On the sixth day, users, groups, permissions, grep

Permissions summarized in a table

Operation                    Source directory   File   Target directory
rm (delete a file)           wx                 -      -
mv (rename)                  wx                 -      -
mv (move a file)             wx                 r      wx
cp (copy a file)             x                  r      wx
> (create a file)            wx                 -      -
>> (append to a file)        x                  w      -
> (overwrite file contents)  x                  w      -
vim (edit)                   x                  rw     -
execute a binary file        x                  x      -
execute a shell script       x                  rx     -

Knowledge points: useradd, getent, restoring a home directory, adding and removing supplementary groups, file and directory permissions, the minimum permissions needed to copy a file, umask, the Linux special permissions SUID, SGID and sticky bit; setting and viewing Linux special attributes with chattr and lsattr; ACL permissions; the order in which ACL entries take effect.


Users and groups

View the install scriptlets of the httpd package

[root@centos7 ~]# rpm -q --scripts httpd
preinstall scriptlet (using /bin/sh):
# Add the "apache" group and user
/usr/sbin/groupadd -g 48 -r apache 2> /dev/null || :
/usr/sbin/useradd -c "Apache" -u 48 -g apache \
    -s /sbin/nologin -r -d /usr/share/httpd apache 2> /dev/null || :
postinstall scriptlet (using /bin/sh):

if [ $1 -eq 1 ] ; then 
        # Initial installation 
        systemctl preset httpd.service htcacheclean.service >/dev/null 2>&1 || : 
fi
preuninstall scriptlet (using /bin/sh):

if [ $1 -eq 0 ] ; then 
        # Package removal, not upgrade 
        systemctl --no-reload disable httpd.service htcacheclean.service > /dev/null 2>&1 || : 
        systemctl stop httpd.service htcacheclean.service > /dev/null 2>&1 || : 
fi
postuninstall scriptlet (using /bin/sh):

systemctl daemon-reload >/dev/null 2>&1 || : 

# Trigger for conversion from SysV, per guidelines at:
# https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Systemd
posttrans scriptlet (using /bin/sh):
test -f /etc/sysconfig/httpd-disable-posttrans || \
  /bin/systemctl try-restart httpd.service htcacheclean.service >/dev/null 2>&1 || :

/usr/sbin/groupadd -g 48 -r apache 2> /dev/null

groupadd creates a group: -g specifies the GID, -r makes it a system group, and apache is the group name. 2> /dev/null discards any error message, and the trailing || : keeps the scriptlet from failing if the group already exists.

/usr/sbin/useradd -c "Apache" -u 48 -g apache -s /sbin/nologin -r -d /usr/share/httpd apache 2> /dev/null

useradd creates a user: -c "Apache" sets the user's comment (description), -u 48 sets the UID, -g apache sets the primary group, -s /sbin/nologin sets the user's login shell, -r makes it a system account, -d /usr/share/httpd sets the home directory; 2> /dev/null discards any error message.

Creating a user on Ubuntu: useradd -ms /bin/bash zhangsan. Ubuntu's useradd does not create a home directory by default, so add -m; its default shell is sh, so use -s /bin/bash to specify bash.

useradd -r -s /sbin/nologin mysql

Creates a system account mysql with the login shell /sbin/nologin

Changing passwords:

1. passwd --stdin (not supported on Ubuntu)

[root@centos7 ~]# echo 123 | passwd --stdin alice
更改用户 alice 的密码 。
passwd:所有的身份验证令牌已经成功更新。

2. chpasswd (works on both Ubuntu and CentOS)

chpasswd can also be used to change passwords in batch

[root@centos7 ~]# echo alice:123 | chpasswd

3. passwd -q (universal)

[root@centos7 ~]# echo -e "123\n123" | passwd alice
更改用户 alice 的密码 。
新的 密码:无效的密码: 密码少于 8 个字符
重新输入新的 密码:passwd:所有的身份验证令牌已经成功更新。

4. other passwd options

Locking can also be done with usermod -L, and unlocking with usermod -U

  • -e: expire the user's password so it must be changed at the next login: passwd -e alice

  • -l: lock the user so they cannot log in: passwd -l alice
  • -u: the opposite of -l, unlock the user: passwd -u alice

newusers creates users in batch; chpasswd changes passwords in batch

Create users in batch from a file in /etc/passwd format

[root@centos7 ~]# cat users.txt 
wangmazi:x:2000:2000:wangmazi:/home/wangmazi:/bin/bash
wangmazi2:x:2001:2001:wangmazi2:/home/wangmazi2:/bin/bash
[root@centos7 ~]# newusers users.txt 
[root@centos7 ~]# id wangmazi
uid=2000(wangmazi) gid=2000(wangmazi) 组=2000(wangmazi)
[root@centos7 ~]# id wangmazi2
uid=2001(wangmazi2) gid=2001(wangmazi2) 组=2001(wangmazi2)
[root@centos7 ~]# cat passwd.txt 
wangmazi:123
wangmazi2:123
[root@centos7 ~]# cat passwd.txt | chpasswd 
[root@centos7 ~]# getent shadow wangmazi
wangmazi:$6$GTDPf/xUtOE$2XBjr7prZI0mr3M4SH1z4/Gmhoyut/IWv6YOKQd1jhGYl8NweXhIH7sFQDbATniaKlR4ZPHlnJZTqhOJpDLyC1:18104:0:99999:7:::
[root@centos7 ~]# getent shadow wangmazi2
wangmazi2:$6$CZ6RG/ndilFV2s$gsl4mVNkE/QlctHn6EQDw74uilWofVSjuw8bYOfeh3LqUP8INw7R46THhzfSY88AYvpJMHSM43Psgu1Y5ODBw1:18104:0:99999:7:::

Where do the hidden files in a newly created home directory come from?

From /etc/skel/. If you want every new user's home directory to contain particular files, just put them in /etc/skel

[root@centos7 ~]# ls /home/alice/ -a
.   .bash_logout   .bashrc   模板
..  .bash_profile  .mozilla
[root@centos7 ~]# ls /etc/skel/ -a
.   .bash_logout   .bashrc   模板
..  .bash_profile  .mozilla

Where are the user defaults (default home directory, default shell, default mail spool, etc.) configured?

/etc/login.defs and /etc/default/useradd

[root@centos7 ~]# grep -Ev "^$|#" /etc/login.defs 
MAIL_DIR    /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               201
SYS_UID_MAX               999
GID_MIN                  1000
GID_MAX                 60000
SYS_GID_MIN               201
SYS_GID_MAX               999
CREATE_HOME yes
UMASK           077
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512 
[root@centos7 ~]# grep -Ev "^$|#"  /etc/default/useradd 
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

getent looks up entries in the passwd, shadow, group and other name-service databases

See getent --help for more

[root@centos7 ~]# getent passwd alice
alice:x:2006:2006::/home/alice:/bin/bash
[root@centos7 ~]# getent group alice
alice:x:2006:
[root@centos7 ~]# getent shadow alice
alice:!!:18104:0:99999:7:::

useradd help

Use -M if you do not want a home directory created. Ubuntu does not create one by default; CentOS does

[root@centos7 ~]# useradd --help
用法:useradd [选项] 登录
      useradd -D
      useradd -D [选项]

选项:
  -b, --base-dir BASE_DIR   新账户的主目录的基目录
  -c, --comment COMMENT         新账户的 GECOS 字段
  -d, --home-dir HOME_DIR       新账户的主目录
  -D, --defaults        显示或更改默认的 useradd 配置
 -e, --expiredate EXPIRE_DATE  新账户的过期日期
  -f, --inactive INACTIVE       新账户的密码不活动期
  -g, --gid GROUP       新账户主组的名称或 ID
  -G, --groups GROUPS   新账户的附加组列表
  -h, --help                    显示此帮助信息并推出
  -k, --skel SKEL_DIR   使用此目录作为骨架目录
  -K, --key KEY=VALUE           不使用 /etc/login.defs 中的默认值
  -l, --no-log-init 不要将此用户添加到最近登录和登录失败数据库
  -m, --create-home 创建用户的主目录
  -M, --no-create-home      不创建用户的主目录
  -N, --no-user-group   不创建同名的组
  -o, --non-unique      允许使用重复的 UID 创建用户
  -p, --password PASSWORD       加密后的新账户密码
  -r, --system                  创建一个系统账户
  -R, --root CHROOT_DIR         chroot 到的目录
  -s, --shell SHELL     新账户的登录 shell
  -u, --uid UID         新账户的用户 ID
  -U, --user-group      创建与用户同名的组
  -Z, --selinux-user SEUSER     为 SELinux 用户映射使用指定 SEUSER

Add three supplementary groups to alice: root, bob, jerry

With usermod -G alone, the new group list replaces the user's existing supplementary groups; -aG appends the groups without affecting the existing ones; -G "" clears all of the user's supplementary groups

[root@centos7 ~]# usermod -aG root,bob,jerry alice

Check which groups alice has joined

[root@centos7 ~]# id alice
uid=2006(alice) gid=2006(alice) 组=2006(alice),0(root),1006(bob),1007(jerry)

Check which users are supplementary members of the root group

[root@centos7 ~]# getent group root
root:x:0:gentoo,alice
[root@centos7 ~]# groupmems -g root -l
gentoo  alice 

Remove alice from the root group

[root@centos7 ~]# groupmems -g root -d alice
[root@centos7 ~]# id alice
uid=2006(alice) gid=2006(alice) 组=2006(alice),1006(bob),1007(jerry)

Clear all of alice's supplementary groups

That is, replace alice's existing supplementary groups with an empty list:

[root@centos7 ~]# usermod -G "" alice
[root@centos7 ~]# id alice
uid=2006(alice) gid=2006(alice) 组=2006(alice)

groupmems help

[root@centos7 ~]# groupmems --help
用法:groupmems [选项] [动作]

选项:
  -g, --group groupname         更改组 groupname,而不是用户的组(只 root)
  -R, --root CHROOT_DIR         chroot 到的目录

动作:
  -a, --add username            将用户 username 添加到组成员中
  -d, --delete username         从组的成员中删除用户 username
  -h, --help                    显示此帮助信息并推出
  -p, --purge                   从组中移除所有成员
  -l, --list                    列出组中的所有成员

If alice's home directory has been deleted, how do you quickly restore it?

1. Restore from /etc/skel

[root@centos7 ~]# rm -rf /home/alice/
[root@centos7 ~]# cp /etc/skel /home/alice -a
[root@centos7 ~]# chmod 700 /home/alice
[root@centos7 ~]# chown alice:alice /home/alice -R

2. Restore via a newly created user

[root@centos7 ~]# rm -rf /home/alice/
[root@centos7 ~]# useradd rose
[root@centos7 ~]# cp /home/{rose,alice} -a
[root@centos7 ~]# chown alice:alice /home/alice -R
[root@centos7 ~]# userdel -r rose

Define an alias so that rm moves files to a trash directory instead of deleting them, to prevent accidental deletion

[root@centos7 ~]# mkdir /data/.trash -p
[root@centos7 ~]# echo "alias rm='mv -t /data/.trash'" >> ~/.bashrc 
[root@centos7 ~]# . ~/.bashrc
[root@centos7 ~]# rm hello.txt
[root@centos7 ~]# ls /data/.trash/
hello.txt

Use the id command to check whether a user exists, and create the user if it does not

(id -u prints only the UID, id -G only the group IDs)

[root@centos7 ~]# id root
uid=0(root) gid=0(root) 组=0(root)
[root@centos7 ~]# id wang
uid=1003(wang) gid=1003(wang) 组=1003(wang),10(wheel)
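Putting the id check together with the pattern of the httpd scriptlets earlier in this section, here is an added example (not code from the original post) that creates a least-privilege service account only when it does not already exist, and then verifies that the account has a non-interactive shell whether it was created now or earlier. The function names, the /var/lib default for the home directory and the return codes are assumptions of this example; creating accounts requires root.

```shell
#!/bin/sh
# Create a least-privilege service account only if it does not already exist,
# in the style of the httpd preinstall scriptlet shown above: fixed system
# UID/GID, nologin shell, no home directory created. Added example, not code
# from the original post; function names and the /var/lib default are
# assumptions. Creating accounts requires root.

# 0 if the user exists, 1 otherwise (id exits non-zero for an unknown user).
user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# 0 if the group exists, 1 otherwise (getent queries NSS, so LDAP etc. count).
group_exists() {
    getent group "$1" >/dev/null 2>&1
}

# usage: ensure_service_account NAME UID [HOMEDIR]
# Returns 0 when the account exists with a non-interactive shell, 2 when it
# exists but has a real login shell (worth investigating), 1 on creation error.
ensure_service_account() {
    name=$1
    uid=$2
    home=${3:-/var/lib/$name}     # assumed default; -M below never creates it
    group_exists "$name" || groupadd -g "$uid" -r "$name" || return 1
    if ! user_exists "$name"; then
        useradd -c "$name service account" -u "$uid" -g "$name" \
            -s /sbin/nologin -r -M -d "$home" "$name" || return 1
    fi
    # Verify the account cannot log in interactively, created now or earlier.
    shell=$(getent passwd "$name" | cut -d: -f7)
    case $shell in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) echo "warning: $name has login shell '$shell'" >&2; return 2 ;;
    esac
}

# Example call (needs root), mirroring the apache account from the scriptlet:
# ensure_service_account apache 48 /usr/share/httpd
```

Because both checks are idempotent, the function can be re-run on every deployment; a return code of 2 flags a service account whose shell was later changed to something interactive, which is the kind of drift worth alerting on.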

Switching users

1. su wang (incomplete switch, like going on a business trip)

Switches to user wang, but the PATH variable and the rest of the environment stay the same and the current directory is unchanged

2. su -l wang (complete switch, like moving house)

-l (--login) means a full login switch; it can be abbreviated as su - wang

3. nologin users cannot be switched to

System accounts generally have a nologin shell and cannot be switched to

4. Temporarily run a single command as root

[qqq@centos7 ~]$ su - -c "cat /etc/shadow"

Modify a user's password policy with chage

chage

[root@centos7 ~]# chage --help
用法:chage [选项] 登录

选项:
  -d, --lastday 最近日期        将最近一次密码设置时间设为“最近日期”
  -E, --expiredate 过期日期     将帐户过期时间设为“过期日期”
  -h, --help                    显示此帮助信息并推出
  -I, --inactive INACITVE       过期 INACTIVE 天数后,设定密码为失效状态
  -l, --list                    显示帐户年龄信息
  -m, --mindays 最小天数        将两次改变密码之间相距的最小天数设为“最小天数”
  -M, --maxdays 最大天数        将两次改变密码之间相距的最大天数设为“最大天数”
  -R, --root CHROOT_DIR         chroot 到的目录
  -W, --warndays 警告天数       将过期警告天数设为“警告天数”

  • chfn: set a user's personal (GECOS) information
  • chsh: change a user's shell, equivalent to usermod -s
  • newgrp: temporarily switch to another group

Create a user gentoo with supplementary groups bin and root, default shell /bin/csh and the comment "Gentoo Distribution"

[root@centos7 ~]# getent passwd gentoo
[root@centos7 ~]# useradd gentoo -G bin,root -s /bin/csh -c "Gentoo Distribution"
[root@centos7 ~]# getent passwd gentoo
gentoo:x:2007:2007:Gentoo Distribution:/home/gentoo:/bin/csh

Create the following users, groups and memberships

A group named webs

User nginx, with webs as a supplementary group

User varnish, with webs as a supplementary group

User mysql, which cannot log in interactively and is not a member of webs. The passwords of nginx, mysql and varnish are all magedu

[root@centos7 ~]# getent group webs
webs:x:2008:
[root@centos7 ~]# getent passwd nginx varnish mysql
nginx:x:987:981:nginx user:/var/cache/nginx:/sbin/nologin
mysql:x:986:980::/home/mysql:/sbin/nologin
[root@centos7 ~]# userdel -r nginx
[root@centos7 ~]# groupdel webs
[root@centos7 ~]# 
[root@centos7 ~]# groupadd webs
[root@centos7 ~]# useradd -G webs nginx
[root@centos7 ~]# useradd -G webs mysql
[root@centos7 ~]# userdel -r mysql
[root@centos7 ~]# useradd -G webs varnish
[root@centos7 ~]# useradd -s /sbin/nologin mysql
[root@centos7 ~]# echo magedu | passwd --stdin nginx
更改用户 nginx 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@centos7 ~]# echo magedu | passwd --stdin mysql
更改用户 mysql 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@centos7 ~]# echo magedu | passwd --stdin varnish
更改用户 varnish 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@centos7 ~]# getent passwd nginx varnish mysql
nginx:x:2008:2009::/home/nginx:/bin/bash
varnish:x:2009:2010::/home/varnish:/bin/bash
mysql:x:2010:2011::/home/mysql:/sbin/nologin
[root@centos7 ~]# groupmems -g webs -l
nginx  varnish 
[root@centos7 ~]# getent shadow nginx mysql varnish
nginx:$6$hch9C3JT$oK5.j.CG8rJ1kndv542EbBBEtdB2SYqER9n8m48KUtr0wFuENZviQL2X/IO6CfsAfyYpZH4F856JGRIpCSgit.:18104:0:99999:7:::
mysql:$6$iODHihkf$slMMlr32yfQO9NY6Ob/QIV4t8VaFm7yQRLg4VIRJTB6ZGi3a9RqBE8VMo/fzU3u2bjP9nakiai8W.0Y2CRsFr/:18104:0:99999:7:::
varnish:$6$pdjOkLXJ$D4Xzm3v8oyiQjakHhmU/5Yg.05XKDZCsUWoWZ7e7HtqyW6WacfjJqEZWMZudDECoqdRtWNS8szrDg8tDHm1y60:18104:0:99999:7:::

File permissions

Picture reference: Linux file attributes in detail

Reference: Summary of Linux file permissions in detail

chmod help

[root@centos7 ~]# chmod --help
用法:chmod [选项]... 模式[,模式]... 文件...
 或:chmod [选项]... 八进制模式 文件...
 或:chmod [选项]... --reference=参考文件 文件...
Change the mode of each FILE to MODE.
With --reference, change the mode of each FILE to that of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --no-preserve-root  do not treat '/' specially (the default)
      --preserve-root    fail to operate recursively on '/'
      --reference=RFILE  use RFILE's mode instead of MODE values
  -R, --recursive        change files and directories recursively
      --help        显示此帮助信息并退出
      --version     显示版本信息并退出

Each MODE is of the form '[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+'.

File permissions:

r: the file can be read

w: the file's contents can be modified or added to. (1) Without r permission you cannot edit it with vim; you can only overwrite or append. (2) Whether the file can be deleted depends on the parent directory's permissions

x: execute permission. (1) Without r permission a shell script cannot be executed (permission denied), but a binary program can still be executed.

Directory permissions:

r: the directory can be listed. (1) Without x permission you cannot enter the directory; ls -l shows only file names, not permission information, and you cannot enter subdirectories.

w: must be combined with x. Allows adding, deleting, modifying, moving and copying files inside the directory. (1) Without x permission you cannot create files with vim or with redirection. (2) Without r permission you cannot see the files in the directory. (3) Without x permission you cannot rename files. With wx on the directory you can delete and rename files (provided you know the file names). (4) You cannot change the permissions of other people's files in the directory; whether you can append to or read a file still depends on that file's own permissions. (5) Moving a file out of the directory requires wx on the directory and r on the file. (6) Copying a file does not require w on the source directory.

x: the directory can be entered. (1) Without r permission you cannot see the directory's contents. (2) Without w permission you cannot create, delete, modify or mv files. (3) Copying a file requires x on the directory and r on the file.

Interview question: the minimum permissions needed to perform the following operation:

cp /etc/fstab /data/testdir/

1. The user needs execute permission on the cp command (a shell script would also need r);

2. /etc needs x permission (so it can be entered)

3. fstab needs r

4. /data needs x permission (so it can be entered)

5. /data/testdir needs wx permission (so it can be entered and modified)

Permission summary

Operation                    Source directory   File   Target directory
rm (delete a file)           wx                 -      -
mv (rename)                  wx                 -      -
mv (move a file)             wx                 r      wx
cp (copy a file)             x                  r      wx
> (create a file)            wx                 -      -
>> (append to a file)        x                  w      -
> (overwrite file contents)  x                  w      -
vim (edit)                   x                  rw     -
execute a binary file        x                  x      -
execute a shell script       x                  rx     -

umask and permissions

  • Print the umask value: umask
  • The default umask is 022

Default permission of a newly created file: 666 - umask (if a resulting digit is odd, add one)

This is because a file must not get execute permission by default; that would be dangerous

For example, with umask=023 the file permission = 666-023 = 643; 3 is odd, so add one, and the final permission is 644

Default permission of a newly created directory: 777 - umask

For example, with umask=023 the directory permission is 777-023=654

Setting umask

echo "umask 022" >> ~/.bashrc


Linux special permissions: SUID, SGID, SBIT

SUID

Applies to: executable binary files
Effect: lets an ordinary user temporarily hold the permissions of the file's owner while running it (a user who normally lacks the permission can, while running this program, access resources they could not otherwise access)
Example: passwd
[root@centos7 ~]# which passwd | xargs ls -l
-rwsr-xr-x. 1 root root 27832 6月  10 2014 /usr/bin/passwd
Usage: chmod 4744 file1                   chmod +s  file1

SGID

1. On a directory: files created inside the directory automatically inherit the directory's group
2. On an executable binary: when a user runs the program, it temporarily inherits the permissions of the program's group

SBIT

Applies to: directories
Effect: the sticky bit; it can only be set on directories, and once set only a file's owner (or root) can delete or move files inside it
Example: the /tmp directory
[root@centos7 ~]# ll /tmp -d
drwxrwxrwt. 15 root root 4096 7月  28 21:17 /tmp
Usage: chmod 1755 /data            chmod +t /data
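As an added example that is not part of the original post, the two shell functions below compute what the umask section and the SUID/SGID/SBIT section describe: default_mode applies a umask the way the kernel does (a bitwise AND with the complement of the umask, which the "subtract and add one to odd digits" shorthand approximates), and symbolic_mode renders an octal mode as ls -l displays it, including the s and t letters for the special bits. The function names are this example's own. For umask 023 the computation gives 0644 for a file and 0754 for a directory; chmod 4744 renders as rwsr--r-- and 1777 (the /tmp mode above) as rwxrwxrwt.

```shell
#!/bin/sh
# Permission-bit helpers. Added example, not code from the original post.

# default_mode: the mode a new file or directory gets under a given umask.
# The kernel clears the umask bits from the creation mode (0666 for files,
# 0777 for directories); this is a bitwise operation, not subtraction.
# usage: default_mode file|dir UMASK     e.g. default_mode file 023 -> 0644
default_mode() {
    case "$1" in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *)    echo "usage: default_mode file|dir UMASK" >&2; return 1 ;;
    esac
    # The leading 0 forces octal interpretation of the umask digits.
    printf '%04o\n' $(( base & ~0$2 ))
}

# symbolic_mode: render an octal mode the way ls -l does. SUID/SGID show as
# "s" in the owner/group execute slot and the sticky bit as "t" in the other
# slot; an uppercase S or T means the special bit is set without the
# underlying execute bit.
# usage: symbolic_mode OCTAL             e.g. symbolic_mode 4755 -> rwsr-xr-x
symbolic_mode() {
    m=$(( 0$1 ))
    out=""
    for pos in 6 3 0; do                     # owner, group, other triplets
        bits=$(( (m >> pos) & 7 ))
        case $pos in
            6) special=$(( m & 04000 )); lower=s; upper=S ;;   # SUID
            3) special=$(( m & 02000 )); lower=s; upper=S ;;   # SGID
            0) special=$(( m & 01000 )); lower=t; upper=T ;;   # sticky bit
        esac
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ "$special" -ne 0 ]; then
            if [ $(( bits & 1 )) -ne 0 ]; then out="$out$lower"; else out="$out$upper"; fi
        else
            if [ $(( bits & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
        fi
    done
    printf '%s\n' "$out"
}

# Example calls:
# default_mode file 023     -> 0644
# default_mode dir 023      -> 0754
# symbolic_mode 4744        -> rwsr--r--
# symbolic_mode 2644        -> rw-r-Sr--   (SGID without group execute)
```

The uppercase letters are the case worth recognising during a review: a mode such as 2644 sets SGID on a file that is not group-executable, so the bit does nothing for execution but still shows up in audits of special-permission files.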

Linux special attributes

chattr

  • i attribute: once set, the file cannot be modified, deleted or renamed
  • a attribute: once set, the file can only be appended to

lsattr

Display file attributes

[root@centos7 ~]# chattr +i /etc/passwd                    # add the i attribute
[root@centos7 ~]# lsattr /etc/passwd                    # view special attributes
----i----------- /etc/passwd
[root@centos7 ~]# rm /etc/passwd                        # cannot be deleted
rm:是否删除普通文件 "/etc/passwd"?y
rm: 无法删除"/etc/passwd": 不允许的操作
[root@centos7 ~]# mv /etc/{passwd,p}                    # rename fails
mv: 无法将"/etc/passwd" 移动至"/etc/p": 不允许的操作
[root@centos7 ~]# echo hello >> /etc/passwd             # append fails
-bash: /etc/passwd: 权限不够
[root@centos7 ~]# chattr -i /etc/passwd                 # remove the i attribute
[root@centos7 ~]# lsattr /etc/passwd                    # view attributes
---------------- /etc/passwd

ACL permissions

ACL: Access Control Lists

Set permissions for an individual user or group

On older CentOS versions, a manually created ext4 filesystem did not have ACL enabled by default; it had to be added manually:

tune2fs -o acl /dev/sdb1
mount -o acl /dev/sdb1 /mnt/test
  • setfacl -m: set an ACL entry
  • setfacl -x: remove an ACL entry
  • setfacl -b file: clear all ACL entries on the file
  • getfacl file: view the file's ACL
[root@centos7 ~]# setfacl -m u:qqq:w date.sh            # set an ACL entry
[root@centos7 ~]# getfacl date.sh                       # view the ACL
# file: date.sh
# owner: root
# group: root
user::---
user:qqq:-w-
group::---
mask::-w-
other::--x

[root@centos7 ~]# setfacl -x u:qqq date.sh 
[root@centos7 ~]# getfacl date.sh 
# file: date.sh
# owner: root
# group: root
user::---
group::---
mask::---
other::--x
[root@centos7 ~]# setfacl -b date.sh                # clear all ACL entries
Order in which ACL entries take effect: file owner, named users, named groups plus the owning group (their permissions accumulate), everyone else
Figure below: user wang is not the file owner; the named-user entries include wang with permission 0, so wang cannot read the file.
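The precedence just described can be reproduced from getfacl output. The following is an added example, not code from the original post: acl_effective implements the acl(5) check order (owner entry, then a matching named-user entry, then the owning group plus matching named groups limited by the mask, then other) in awk, and SAMPLE_ACL is a constructed getfacl listing modelled on date.sh with a named-user entry for wang that grants nothing, which is the situation in the figure. The function names, the sample entries and the group devs are assumptions of the example.

```shell
#!/bin/sh
# Evaluate the permission bits a user effectively holds on a file from getfacl
# output, following the check order of acl(5) described in the section above:
# the owner entry (never limited by the mask), then a matching named-user entry,
# then the owning group plus any matching named groups (their bits are combined,
# then limited by the mask), and finally the other entry.
# Added example, not code from the original post.
# usage: acl_effective USER "GROUP1 GROUP2 ..." < getfacl_output   -> e.g. "r--"
acl_effective() {
    awk -v user="$1" -v groups="$2" '
    function band(p, m,   i, c, out) {          # keep only bits present in both
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr(p, i, 1)
            out = out (c == substr(m, i, 1) ? c : "-")
        }
        return out
    }
    function bor(p, q,   i, c, out) {           # union of two permission strings
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr(p, i, 1)
            out = out (c != "-" ? c : substr(q, i, 1))
        }
        return out
    }
    /^# owner: / { owner = $3 }
    /^# group: / { ogroup = $3 }
    /^(user|group|mask|other):/ {
        split($1, f, ":")                        # $1 drops any "#effective:" suffix
        if      (f[1] == "user"  && f[2] == "") uperm = f[3]
        else if (f[1] == "user")                nuser[f[2]] = f[3]
        else if (f[1] == "group" && f[2] == "") gperm = f[3]
        else if (f[1] == "group")               ngroup[f[2]] = f[3]
        else if (f[1] == "mask")                mask = f[3]
        else if (f[1] == "other")               operm = f[3]
    }
    END {
        if (mask == "") mask = "rwx"             # no mask entry: nothing is limited
        if (user == owner) { print uperm; exit }
        if (user in nuser) { print band(nuser[user], mask); exit }
        acc = "---"; matched = 0
        n = split(groups, g, " ")
        for (i = 1; i <= n; i++) {
            if (g[i] == ogroup)  { acc = bor(acc, gperm); matched = 1 }
            if (g[i] in ngroup)  { acc = bor(acc, ngroup[g[i]]); matched = 1 }
        }
        if (matched) { print band(acc, mask); exit }
        print operm
    }'
}

# Constructed getfacl output for a file owned by root, modelled on the post's
# date.sh example, with a named-user entry for "wang" that grants nothing and
# a named group "devs" (both are assumptions of this example).
SAMPLE_ACL='# file: date.sh
# owner: root
# group: root
user::rw-
user:wang:---
user:qqq:rw-
group::r--
group:devs:rwx
mask::rw-
other::r--'

# Convenience wrapper: evaluate SAMPLE_ACL for a user and its group list.
# sample_effective wang wang          -> ---   (named-user entry wins over other)
# sample_effective bob "bob devs"     -> rw-   (devs has rwx, trimmed by the mask)
sample_effective() {
    printf '%s\n' "$SAMPLE_ACL" | acl_effective "$1" "$2"
}
```

Two behaviours of the sample are worth noting: wang still gets nothing when also a member of devs, because a matching named-user entry is decided first and no group entry is consulted afterwards, and a user who matches only through devs gets rw- rather than rwx because mask::rw- caps every entry except the owner's.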

Error problem 1

Copy requirements: the file being copied needs r permission, the source directory needs x permission, and the target directory needs wx permission.

Problem description: the file cannot be copied

Cause: as shown below, 10.txt does not meet the first requirement: the owner of 10.txt is qqq, but the owner's permission bits are 0, so there is no r permission

Solution: qqq has wx permission on the directory containing 10.txt and owns 10.txt, so qqq can run chmod on 10.txt to change its permissions

Error problem 2

Move requirements: the file being moved needs r permission, the source directory needs wx permission, and the target directory needs wx permission.

Problem description: after the file was moved away it could not be moved back

Cause: as shown below, 10.txt does not meet the first requirement: the owner of 10.txt is qqq, but the owner's permission bits are 0, so there is no r permission

Solution: qqq has wx permission on the directory containing 10.txt and owns 10.txt, so qqq can run chmod on 10.txt to change its permissions

Error problem 3

Move requirements: the file being moved needs r permission, the source directory needs wx permission, and the target directory needs wx permission.

Problem description: after 10.txt was moved it could not be moved back

Cause: before the move, the owner of 10.txt was root with permissions 004, so qqq had r permission as "other"; after the move the owner of 10.txt became qqq, and as owner qqq has no r permission

Solution: qqq has wx permission on the directory containing 10.txt and owns 10.txt, so qqq can run chmod on 10.txt to change its permissions

Source: blog.51cto.com/14012942/2424366