Linux? Rights management

Posted by shooka on Sat, 29 Feb 2020 05:37:48 +0100


Article directory

1. Introduction to authority

File permissions are mainly defined for three types of objects:

  • : owner, u
  • Group: genus group, g
  • Other: other, o

Bold style each file defines three permissions for each visitor:

Binary to decimal conversion of permissions:

2. Authority management command

2.1 command chmod to modify permissions

//Modify the permissions of three types of users:
//Syntax: chmod MODE file
    -R      //Recursively modify permissions

//To modify a user or some user permissions:
//u. G, O, a (user category)

//chmod user category = MODE file
//chmod user class = MODE, user class = MODE file

//Modify one or some permissions of a certain type of user:
//u. G, O, a (user category)

//chmod user category + | - MODE file
//chmod user category + | - MODE, user category + | - MODE file
//chmod +|-MODE file,.....

2.2 modify command chown of file owner and group

The chown command is available only to administrators.

//chown USERNAME file,...
    -R      //Modify the owner of the directory and its internal files

//chown USERNAME:GROUPNAME file,...
//chown USERNAME.GROUPNAME file,...

2.3 modify file group command chgrp

//Syntax: chgrp [OPTION]... GROUP FILE
    -R      //Recursive modification

3. mask code

Why is the default permission 644 after file creation?
Why is the default permission 755 after directory creation?

This is controlled by mask code umask.

As you can see from the name, the mask code umask is used to hide some permissions. For example: what would you do if you didn't want to be recognized?

The final permissions of the file are:

  • 666-umask
    The final permissions of the directory are:

  • 777-umask
    By default, a file cannot have execution permission. If the calculated result has execution permission, its permission will be increased by 1.

4. linux security context and special permissions

4.1 linux security context

Premise: process has owner and group; document has owner and group

Whether any executable program file can be started as a process depends on whether the initiator has executable rights to the program file;
After starting as a process, the owner of the process is the initiator and the group of the initiator is the group of the initiator

  • The permissions for a process to access a file depend on the initiator of the process:
    • When the initiator of the process is the owner of the file, the application file belongs to the owner
    • When the initiator of the process is the file's group, the file group permission is applied
    • Application file "other" permission

4.2 special authority

linux default permissions are controlled according to the way of linux security context, and the existence of special permissions breaks the rules of linux security context.

SUID(4)     //When running a program, the owner of the process started by the program is the owner of the program file itself, not the owner of the initiator
    chmod u+s file
    chmod u-s file
    //If the file itself has execution permission, the SUID is displayed as s; otherwise, it is displayed as S
SGID(2)     //When running a program, the process started by the program belongs to the group of the program file itself, not the basic group of the initiator
    //By default, when a user creates a file, its group is the basic group to which the user belongs;
    //Once a directory is set with SGID, the files or directories created in this directory by users with write permission belong to the group\
    //Group of directories for which SGID is set
    chmod g+s DIR
    chmod g-s DIR
    //If the file itself has execution permission, the SGID will be displayed as s, otherwise it will be displayed as S
Sticky(1)       //In a public directory, everyone can create files, delete their own files, but not delete files created by others
    chmod o+t DIR
    chmod o-t DIR
    //If DIR itself has execution permission, Sticky will be displayed as t, otherwise it will be displayed as t
4755    //With SUID and file permission of 755
2755    //With SGID and file permission of 755
1755    //Sticky, 755
7755    //With SUID, SGID, Sticky, and file permission of 755
//The first 4, 2 and 1 represent SUID, SGID and Sticky respectively

5. File system access control list

facl (Filesystem Access Control List), using file extension to save additional access control permissions.

//Syntax: setfacl [- bkndrlp] {- m| - m| - x| - x...} file
    -m      //Set up
    //setfacl -m u:test:rw file
    //setfacl -m g:test:rw file
    //If you want to set the default access control list for a directory, just add d before u or g when setting. Such as:
    //setfacl -m d:u:test:rw file. The files created in this directory inherit the permissions set in this access control list
    -x      //cancel
    //setfacl -x u:test file
    //setfacl -x g:test file
    -b      //Remove all
//Syntax: getfacl [-aceEsRLPtpndvh] file
//getfacl file

//File permission application order:
//By default:
    Owner --> Group --> Other
//With facl set:
    Owner --> facl,user --> Group --> facl,group --> Other

6. sudo

sudo can realize what commands a user can execute through which hosts as another user

sudo's configuration file / etc/sudoers

Use the visudo command to configure sudo. Each line is a sudo entry. The entry format is as follows:

  • who which_hosts=(runas) command
    • Who: user? Alias, indicating the identity of the person who runs the command
    • Which hosts: host alias, through which hosts
    • Runas: runas? Alias, as which user
    • command: cmnd? Alias, which commands to run
      Aliases must be all and can only use the combination of uppercase letters. You can use exclamation mark to reverse

Alias classification:

  • User alias:
    • User_Alias NETWORKADMIN =
      • User name of the user
      • Group name, using% boot
      • You can also define other user aliases
  • Host alias:
    • Host_Alias =
      • host name
      • IP address
      • network address
  • Other host aliases
    • Runas alias:
      • Runas_Alias =
      • User name
      • % group name
      • Other Runas aliases
  • Command alias:
    • Cmnd_Alias =
      • Command path
      • Directory (all commands in this directory)
      • Other command aliases defined
//Sudo command syntax: sudo [options] COMMAND
    -V      //Show version number
    -h      //The version number and instruction instructions will be displayed
    -l      //List all sudo class commands available to the current user
    -v      //Because sudo does not execute at the first time or within N minutes (N defaults to 5), the password will be asked. This parameter\
            //It is to make a new confirmation. If it is more than N minutes, you will also ask for the password
    -k      //Invalidate the authentication information. If - k is not specified, the default authentication information will expire after 5 minutes
    -b      //Put the instructions to be executed in the background
    -u USERNAME     //Execute the command with the specified user name, which is root by default

7. Management order

w   //Displays who are currently logged in to the system and what they are doing        
sleep   //Sleep, write a script to prevent sleep from being added when the previous command starts executing before the next command finishes executing\
        //It means to pause for several seconds before executing the following command 
    sleep NUMBER[SUFFIX]...
            s:Seconds, default
            m: branch
            h: hour
            d: day
last    //Display / var/log/wtmp file, display user login history and system restart history                
    -n #        //Display the latest related information        
lastb   //Display the / var/log/btmp file to display the user's wrong login attempt                
    -n #        //Display the latest related information        
lastlog //Display the last successful login information of each user                
    -u username     //Show recent login information for a specific user        
basename        //Show path base name  
151 original articles published, praised 12, visited 10000+
Private letter follow

Topics: sudo Linux network