Linux permission settings (default permissions, hidden attributes and special permissions)

Post outline:

  • 1. The umask command (default permissions)
  • 2. The chattr and lsattr commands (hidden attributes)
  • 3. The roles of SUID, SGID and SBIT (special permissions)

1. The umask command:

umask is the counterpart of chmod for new files: it is the permission mask that is removed from the permissions a new file or directory would otherwise receive. It has four octal digits and works as an anti-mask. The base permissions are 666 for a new file and 777 for a new directory, and the kernel clears from the base every bit that is set in the umask (mode & ~umask); the result is the default permission of the new file or directory. Note that this is a bitwise operation, not a subtraction. The two agree for the usual masks such as 022 and 027, but with umask 033 a new file still gets 644, not 633, because the base mode 666 contains no execute bit to remove. Details:

[root@localhost ~]# umask     # run the umask command
0022

The four digits, "0022" here, stand for the special permissions, the owner permissions, the group permissions and the permissions of everyone else, respectively. With the mask 0022 shown above, a newly created file gets the default permission 644, and a newly created directory gets 755:

[root@localhost tmp]# touch test1.txt    # create a file
[root@localhost tmp]# ll test1.txt     # the default permission is 644
-rw-r--r-- 1 root root 0 Aug 12 17:51 test1.txt
[root@localhost tmp]# mkdir test2  # create a directory
[root@localhost tmp]# ls -ld test2     # the default permission is 755
drwxr-xr-x 2 root root 6 Aug 12 17:51 test2

Changing the umask value:

[root@localhost ~]# umask 0002        # just give the new mask as the argument to umask
[root@localhost ~]# umask    # verify
0002

A umask value set with the umask command is only a temporary change for the current shell; after a logout or a reboot it reverts to the default. To change it permanently, edit /etc/profile or /etc/bashrc. For example, to set the default umask to 027, add a line "umask 027" to the file and run source /etc/profile (or open a new shell) for the change to take effect.

/etc/profile and /etc/bashrc are both read automatically when a user's shell starts, but at different moments: /etc/profile is read by login shells (a console or SSH login), while /etc/bashrc is read by every interactive Bash shell, including new terminals and subshells opened inside an existing session. Whichever file you edit, the umask it sets applies to every user whose shell reads that file, not only to newly created users; because a non-login interactive shell skips /etc/profile, /etc/bashrc is the surer place if you want the value everywhere Bash runs. Daemons and services that are not started through a Bash login read neither file, so their umask has to be set in their own configuration (for example the UMask= directive of a systemd unit).

For a particular user, the per-user files (~/.bashrc, ~/.bash_profile) are read after the system-wide ones, so a umask set there takes priority over the system-wide value for that user.
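As an added example (not part of the original post), the following shell script computes the default mode the way the kernel does, bitwise, and then checks the prediction against a real file and directory created under that umask. The arithmetic part is plain POSIX shell; the empirical check assumes GNU stat for its "%a" format.

```shell
#!/bin/sh
# Added example (not from the original post): compute the default mode a given
# umask produces the way the kernel does (base & ~umask), and verify the
# prediction by creating a real file and directory under that umask.
set -eu

# default_mode BASE UMASK -> prints the resulting three-digit octal mode.
# BASE is 666 for files created by touch(1)/open(2) and 777 for mkdir(1).
# The leading 0 makes the shell read both values as octal.
default_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# check_umask UMASK -> succeeds if the kernel agrees with default_mode for
# both a new file and a new directory (needs GNU stat for "%a").
check_umask() {
    mask=$1
    tmp=$(mktemp -d)
    ( umask "$mask" && touch "$tmp/f" && mkdir "$tmp/d" )
    f_mode=$(stat -c '%a' "$tmp/f")
    d_mode=$(stat -c '%a' "$tmp/d")
    rm -rf "$tmp"
    [ "$f_mode" = "$(default_mode 666 "$mask")" ] &&
        [ "$d_mode" = "$(default_mode 777 "$mask")" ]
}

# Show why "666 minus umask" is only a rule of thumb: 033 strips no bits
# from 666 (there is no execute bit to remove), so a file still gets 644.
for mask in 022 027 033 077; do
    printf 'umask %s: file %s, directory %s\n' \
        "$mask" "$(default_mode 666 "$mask")" "$(default_mode 777 "$mask")"
done
```

Run it as an ordinary user; the loop prints the predicted modes, and check_umask 027 (or any other mask) returns success only when the kernel produced exactly those modes.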

2. The chattr and lsattr commands

Sometimes even root cannot modify a file: someone has locked it with the chattr command. chattr is powerful; some of its attributes depend on kernel and filesystem support, but any system running Linux 2.6 or later has what is described here. Setting attributes with chattr can harden a system, but it is not suitable for every directory: do not lock /, /dev, /tmp or /var, because the system itself must be able to write there. The lsattr command displays the attributes that chattr sets.

These two commands view and change file and directory attributes. Compared with chmod, which only changes the read, write and execute permissions, chattr controls lower-level attributes (the "hidden" attributes of this post's title) that apply regardless of the permission bits and regardless of who the caller is.

1) chattr usage:

[root@localhost ~]# chattr [+-=] [ASacdistu]   file or directory

The options have the following meanings:

  • +: add one or more hidden attributes to those already set.
  • -: remove the listed hidden attributes from those already set.
  • =: set exactly the listed attributes, replacing the current ones.
  • A: do not update the atime of the file or directory when it is accessed, which avoids needless disk I/O on slow machines (today the noatime/relatime mount options are the usual way to handle this).
  • S: normally writes are buffered before reaching disk; with S set, every change to the file is written synchronously to disk.
  • a: append only. Data can only be appended to the file, never deleted or overwritten; the file can also not be truncated, renamed or unlinked. Useful for server log files. Only root (or a process holding CAP_LINUX_IMMUTABLE) can set or clear it.
  • c: compressed. The file is compressed before being stored and transparently decompressed on read.
  • d: no dump. The file is skipped by the dump(8) backup program.
  • i: immutable. This is the important one: the file cannot be deleted, renamed or hard-linked, and nothing can be written or appended to it, not even by root while the attribute is set. i is very useful for locking down the filesystem.
  • j: journal. On a filesystem mounted with data=ordered or data=writeback, the file's data is written to the journal before being written to the file itself. If the filesystem is mounted with data=journal this attribute has no effect.
  • s: secure deletion. When the file is deleted, its blocks are zeroed on disk, so an accidental deletion cannot be recovered.
  • u: undeletable, the opposite of s. When the file is deleted, its contents are kept on disk so that recovery tools can bring it back.

Be aware that c, s and u are accepted by chattr but not honored by ext2/ext3/ext4 in mainline kernels (the chattr man page says so), so never rely on +s for secure deletion.

The most used options are a and i. a enforces append-only: data can be added but never removed, which suits logging. i is the stricter setting. Only the superuser (root) or a process holding the CAP_LINUX_IMMUTABLE capability can set or clear either attribute. Keep in mind that root can clear them again just as easily (chattr -i), so these attributes protect against mistakes, runaway scripts and unprivileged users, not against an attacker who already has root and knows to run lsattr. They also block root itself, and the symptom is "Operation not permitted" (EPERM) rather than "Permission denied" (EACCES), which is the usual clue that a file has been locked rather than simply mode-protected.

Note: on XFS, chattr supports only a subset of these attributes (A, a, d, i and S); c, s, u and j are ext-specific.

2) lsattr syntax:

[root@localhost ~]# lsattr [adR]  file or directory

The options have the following meanings:
-a: also list hidden files (names beginning with a dot);
-d: when the argument is a directory, list the attributes of the directory itself rather than of its contents;
-R: recurse into subdirectories;

Example usage:

1) Use chattr to prevent a critical system file from being modified:

[root@localhost ~]# chattr +i /etc/resolv.conf

After this, mv /etc/resolv.conf and similar operations on the file all fail with "Operation not permitted", and vim warns "W10: Warning: Changing a readonly file" when you start editing and cannot write the file. To modify the file again, first remove the i attribute: chattr -i /etc/resolv.conf

[root@localhost ~]# lsattr /etc/resolv.conf   # check the attributes; the output is as follows
----i-------- /etc/resolv.conf

2) Make a file append-only, so data can be added but nothing can be deleted (for the various log files):

[root@localhost ~]# chattr +a /var/log/messages

With +a set, the log can no longer be truncated, renamed or deleted either, so log rotation fails until the attribute is cleared. Rotate such a log by removing the attribute, rotating, and setting it again (for example from logrotate's prerotate/postrotate scripts).
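As an added example (not from the original post), here is a small POSIX shell parser for lsattr output that reports every file carrying the i or a attribute; it serves both the lsattr section above and the two chattr examples, since the first thing to do when root gets "Operation not permitted" is to find out what has been locked. The sample listing embedded in it is constructed, and scan_locked is the only function that touches the live system.

```shell
#!/bin/sh
# Added example (not from the original post): parse lsattr output and report
# which files carry the immutable (i) or append-only (a) attribute, so that
# an administrator can see what chattr has locked before puzzling over
# "Operation not permitted" errors. SAMPLE_LSATTR below is constructed.
set -eu

# attr_flags LINE -> prints the attribute letters of an lsattr line with the
# dashes removed, e.g. "----i--------e-- /etc/resolv.conf" -> "ie".
# Works for both the old 13-column and the newer wider flag field.
attr_flags() {
    printf '%s\n' "${1%% *}" | tr -d '-'
}

# locked_files reads lsattr (or lsattr -R) output on stdin and prints
# "immutable <path>" or "append-only <path>" for every file with i or a set.
# A file with both is reported once, as immutable, since i is the stronger
# lock. Directory headers ("/etc:") and blank lines from -R output are skipped.
locked_files() {
    while IFS= read -r line; do
        field=${line%% *}
        case "$field" in
            '' | */* | "$line") continue ;;   # blank, directory header, or no path
        esac
        path=${line#* }
        case "$(attr_flags "$line")" in
            *i*) printf 'immutable %s\n' "$path" ;;
            *a*) printf 'append-only %s\n' "$path" ;;
        esac
    done
}

# scan_locked DIR -> run the real lsattr recursively and report locked files.
scan_locked() {
    lsattr -R "$1" 2>/dev/null | locked_files
}

# Constructed sample, shaped like "lsattr -R /etc /var/log" on an ext4 system.
SAMPLE_LSATTR='/etc:
----i--------e-- /etc/resolv.conf
-------------e-- /etc/hosts
----ia-------e-- /etc/crontab

/var/log:
-----a-------e-- /var/log/messages
-------------e-- /var/log/secure'

locked_from_sample() {
    printf '%s\n' "$SAMPLE_LSATTR" | locked_files
}

locked_from_sample
```

On a live host, run scan_locked /etc (as root, so that lsattr can read every file) and compare the result with what you expect to be locked; an i or a flag you did not set yourself deserves a look.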

3. The roles of SUID, SGID and SBIT

1) SUID

In effect, SUID and SGID work much like sudo. When user A executes a file owned by user B and the file has the SUID bit set, the program runs with B's identity (its effective UID is B's) for the duration of that execution.

SUID is short for Set UID. It appears in the execute position of the owner's permission triple. When a file with this bit is executed, the caller temporarily gains the privileges of the file's owner. For example:

[root@localhost ~]# ls -ld /usr/bin/passwd     # look at the passwd command
-rwsr-xr-x. 1 root root 27832 Jun 10  2014 /usr/bin/passwd

An s appears in place of x in the owner's execute position, so passwd is a SUID program. passwd is the command users run to change their own password, and the system ships it with SUID on purpose: a user changing their own password should not have to be granted extra privileges first.

Passwords are stored in /etc/shadow, a file only root can write. How, then, does an ordinary user write a new password into it? Through SUID: when the user runs passwd, the process gains the privileges of the file's owner, root, and can therefore write to the shadow file.

SUID characteristics:
1. SUID is effective only on binary executables (the Linux kernel ignores it on interpreted scripts);
2. the caller must have execute permission (x) on the file (for example /usr/bin/passwd);
3. while the program runs, the caller temporarily holds the privileges of the file's owner;
4. the privilege lasts only for the duration of that program's execution.

Every SUID-root program is therefore part of the system's attack surface: a bug in it, or in how it handles its environment and arguments, can hand root to any local user. That is why hardening guides keep an inventory of SUID files (find / -xdev -perm -4000 -type f) and why filesystems holding untrusted data are mounted with the nosuid option, which makes the kernel ignore the bit there.

The figure below illustrates the effect of SUID:

[Figure: the effect of SUID]

2) SGID

SGID stands for Set GID. It appears in the execute position of the group permission triple and is meaningful on binary executables and on directories. On an executable it works like SUID: while the program runs, the caller holds the privileges of the file's group. On a directory its meaning is more important. A user who has write and execute permission on a directory can create files in it, and if the directory has the SGID bit, the files that user creates there belong to the directory's group rather than to the user's primary group; subdirectories created there inherit the SGID bit as well. This is what makes shared project directories work.

SGID characteristics:
1. SGID is effective on binary programs and on directories;
2. to execute a program, the caller needs x permission on it;
3. while the program runs, the caller holds the privileges of the program's group;
4. on a directory, new files take the directory's group and new subdirectories inherit the bit.

3) SBIT

SBIT is the Sticky Bit. It appears in the execute position of the "others" permission triple and is only meaningful on a directory. In a directory with the sticky bit, any user with write permission can create files, but a file can be deleted or renamed only by its owner (or the directory's owner, or root); other users cannot remove it even when the file's own permissions would allow it. /tmp is the classic example:

[lv@localhost tmp]$ touch a.txt    # user "lv" creates a file in the tmp directory
[lv@localhost tmp]$ ls -ld /tmp
# confirm that /tmp has permission 777 plus the "t" bit
drwxrwxrwt. 16 root root 4096 Aug 13 16:27 /tmp
[lv@localhost tmp]$ chmod 777 a.txt    # give the new file permission 777
[lv@localhost tmp]$ ls -ld a.txt    # confirm
-rwxrwxrwx 1 lv lv 0 Aug 13 16:27 a.txt
# in an ordinary world-writable directory, anyone could now delete a.txt
# but because /tmp has the special "t" bit, they cannot; let's verify
[lv@localhost tmp]$ su lvjianzhao  # switch to another user
Password:
[lvjianzhao@localhost tmp]$ rm -rf a.txt     # try to force-delete it; the result is
rm: cannot remove 'a.txt': Operation not permitted

That is the role of SBIT.

SUID, SGID and SBIT are all set with the chmod command, in either of two notations; chmod handles these three special permissions just as it handles the ordinary ones.

The three special permissions have these numeric values:
SUID = 4
SGID = 2
SBIT = 1

For example, to give the /tmp directory the sticky bit, run either of the following:

[root@localhost /]# chmod o+t /tmp
                                   or
[root@localhost /]# chmod 1777 /tmp   # the first digit of the four-digit mode is the special-permission digit

Note: u = user (owner), g = group, o = others; the symbolic forms for the other two bits are chmod u+s (SUID) and chmod g+s (SGID). Using numeric modes is generally recommended: it is convenient! If a special bit is set but the matching execute bit is not, ls shows a capital S or T in that position instead of s or t; the bit is recorded but has no effect.

Example of use:

[root@localhost /]# chmod o-t /tmp  # remove the "t" bit from /tmp
[root@localhost /]# ls -ld /tmp    # the "t" bit is gone; now anyone can delete the a.txt from before
drwxrwxrwx. 16 root root 4096 Aug 13 16:30 /tmp
[root@localhost /]# chmod 1777 /tmp   # put the "t" bit back using the numeric mode
[root@localhost /]# ls -ld /tmp
drwxrwxrwt. 16 root root 4096 Aug 13 16:30 /tmp
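As an added example (not from the original post), the following POSIX shell script ties the three special bits to the numbers chmod takes: it decodes an ls -l mode string into the four-digit mode (SUID=4, SGID=2, SBIT=1 in the first digit), reports an inert capital S/T separately, and wraps the find(1) inventory of SUID/SGID files that administrators run. The listing fed to decode_sample is constructed; audit_special is the only function that touches the live system.

```shell
#!/bin/sh
# Added example (not from the original post): decode the SUID/SGID/sticky bits
# from an ls -l mode string, convert it to the four-digit number chmod takes,
# and inventory SUID/SGID files with find(1). SAMPLE_LS below is constructed.
set -eu

# char STRING N -> prints the N-th character (1-based) of STRING.
char() {
    printf '%s' "$1" | cut -c"$2"
}

# special_bits MODE -> prints which special bits are set, e.g. "suid sgid".
# ls shows a capital S or T when the bit is set but the matching execute bit
# is not; such a bit has no effect, so it is reported as "(no-x)".
special_bits() {
    out=""
    case "$(char "$1" 4)"  in s) out="$out suid";;   S) out="$out suid(no-x)";;   esac
    case "$(char "$1" 7)"  in s) out="$out sgid";;   S) out="$out sgid(no-x)";;   esac
    case "$(char "$1" 10)" in t) out="$out sticky";; T) out="$out sticky(no-x)";; esac
    printf '%s\n' "${out# }"
}

# numeric_mode MODE -> prints the four-digit octal mode, e.g.
# "-rwsr-xr-x" -> 4755 and "drwxrwxrwt" -> 1777. The first digit is the
# special-permission digit: SUID=4, SGID=2, SBIT=1.
numeric_mode() {
    perms=0 special=0 i=1
    while [ "$i" -le 9 ]; do            # positions 2..10 are rwxrwxrwx
        case "$(char "$1" $((i + 1)))" in
            r|w|x|s|t) perms=$(( perms | (1 << (9 - i)) )) ;;
        esac
        i=$((i + 1))
    done
    case "$(char "$1" 4)"  in s|S) special=$((special | 4));; esac
    case "$(char "$1" 7)"  in s|S) special=$((special | 2));; esac
    case "$(char "$1" 10)" in t|T) special=$((special | 1));; esac
    printf '%d%03o\n' "$special" "$perms"
}

# decode_listing reads ls -l lines on stdin and prints "<mode> <bits> <path>".
# (A path containing spaces would be cut at its last space; fine for an audit.)
decode_listing() {
    while read -r mode rest; do
        [ -n "$mode" ] || continue
        path=${rest##* }
        printf '%s %s %s\n' "$(numeric_mode "$mode")" "$(special_bits "$mode")" "$path"
    done
}

# audit_special ROOT -> ls -l listing of every SUID or SGID regular file under
# ROOT, staying on one filesystem. Pipe it into decode_listing for the numbers.
audit_special() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} + 2>/dev/null
}

# Constructed sample listing (not real output from any host). The trailing
# "." after a mode is the SELinux context marker ls adds on RHEL/CentOS.
SAMPLE_LS='-rwsr-xr-x. 1 root root 27832 Jun 10  2014 /usr/bin/passwd
-rwxr-sr-x  1 root tty   15344 Jan  5  2020 /usr/bin/wall
-rwSr--r--  1 root root     42 Aug 13 16:27 /tmp/broken
drwxrwxrwt. 16 root root  4096 Aug 13 16:27 /tmp'

decode_sample() {
    printf '%s\n' "$SAMPLE_LS" | decode_listing
}

decode_sample
```

On a real host, audit_special / | decode_listing gives the inventory to compare against a known-good baseline; a new 4755 file owned by root, or one showing suid(no-x) that somebody half-set by hand, is what you are looking for.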

Source: blog.51cto.com/14154700/2429203