Article Directory
1. The significance file permissions
(1) file permissions : a method of setting one of the underlying security system, the user can ensure that the file be made available for the corresponding operation.
(2) *** "meaning each field of file permissions" ***: ① execute ls -l file # view the file attributes of each class with a byte, the file name that is a byte;
2. Common authority to order & test
2.1 Common Commands
| Features | command | Note |
|---|---|---|
| 1. Check the file permissions (ls) | ls -l filename | # View file properties |
| ls said -ld | # View Directory Properties | |
| ll filename | # (Ll = ls -l) to view the file attributes | |
| ll -d dir | # View Directory Properties | |
| ls -lR | # Recursively display files in subdirectories and files | |
| ls -lrt | # Displayed chronologically | |
| 2. Create (ln) of hard and soft connection | ln source destination file | # Source file to create a hard link - the target file, two files are synced |
| ln -s source file destination | # Source file to create a soft link - the target file | |
| 3. Modify the owner (chown) and all group (chgrp) | chown username filename/dir | # Modify the user's owner |
| chown -R westos.student dir | # Recursive modify the owner and all the groups, points can be replaced with: | |
| chgrp group file/dir | # User modify all groups | |
| 4.1 permission to modify the file (way 1chmod) | chmod <u | g |
| chmod u+x /mnt/filename | # Filename for a file to add user execute permissions | |
| chmod g-r /mnt/filename | # Remove the read permission filename of the file group | |
| chmod ug-r /mnt/filename | # Remove the file filename read access to user and group | |
| chmod u-r,g+x /mnt/filename | # Remove the file filename read user permissions, and execute permissions for group added | |
| chmod -r /mnt/filename | # Remove the file filename read permission | |
| chmod o=r-x /mnt/filename | # The filename of other rights covered by rwx | |
| hmod -R <u | g | |
| 4.2 permission to modify the file (way 2chmod) | chmod 774 you | Modify permissions to # 774 (R-4 W-2 X-1 --0) |
| hmod -R 774 land | # Modify permissions recursively | |
| 4.3 modify the file permissions (mode 3 copy permissions) | # | |
| 5.1 adherend made of special permissions -sticky ## bits (the chmod) | chmod o + t you | # Dir s permission to add, modify its owner, its files can only be changed owner, root is not allowed |
| chmod 1XXX you | # Ibid. | |
| 5.2 special privileges -sgid ## forced bits (chmod) | chmod g+s filename/dir | # Directory - ;; the file when all groups have sgid permissions on the directory file created any person in this directory belong directory - when there sgid files on anyone do this to generate binary executable file process all belong to group files |
| chmod 2XXX file/dir | # Ibid. | |
| 5.3 Special permission -suid ## adventure-bit (chmod) | chmod u+s file/dir | # Only for procedures and processes binary executable file, when the file has suid execute anyone remember this document are produced document belongs to everyone |
| chmod 4XXX file/dir | # Ibid. | |
| 6.acl rights (getfacl / setfacl) | getfacl file | # Acl permissions to view the files open |
| setfacl -m u:username:rwx file | # Set the username to file rwx permissions have | |
| setfacl -m g:group:rwx file | Rwx # rights group setting group members have to file | |
| setfacl -x u:username file | # Acl delete the username from the list | |
| setfacl -b file | # Close the file on the list acl | |
| setfacl -m d:u:student:rwx /mnt/westos | # acl默认权限只针对目录设定,acl权限只针对设定完成之后新建立的文件或目录生效,而已经存在的文件是不会继承默认权限 | |
| 6.2.mask值的修改 | chmod g-w westos | #在权限列表中mask表示能生效的权力值,当chmod减小开启acl的文件权限时mask值会发生改变 |
| setfacl -m m:rw westos | #恢复mask的值 |
2.3 结果
Result 1 文件权限查看(ls)
Result 2软硬连接(ln)
Result 3 修改用户&用户组(chown.chgrp)
***Result 4 修改用户权限(chmod)***
Result 5.1 修改用户t特殊权限(sticky)
针对的问题:多个用户都可以进行操作的文件,用户之间删除啦其他用户的文件(unsafe)
过程:(1)先在超级用户下建立一个目录 mkdir /westos
然后设置监控命令j监控改目录以及改目录下的文件:watch -n 1 “ls -ld /westos ; ls -l /westos”
并且在超级用户下设置满权限 chmod 777 /westos
(2)在超级用户下建立两个普通用户linux1 linux2 ,分别切换到两个普通用户下建立文件file1 file2
(3)linux1用户可以删除linux2用户建立的文件file2,这样做很不安全,我们可以设置(root下)特殊权限t,linux2用户就不能删除linux1用户建立的file1文件了
Result 5.2.1 修改用户特殊权限(sgid)—目录
*针对的问题:当目录上有sgid权限时任何人在此目录中建立的文件都属于目录的所有组
(1)首先在超级用户下建立一个目录,并且对这个目录进行监控;
(2)在超级用户下建立一个新用户,并且将新建目录的用户组变为刚刚新建的用户,然后在改目录下建立新的文件,发现此文件的用户组仍然为超级用户,并不是刚刚 新建的那个用户。
(3)为了使在目录中建立的文件都属于目录的用户组,需要在目录上加上s权限。
Result 5.2.1 修改用户特殊权限(sgid)—二进制文件
针对的问题:当目录上有sgid权限时任何人在此目录中建立的文件都属于目录的所有组
(1)首先必须要有一个watch 进程,监控二进制文件的进程,查看该二进制文件的权限;
(2)以root身份启动一个进程,这个进程的所有人和所有组均为root,然后将改文件的所有组改为linux3,发现并没有改变,仍为root;
(3)给二进制文进加上s权限,重新开启一个新的进程,用户组发生改变;
Result 5.3 修改用户特殊权限(sgid)—二进制文件
Result 6.1 acl列表的管理(suid)
Result 6.2mask值的修改(setfacl)
Result 6.3 acl的默认权限设定(setfacl)
3.umask:系统建立文件时默认保留的权力
临时设定系统预留权限为022,其他用户002
| 修改方式 | 命令 | 注释 |
|---|---|---|
| 1.短暂修改 | umask 074 | ##短暂修改为074 |
| 2.永久修改 | vim /etc/profile | ##修改系统配置文件 |
| vim /etc/bashrc | ##修改shell配置文件 |
4.acl权限
4.1 用途
acl rights : to let specific users that have certain privileges to specific files;
4.2 for an explanation
4.3 Permissions priority:
userperm> acluser> aclgroup> groupperm> otherperm
supplement:
i permissions: only look, not the establishment can not delete
a privilege: a system audit can only be built, you can not delete
the setting chatter View lsatter;
result!
5.Test
(1)
(2)
