
Rights management of users

2025-03-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Guys, I'm back. It is hard not to blog for a few days (that is a lie, of course). Still, I have learned a lot this week, and I feel that if I don't tidy it up I will have learned it for nothing. This week I also listened to a lecture on a very high-end script. Although it was quite difficult, from the teacher's tone it seems to have a lot to do with the basic commands we used before; how well you learn the commands directly determines whether your script is good or not. My first impression is that a script is the same kind of thing as a function in C++: it collects many commands into one file and lets the computer work through them to complete a specific task. I feel I have wandered too far. Let's start with user rights management.

User rights management is mainly divided into the following two points:

1. General permissions

2. Special permissions

Related to this is something called FACL, which will be discussed later.

First of all, let's make it clear why the user's permissions should be divided into ordinary and special permissions.

Every user of a computer must be restricted in how they use its limited resources, so the operating system must provide a way to ensure that each user uses the computer independently and reasonably.

After solving this problem, let's analyze the user's rights management.

First of all, the general permissions of the user:

When it comes to the general permissions of users, we have to talk about the security context mentioned last week.

Process security context:

1. Determine whether the owner of the process is the owner of the file to be operated on. If so, authorize according to the owner's permissions; if not, go to step 2.

2. Determine whether the owner of the process is a member of the group of the file to be operated on. If so, authorize according to the group's permissions; if not, go to step 3.

3. Authorize according to the file's permissions for other users.

The authorization of users is generally carried out in the above order, so let's talk about the composition of user permissions.
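The three-step order above, as an added example that is not part of the original post: a POSIX sh function that picks the permission class for a process and stops at the first matching class, so an owner without the write bit is denied even when the group has it. All names (alice, dev, bob, carol) are constructed sample values; root's bypass of the mode bits is not modelled.

```shell
# Added example, not from the original post.  Apply the three-step
# security context: owner first, then group, then other; the check stops
# at the first class that matches.  root's bypass is not modelled.
#
# $1 mode string such as rw-r--r--   $2 file owner   $3 file group
# $4 process user   $5 space-separated groups of that user   $6 wanted r|w|x
# Prints "class:granted" or "class:denied".
decide_access() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5 want=$6
    if [ "$user" = "$owner" ]; then
        class=owner; bits=$(printf '%s' "$mode" | cut -c1-3)
    else
        case " $groups " in
            *" $group "*) class=group; bits=$(printf '%s' "$mode" | cut -c4-6) ;;
            *)            class=other; bits=$(printf '%s' "$mode" | cut -c7-9) ;;
        esac
    fi
    case "$bits" in
        *"$want"*) echo "$class:granted" ;;
        *)         echo "$class:denied" ;;
    esac
}

# Constructed file: mode ---rwxr--, owner alice, group dev.
# alice is the owner, so only the owner triplet counts: no fallback to group.
decide_access ---rwxr-- alice dev alice "alice"   w   # owner:denied
decide_access ---rwxr-- alice dev bob   "bob dev" w   # group:granted
decide_access ---rwxr-- alice dev carol "carol"   w   # other:denied
```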

The user's rights are divided into MODE and OWNERSHIP.

MODE (permission): the right to use

r: Readable

w: Writable

x: Executable

Let's understand the user's right of use from several angles, first of all for directories:

r: you can use the ls command to get a list of the file names in it. You cannot use ls -l to get the detailed attributes of the files in the directory, cd into it, or reference the directory in a path.

w: you can modify the file names or the list of file names in the directory, that is, create, modify or delete file names in it

x: you can use ls -l to get the detailed attributes of the files in it, reference the directory in a path, or cd into it

Note: x is the most basic permission for a directory, and any directory must have x open to every user.

Why must directories have x open to every user? When we run commands on files, we usually have to guide the computer to the file by referencing the directory it is in; if the computer is not given this permission, managing the computer becomes very inconvenient for users.

Second, for files:

r: you can view or get the data stored in the file

w: you can modify the data stored in the file

x: you can start the file as a process and run it

The first two are not hard to understand and are basically like directories. As for x, once a file has this permission open to us, we can start it as a process and execute it, rather than merely open it to read or modify.

Permissions are represented in the computer as follows.

Example: rw-r--r-- is made up of three permission triplets: owner, group and other users

Owner permissions: rw-

Group permissions: r--

Other users' permissions: r--

Obviously the owner has read and write permission, the group has only read permission, and other users, like the group, have only read permission.

In addition, each triplet can be expressed as an octal digit:

--- 000 0
--x 001 1
-w- 010 2
-wx 011 3
r-- 100 4
r-x 101 5
rw- 110 6
rwx 111 7

Example: rw-r--r--

110 100 100

644

Since permissions exist, we can certainly modify them, but for the sake of security the modification of permissions must be strictly regulated: only the owner of a file may modify its mode, with the exception of root.

Modify the permissions of the file:

chmod --> change mode

chmod - change file mode bits

There are three ways:

1. chmod [OPTION]... MODE[,MODE]... FILE...

MODE: symbolic permission identifier

u, g, o, a identify the ownership class

+, -, = identify the authorization method

+: add the given permissions to the original permissions

-: subtract the given permissions from the original permissions

=: ignore the original permissions and set them directly to the target permissions

r, w, x indicate the specific permission content:

Example:

chmod u+w file

chmod g+rw file

chmod u+x,g+wx,o+x file

chmod u+rw,g=r file

chmod ug-x file

chmod +x file    adds execute permission for a (all classes) by default

chmod +w file    adds write permission only for the owner by default

Note: on Linux file systems the execute permission is a very important security flag. Once a file has execute permission it can be started and run as a process, so files are created without execute permission by default.
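The two "no who letter" cases above (+x applies to everyone, +w only to the owner) are both consequences of the process umask, which is covered later in this post. This added example (not from the original post) measures the effect on real files; it assumes a Linux host with GNU chmod and stat (-c %a), mktemp, and a writable TMPDIR (default /tmp).

```shell
# Added example, not from the original post: show what "chmod +x" and
# "chmod +w" (no u/g/o/a letter) really do under a given umask, compared
# with an explicit "a+w".  Assumes Linux with GNU chmod/stat and mktemp.

# Return the octal mode of a file, e.g. 644
mode_of() { stat -c '%a' "$1"; }

# Create a fresh 0444 file, run one chmod on it under umask $1, print the
# resulting octal mode and remove the temporary directory again.
# $1 = umask (e.g. 022)   $2 = chmod mode string (e.g. +x)
chmod_under_umask() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/permdemo.XXXXXXXX") || return 1
    f="$tmp/file"
    : > "$f"
    chmod 444 "$f"
    # Subshell so the changed umask does not leak into the caller
    ( umask "$1"; chmod "$2" "$f" )
    mode_of "$f"
    rm -rf "$tmp"
}

chmod_under_umask 022 +x     # 555: x is not in umask 022, so every class gets it
chmod_under_umask 022 +w     # 644: umask 022 masks g and o write, owner only
chmod_under_umask 022 a+w    # 666: explicit class, umask is ignored
chmod_under_umask 077 +x     # 544: under umask 077 only the owner gets x
```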

2. chmod [OPTION]... OCTAL-MODE FILE...

If the octal form is used, all permission bits must be given every time. If fewer digits are given, they are taken as the rightmost digits and the missing ones on the left are filled with 0.

chmod 640 file

3. chmod [OPTION]... --reference=RFILE FILE...

chmod --reference=/PATH/TO/SOMEFILE DES_FILE

chmod --reference=a b

These are the ways Linux offers to modify file permissions; use them flexibly according to the situation.

Options:

-R, --recursive: set the files in the directory, and recursively those in all subdirectories, to the specified permissions

Having covered the right of use, let's talk about ownership:

OWNERSHIP: ownership

Owner: the specific user who controls the resource: owner (user), u

Group: a specific set of users who control the resource: group, g

Other users: those who do not control the resource: other, o

All users: all, a

We can also modify the owner and group of a file, mainly using the chown and chgrp commands:

chown: can modify both the owner and the group of a file

chown - change file owner and group

chown [OPTION]... [OWNER][:[GROUP]] FILE...

chown OWNER FILE

chown :GROUP FILE

chown OWNER: FILE    // change the owner of the target file to OWNER and its group to OWNER's basic group

chown OWNER:GROUP FILE    // change the owner and group of the target file to OWNER and GROUP

chown [OPTION]... --reference=RFILE FILE...

-R, --recursive: set the files in the directory, and recursively those in all subdirectories, to the specified ownership

Note that only the superuser (root) can modify OWNERSHIP.

chgrp: can modify only the group of a file

chgrp - change group ownership

chgrp [OPTION]... GROUP FILE...

chgrp [OPTION]... --reference=RFILE FILE...

In general chown is enough to change a file's owner and group, but chgrp is also worth remembering.

Let's talk about a few more commands.

1. install command:

install - copy files and set attributes

Common options:

-m MODE: specify the permissions of the target file. Default is 755.

-o, --owner=OWNER: set the owner of the target file; only root may use it

-g, --group=GROUP: set the group of the target file; only root may use it

Note: the install command cannot copy a directory, that is, its source cannot be a directory. If the source is a directory, install enters it and copies all the non-directory files in it to the destination in turn.

We can use install to modify the mode and ownership of a file while copying it, for example add execute permission during the copy so that the copied file can be started as a process.

2. mktemp command:

Generally speaking, temporary files are created in /tmp or /var/tmp and need not be deleted by hand; files in these two directories are cleaned up periodically.

Options:

-d, --directory: create a temporary directory

Example:

mktemp [-d] /PATH/TO/TMP.XXXXXXXXXXXX

This command makes it easy to create a temporary directory, and instead of deleting it manually we can let the computer clean it up periodically.

Having covered general permissions, let's talk about special permissions, mainly SUID, SGID and STICKY.

By default, when a user starts a process, the owner of the process is the user who started it; that is, the process runs as its initiator.

SUID:

Function: when a user starts a process from a program file that has SUID set, the owner of the process is the owner of the program file, not the user who started it. In other words, no matter which user starts the process, as long as the file has SUID, the process runs as the file's owner rather than as the initiator.

Where SUID is displayed: the execute permission bit of the owner's permissions. If the owner also has execute permission it is shown as s, otherwise as S.

Manage SUID on a file:

chmod u+s FILE / chmod u-s FILE

SGID:

If a directory is writable by some users and has SGID set, then whenever one of those users creates a new file or directory in it, the group of the new file is no longer the creating user's basic group; it inherits the group of the directory.

Where SGID is displayed: the execute permission bit of the group's permissions. If the group also has execute permission it is shown as s, otherwise as S.

Manage SGID on a file:

chmod g+s FILE / chmod g-s FILE

STICKY: the sticky bit

If more than one user has write permission on a directory, these users are free to create, modify and delete file names in it.

What STICKY does:

If STICKY is set on such a directory, each user can still create and modify file names, but each user can only delete file names that belong to themselves.

Where STICKY is displayed: the execute permission bit of the other-users permissions. It is shown as t if other users also have execute permission, otherwise as T.

Manage STICKY on a directory:

chmod o+t FILE... / chmod o-t FILE...

suid sgid sticky

--- 000 0
--t 001 1
-s- 010 2
-st 011 3
s-- 100 4
s-t 101 5
ss- 110 6
sst 111 7

Another way to modify special permissions:

Just put the octal digit for the special permissions in front of the octal number of the general permissions.

Example: add the sticky bit to a directory

chmod 1755 DIRECTORY

The sticky bit exists mainly to place restrictions on root users, to prevent root users from causing irreparable loss to the computer through mistakes.

Let's look at the concept of the permission mask (umask). We know that when we create a file the computer assigns it permissions by default, so by what standard does it do so? For that we need the permission mask.

root: 0022

The special permission bits are not considered here.

For newly created files or directories, none of the owner's permissions are masked, while the write permission of the group and other users is masked.

How to read the mask: convert it to binary; wherever a bit is 1, that permission is not set when the file is created.

Example: umask 0033, i.e. 000 011 011

File: 110 110 110 -> 110 100 100 = 644

Directory: 111 111 111 -> 111 100 100 = 744

By default a file is already masked with 0111 (no execute bits); umask is then applied on top of that to mask further permissions.
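The mode arithmetic of this post (the rwx octal table, the suid/sgid/sticky table with its s/S and t/T display rules, and the umask example above) as one added POSIX sh example that is not part of the original post. The leading 0 in $(( 0$1 )) is what makes the shell read an argument such as 4755 or 033 as octal.

```shell
# Added example, not from the original post: pure-shell arithmetic for the
# permission tables in this post.  oct_to_sym renders a 3- or 4-digit octal
# mode the way ls does (s/S, t/T rules included); apply_umask gives the
# mode a new file (base 666) or directory (base 777) gets under a umask.

# Render one rwx triplet.  $1 = value 0-7, $2 = 1 if the special bit for
# this class is set, $3/$4 = its lower/upper-case letter (s S or t T).
triplet() {
    r=-; w=-; x=-
    [ $(( $1 & 4 )) -ne 0 ] && r=r
    [ $(( $1 & 2 )) -ne 0 ] && w=w
    if [ "$2" -ne 0 ]; then
        # the special bit takes the x slot: lower-case only if x is also set
        if [ $(( $1 & 1 )) -ne 0 ]; then x=$3; else x=$4; fi
    elif [ $(( $1 & 1 )) -ne 0 ]; then
        x=x
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# $1 = octal mode, e.g. 4755 -> rwsr-xr-x, 1755 -> rwxr-xr-t
oct_to_sym() {
    m=$(( 0$1 ))
    triplet $(( (m >> 6) & 7 )) $(( (m >> 11) & 1 )) s S   # owner, SUID = 4000
    triplet $(( (m >> 3) & 7 )) $(( (m >> 10) & 1 )) s S   # group, SGID = 2000
    triplet $(( m & 7 ))        $(( (m >> 9)  & 1 )) t T   # other, sticky = 1000
    echo
}

# $1 = umask (e.g. 033), $2 = file|dir; prints the effective octal mode
apply_umask() {
    mask=$(( 0$1 ))
    if [ "$2" = dir ]; then base=$(( 0777 )); else base=$(( 0666 )); fi
    printf '%03o\n' $(( base & ~mask ))
}

oct_to_sym 4755                       # rwsr-xr-x
oct_to_sym 4644                       # rwSr--r--  (S: owner has no x)
apply_umask 033 file                  # 644
oct_to_sym "$(apply_umask 033 dir)"   # rwxr--r--  (744)
```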

Files also have some special attributes:

View the special attributes of a file:

lsattr - list file attributes on a Linux second extended file system

lsattr [-RVadv] [files...]

Set or modify the special attributes of a file:

chattr - change file attributes on a Linux file system

chattr [-RVf] [-v version] [mode] files...

mode: set using +, -, =

The most critical part of the whole chattr command is the mode:

[aAcCdDeijsStTu] are the attributes that can be set

+: add the attribute to the existing attribute settings

-: remove the specified attribute from the existing attribute settings

=: set the file's attributes to exactly the specified ones, ignoring the existing settings

a: append. The content of a file with this attribute cannot be changed or deleted; data can only be appended to it. Most server log files set this attribute.

A: atime (file access timestamp). Setting the A attribute stops the access timestamp from being updated when the file is accessed, which effectively prevents I/O bottlenecks.

c: sets whether the file is automatically compressed before being stored

C: sets whether "copy on write" is enabled for the file

d: the file will not be a backup target when dump is used for backups

D: sets the asynchronous write operation of the file in the file system

i: the file cannot be deleted, modified or linked to

s: secure deletion. Once a file with the s attribute is deleted, the space it used on the storage device is reclaimed as well.

u: the opposite of s; if such a file is deleted, the data stored on the device is retained

The most commonly used attributes are actually i and a.

Common options:

-R: recursively set all files in the specified directory and its subdirectories

Besides the user permission management described above, the computer also provides another way to manage file permissions.

Mechanism for granting additional permissions on files: FACL (File Access Control List)

Additional authorization mechanism for files:

An authorization mechanism that lets ordinary users grant permissions on files they control to other users and groups, beyond the original UGO permission bits.

It is generally considered to have gradually matured in the releases from CentOS/RHEL 7 onward.

FACL-related commands:

getfacl - get file access control lists

getfacl [-aceEsRLPtpndvh] file...

user:USERNAME:MODE

group:GROUPNAME:MODE

setfacl - set file access control lists

setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file...

acl_spec: ACL specification, the access control list entries to set

u:USERNAME:MODE

g:GROUPNAME:MODE

MODE: normally given as symbolic permission letters

Grant a user additional permissions:

setfacl -m u:USERNAME:MODE FILE...

Grant a group additional permissions:

setfacl -m g:GROUPNAME:MODE FILE...

Revoke a user's additional permissions:

setfacl -x u:USERNAME FILE...

Revoke a group's additional permissions:

setfacl -x g:GROUPNAME FILE...

Note: if you change the mode of the target file after setting the FACL, the entries in the FACL may be affected and may no longer match what you intended. Therefore, if you really need a FACL, set it only after the file's permissions have been finalized.

That covers user rights management; I have learned it only a little, in a hazy way, and still have to do the homework to consolidate it.
