Users, groups, permissions, grep

2025-02-24 update. From: SLTechnology News&Howtos > Servers. Shulou (Shulou.com) 06/03 report.

Permission summary table

Operation                    Source directory   File   Target directory
rm (delete a file)           wx                 -      -
mv (rename in place)         wx                 -      -
mv (move to another dir)     wx                 r      wx
cp (copy a file)             x                  r      wx
create a new file            wx                 -      -
append to a file             x                  w      -
overwrite a file's contents  x                  w      -
edit with vim                x                  rw     -
execute a binary             x                  x      -
execute a shell script       x                  rx     -

"Source directory" is the directory that contains the file being acted on. A file's own permission bits never decide whether it can be deleted or renamed; that is entirely the containing directory's wx. mv needs r on the file only when the move crosses a filesystem, where mv falls back to copy-and-delete; a rename within one filesystem needs only wx on the two directories.

Knowledge points: useradd, getent, restoring a home directory, adding and removing supplementary groups, file and directory permissions, the minimum permissions needed to copy a file, umask, the Linux special permissions SUID, SGID and sticky bit, setting and viewing Linux special attributes with chattr and lsattr, ACL permissions, and the order in which file access permissions are evaluated.

Commands: cal, chown, chmod, chattr, lsattr, chpasswd, chsh (usermod -s), chage, getent, getfacl, setfacl, groups, groupmems, groupadd, groupdel, gpasswd, head, less, more, nl, newgrp, newusers, od, tac, tail, umask, usermod, userdel

Users, groups

View the installation scriptlets of the httpd package:

[root@centos7 ~]# rpm -q --scripts httpd
preinstall scriptlet (using /bin/sh):
# Add the "apache" group and user
/usr/sbin/groupadd -g 48 -r apache 2> /dev/null || :
/usr/sbin/useradd -c "Apache" -u 48 -g apache \
    -s /sbin/nologin -r -d /usr/share/httpd apache 2> /dev/null || :
postinstall scriptlet (using /bin/sh):
if [ $1 -eq 1 ] ; then
    # Initial installation
    systemctl preset httpd.service htcacheclean.service >/dev/null 2>&1 || :
fi
preuninstall scriptlet (using /bin/sh):
if [ $1 -eq 0 ] ; then
    # Package removal, not upgrade
    systemctl --no-reload disable httpd.service htcacheclean.service > /dev/null 2>&1 || :
    systemctl stop httpd.service htcacheclean.service > /dev/null 2>&1 || :
fi
postuninstall scriptlet (using /bin/sh):
systemctl daemon-reload >/dev/null 2>&1 || :
# Trigger for conversion from SysV, per guidelines at:
# https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Systemd
posttrans scriptlet (using /bin/sh):
test -f /etc/sysconfig/httpd-disable-posttrans || \
    /bin/systemctl try-restart httpd.service htcacheclean.service >/dev/null 2>&1 || :

/usr/sbin/groupadd -g 48 -r apache 2> /dev/null

groupadd creates the group: -g specifies the GID, -r makes it a system group, and apache is the name of the group. 2> /dev/null discards error messages (the group already exists on an upgrade), and the trailing "|| :" makes the line succeed either way so the package installation does not abort.

/usr/sbin/useradd -c "Apache" -u 48 -g apache -s /sbin/nologin -r -d /usr/share/httpd apache 2> /dev/null

useradd creates the user: -c "Apache" is the description (GECOS) field, -u 48 the UID, -g apache the primary group, -s /sbin/nologin the login shell (so nobody can log in interactively as this account), -r makes it a system account, -d /usr/share/httpd is the home directory, and 2> /dev/null discards error messages. This is the pattern to follow for any service account: a fixed low UID/GID, no interactive shell, and a home directory outside /home.

Creating a user on Ubuntu: useradd -m -s /bin/bash zhangsan. Ubuntu's useradd does not create a home directory by default, so add -m, and its default shell is sh, so use -s /bin/bash to get bash.

useradd -r -s /sbin/nologin mysql

Creates a system account named mysql with /sbin/nologin as its shell. -r also skips creating a home directory unless -m is given.

Change the password:

1. passwd --stdin (Red Hat family only; Ubuntu's passwd does not support it)

[root@centos7 ~]# echo 123 | passwd --stdin alice
Changing password for user alice.
passwd: all authentication tokens updated successfully.

2. chpasswd (works on both Ubuntu and CentOS)

chpasswd reads "user:password" lines from stdin, so it can also change passwords in batch.

[root@centos7 ~]# echo alice:123 | chpasswd

3. Feeding passwd the new password twice on stdin (works on both)

[root@centos7 ~]# echo -e "123\n123" | passwd alice
Changing password for user alice.
New password: BAD PASSWORD: The password is shorter than 8 characters
Retype new password: passwd: all authentication tokens updated successfully.

