//修改三类用户的权限：
//语法：chmod MODE file,...
    -R      //递归修改权限

//修改某类用户或某些类用户权限：
//u,g,o,a（用户类别）

//chmod 用户类别=MODE file,.....
//chmod 用户类别=MODE,用户类别=MODE file,.....
    

//修改某类的用户某位或某些位权限：
//u,g,o,a（用户类别）

//chmod 用户类别+|-MODE file,.....
//chmod 用户类别+|-MODE,用户类别+|-MODE file,.....
//chmod +|-MODE file,.....

2.2 modify the command file the owner and group chown

Only administrators can use the chown command.

//chown USERNAME file,...
    -R      //修改目录及其内部文件的属主

//chown USERNAME:GROUPNAME file,...
//chown USERNAME.GROUPNAME file,...

2.3 is a set of commands to modify the file chgrp

//语法：chgrp [OPTION]... GROUP FILE...
    -R      //递归修改

3. mask code

Why is the default permissions files are created after 644?
Why is the directory that was created after the default permissions 755?

This is the mask code umask controlled.

Can tell from the name, code umask mask is used to hide some of the privileges. Example: If you do not want people to recognize you, how would you do?

The final permission for the file:

666-umask
directory permissions for the final:
777-umask
file by default can not have execute permissions, if the calculated result of Executive authority will increase its overall authority 1.

4. linux security context with special privileges

4.1 linux security context

Premise: there is the owner and group process; there is the owner and group files

Any executable file can not start to process, depending on whether the initiator of the program file has executable permission;
After starting as a process, its process group owner is the initiator, the initiator is a group belongs

When the file access permissions process depends on the initiator of the process:
- The initiator of the process is the owner of a file, then use the file owner permissions
- The initiator of the process is of the group file, the file is a set of permissions the application
- Application Files "other" permission

4.2 Special Permissions

linux linux default permissions based on the security context of ways to control, and there is a special permission to break the rules linux security context.

SUID(4)     //运行程序时，这个程序启动的进程的属主是程序文件自身的属主，而不是启动者为属主
    chmod u+s file
    chmod u-s file
    //如果file本身原来就有执行权限，则SUID显示为s，否则显示为S
    
SGID(2)     //运行程序时，这个程序启动的进程的属组是程序文件自身的属组，而不是启动者所属的基本组
    //默认情况下，用户创建文件时，其属组为此用户所属的基本组；
    //一旦某目录被设定了SGID，则对此目录有写权限的用户在此目录中创建的文件或目录，其所属的组 \
    //为此设定了SGID的目录的属组
    chmod g+s DIR
    chmod g-s DIR
    //如果file本身原来就有执行权限，则SGID显示为s，否则显示为S
    
Sticky(1)       //在一个公共目录，每个人都能创建文件，删除自己的文件，但是不能删除别人创建的文件
    chmod o+t DIR
    chmod o-t DIR
    //如果DIR本身原来就有执行权限，则Sticky显示为t，否则显示为T
    
4755    //有SUID，文件权限为755
2755    //有SGID，文件权限为755
1755    //有Sticky，文件权限为755
7755    //有SUID、SGID、Sticky，文件权限为755
//这里前面的4、2、1分别表示SUID、SGID、Sticky

The file system access control list facl

facl (Filesystem Access Control List), using the file extension to save additional access control permission.

//语法：setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
    -m      //设定
        u:UID:perm
        g:GID:perm
    //setfacl -m u:test:rw file
    //setfacl -m g:test:rw file
    //如果要为某个目录设定默认的访问控制列表，只需要设定时在u或g前面加上d即可。 如：\
    //setfacl -m d:u:test:rw file，此时在此目录中创建的文件均继承此访问控制列表所设置的权限
    -x      //取消
        u:UID
        g:GID
    //setfacl -x u:test file
    //setfacl -x g:test file
    -b      //Remove all
        
//语法：getfacl [-aceEsRLPtpndvh] file ...
//getfacl file


//文件权限应用次序：
//默认情况下：
    Owner --> Group --> Other
//有设置facl的情况下：
    Owner --> facl,user --> Group --> facl,group --> Other

6. sudo

sudo can realize what a user can execute a command by which the identity of the host to which a user of another

sudo configuration file: / etc / sudoers

Use visudo command sudo configuration, each row is a sudo entry, entry format is as follows:

who which_hosts=(runas) command
- who: User_Alias, represents the identity of the person running the command
- which_hosts: Host_Alias, by which hosts
- runas: Runas_Alias, to which the user's identity
- command: Cmnd_Alias, which run the command
  alias must be completely and only use a combination of capital letters, you can use an exclamation mark inverted

Alias Category:

User Alias:
- User_Alias NETWORKADMIN =
  - User name
  - Group name, use the boot%
  - You may also have other user defined aliases
Host Aliases:
- Host_Alias =
  - CPU name
  - IP addresses
  - website address
Other host aliases
- Runas alias:
  - Runas_Alias =
  - username
  - %group name
  - Other Runas alias
Command aliases:
- Cmnd_Alias =
  - Command path
  - Directory (All commands in this directory)
  - Other commands defined alias

//sudo命令语法：sudo [options] COMMAND
    -V      //显示版本编号
    -h      //会显示版本编号及指令的使用方式说明
    -l      //列出当前用户可以使用的所有sudo类命令
    -v      //因为sudo在第一次执行时或是在N分钟内没有执行（N默认为5）会问密码，这个参数 \
            //是重新做一次确认，如果超过N分钟，也会问密码
    -k      //让认证信息失效，如果不指定-k，默认认证信息在5分钟后失效
    -b      //将要执行的指令放在后台执行
    -u USERNAME     //以指定的用户名执行命令，默认为root

7. Management Command

w   //显示当前登录到系统的用户有哪些，以及其正在做什么        
sleep   //睡眠，写脚本为防止上一个命令没执行完下一命令就开始执行时可以加上sleep # \
        //表示停顿#秒后再执行后面的命令 
    sleep NUMBER[SUFFIX]...
        SUFFIX：
            s:秒，默认
            m：分
            h：小时
            d：天
last    //显示/var/log/wtmp文件，显示用户登录历史及系统重启历史                
    -n #        //显示最近#次的相关信息        
lastb   //显示/var/log/btmp文件，显示用户错误的登录尝试                
    -n #        //显示最近#次的相关信息        
lastlog //显示每个用户最近一次成功登录信息                
    -u username     //显示特定用户最近的登录信息        
basename        //显示路径基名

959ggg

Published 151 original articles · won praise 12 · views 10000 +

Private letter concerns

Linux_ Rights Management

Linux

Article Directory

1. Rights Introduction

2. Rights Management Command

2.1 modify the permissions of chmod command