Linux file permissions and ownership (including SUID, SGID, SBIT), hidden attributes, File Access Control Lists (ACL), chown and chmod, and SGID on directories

This article is excerpted from the book "Linux Should Be Learned This Way" by teacher Liu Trent; I wrote it up in my own blog so I can refer back to it easily later.
The book is great: concise language, easy to understand, highly recommended; you can follow the link to learn from it.

File permissions and ownership

Although everything in Linux is a file, the files in a Linux system are of different types, so the system uses different characters to distinguish them, as shown by the common characters below.

The figure (an ls -l listing of the file install.log, not reproduced here) contains the file type, the access permissions, the owner, the owning group, the disk space occupied, the modification time, the file name and other information.

Reading it: the file type is a regular file; the owner has read and write permissions (rw-); the owning group has read permission (r--); others have only read permission (r--); the file occupies 34298 bytes of disk; it was last modified early in the morning of April 2 (at 23 minutes past the hour); and the file name is install.log.

File types and their corresponding characters

  • -: normal file
  • d: directory file
  • l: link file
  • b: block device file
  • c: character device file
  • p: pipe file

File permissions

In a Linux system, every file has an owner and an owning group, and the permissions specify what the file's owner, its owning group and other users may do with the file: read (r), write (w), execute (x) and so on.

Regular file permissions

  • Read: the actual contents of the file can be read
  • Write: the actual contents of the file can be edited, added to, modified or deleted
  • Execute: the file can be run as a program or script

Directory permissions

  • Read: the list of files in the directory can be read
  • Write: files can be created, deleted and renamed in the directory
  • Execute: the directory can be entered

Character and numeric representation of file permissions

The read, write and execute permissions of a file can be abbreviated as r, w and x respectively, or represented by the numbers 4, 2 and 1; the owner, the owning group and other users each have their own independent set of these permissions.

The numeric representation of file permissions is calculated from the character representation (rwx); its purpose is to simplify writing down permissions (for example, granting permissions with the chmod command as chmod 760 test).

For example:

  • If a file's permission digit is 7, it is readable, writable and executable (4 + 2 + 1).
  • If the digit is 6, it is readable and writable (4 + 2).

  • Suppose a file's owner has read, write and execute permissions, its owning group has read and write permissions, and others have only read permission.
    • Then the file's access permissions are rwxrw-r--, which in numeric form is 764 (the three digits must not be added together: 7 + 6 + 4 = 17 is elementary-school arithmetic, not the Linux representation; the three digits are independent of each other).

Small exercises

  • Convert the numeric permissions 764, 642, 153 and 731 into the character notation
  • Convert rwxrw-r--, rw--w--wx and rw-r--r-- into the numeric notation
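A worked solution to the exercises above, as an added example that is not from the book: two shell functions that convert between the symbolic and numeric notations. They go one step beyond the text by also handling the special bits discussed later (an s/S in the owner or group execute slot, a t/T in the others slot) as the leading digit of a four-digit mode (4 = SUID, 2 = SGID, 1 = SBIT).

```shell
# perm_to_octal "rwxrw-r--" -> 764 ; perm_to_octal "rwsr-xr-x" -> 4755
perm_to_octal() {
    p=$1
    [ "${#p}" -eq 9 ] || { echo "need 9 permission characters, got '$p'" >&2; return 1; }
    special=0 digits="" i=1
    while [ "$i" -le 9 ]; do
        triad=$(printf '%s' "$p" | cut -c"$i"-"$((i + 2))")
        val=0
        case $triad in r??) val=$((val + 4)) ;; esac
        case $triad in ?w?) val=$((val + 2)) ;; esac
        case $triad in ??[xst]) val=$((val + 1)) ;; esac   # lowercase s/t still imply x
        case "$i$triad" in                                # S/T: special bit without x
            1??[sS]) special=$((special + 4)) ;;          # owner triad  -> SUID
            4??[sS]) special=$((special + 2)) ;;          # group triad  -> SGID
            7??[tT]) special=$((special + 1)) ;;          # others triad -> SBIT
        esac
        digits="$digits$val"
        i=$((i + 3))
    done
    if [ "$special" -eq 0 ]; then echo "$digits"; else echo "$special$digits"; fi
}

# octal_to_perm 764 -> rwxrw-r-- ; octal_to_perm 4755 -> rwsr-xr-x
octal_to_perm() {
    mode=$1 special=0
    case $mode in
        [0-7][0-7][0-7]) ;;
        [0-7][0-7][0-7][0-7]) special=${mode%???}; mode=${mode#?} ;;
        *) echo "need 3 or 4 octal digits, got '$mode'" >&2; return 1 ;;
    esac
    out="" i=1
    while [ "$i" -le 3 ]; do
        d=$(printf '%s' "$mode" | cut -c"$i")
        case $i in 3) lo=t up=T ;; *) lo=s up=S ;; esac
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        # execute slot: x, or s/t when this triad's special bit is set (S/T if x is absent)
        bit=$(( (special >> (3 - i)) & 1 ))
        if [ $((d & 1)) -ne 0 ]; then
            if [ "$bit" -eq 1 ]; then out="${out}$lo"; else out="${out}x"; fi
        else
            if [ "$bit" -eq 1 ]; then out="${out}$up"; else out="${out}-"; fi
        fi
        i=$((i + 1))
    done
    echo "$out"
}
```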

Special file permissions

In production environments, the rwx file permissions alone cannot meet our needs for security and flexibility, so there are the SUID, SGID and SBIT special permission bits.

These are a special set of file permission features that can be used together with the general permissions, to make up for functions the general permissions cannot achieve.

SUID

SUID is a special permission set on a binary program: it lets the user who executes the binary temporarily hold the permissions of the program's owner (it is only effective on binary programs that have execute permission).

Scenario

Letting an ordinary user temporarily have permission to operate on the shadow file:

When the passwd command carries the SUID special permission bit, an ordinary user running it temporarily obtains the identity of the program's owner, so the changed password information can be written to the shadow file.

This is much like what we see in costume dramas: the imperial envoy holding the most powerful weapon, which represents the authority of the emperor, can punish corrupt officials while he holds it, but that does not mean he has permanently become the emperor. So this is a conditional, temporary way of granting special privileges.

Looking at the passwd command, we find that the owner's permissions have changed from rwx to rws: the x has become an s, meaning the file has been given the SUID permission. Some readers will wonder what happens if the original permissions were rw-. If the original permission bits did not include the execute permission x, then after the special permission is granted the bit becomes a capital S.

[root@linuxprobe ~]# ls -l /etc/shadow
----------. 1 root root 1004 Jan 3 06:23 /etc/shadow
[root@linuxprobe ~]# ls -l /bin/passwd
-rwsr-xr-x. 1 root root 27832 Jan 29 2017 /bin/passwd

SGID

  • Lets the executor temporarily have the permissions of the file's owning group (effective only on binary programs with execute permission set)
  • Files created in a directory automatically inherit the directory's user group (can only be set on directories)

The first function of SGID was designed with reference to SUID; the difference is that the user executing the program no longer temporarily obtains the permissions of the file's owner, but those of the file's owning group.

For example, in early Linux systems, /dev/kmem is a character device file used to access the kernel's data storage, with these permissions:

cr--r----- 1 root system 2, 1 Feb 11 2017 kmem

Apart from the system administrator (root) and members of the system group, no user has read access to this file.

Because we usually need to view the process status of the system, in order to be able to obtain process status information, the SGID special permission bit can be added to the ps command file, which is used to view process status.

Viewing the attribute information of the ps command file:

-r-xr-sr-x 1 bin system 59346 Feb 11 2017 ps

Thus, since the ps command has the SGID special permission bit, when a user executes the command they temporarily obtain the permissions of the system user group, so the device file can be read successfully.

As mentioned earlier, every file has its owner and owning group; when a file is created or transferred, it is automatically assigned to the user who performed the operation (i.e. that user becomes the file's owner).

If you now need to set up a shared directory for a department, so that everyone in the department can read its contents, you can create a department shared directory and set the SGID special permission bit on it.

Then any file created in that directory by any department member will belong to the group the directory belongs to, rather than to the user's own primary group.

This uses the second function of SGID: files created in a directory automatically inherit the directory's user group (which can only be set on directories).

[root@linuxprobe ~]# cd /tmp
[root@linuxprobe tmp]# mkdir testdir
[root@linuxprobe tmp]# ls -ald testdir/
drwxr-xr-x. 2 root root 6 Feb 11 11:50 testdir/
[root@linuxprobe tmp]# chmod -Rf 777 testdir/
[root@linuxprobe tmp]# chmod -Rf g+s testdir/
[root@linuxprobe tmp]# ls -ald testdir/
drwxrwsrwx. 2 root root 6 Feb 11 11:50 testdir/

After setting the directory to 777 with the command (to make sure ordinary users can write files into it) and setting the SGID special permission bit on the directory, you can switch to an ordinary user, try to create a file in that directory, and see whether the newly created file inherits the group name that the directory belongs to:

[root@linuxprobe tmp]# su - linuxprobe
Last login: Wed Feb 11 11:49:16 CST 2017 on pts/0
[linuxprobe@linuxprobe ~]$ cd /tmp/testdir/
[linuxprobe@linuxprobe testdir]$ echo "linuxprobe.com" > test
[linuxprobe@linuxprobe testdir]$ ls -al test
-rw-rw-r--. 1 linuxprobe root 15 Feb 11 11:50 test

chmod

The chmod command is very useful; it can be used to set the permissions of a file or directory.

format: chmod [parameters] permissions file-or-directory-name

If you want to set a file's permissions so that its owner can read, write and execute it, its owning group can read and write it, and others have no permissions at all, the corresponding character representation is rwxrw---- and the corresponding numeric representation is 760.

Through the earlier study and this hands-on practice, we can now feel how convenient it is to use the numeric method to set file permissions.

chown

The chown command can be used to set the owner and owning group of a file or directory.

format: chown [parameters] owner:group file-or-directory-name

chmod and chown are the most commonly used commands for modifying file attributes and permissions. They also share a special characteristic: when operating on a directory you need to add the -R parameter for recursive operation, that is, to operate on all the files inside the directory as a whole.

[root@linuxprobe ~]# ls -l test
-rwxrw----. 1 linuxprobe root 15 Feb 11 11:50 test
[root@linuxprobe ~]# chown root:bin test
[root@linuxprobe ~]# ls -l test
-rwxrw----. 1 root bin 15 Feb 11 11:50 test

SBIT: only the file owner can delete files

It ensures that users can only delete their own files and cannot delete other users' files.

Nowadays many university teachers require students to upload their assignments to a specific shared directory on a server, but there are always a few "saboteurs" who like to delete other students' assignments. This is when we should set the SBIT (Sticky Bit) special permission bit (also called the sticky bit special permission bit).

The SBIT special permission bit ensures that users can only delete their own files and cannot delete other users' files.

In other words, once a directory has the SBIT sticky bit permission set, a file in that directory can only be deleted by its owner.

It is not known which non-senior technical person first translated Sticky Bit literally as "sticky bit"; teacher Trent Liu suggests calling it the "protection bit" instead, which is not only easier to remember but also lets people immediately understand its role.

In RHEL 7, the /tmp directory, as a shared directory, has the SBIT special permission bit set by default, so nobody other than the owner of a file can delete the files inside it.

The display also differs from the SUID and SGID permissions described earlier: when a directory has the SBIT special permission bit set, the x execute permission in the others section of the file permissions is replaced by t or T; if others originally had the x execute permission it is written as t, and if they did not it is written as T.

[root@linuxprobe tmp]# su - linuxprobe
Last login: Wed Feb 11 12:41:20 CST 2017 on pts/0
[linuxprobe@linuxprobe tmp]$ ls -ald /tmp
drwxrwxrwt. 17 root root 4096 Feb 11 13:03 /tmp
[linuxprobe@linuxprobe ~]$ cd /tmp
[linuxprobe@linuxprobe tmp]$ ls -ald
drwxrwxrwt. 17 root root 4096 Feb 11 13:03 .
[linuxprobe@linuxprobe tmp]$ echo "Welcome to linuxprobe.com" > test
[linuxprobe@linuxprobe tmp]$ chmod 777 test
[linuxprobe@linuxprobe tmp]$ ls -al test 
-rwxrwxrwx. 1 linuxprobe linuxprobe 10 Feb 11 12:59 test

In fact, whether a file can be deleted does not depend on the file's own permissions, but on whether the user has write permission in the directory.

To avoid doubts from readers, the command above gave the test file the most permissive 777 (rwxrwxrwx).

We switch to another ordinary user and try to delete the file created by someone else. Even with read, write and execute permissions all open, the file still cannot be deleted because of the SBIT special permission bit:

[root@linuxprobe tmp]# su - blackshield
Last login: Wed Feb 11 12:41:29 CST 2017 on pts/1
[blackshield@linuxprobe ~]$ cd /tmp
[blackshield@linuxprobe tmp]$ rm -f test
rm: cannot remove ‘test’: Operation not permitted

Setting the SBIT permission bit on a directory

Of course, if you also want to set the SBIT special permission bit on other directories, just use the chmod command; the parameter o+t sets the SBIT sticky bit permission:

[blackshield@linuxprobe tmp]$ exit
Logout
[root@linuxprobe tmp]# cd ~
[root@linuxprobe ~]# mkdir linux
[root@linuxprobe ~]# chmod -R o+t linux/
[root@linuxprobe ~]# ls -ld linux/
drwxr-xr-t. 2 root root 6 Feb 11 19:34 linux/
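Because every SUID or SGID program extends temporary owner or group rights to whoever runs it, an administrator wants to know exactly which files on a system carry the special bits described in the SUID, SGID and SBIT sections above. The following is an added example, not from the book: it scans a tree for the three bits and names them from the symbolic mode string, distinguishing an s/t (bit set together with execute) from a capital S/T (bit set without execute).

```shell
# find_special_bits DIR: print "mode path" for every regular file with SUID or
# SGID and every directory with SBIT below DIR (default /), one per line.
find_special_bits() {
    root=${1:-/}
    # -perm -4000 / -2000 / -1000 match the SUID, SGID and SBIT bits regardless
    # of the other mode bits; -xdev keeps the scan on a single filesystem.
    find "$root" -xdev \( \( -type f \( -perm -4000 -o -perm -2000 \) \) \
                       -o \( -type d -perm -1000 \) \) 2>/dev/null |
    while IFS= read -r path; do
        mode=$(ls -ld "$path" | cut -d' ' -f1)   # e.g. -rwsr-xr-x or drwxrwxrwt
        printf '%s %s\n' "$mode" "$path"
    done
}

# describe_special MODE: name the special bits in an ls -l mode string.
# Positions: 4th char = owner execute slot, 7th = group, 10th = others.
describe_special() {
    m=$1 desc=""
    case $m in ???[sS]??????*) desc="${desc}SUID " ;; esac
    case $m in ??????[sS]???*) desc="${desc}SGID " ;; esac
    case $m in ?????????[tT]*) desc="${desc}SBIT " ;; esac
    # capital letters mean the bit is set on a slot that has no execute permission
    case $m in ???S*|??????S*|?????????T*) desc="${desc}(set without execute) " ;; esac
    desc=${desc% }
    echo "${desc:-none}"
}

# audit_special_bits DIR: combined report, one line per hit.
audit_special_bits() {
    find_special_bits "$1" | while read -r mode path; do
        printf '%s %s %s\n' "$mode" "$path" "$(describe_special "$mode")"
    done
}
```

Run audit_special_bits / as root after package changes and compare the list against the previous run; a new SUID entry is what deserves a second look.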

Hidden file attributes

Besides the general permissions and the special permissions, files in a Linux system also have hidden attributes, i.e. hidden permissions, which users cannot see directly by default.

In production environments, users have encountered cases where a file clearly cannot be deleted despite sufficient permissions, or where content can only be appended to a log file but its existing content cannot be modified or deleted. This prevents, to a certain extent, an attacker from tampering with the system logs, so these "strange" files also protect the security of a Linux system.

Managing hidden file attributes: chattr

The chattr command is used to set the hidden attributes of a file.

format: chattr [parameters] file

To add a hidden attribute to a file, append "+parameter" after the command; to remove a hidden attribute from a file, append "-parameter".

Optional parameters of the chattr command

parameter   effect
i           The file cannot be modified; if set on a directory, only the files inside may be modified, and files cannot be created or deleted
a           Only appending content is allowed; existing content cannot be overwritten or deleted (append only)
S           Changes to the file's contents are synchronized to the hard disk immediately (sync)
s           Completely deleted from the hard disk, unrecoverable (the disk area the file occupied is filled with zeros)
A           Do not modify the last access time (atime) of the file or directory
b           No longer modify the access time of the file or directory
D           Check the compressed file for errors
d           Ignore this file/directory when backing up with the dump command
c           Compress the file or directory by default
u           Keep its data on the hard disk after the file is deleted, for future recovery
t           Let the file system support tail-merging
x          Allow direct access to the contents of a compressed file

Create a regular file, set the attribute that prevents it from being overwritten or deleted (the +a parameter), then try to delete the file:

[root@linuxprobe ~]# echo "for Test" > linuxprobe
[root@linuxprobe ~]# chattr +a linuxprobe
[root@linuxprobe ~]# rm linuxprobe
rm: remove regular file ‘linuxprobe’? y
rm: cannot remove ‘linuxprobe’: Operation not permitted

Displaying hidden file attributes: lsattr

The lsattr command is used to display the hidden attributes of a file.

format: lsattr [parameters] file

In a Linux system, hidden file attributes must be viewed with the lsattr command; the usual ls command shows no trace of them:

[root@linuxprobe ~]# ls -al linuxprobe
-rw-r--r--. 1 root root 9 Feb 12 11:42 linuxprobe

Once the lsattr command is used, the file's hidden attribute reveals itself. You can then use the chattr command with the displayed attribute type (a here) to remove it:

[root@linuxprobe ~]# lsattr linuxprobe
-----a---------- linuxprobe
[root@linuxprobe ~]# chattr -a linuxprobe
[root@linuxprobe ~]# lsattr linuxprobe 
---------------- linuxprobe
[root@linuxprobe ~]# rm linuxprobe 
rm: remove regular file ‘linuxprobe’? y

File Access Control Lists, ACL (for users and user groups): setfacl

File Access Control Lists: a primer

I wonder whether you noticed that the general permissions and special permissions explained above share a common shortcoming: permissions are set for a whole category of users.

If you want separate access control for a specified user or group, you need to use a file access control list (ACL).

In plain terms, setting an ACL on a file or directory sets the operating permissions of that file or directory for a specified user or user group.

Important points

  • If an ACL is set on a directory, the files in the directory inherit its ACL
  • If an ACL is set on a file, the file no longer inherits the ACL of its directory

To see more intuitively the strong effect of ACLs on file permission control, let's switch to an ordinary user and try to enter the root administrator's home directory. Before an ACL is set on the root administrator's home directory for the ordinary user, the result is as follows:

[root@linuxprobe ~]# su - linuxprobe
Last login: Sat Mar 21 16:31:19 CST 2017 on pts/0
[linuxprobe@linuxprobe ~]$ cd /root
-bash: cd: /root: Permission denied
[linuxprobe@linuxprobe root]$ exit

Controlling file ACLs: setfacl

The setfacl command is used to manage the ACL rules of files.

format: setfacl [parameters] file-name

In addition to the read/write/execute permission control for the owner, the owning group and others, file ACLs let you use the setfacl command to control read/write/execute permissions on a single file or directory for a single user or user group.

For directories, the -R recursive parameter is required; for ordinary files, use the -m parameter; to delete a file's ACL, use the -b parameter. Let's set user permissions on the /root directory:

[root@linuxprobe ~]# setfacl -Rm u:linuxprobe:rwx /root
[root@linuxprobe ~]# su - linuxprobe
Last login: Sat Mar 21 15:45:03 CST 2017 on pts/1
[linuxprobe@linuxprobe ~]$ cd /root
[linuxprobe@linuxprobe root]$ ls
anaconda-ks.cfg Downloads Pictures Public
[linuxprobe@linuxprobe root]$ cat anaconda-ks.cfg
[linuxprobe@linuxprobe root]$ exit

Viewing file ACLs: getfacl

The getfacl command displays the ACL settings on a file.

format: getfacl file-name

Use the getfacl command to display all the ACL information set on the root administrator's home directory:

[root@linuxprobe ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
user:linuxprobe:rwx
group::r-x
mask::rwx
other::---


Origin www.cnblogs.com/suwanbin/p/12057708.html