Linux system (5): permission management

Posted by davieboy on Sat, 15 Jan 2022 05:31:56 +0100

Viewing and reading permissions

Viewing permissions

ls -l file									#View file permissions
ls -ld dir									#View directory permissions

Reading permissions

The attributes of a file (type, mode, link count, owner, group, size, timestamps) are called its metadata

ls -l prints this metadata, not the content; the first field packs the file type and the permission bits into one character per attribute

-	|rw-r--r--|  .	| 1	|root| root | 0 | Jul 22 10:44 | file
d	|rwxr-xr-x|  .	| 2	|root| root | 6 | Jul 22 10:44 | dir
**********************************************************************
[1]		[2]		[3]	 [4] [5]   [6]	 [7] 		[8]		[9]

[1] # file type

  • -  ordinary (regular) file
  • d  directory
  • l  symbolic (soft) link
  • b  block device
  • c  character device
  • s  socket
  • p  named pipe (FIFO)

[2] # permission bits

 rw-|r--|r--   user(owner)|group|other

[3] # alternate access marker: "." means the file carries a SELinux security context and nothing else; "+" means an acl list is also attached (see the acl section below)

[4] # link count

  • File: the number of hard links, i.e. how many directory entries point at this inode
  • Directory: the number of subdirectories plus 2 (its own "." entry and its name in the parent), so a fresh empty directory shows 2

[5] # file owner

[6] # owning group

[7] # size

  • File: size of the content in bytes
  • Directory: size of the directory's own entry table (its metadata), not the total size of what it contains

[8] # modification time (mtime) of the file content

[9] # file name

Common permission classes and what they do

User identity relative to a file

u: # user, the file owner, column [5] of ls -l

g: # group, the owning group, column [6] of ls -l

o: # other, everyone who is neither the owner nor a member of the owning group

Permission bits and types

rw-r--r--

- # permission not granted

r # readable

  • File: the contents can be read
  • Directory: the file names in it can be listed (ls); reading their attributes or contents still needs x on the directory

w # writable

  • File: the contents can be changed
  • Directory: entries can be created, deleted or renamed (only together with x; w alone on a directory is useless). Deleting a file needs w on the directory, not on the file itself

x # executable

  • File: the program recorded in the file can be run by name (a script also needs r, because the interpreter has to read it)
  • Directory: the directory can be entered (cd) and traversed; without x, r alone does not let you reach the files inside

Setting ordinary permissions

chmod is used to set file permissions

chmod copying permissions:

chmod  --reference=/tmp /mnt/songdir 		#Copy the permissions of /tmp onto /mnt/songdir (/tmp is normally 1777, so the sticky bit comes along)
chmod -R --reference=/tmp /mnt/songdir 		#Same, recursively for /mnt/songdir and everything under it
##	-R means recursive

chmod setting permissions:

##Character (symbolic) mode:
chmod <a|u|g|o><+|-|=><r|w|x> file			#a means all three classes; several settings are separated by commas
**********************************************************************
chmod u-rw /mnt/file1
chmod u-rw,g+x,o+wx /mnt/file2
chmod a-rw /mnt/file3
chmod -R u=rwx,g=rx,o=--- /mnt/songdir/

Binary representation of permission bits

rwx = 111

--- = 000

Octal representation:

rwx = 111 = 7
rw- = 110 = 6
r-x = 101 = 5
r-- = 100 = 4 = r
-wx = 011 = 3
-w- = 010 = 2 = w
--x = 001 = 1 = x
--- = 000 = 0

##Numeric (octal) mode:
chmod 644 /mnt/songdir1						#rw-r--r--

System default permission settings

A system exists to share resources
From the security point of view, the fewer permissions it hands out by default, the safer it is
But the system also has to be usable, so the permissions that should be open by default are open and the ones that are unsafe by default are withheld

Withheld permissions

umask is the system's record of the permission bits it withholds from newly created files and directories

umask										#Show the current umask
umask <permission value>					#Set it for the current shell

File default permissions = 666 AND NOT umask (the kernel starts files at 666 and never adds x)

Directory default permissions = 777 AND NOT umask

The "777 - umask - 111" shortcut found in many notes gives the same result for 022 and 002 but not in general (033 gives 633 instead of 644, and a literal subtraction of 077 does not even give 600); the bits are masked out, not subtracted
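To make the rule concrete, here is an added shell example (not part of the original notes) that computes the default modes for a few umask values with a bitwise AND NOT and prints them beside the subtraction shortcut. The `observed_file_mode` helper is an assumption that a Linux `stat -c` is available; the rest is plain POSIX sh arithmetic.

```shell
#!/bin/sh
# Added example: default creation modes for a given umask.
# Files start from 0666 (the kernel never adds x), directories from 0777; the umask
# bits are cleared with a bitwise AND NOT, not subtracted as decimal digits.

default_mode() {   # $1 = base mode (666 or 777), $2 = umask as an octal string such as 022
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}
file_default() { default_mode 666 "$1"; }
dir_default()  { default_mode 777 "$1"; }

# The "777 - umask - 111" shortcut, kept only to show where it breaks.
naive_file_default() {
    printf '%03o\n' $(( 0777 - 0$1 - 0111 ))
}

# Live check (assumes GNU/busybox stat -c): create a file under the given umask in a
# scratch directory and read its mode back.
observed_file_mode() {
    d=$(mktemp -d) || return 1
    ( umask "$1" && : > "$d/f" ) && stat -c '%a' "$d/f"
    rm -rf "$d"
}

for u in 022 002 077 033; do
    printf 'umask %s: file %s dir %s (shortcut says file %s)\n' \
        "$u" "$(file_default "$u")" "$(dir_default "$u")" "$(naive_file_default "$u")"
done
```

Run it and compare the `observed_file_mode 033` result with the two computed values: the masked value matches what the kernel actually creates, the shortcut does not.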

umask temporary change

umask 077									#Withheld bits changed to 077 for this shell only, until it exits

umask permanent change

A permanent change means editing the system files /etc/bashrc and /etc/profile (a per-user change belongs in that user's ~/.bashrc instead)

vim /etc/bashrc
*******************************************************************
    if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
       umask 002						#ordinary users whose primary group is their own private group
    else
       umask 022						#root, system accounts (UID <= 199) and users whose primary group is shared
    fi

vim /etc/profile
*******************************************************************
    if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
       umask 002						#ordinary users whose primary group is their own private group
    else
       umask 022						#root, system accounts (UID <= 199) and users whose primary group is shared
    fi

The 002 branch is only safe because of user private groups: the group name equals the user name, so the group-write bit it leaves open reaches nobody else. A user whose primary group is shared drops into the 022 branch on purpose

After modification the running shell has to re-read the configuration (new logins pick it up automatically):

source /etc/bashrc							#source makes the changed content take effect in the current shell
source /etc/profile

File owner and group management

chown username file							#Change the file owner (only root can give a file away)
chown :groupname file						#Change the owning group (chgrp groupname file does the same; an owner may only pick a group they belong to)
chown username:groupname file				#Change the owner and group of the file at once (: can be replaced by .)
chown|chgrp -R user|group dir				#Change the owner or group of the directory itself and everything in it

Special permissions

Sticky bit (t)

The sticky bit works on directories. When it is set, a file in the directory can be removed or renamed only by the file's owner, the directory's owner or root, even when the directory is world-writable (this is why /tmp is 1777)

##Set the sticky bit
chmod 1<original permissions> dir			#e.g. chmod 1777 dir
chmod o+t dir

sgid (setgid bit)

On a directory, setgid makes files created inside it take the directory's group instead of the creator's primary group, and new subdirectories inherit the setgid bit as well (on an executable it instead makes the program run with the file's group)

##Set sgid
chmod 2<original permissions> dir			#e.g. chmod 2775 dir
chmod g+s dir

Note: setgid on a directory only affects files created after it is set; files that already exist keep their group

suid (setuid bit)

suid works on compiled binary executables (the kernel ignores it on scripts). When it is set, the program runs with the file owner's identity, whichever user starts it. A setuid-root binary is therefore a direct privilege-escalation target: keep the set small and audit it with find / -xdev -type f -perm -4000

##Set suid
chmod 4<original permissions> file			#e.g. chmod 4755 file
chmod u+s file
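The octal table earlier and the three special bits come together when you read `ls -l` output such as `rwsr-xr-x`. The following shell script is an added example, not from the original notes; the function names (`mode_to_octal`, `octal_to_mode`, `list_special`) and the scratch tree it builds are constructed for illustration. It converts between the symbolic string and the four-digit octal mode in both directions, then uses the converter to list every regular file in a tree that carries suid, sgid or the sticky bit, which is the audit you would run over / instead of the scratch directory:

```shell
#!/bin/sh
# Added example: symbolic <-> octal mode conversion with the special bits, plus a scan
# for files that carry them. POSIX sh only; mode is read back via ls -ld, not stat.

# mode_to_octal "rwsr-xr-x" -> 4755. Lower-case s/t mean the special bit and the x bit are both
# set; upper-case S/T mean the special bit is set without x (chmod 4644 shows as rwSr--r--).
mode_to_octal() {
    s=$1 bits=0 special=0 pos=0
    [ ${#s} -eq 9 ] || { echo "mode_to_octal: need 9 permission chars, got '$s'" >&2; return 1; }
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}; pos=$((pos + 1))
        case $c in
            r|w|x) bits=$((bits * 2 + 1)) ;;
            -)     bits=$((bits * 2)) ;;
            s|S|t|T)
                case "$c$pos" in
                    s3|S3) special=$((special | 4)) ;;   # setuid lives in the owner x slot
                    s6|S6) special=$((special | 2)) ;;   # setgid lives in the group x slot
                    t9|T9) special=$((special | 1)) ;;   # sticky lives in the other x slot
                    *) echo "mode_to_octal: '$c' not allowed at position $pos" >&2; return 1 ;;
                esac
                case $c in s|t) bits=$((bits * 2 + 1)) ;; *) bits=$((bits * 2)) ;; esac ;;
            *) echo "mode_to_octal: bad permission char '$c'" >&2; return 1 ;;
        esac
    done
    printf '%d%03o\n' "$special" "$bits"
}

# octal_to_mode 4755 -> rwsr-xr-x (three- or four-digit octal accepted)
octal_to_mode() {
    m=$((0$1)) out=""
    for n in 6 3 0; do
        t=$(( (m >> n) & 7 ))
        if [ $((t & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((t & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        case $n in
            6) sp=$((m & 04000)); lo=s; up=S ;;
            3) sp=$((m & 02000)); lo=s; up=S ;;
            *) sp=$((m & 01000)); lo=t; up=T ;;
        esac
        if [ $((t & 1)) -ne 0 ]; then
            if [ "$sp" -ne 0 ]; then out="$out$lo"; else out="${out}x"; fi
        else
            if [ "$sp" -ne 0 ]; then out="$out$up"; else out="${out}-"; fi
        fi
    done
    printf '%s\n' "$out"
}

# list_special DIR: print "<octal> <path>" for every regular file under DIR (same filesystem)
# that has suid, sgid or the sticky bit set; the mode is parsed from the ls -ld permission field.
list_special() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 -o -perm -1000 \) -print |
    while IFS= read -r f; do
        printf '%s %s\n' "$(mode_to_octal "$(ls -ld "$f" | cut -c2-10)")" "$f"
    done
}

# Constructed scratch tree so the scan has something to find; an audit would pass / instead.
scratch=$(mktemp -d)
: > "$scratch/setuid-bin";  chmod 4755 "$scratch/setuid-bin"
: > "$scratch/setgid-bin";  chmod 2755 "$scratch/setgid-bin"
: > "$scratch/plain";       chmod 644  "$scratch/plain"
list_special "$scratch"
rm -rf "$scratch"
```

`find -perm -4000` (leading minus) matches files with all of the listed bits set, so the three `-o` clauses together catch any of the special bits; `-xdev` keeps the scan off other mounts such as /proc.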

acl (Access Control Lists)

acl function: grant specific users or groups their own permissions on a specific file, beyond the single owner/group/other triple

acl list indicator

-rw-rw---- 1 root root 0 Jul 18 09:03 file1
*******************************************************************
		  ^
		  no "+": the file has no acl list
*******************************************************************
-rw-rw----+ 1 root root 0 Jul 18 09:03 file1
*******************************************************************
		  ^
		  "+": the file has an acl list
*******************************************************************

Reading the acl list

Once a file has an acl list, ls -l no longer tells the whole story: its group column shows the mask rather than the owning group's permissions, so read the list with getfacl

getfacl file1
*******************************************************************
# file: file1								#File name
# owner: root								#File owner
# group: root								#Owning group
user::rw-									#Owner permissions
user:westos:rw-								#Permissions of the named user westos
group::r--									#Owning group permissions
group:song:---								#Permissions of the named group song
mask::rw-									#Upper bound for named users, named groups and the owning group
other::r--									#Permissions of others

Controlling the acl list

setfacl -m u:lee:rw file1					#Add or change the entry for user lee
setfacl -m g:westos:rw file1				#Add or change the entry for group westos
setfacl -m u::rwx file1						#Change the owner entry (same effect as chmod u=rwx)
setfacl -m g::0 file1						#Change the owning-group entry; an octal digit is accepted in place of rwx
setfacl -x u:lee file1						#Remove the entry for user lee
setfacl -b file1							#Remove every extended entry, leaving only owner/group/other

acl permission priority

Owner (user::) > named user (user:name:) > owning group and named groups taken together > other

The first class that matches decides. When the requester is in the owning group or any named group, access is granted if at least one matching entry allows it, and other:: is never consulted; a matching group entry with --- therefore denies access even where other:: would have allowed it

mask control in acl

The mask is the upper bound on what a named user, a named group or the owning group can effectively get: the entry's permissions are ANDed with the mask, and getfacl prints #effective: next to any entry the mask cuts down. The owner and other entries are not affected by it

After an acl list has been set, chmod on the group bits (for example chmod g-w) rewrites the mask rather than the owning-group entry, so every named user and group is narrowed at once; setfacl -m recalculates the mask automatically unless -n is given
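To see the priority rule and the mask work together, here is an added shell example (not from the original notes) that evaluates getfacl-style text the way the kernel does. The `SAMPLE_ACL` text is constructed to match the listing shown earlier, the user and group names are assumptions, and `narrowed_mask` stands in for the mask rewrite that `chmod g-w` performs:

```shell
#!/bin/sh
# Added example: POSIX ACL evaluation in plain sh. Constructed input modelled on the
# getfacl listing in the notes (owner root, group root, named user westos, named group song).

SAMPLE_ACL='# owner: root
# group: root
user::rw-
user:westos:rw-
group::r--
group:song:---
mask::rw-
other::r--'

acl_field() {   # acl_field "$acl" 'sed expression' -> the text captured by the expression, if any
    # "#effective:..." suffixes that getfacl appends are stripped first so entries parse cleanly
    printf '%s\n' "$1" | sed -n -e 's/[[:space:]]*#effective:.*$//' -e "$2"
}
perm_and() {    # perm_and rw- r-x -> r--   (position-wise intersection of two rwx triples)
    a=$1 b=$2 out=""
    while [ -n "$a" ]; do
        x=${a%"${a#?}"}; y=${b%"${b#?}"}; a=${a#?}; b=${b#?}
        if [ "$x" = "$y" ]; then out="$out$x"; else out="$out-"; fi
    done
    printf '%s\n' "$out"
}
perm_or() {     # perm_or r-- -w- -> rw-   (position-wise union)
    a=$1 b=$2 out=""
    while [ -n "$a" ]; do
        x=${a%"${a#?}"}; y=${b%"${b#?}"}; a=${a#?}; b=${b#?}
        if [ "$x" != "-" ]; then out="$out$x"; else out="$out$y"; fi
    done
    printf '%s\n' "$out"
}

# acl_effective "$acl" USER "GROUP..." -> the rwx bits USER gets, given the groups USER is in.
# Order: owner, then a named user entry, then the owning group together with every named group
# the user belongs to, and only if none of those matched, other.
acl_effective() {
    acl=$1 user=$2 groups=$3
    owner=$(acl_field "$acl" 's/^# owner: //p')
    fgroup=$(acl_field "$acl" 's/^# group: //p')
    mask=$(acl_field "$acl" 's/^mask::\(...\)$/\1/p')
    [ -n "$mask" ] || mask=rwx                      # no mask entry: nothing gets clipped

    # 1. owner: the user:: entry applies as-is; the mask does not touch it
    if [ "$user" = "$owner" ]; then
        acl_field "$acl" 's/^user::\(...\)$/\1/p'; return
    fi
    # 2. named user entry, clipped by the mask
    named=$(acl_field "$acl" "s/^user:$user:\(...\)$/\1/p")
    if [ -n "$named" ]; then perm_and "$named" "$mask"; return; fi
    # 3. owning group and named groups: every entry matching one of the user's groups counts,
    #    each clipped by the mask. An entry that matches but grants nothing is still a match,
    #    so the request never falls through to other::
    matched=no acc='---'
    for g in $groups; do
        if [ "$g" = "$fgroup" ]; then
            e=$(acl_field "$acl" 's/^group::\(...\)$/\1/p')
        else
            e=$(acl_field "$acl" "s/^group:$g:\(...\)$/\1/p")
        fi
        [ -n "$e" ] || continue
        matched=yes
        acc=$(perm_or "$acc" "$(perm_and "$e" "$mask")")
    done
    if [ "$matched" = yes ]; then printf '%s\n' "$acc"; return; fi
    # 4. other
    acl_field "$acl" 's/^other::\(...\)$/\1/p'
}

# chmod g-w on a file with an acl rewrites the mask, not the owning-group entry. Simulate that
# by editing the mask line: the named user loses write although their entry still says rw-.
narrowed_mask() {
    printf '%s\n' "$1" | sed 's/^mask::.*/mask::r--/'
}

for who in "root root" "westos westos" "lee lee song" "bob bob root" "bob bob"; do
    set -- $who
    u=$1; shift
    printf '%-8s in [%s]: %s\n' "$u" "$*" "$(acl_effective "$SAMPLE_ACL" "$u" "$*")"
done
printf 'westos after chmod g-w (mask r--): %s\n' "$(acl_effective "$(narrowed_mask "$SAMPLE_ACL")" westos westos)"
```

The lee case is the one worth remembering: lee is in group song, whose entry is ---, so lee gets nothing even though other:: is r--. The computed triple is per bit; a real request for several bits at once (say rw) must be satisfied by a single matching group entry rather than by the union.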

Default entries in acl lists

setfacl -m u:aha:rwx /mnt/songdir			#Only affects the /mnt/songdir directory itself
setfacl -Rm u:aha:rwx /mnt/songdir			#Affects /mnt/songdir and everything that already exists inside it
*******************************************************************
The above commands only take effect on existing files; files created later do not get the entry
*******************************************************************
setfacl -m d:u:lee:rwx /mnt/songdir/		#Default entry (directories only): inherited by files and subdirectories created in /mnt/songdir/ from now on

attr (file attributes)

File attributes restrict every user, root included: setting or clearing them needs CAP_LINUX_IMMUTABLE, and until the attribute is removed even root cannot get past it. Attackers use +i for the same reason, to pin an implant in place, so lsattr -R over system directories is a worthwhile check

lsattr dir|file								#View attributes
chattr +i|+a|-i|-a dir|file					#Set or clear attributes
*******************************************************************
	i	#immutable: no change of any kind (content, metadata, name, hard links, deletion)
	a	#append only: data can be added but not truncated or overwritten, and the file cannot be deleted (used for logs)

Topics: Linux