The quality warning is only advisory when root sets a password, which is why the short one was accepted; the same command run by an ordinary user would be rejected. All three variants leave the plaintext in the shell history file; outside a lab, feed chpasswd from a mode-600 file instead, or give it a pre-hashed value with chpasswd -e.

4. Other passwd options

usermod -L locks a user and usermod -U unlocks, equivalent to passwd -l and passwd -u.

-e: expire the password immediately (the "last change" field in /etc/shadow is set to 0), so the user must change it at the next login. passwd -e alice

-l: lock the password by prefixing the stored hash with "!", so no password will match. passwd -l alice

-u: the opposite of -l, remove the "!" prefix. passwd -u alice

Locking only disables password authentication. A user with an authorized SSH key can still log in, so to disable an account entirely also set an expiry date with chage -E or usermod -e, or change the shell to /sbin/nologin.

newusers creates users in batch, and chpasswd changes passwords in batch.

Create users in batch from a file in /etc/passwd format:

[root@centos7 ~]# cat users.txt
wangmazi:x:2000:2000:wangmazi:/home/wangmazi:/bin/bash
wangmazi2:x:2001:2001:wangmazi2:/home/wangmazi2:/bin/bash
[root@centos7 ~]# newusers users.txt
[root@centos7 ~]# id wangmazi
uid=2000(wangmazi) gid=2000(wangmazi) groups=2000(wangmazi)
[root@centos7 ~]# id wangmazi2
uid=2001(wangmazi2) gid=2001(wangmazi2) groups=2001(wangmazi2)

Note that newusers treats the second field as a plaintext password to be hashed, so until chpasswd runs below these two accounts can log in with the password "x". Run the two commands back to back, or put the real passwords in the second field of a mode-600 input file.

[root@centos7 ~]# cat passwd.txt
wangmazi:123
wangmazi2:123
[root@centos7 ~]# chpasswd < passwd.txt
[root@centos7 ~]# getent shadow wangmazi
wangmazi:$6$GTDPf/xUtOE$2XBjr7prZI0mr3M4SH1z4/Gmhoyut/IWv6YOKQd1jhGYl8NweXhIH7sFQDbATniaKlR4ZPHlnJZTqhOJpDLyC1:18104:0:99999:7:::
[root@centos7 ~]# getent shadow wangmazi2
wangmazi2:$6$CZ6RG/ndilFV2s$gsl4mVNkE/QlctHn6EQDw74uilWofVSjuw8bYOfeh4LqUP8INw7R46THhzfSY88AYvpJMHSM43Psgu1Y5ODBw1:18104:0:99999:7:::

The shadow fields after the $6$ (SHA-512) hash are: the day of the last password change counted from 1970-01-01 (18104 is 2019-07-27), the minimum days between changes, the maximum days before the password expires (99999 means never), the warning period, the inactivity period, the account expiry day, and a reserved field.

Where do the hidden files in a new home directory come from?

From /etc/skel/. If you want every new user's home directory to contain a file, put it in /etc/skel.

[root@centos7 ~]# ls -a /home/alice/
.  .bash_logout  .bashrc  template
..  .bash_profile  .mozilla
[root@centos7 ~]# ls -a /etc/skel/
.  .bash_logout  .bashrc  template
..  .bash_profile  .mozilla

Where are the defaults for new users (home directory, shell, mail spool, password aging) configured?

In /etc/login.defs and /etc/default/useradd.

[root@centos7 ~]# grep -Ev "^$|#" /etc/login.defs
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         1000
UID_MAX         60000
SYS_UID_MIN     201
SYS_UID_MAX     999
GID_MIN         1000
GID_MAX         60000
SYS_GID_MIN     201
SYS_GID_MAX     999
CREATE_HOME     yes
UMASK           077
USERGROUPS_ENAB yes
ENCRYPT_METHOD  SHA512
[root@centos7 ~]# grep -Ev "^$|#" /etc/default/useradd
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

These values are applied when an account is created. Changing PASS_MAX_DAYS afterwards does not touch existing accounts, whose aging fields live in /etc/shadow and must be updated with chage. UMASK 077 is what useradd uses for the home directories it creates (hence drwx------ homes) and what pam_umask applies to login sessions; ENCRYPT_METHOD SHA512 produces the $6$ hashes shown above.

getent looks up entries in the passwd, shadow, group and other name-service databases (including LDAP or SSSD sources, not just the local files).

See getent --help for the full list of databases.

[root@centos7 ~]# getent passwd alice
alice:x:2006:2006::/home/alice:/bin/bash
[root@centos7 ~]# getent group alice
alice:x:2006:
[root@centos7 ~]# getent shadow alice
alice:!!:18104:0:99999:7:::

The "!!" in the password field means no password has ever been set; the account cannot authenticate with a password until passwd runs.

useradd help

If you do not want a home directory, use -M. CentOS creates one by default (CREATE_HOME yes in /etc/login.defs); Ubuntu does not unless you pass -m.

