 ~]# getent passwd gentoo
[root@centos7 ~]# useradd gentoo -G bin,root -s /bin/csh -c "Gentoo Distribution"
[root@centos7 ~]# getent passwd gentoo
gentoo:x:2007:2007:Gentoo Distribution:/home/gentoo:/bin/csh
Create the following users, groups and memberships:
A group named webs
A user nginx with webs as a supplementary group
A user varnish with webs as a supplementary group
A user mysql that cannot log in interactively and is not a member of webs. The passwords of nginx, mysql and varnish are all magedu.
[root@centos7 ~]# getent group webs
webs:x:2008:
[root@centos7 ~]# getent passwd nginx varnish mysql
nginx:x:987:981:nginx user:/var/cache/nginx:/sbin/nologin
mysql:x:986:980::/home/mysql:/sbin/nologin
[root@centos7 ~]# userdel -r nginx
[root@centos7 ~]# groupdel webs
[root@centos7 ~]#
[root@centos7 ~]# groupadd webs
[root@centos7 ~]# useradd -G webs nginx
[root@centos7 ~]# useradd -G webs mysql
[root@centos7 ~]# userdel -r mysql
[root@centos7 ~]# useradd -G webs varnish
[root@centos7 ~]# useradd -s /sbin/nologin mysql
[root@centos7 ~]# echo magedu | passwd --stdin nginx
更改用户 nginx 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@centos7 ~]# echo magedu | passwd --stdin mysql
更改用户 mysql 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@centos7 ~]# echo magedu | passwd --stdin varnish
更改用户 varnish 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@centos7 ~]# getent passwd nginx varnish mysql
nginx:x:2008:2009::/home/nginx:/bin/bash
varnish:x:2009:2010::/home/varnish:/bin/bash
mysql:x:2010:2011::/home/mysql:/sbin/nologin
[root@centos7 ~]# groupmems -g webs -l
nginx varnish
[root@centos7 ~]# getent shadow nginx mysql varnish
nginx:$6$hch9C3JT$oK5.j.CG8rJ1kndv542EbBBEtdB2SYqER9n8m48KUtr0wFuENZviQL2X/IO6CfsAfyYpZH4F856JGRIpCSgit.:18104:0:99999:7:::
mysql:$6$iODHihkf$slMMlr32yfQO9NY6Ob/QIV4t8VaFm7yQRLg4VIRJTB6ZGi3a9RqBE8VMo/fzU3u2bjP9nakiai8W.0Y2CRsFr/:18104:0:99999:7:::
varnish:$6$pdjOkLXJ$D4Xzm3v8oyiQjakHhmU/5Yg.05XKDZCsUWoWZ7e7HtqyW6WacfjJqEZWMZudDECoqdRtWNS8szrDg8tDHm1y60:18104:0:99999:7:::
File permissions
Image reference: Linux file attributes explained
Reference: Linux file permissions explained
chmod help
[root@centos7 ~]# chmod --help
用法:chmod [选项]... 模式[,模式]... 文件...
或:chmod [选项]... 八进制模式 文件...
或:chmod [选项]... --reference=参考文件 文件...
Change the mode of each FILE to MODE.
With --reference, change the mode of each FILE to that of RFILE.
-c, --changes like verbose but report only when a change is made
-f, --silent, --quiet suppress most error messages
-v, --verbose output a diagnostic for every file processed
--no-preserve-root do not treat '/' specially (the default)
--preserve-root fail to operate recursively on '/'
--reference=RFILE use RFILE's mode instead of MODE values
-R, --recursive change files and directories recursively
--help 显示此帮助信息并退出
--version 显示版本信息并退出
Each MODE is of the form '[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+'.
File permissions:
r: the file can be read.
w: the file's content can be modified or extended. (1) Without r permission, vim cannot be used; the file can only be overwritten or appended to. (2) Whether a file can be deleted depends on the parent directory's permissions.
x: execute permission. (1) Without r permission a shell script cannot be run (permission denied), but a binary program can still be executed.
Directory permissions:
r: the directory can be listed. (1) Without x permission you cannot enter the directory; ls -l shows only file names, not their permission information, and subdirectories cannot be entered.
w: must be combined with x. Allows adding, deleting, modifying, moving and copying files inside the directory. (1) Without x, files cannot be created with vim or with redirection. (2) Without r, the files in the directory cannot be listed. (3) Without x, files cannot be renamed. With wx on the directory, files can be deleted and renamed (provided you know the file names). (4) The permissions of other users' files in the directory cannot be changed; whether their content can be appended to or read still depends on the file's own permissions. (5) Moving a file out of the directory needs wx on the directory and r on the file. (6) Copying a file out does not need w on the directory.
x: the directory can be entered. (1) Without r, the directory's contents cannot be seen. (2) Without w, files cannot be created, deleted, modified or moved (mv). (3) Copying a file needs x on the directory and r on the file.
Interview question: what are the minimum permissions needed for the following operation?
cp /etc/fstab /data/testdir/
1. The user needs execute permission on the cp command (a shell script would also need r);
2. /etc needs x (to enter it);
3. fstab needs r;
4. /data needs x (to enter it);
5. /data/testdir needs wx (to enter it and modify it).
umask and permissions
- Print the umask value: umask
- The default umask is 022
Default permissions of a new file: 666 - umask (if a digit comes out odd, add one to it)
This is because a file must not get execute permission by default; that would be dangerous.
For example, with umask=023 a new file gets 666-023=643; 3 is odd, so add one, giving a final mode of 644.
Default permissions of a new directory: 777 - umask
For example, with umask=023 a new directory gets 777-023=754.
Setting the umask:
echo "umask 022" >> ~/.bashrc
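The umask arithmetic above, as an added example that is not part of the original notes: it computes the default modes with the real bitwise rule and checks that the notes' "odd digit plus one" shortcut gives the same file modes for every possible umask.

```shell
#!/bin/sh
# Added example (not from the original notes): compute a new file's default
# mode (base 666) and a new directory's (base 777) for a given umask with the
# real rule, base AND NOT umask, and show that the notes' rule of thumb
# ("subtract digit by digit; if a digit comes out odd, add one") agrees with it
# for files. The umask is passed as three octal digits, e.g. 023.

# default_file_mode UMASK -> e.g. 0644 for umask 023
default_file_mode() {
    printf '%04o\n' $(( 0666 & ~0$1 ))
}

# default_dir_mode UMASK -> e.g. 0754 for umask 023
default_dir_mode() {
    printf '%04o\n' $(( 0777 & ~0$1 ))
}

# rule_of_thumb_file_mode UMASK: the digit-wise subtraction from the notes.
# An odd result means the subtraction borrowed the execute bit, which a plain
# file never has, so adding one lands on the bitwise result.
rule_of_thumb_file_mode() {
    local i d r out=""
    for i in 1 2 3; do
        d=$(printf '%s' "$1" | cut -c"$i")
        r=$(( 6 - $d ))
        if [ $(( $r % 2 )) -ne 0 ]; then r=$(( $r + 1 )); fi
        out="$out$r"
    done
    printf '0%s\n' "$out"
}

# verify_rule_of_thumb: compare both rules for all 512 umask values;
# returns 0 only if they agree everywhere.
verify_rule_of_thumb() {
    local a b c u
    for a in 0 1 2 3 4 5 6 7; do
        for b in 0 1 2 3 4 5 6 7; do
            for c in 0 1 2 3 4 5 6 7; do
                u="$a$b$c"
                [ "$(rule_of_thumb_file_mode "$u")" = "$(default_file_mode "$u")" ] || return 1
            done
        done
    done
}

# The notes' example (023), the common default (022) and a private default (077)
for u in 022 023 077; do
    echo "umask $u: file $(default_file_mode "$u"), dir $(default_dir_mode "$u")"
done
```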
Linux special permissions: SUID, SGID, SBIT
SUID
Applies to: executable binary files
Effect: lets an ordinary user temporarily run with the permissions of the file's owner (a user who otherwise lacks the permission can, while running this program, access resources they could not access themselves).
Example: passwd
[root@centos7 ~]# which passwd | xargs ls -l
-rwsr-xr-x. 1 root root 27832 6月 10 2014 /usr/bin/passwd
Usage: chmod 4744 file1 or chmod +s file1
SGID
1. On a directory: files created inside it automatically inherit the directory's group.
2. On an executable binary: a user running the program temporarily inherits the permissions of the program's group.
SBIT
Applies to: directories
Effect: the sticky bit; it can only be set on directories. Once set, only a file's owner (or root) can delete or move that file inside the directory.
Example: the /tmp directory
[root@centos7 ~]# ll /tmp -d
drwxrwxrwt. 15 root root 4096 7月 28 21:17 /tmp
Usage: chmod 1755 /data or chmod +t /data
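The special bits in practice, as an added example that is not part of the original notes: it decodes the symbolic mode strings ls prints for passwd and /tmp above into octal, and uses that to audit a directory for SUID/SGID files; the capital S/T forms go beyond what the notes show.

```shell
#!/bin/sh
# Added example (not from the original notes): decode the symbolic mode that
# ls -l prints, as in the passwd and /tmp listings above, into the four-digit
# octal form that chmod takes, and use it to audit a directory for SUID/SGID
# files. Capital S/T, which ls prints when a special bit is set without the
# matching execute bit, are handled too although the notes do not show them.

# mode_to_octal SYMBOLIC, e.g. -rwsr-xr-x -> 4755, drwxrwxrwt -> 1777
mode_to_octal() {
    local rest special=0 octal="" idx=0 triple val
    # drop the file-type character and any trailing "." (SELinux) or "+" (ACL)
    rest=$(printf '%s' "$1" | cut -c2-10)
    while [ -n "$rest" ]; do
        triple=$(printf '%s' "$rest" | cut -c1-3)
        rest=$(printf '%s' "$rest" | cut -c4-)
        val=0
        case $triple in r??) val=$(( $val + 4 )) ;; esac
        case $triple in ?w?) val=$(( $val + 2 )) ;; esac
        case $triple in ??[xst]) val=$(( $val + 1 )) ;; esac   # lowercase = execute set
        case $triple in
            ??[sS]) special=$(( $special + (4 >> $idx) )) ;;   # SUID in slot 0, SGID in slot 1
            ??[tT]) special=$(( $special + 1 )) ;;             # sticky bit
        esac
        octal="$octal$val"
        idx=$(( $idx + 1 ))
    done
    echo "$special$octal"
}

# audit_special DIR: print "OCTAL PATH" for every regular file under DIR with
# SUID or SGID set. On a healthy host the list is short and every entry is a
# known system binary such as passwd; anything unexpected deserves a look.
audit_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | while IFS= read -r f; do
        printf '%s %s\n' "$(mode_to_octal "$(ls -ld "$f" | cut -d' ' -f1)")" "$f"
    done
}

# The two listings from the notes:
mode_to_octal '-rwsr-xr-x.'   # /usr/bin/passwd -> 4755
mode_to_octal 'drwxrwxrwt.'   # /tmp -> 1777
```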
Linux special attributes
chattr
- i attribute: once set, the file cannot be modified, deleted or renamed
- a attribute: once set, the file can only be appended to
lsattr
Displays file attributes
[root@centos7 ~]# chattr +i /etc/passwd # add the i attribute
[root@centos7 ~]# lsattr /etc/passwd # view special attributes
----i----------- /etc/passwd
[root@centos7 ~]# rm /etc/passwd # cannot be deleted
rm:是否删除普通文件 "/etc/passwd"?y
rm: 无法删除"/etc/passwd": 不允许的操作
[root@centos7 ~]# mv /etc/{passwd,p} # rename fails
mv: 无法将"/etc/passwd" 移动至"/etc/p": 不允许的操作
[root@centos7 ~]# echo hello >> /etc/passwd # append fails
-bash: /etc/passwd: 权限不够
[root@centos7 ~]# chattr -i /etc/passwd # remove the i attribute
[root@centos7 ~]# lsattr /etc/passwd # view attributes
---------------- /etc/passwd
ACL permissions
ACL: Access Control Lists
Set permissions for an individual user or group.
On older CentOS versions, a manually created ext4 filesystem did not have ACL enabled by default; it had to be enabled manually:
tune2fs -o acl /dev/sdb1
mount -o acl /dev/sdb1 /mnt/test
- setfacl -m: set an ACL entry
- setfacl -x: remove an ACL entry
- setfacl -b file: clear all ACL entries on the file
- getfacl file: view the file's ACL
[root@centos7 ~]# setfacl -m u:qqq:w date.sh # set an ACL entry
[root@centos7 ~]# getfacl date.sh # view the ACL
# file: date.sh
# owner: root
# group: root
user::---
user:qqq:-w-
group::---
mask::-w-
other::--x
[root@centos7 ~]# setfacl -x u:qqq date.sh
[root@centos7 ~]# getfacl date.sh
# file: date.sh
# owner: root
# group: root
user::---
group::---
mask::---
other::--x
[root@centos7 ~]# setfacl -b date.sh # clear all ACL entries
ACL evaluation order: the file owner first, then named users, then named groups together with the owning group (their permissions accumulate), then other.
In the figure below: user wang is not the file owner; there is a named-user entry for wang with permission 0, so wang cannot read the file.
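The evaluation order described above, as an added example that is not part of the original notes: it works out the effective permission a given user gets from the getfacl listing shown earlier (embedded below as a constructed string), applying the mask the way POSIX ACLs do.

```shell
# Added example (not from the original notes): resolve the ACL evaluation order
# described above (owner, named user, owning group plus named groups combined,
# other) against getfacl output. ACL_TEXT is the notes' listing, embedded as a
# constructed string. The mask clips named users and groups, never owner/other.
ACL_TEXT='# file: date.sh
# owner: root
# group: root
user::---
user:qqq:-w-
group::---
mask::-w-
other::--x'
has() { case $1 in *"$2"*) return 0 ;; *) return 1 ;; esac; }  # has PERMS LETTER
and_perms() {  # intersection of two rwx strings, e.g. and_perms rw- -w- -> -w-
    local out="" c
    for c in r w x; do
        if has "$1" "$c" && has "$2" "$c"; then out="$out$c"; else out="$out-"; fi
    done
    echo "$out"
}
or_perms() {   # union of two rwx strings, e.g. or_perms r-- -w- -> rw-
    local out="" c
    for c in r w x; do
        if has "$1" "$c" || has "$2" "$c"; then out="$out$c"; else out="$out-"; fi
    done
    echo "$out"
}
# effective_perms ACL_TEXT USER [GROUP...]: the rwx bits USER, a member of the
# listed GROUPs, gets on the file. Entries are collected first, then the
# decision is made in ACL order, so line order in the listing does not matter.
effective_perms() {
    local acl=$1 who=$2 kind name perms g owner="" group="" mask="rwx"
    local owner_perms="---" other_perms="---" named_user="" groups="---" group_hit=0
    shift 2
    while IFS=: read -r kind name perms; do
        case $kind in
            "# owner") owner=${name#?} ;;   "# group") group=${name#?} ;;
            user)  if [ -z "$name" ]; then owner_perms=$perms
                   elif [ "$name" = "$who" ]; then named_user=$perms; fi ;;
            group) if [ -z "$name" ]; then name=$group; fi   # group:: is the owning group
                   for g in "$@"; do
                       if [ "$g" = "$name" ]; then groups=$(or_perms "$groups" "$perms"); group_hit=1; fi
                   done ;;
            mask)  mask=$perms ;;
            other) other_perms=$perms ;;
        esac
    done <<EOF
$acl
EOF
    if [ "$who" = "$owner" ]; then echo "$owner_perms"
    elif [ -n "$named_user" ]; then and_perms "$named_user" "$mask"
    elif [ "$group_hit" = 1 ]; then and_perms "$groups" "$mask"
    else echo "$other_perms"; fi
}
```

For the listing from the notes, `effective_perms "$ACL_TEXT" qqq qqq` yields -w-, while a user who is merely in group root gets --- rather than other's --x, because a matching group entry stops the lookup before other is consulted.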
Error problem 1
Copy requirements: copying a file needs r on the file, x on the source directory and wx on the target directory.
Problem description: the file cannot be copied.
Cause: as shown in the figure, 10.txt does not meet the first requirement. Its owner is qqq, but the owner's permission bits are zero, so there is no r.
Solution: qqq has wx on the directory containing 10.txt and is the owner of 10.txt, so qqq can change its permissions with chmod.
Error problem 2
Move requirements: moving a file needs r on the file, wx on the source directory and wx on the target directory.
Problem description: after moving the file, it cannot be moved back.
Cause: as shown in the figure, 10.txt does not meet the first requirement. Its owner is qqq, but the owner's permission bits are zero, so there is no r.
Solution: qqq has wx on the directory containing 10.txt and is the owner of 10.txt, so qqq can change its permissions with chmod.
Error problem 3
Move requirements: moving a file needs r on the file, wx on the source directory and wx on the target directory.
Problem description: after 10.txt has been moved, it cannot be moved back.
Cause: before the move, 10.txt was owned by root with mode 004, so qqq had r through the "other" bits; after the move the owner becomes qqq, and as the owner qqq has no r.
Solution: qqq has wx on the directory containing 10.txt and is the owner of 10.txt, so qqq can change its permissions with chmod.
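The checks the interview question and the three error problems above do by hand, as an added example that is not part of the original notes: a preflight script that applies the cp/mv rules from the permission summary table to a real path and reports which requirement is missing.

```shell
#!/bin/sh
# Added example (not from the original notes): a preflight check for the
# minimum-permission rules in the notes' table (cp: x on the source directory,
# r on the file, wx on the target directory; mv: wx on the source directory as
# well), extended to every directory on the way down from / as in the interview
# question. It prints which rule fails, the diagnosis the error problems above
# do by hand. Run it as the user whose cp/mv fails: root passes every test.

# need TEST PATH LETTER: record a failure when PATH lacks the permission
need() {
    if ! test "$1" "$2"; then failures="$failures$2 needs $3; "; fi
}

# chain_x DIR: DIR and every ancestor must be searchable (x) to reach it
chain_x() {
    local dir=$1
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        need -x "$dir" x
        dir=$(dirname "$dir")
    done
}

# check_op cp|mv SRC DSTDIR: prints "ok" or the list of missing permissions.
check_op() {
    local op=$1 src=$2 dst=$3 srcdir
    failures=""
    srcdir=$(dirname "$src")
    chain_x "$srcdir"
    need -r "$src" r         # the notes list r for mv too; it is needed when
    chain_x "$dst"           # the move crosses filesystems (copy + delete)
    need -w "$dst" w
    if [ "$op" = mv ]; then need -w "$srcdir" w; fi
    if [ -z "$failures" ]; then echo ok; else echo "$failures"; fi
}

# The interview question's operation, checked on this host as the current user
check_op cp /etc/fstab /data/testdir/
```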