Linux Fundamentals: Permission Management, Part 2

I. Special permissions: suid and sgid

1. suid (set user ID). Definition: can only be set on binary executable files; it has no effect on a directory.

Effect: while the program runs, the user executing it temporarily holds the permissions of the program's owner.

sgid: can be set on binary executable files and also on directories.

Effect: when files are created inside a directory that has sgid set, every newly created file inherits the directory's group.

Setting suid

chmod u+s <binary executable>, or in octal prefix the mode with 4 (chmod 4xxx <binary executable>)

Setting sgid

chmod g+s <binary executable>, or in octal prefix the mode with 2 (chmod 2xxx <binary executable>)

The suid attribute is normally used on executable files: when a user executes the file, they temporarily hold the permissions of the file's owner.

When listing with "ls -l" or "ll", a lowercase "s" in the third position of the owner permission triad shows that the executable has suid set.

[root@andy ~]# which cat
/bin/cat
[root@andy ~]# chmod u+s /bin/cat
[root@andy ~]# ls -l /bin/cat
-rwsr-xr-x. 1 root root 54080 11月 6 2016 /bin/cat
[root@andy ~]# su - test
上一次登录:三 11月 27 22:00:51 CST 2019pts/0 上
[test@andy ~]$ cat /etc/shadow
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
adm:*:17110:0:99999:7:::
lp:*:17110:0:99999:7:::
sync:*:17110:0:99999:7:::
shutdown:*:17110:0:99999:7:::
halt:*:17110:0:99999:7:::
mail:*:17110:0:99999:7:::
operator:*:17110:0:99999:7:::
games:*:17110:0:99999:7:::
ftp:*:17110:0:99999:7:::
nobody:*:17110:0:99999:7:::
systemd-bus-proxy:!!:18079::::::
systemd-network:!!:18079::::::
dbus:!!:18079::::::
polkitd:!!:18079::::::
tss:!!:18079::::::
postfix:!!:18079::::::
sshd:!!:18079::::::
chrony:!!:18079::::::
mysql:!!:18117::::::
apache:!!:18118::::::
zabbix:!!:18118::::::
dhcpd:!!:18123::::::
geoclue:!!:18123::::::
andy:!!:18218::::::
andy1:$6$Xs6FGgpm$gOXgBQLVRVGGc6DbbWPxqU/ZK775VbGxkZD0ip3ziYHEtYCRaYXh1hjDKsn7dP4JpIRZwHxwBAHYPyMbRdIJQ.:18219::::::
root:$6$UL3tJO.I$L7IO.DLLH/SQj7dZ.c5ljFJKzQaRjUf9tPBDZnFBL46EhDhFANXsh7h93v6g0f4/pZknX9S7paLLCptQwp.d20:18219::::::
test:$6$DRHD2FZ5$ky30s5SlL8dup7.vn7Uhj7/4Q5PAOyKltZPp488OAWn2OoEQz.0OYg.4mJ/ajWqJNpJnNMMhnabpYG2aeG9M1.:18227:0:99999:7:::
[test@andy ~]$

Remove the suid permission

chmod u-s <binary executable>

[root@andy ~]# ls -l /bin/cat
-rwsr-xr-x. 1 root root 54080 11月 6 2016 /bin/cat
[root@andy ~]# chmod u-s /bin/cat
[root@andy ~]# ls -l /bin/cat
-rwxr-xr-x. 1 root root 54080 11月 6 2016 /bin/cat
[root@andy ~]#

sgid can be set on binary executable files and also on directories.

Effect: when files are created inside a directory that has sgid set, the group of the newly created files is inherited from the parent directory.

chmod g+s <binary executable>: when another user runs the binary, the command executes with the permissions of the file's owning group.

[root@andy ~]# ls -l /bin/cat
-rwxr-xr-x. 1 root root 54080 11月 6 2016 /bin/cat
[root@andy ~]# chmod g+s /bin/cat
[root@andy ~]# ls -l /bin/cat
-rwxr-sr-x. 1 root root 54080 11月 6 2016 /bin/cat
[root@andy ~]# ls -l /etc/passwd
-rw-r----- 1 root root 1463 11月 28 02:29 /etc/passwd
[root@andy ~]# id test
uid=1000(test) gid=1002(test) 组=1002(test)
[root@andy ~]# su - test
上一次登录:四 11月 28 02:59:39 CST 2019pts/0 上
/usr/bin/id: cannot find name for user ID 1000
/usr/bin/id: cannot find name for user ID 1000
[I have no name!@andy ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-bus-proxy:x:999:997:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:997:995::/var/lib/chrony:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
zabbix:x:996:994:Zabbix Monitoring System:/var/lib/zabbix:/sbin/nologin
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
geoclue:x:995:993:User for geoclue:/var/lib/geoclue:/sbin/nologin
andy:x:994:991::/home/andy:/sbin/nologin
andy1:x:993:990::/home/andy1:/sbin/nologin
test:x:1000:1002::/home/test:/bin/bash
andy2:x:992:989::/home/andy2:/bin/bash
[I have no name!@andy ~]$ su - root
password:
上一次登录:四 11月 28 03:01:35 CST 2019pts/0 上
[root@andy ~]# chmod g-s /bin/cat
[root@andy ~]# ls -l /bin/cat
-rwxr-xr-x. 1 root root 54080 11月 6 2016 /bin/cat
[root@andy ~]# su - test
上一次登录:四 11月 28 03:05:27 CST 2019pts/0 上
/usr/bin/id: cannot find name for user ID 1000
/usr/bin/id: cannot find name for user ID 1000
[I have no name!@andy ~]$ cat /etc/passwd
cat: /etc/passwd: 权限不够
[I have no name!@andy ~]$

chmod g+s <directory>: files created inside the directory inherit its group

[root@andy ~]# ls -ld
dr-xr-x---. 4 root root 225 11月 28 03:13 .
[root@andy ~]# ls -ld test
drwxr-xr-x 3 root root 19 11月 28 03:16 test
[root@andy ~]# chown test:G1 test
[root@andy ~]# ls -ld test
drwxr-xr-x 3 test G1 19 11月 28 03:16 test
[root@andy ~]# cd test
[root@andy test]# mkdir test1
[root@andy test]# ls -ld test1
drwxr-xr-x 2 root root 6 11月 28 03:21 test1
[root@andy test]# cd
[root@andy ~]# chmod g+s test
[root@andy ~]# ls -ld test
drwxr-sr-x 4 test G1 32 11月 28 03:21 test
[root@andy ~]# cd test
[root@andy test]# mkdir test3
[root@andy test]# ls -ld test3
drwxr-sr-x 2 root G1 6 11月 28 03:24 test3
[root@andy test]#

II. The sbit (sticky bit)

In a directory with the sbit set, users can delete only the files they created themselves; they cannot delete files created by other users.

Add the sbit to the /tmp directory; deleting another user's file is then refused.

The root user sets the sbit:

[root@andy ~]# chmod o+t /tmp

Switch to user andy1 and create the file andy1:

[root@andy ~]# su - andy1
[andy1@andy ~]$ cd /tmp
[andy1@andy tmp]$ touch andy1

Switch to user andy2 and try to delete it:

[andy1@andy tmp]$ su - andy2

[andy2@andy ~]$ cd /tmp

[andy2@andy tmp]$ rm -rf andy1
rm: cannot delete "andy1": Operation not permitted

Switch to root, remove the sbit, then switch to andy2 again: the file can now be deleted.

[andy2@andy tmp]$ su - root
password:
上一次登录:三 12月 4 13:43:03 CST 2019pts/1 上
[root@andy ~]# chmod o-t /tmp
[root@andy ~]# su - andy2
上一次登录:三 12月 4 15:18:15 CST 2019pts/1 上
[andy2@andy ~]$ rm -rf /tmp/andy1
[andy2@andy ~]$
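The suid, sgid and sbit sections above all rely on reading the mode string that "ls -l" prints. The script below is an added example, not code from the original post: it parses such a mode string and reports which special bits are set, the octal prefix digit chmod would use for them, and the uppercase S/T case (bit set on a slot that has no execute permission), which is what an audit over a filesystem would flag. All function names and the sample mode strings are constructed here; the mode strings mirror the transcripts above (/bin/cat with u+s and with g+s, a g+s directory, /tmp with the sticky bit).

```shell
#!/bin/sh
# Added example, not code from the original post. It reads the 10-character mode
# string printed by "ls -l" (e.g. -rwsr-xr-x) and reports the special bits it
# encodes, the way an audit script would. Lowercase s/t = bit set together with
# the execute bit; uppercase S/T = bit set without execute, usually a mistake.

# special_bits MODE -> space-separated subset of: suid sgid sticky
special_bits() {
  mode=$1
  u=$(printf '%s' "$mode" | cut -c4)   # owner execute slot
  g=$(printf '%s' "$mode" | cut -c7)   # group execute slot
  o=$(printf '%s' "$mode" | cut -c10)  # other execute slot
  out=""
  case "$u" in s|S) out="$out suid" ;; esac
  case "$g" in s|S) out="$out sgid" ;; esac
  case "$o" in t|T) out="$out sticky" ;; esac
  printf '%s\n' "${out# }"
}

# special_digit MODE -> the leading octal digit chmod would use (4=suid, 2=sgid, 1=sticky)
special_digit() {
  d=0
  for b in $(special_bits "$1"); do
    case "$b" in
      suid)   d=$((d + 4)) ;;
      sgid)   d=$((d + 2)) ;;
      sticky) d=$((d + 1)) ;;
    esac
  done
  printf '%s\n' "$d"
}

# dangling_bits MODE -> special bits set on a slot that lacks the execute bit (S or T)
dangling_bits() {
  mode=$1
  out=""
  case "$(printf '%s' "$mode" | cut -c4)"  in S) out="$out suid-without-exec" ;; esac
  case "$(printf '%s' "$mode" | cut -c7)"  in S) out="$out sgid-without-exec" ;; esac
  case "$(printf '%s' "$mode" | cut -c10)" in T) out="$out sticky-without-exec" ;; esac
  printf '%s\n' "${out# }"
}

# report MODE -> one human-readable line per mode string
report() {
  printf '%-11s bits=[%s] octal_prefix=%s %s\n' \
    "$1" "$(special_bits "$1")" "$(special_digit "$1")" "$(dangling_bits "$1")"
}

# audit_path PATH -> report on a real file or directory; only the first 10 chars
# of "ls -ld" are used, so the "." or "+" that ls appends for SELinux/ACLs is dropped
audit_path() {
  report "$(ls -ld "$1" | cut -c1-10)"
}

# Constructed mode strings mirroring the transcripts above: /bin/cat with u+s,
# /bin/cat with g+s, a g+s directory, /tmp with the sticky bit, a plain file,
# and a file whose suid bit is set without execute permission.
for m in -rwsr-xr-x -rwxr-sr-x drwxr-sr-x drwxrwxrwt -rwxr-xr-x -rwSr--r--; do
  report "$m"
done
```

To run the same check over a whole filesystem, feed audit_path the paths that GNU find returns for `find / -xdev -type f -perm /6000`; a setuid bit on a general-purpose utility such as cat, as created in the transcript above, is exactly the kind of entry such a sweep should surface for review.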

III. Extended file permissions: ACL

ACL (access control list): extended permissions

Scenario: give user andy3 rwx permission on the file a.txt. andy3 is neither the owner of a.txt nor a member of its group, so it falls under "other"; at the same time, the other users in "other" apart from andy3 must not get rwx.

1. Check andy3's owner and group, then create a.txt and view its owner and group:

[root@andy ~]# id andy3
uid=1003(andy3) gid=1003(andy3) 组=1003(andy3)
[root@andy ~]# rm -rf a.txt
[root@andy ~]# id andy3
uid=1003(andy3) gid=1003(andy3) 组=1003(andy3)
[root@andy ~]# touch a.txt
[root@andy ~]# ls -lh a.txt
-rw-r--r-- 1 root root 0 12月 4 15:45 a.txt
[root@andy ~]#

2. Set the extended permission on a.txt and view it:

[root@andy ~]# setfacl -m u:andy3:rwx a.txt
[root@andy ~]# getfacl a.txt
# file: a.txt
# owner: root
# group: root
user::rw-
user:andy3:rwx
group::r--
mask::rwx
other::r--

[root@andy ~]#

3. To modify the permissions of all files under a directory recursively, put -R in front of -m (set):

[root@andy ~]# setfacl -R -m u:andy3:rw- /root/
[root@andy ~]# getfacl a.txt
# file: a.txt
# owner: root
# group: root
user::rw-
user:andy3:rw-

4. Remove a single ACL entry:

[root@andy ~]# setfacl -x u:andy3 a.txt
[root@andy ~]# getfacl a.txt
# file: a.txt
# owner: root
# group: root
user::rw-
group::r--
mask::r--
other::r--

[root@andy ~]#

5. Remove all ACL entries (useful when a.txt has ACL entries for several users):

[root@andy ~]# setfacl -b /root/a.txt
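Every getfacl listing above carries a mask:: entry, and the rights a named user actually receives are the entry ANDed with that mask. The script below is an added example, not code from the original post. It parses getfacl-style text and prints the effective rights per entry. Both listings it works on are constructed: the first reproduces the state right after setfacl -m u:andy3:rwx a.txt; the second is a hypothetical state after a later chmod g=r a.txt, which on a file with an ACL rewrites the mask rather than the owning group's bits, so andy3 silently drops to r-- even though its own entry still reads rwx.

```shell
#!/bin/sh
# Added example, not code from the original post. getfacl output like the listings
# above carries a mask entry, and the rights a named user really gets are the
# entry ANDed with that mask. The two listings below are constructed: the first
# matches the state right after "setfacl -m u:andy3:rwx a.txt"; the second is a
# hypothetical state after a later "chmod g=r a.txt", which on a file with an ACL
# rewrites the mask, not the owning group's bits.

ACL_AFTER_SETFACL='# file: a.txt
# owner: root
# group: root
user::rw-
user:andy3:rwx
group::r--
mask::rwx
other::r--'

ACL_AFTER_CHMOD='# file: a.txt
# owner: root
# group: root
user::rw-
user:andy3:rwx
group::r--
mask::r--
other::r--'

# and_perm RWX RWX -> bitwise AND of two permission triplets, e.g. "rwx" "r-x" -> "r-x"
and_perm() {
  a=$1; b=$2; out=""; i=1
  while [ "$i" -le 3 ]; do
    ca=$(printf '%s' "$a" | cut -c"$i")
    cb=$(printf '%s' "$b" | cut -c"$i")
    if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then out="$out$ca"; else out="$out-"; fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# acl_mask ACLTEXT -> the mask triplet, or empty when the listing has no mask entry
acl_mask() {
  printf '%s\n' "$1" | sed -n 's/^mask::\(...\)$/\1/p'
}

# effective_perms ACLTEXT -> every entry followed by the rights it actually grants.
# The mask applies to named users, named groups and the owning group; it never
# applies to the owner (user::) or to other::.
effective_perms() {
  text=$1
  mask=$(acl_mask "$text")
  printf '%s\n' "$text" | while IFS= read -r line; do
    perm=${line##*:}
    case "$line" in
      \#*|'')           ;;                             # comment and blank lines
      mask::*)          ;;                             # the mask itself grants nothing
      user::*|other::*) printf '%s effective=%s\n' "$line" "$perm" ;;
      user:*|group:*)
        if [ -n "$mask" ]; then eff=$(and_perm "$perm" "$mask"); else eff=$perm; fi
        printf '%s effective=%s\n' "$line" "$eff" ;;
    esac
  done
}

# effective_for ACLTEXT ENTRY -> just the effective triplet for ENTRY, where ENTRY is
# e.g. "user:andy3", "user:" (owner), "group:" (owning group) or "other:"
effective_for() {
  effective_perms "$1" | sed -n "s/^$2:[^ ]* effective=//p"
}

echo "after setfacl -m u:andy3:rwx:"
effective_perms "$ACL_AFTER_SETFACL"
echo "after a later chmod g=r:"
effective_perms "$ACL_AFTER_CHMOD"
```

When checking that an ACL really grants what the scenario requires, compare the effective column, not the raw entry: the raw user:andy3:rwx line is unchanged in both listings, but only the first actually gives andy3 write and execute.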

IV. sudo in practice

1. The sudo concept

sudo is the tool commonly used on Linux to give ordinary users superuser privileges: it lets the system administrator allow ordinary users to run some or all root commands. It reduces the time spent logged in as root for administration and also improves security.

2. Features

1) sudo can restrict a user to running only specific commands on a host.

2) sudo provides rich, detailed logs that record what each user did; the logs can be forwarded to a central log host or log server.

3) sudo uses a timestamp file to implement a ticket-like system: when a user invokes sudo and enters their password, they receive a ticket that remains valid for 5 minutes.

4) sudo's configuration file is /etc/sudoers, and its mode must be 440. It lets the system administrator centrally manage users' permissions and their usage of the host; the file is normally edited with visudo.

3. Hands-on with sudo

1) Create the user andy and set a password:

[root@andy ~]# useradd andy
[root@andy ~]# echo "andy" | passwd --stdin andy
Changing password for user andy.
passwd: all authentication tokens updated successfully.
[root@andy ~]#

2) Edit the configuration file to grant andy permission to run useradd:

[root@andy ~]# visudo

##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
andy ALL=(ALL) /usr/sbin/useradd
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands

3) Verify andy's useradd permission:

[root@andy ~]# su - andy
[andy@andy ~]$ useradd test1
-bash: /usr/sbin/useradd: 权限不够
[andy@andy ~]$ sudo /usr/sbin/useradd test1

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for andy: (enter andy's password)
[andy@andy ~]$ 
[andy@andy ~]$ sudo /usr/sbin/useradd test2
[andy@andy ~]$

4) Configure logging

1. Create the log file:

[root@andy ~]# touch /var/log/sudo.log
[root@andy ~]#

2. Configure rsyslog:

[root@andy ~]# vim /etc/rsyslog.conf

# sudo log
local2.debug /var/log/sudo.log
"/etc/rsyslog.conf" 92L, 3272C written
[root@andy ~]#

3. Configure sudoers with visudo:

[root@andy ~]# visudo

Defaults logfile=/var/log/sudo.log
"/etc/sudoers.tmp" 112L, 3983C written
[root@andy ~]#

4. Test and view the log:

[root@andy ~]# cat /var/log/sudo.log
Dec 12 16:42:47 : andy : TTY=pts/0 ; PWD=/home/andy ; USER=root ;
COMMAND=/usr/sbin/useradd test5
[root@andy ~]#
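The log entry above is the format that Defaults logfile produces, and the second line is sudo wrapping one long entry, not a second entry. The script below is an added example, not code from the original post: it glues wrapped lines back together, splits each entry into user, run-as user, status and command, and flags anything outside the single command the sudoers rule above grants to andy (/usr/sbin/useradd). The log text is constructed; it reuses the shape of the page's entry and adds a second granted entry and a constructed denied one (sudo records a refused command with "command not allowed" in place of the TTY field).

```shell
#!/bin/sh
# Added example, not code from the original post. It parses the "Defaults logfile"
# format shown above and flags sudo entries that fall outside the single command
# the sudoers rule grants to andy (/usr/sbin/useradd). The log text is constructed;
# the indented second line reproduces how sudo wraps a long entry.

SUDO_LOG_SAMPLE='Dec 12 16:42:47 : andy : TTY=pts/0 ; PWD=/home/andy ; USER=root ;
    COMMAND=/usr/sbin/useradd test5
Dec 12 16:43:10 : andy : TTY=pts/0 ; PWD=/home/andy ; USER=root ; COMMAND=/usr/sbin/useradd test6
Dec 12 16:50:01 : andy : command not allowed ; TTY=pts/0 ; PWD=/home/andy ; USER=root ; COMMAND=/bin/bash'

TAB=$(printf '\t')

# join_wrapped LOGTEXT -> same log with indented continuation lines glued back on
join_wrapped() {
  printf '%s\n' "$1" | awk '
    /^[ \t]/  { sub(/^[ \t]+/, " "); buf = buf $0; next }
    buf != "" { print buf }
              { buf = $0 }
    END       { if (buf != "") print buf }'
}

# sudo_entries LOGTEXT -> one tab-separated line per entry: user, run-as user, status, command
# status is "ok" for a granted command, otherwise sudo's own text (e.g. "command not allowed")
sudo_entries() {
  join_wrapped "$1" | awk -F' ; ' '
  {
    n = split($1, head, " : ")          # "date : user[ : status] : TTY=..." lives in field 1
    user = head[2]
    status = "ok"
    if (n >= 3 && head[3] !~ /^TTY=/) status = head[3]
    runas = ""; cmd = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^USER=/)    runas = substr($i, 6)
      if ($i ~ /^COMMAND=/) cmd   = substr($i, 9)
    }
    printf "%s\t%s\t%s\t%s\n", user, runas, status, cmd
  }'
}

# flag_unexpected LOGTEXT ALLOWED_PATH -> entries that were denied, or whose
# command binary is not ALLOWED_PATH
flag_unexpected() {
  sudo_entries "$1" | awk -F "$TAB" -v allowed="$2" '
  {
    split($4, c, " ")                   # c[1] is the command path without its arguments
    if ($3 != "ok" || c[1] != allowed) print
  }'
}

# count_unexpected LOGTEXT ALLOWED_PATH -> number of flagged entries
count_unexpected() {
  flag_unexpected "$1" "$2" | wc -l | tr -d ' '
}

echo "all entries:"
sudo_entries "$SUDO_LOG_SAMPLE"
echo "outside the sudoers grant for /usr/sbin/useradd:"
flag_unexpected "$SUDO_LOG_SAMPLE" /usr/sbin/useradd
```

Run against the real file with `flag_unexpected "$(cat /var/log/sudo.log)" /usr/sbin/useradd`; any output means either a denied attempt or a command that the sudoers line above does not grant, both of which belong in a review.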


Source: www.cnblogs.com/yzandy/p/11946683.html