[root@centos7 ~]# useradd --help
Usage: useradd [options] LOGIN
       useradd -D
       useradd -D [options]

Options:
  -b, --base-dir BASE_DIR       base directory for the home directory of the new account
  -c, --comment COMMENT         GECOS field of the new account
  -d, --home-dir HOME_DIR       home directory of the new account
  -D, --defaults                print or change default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               name or ID of the primary group of the new account
  -G, --groups GROUPS           list of supplementary groups of the new account
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -l, --no-log-init             do not add the user to the lastlog and faillog databases
  -m, --create-home             create the user's home directory
  -M, --no-create-home          do not create the user's home directory
  -N, --no-user-group           do not create a group with the same name as the user
  -o, --non-unique              allow to create users with duplicate (non-unique) UID
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             login shell of the new account
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping

-p expects an already-hashed password, and whatever you pass ends up in the shell history and the process list, so prefer setting passwords afterwards with chpasswd. -o creates a second login with an existing UID, which is effectively a second identity for that user and should never be used for UID 0.

Add three supplementary groups to alice: root, bob, jerry

With usermod, -G on its own replaces the existing supplementary groups with the new list; -aG appends to them and leaves the existing ones alone. -G "" clears all supplementary groups of the user.

[root@centos7 ~]# usermod -aG root,bob,jerry alice

Check which groups alice belongs to:

[root@centos7 ~]# id alice
uid=2006(alice) gid=2006(alice) groups=2006(alice),0(root),1006(bob),1007(jerry)

Check which users have root as a supplementary group:

[root@centos7 ~]# getent group root
root:x:0:gentoo,alice
[root@centos7 ~]# groupmems -g root -l
gentoo  alice

Membership of GID 0 is not the same as UID 0, but it grants access to every file that gives group root read or write permission, so treat it as a privilege grant and audit it. Remove alice from the root group:

[root@centos7 ~]# groupmems -g root -d alice
[root@centos7 ~]# id alice
uid=2006(alice) gid=2006(alice) groups=2006(alice),1006(bob),1007(jerry)

Clear all of alice's supplementary groups by replacing the list with an empty one:

[root@centos7 ~]# usermod -G "" alice
[root@centos7 ~]# id alice
uid=2006(alice) gid=2006(alice) groups=2006(alice)

groupmems help

[root@centos7 ~]# groupmems --help
Usage: groupmems [options] [action]

Options:
  -g, --group groupname         change groupname instead of the user's group (root only)
  -R, --root CHROOT_DIR         directory to chroot into

Actions:
  -a, --add username            add username to the members of the group
  -d, --delete username         remove username from the members of the group
  -h, --help                    display this help message and exit
  -p, --purge                   purge all members from the group
  -l, --list                    list the members of the group

If alice's home directory has been deleted and it contained nothing but the defaults, how do you recreate it quickly?

1. Rebuild it from /etc/skel

[root@centos7 ~]# rm -rf /home/alice/
[root@centos7 ~]# cp -a /etc/skel /home/alice
[root@centos7 ~]# chmod 700 /home/alice
[root@centos7 ~]# chown -R alice:alice /home/alice

cp -a preserves the root ownership of the skeleton files, so the chown is required; chmod 700 matches what useradd produces under UMASK 077.

2. Copy the home directory of a freshly created user

[root@centos7 ~]# rm -rf /home/alice/
[root@centos7 ~]# useradd rose
[root@centos7 ~]# cp -a /home/{rose,alice}
[root@centos7 ~]# chown -R alice:alice /home/alice
[root@centos7 ~]# userdel -r rose

Define an alias so that rm moves files to a trash directory instead of deleting them

[root@centos7 ~]# mkdir -p /data/.trash
[root@centos7 ~]# echo "alias rm='mv -t /data/.trash'" >> ~/.bashrc
[root@centos7 ~]# . ~/.bashrc
[root@centos7 ~]# rm hello.txt
[root@centos7 ~]# ls /data/.trash/
hello.txt

The alias only protects this user's interactive shells: scripts, \rm, /bin/rm and sudo rm all bypass it, rm -r fails because -r is not a valid mv option, and a second file with the same name silently overwrites the one already in the trash.

Use the id command to check whether a user exists; its exit status is non-zero when the user does not exist, so it can guard a conditional useradd. id -u prints only the UID and id -G only the group IDs.

[root@centos7 ~]# id root
uid=0(root) gid=0(root) groups=0(root)
[root@centos7 ~]# id wang
uid=1003(wang) gid=1003(wang) groups=1003(wang),10(wheel)

Switch users

1. su wang (a partial switch, like travelling): you become wang but keep the current environment, PATH and working directory.

2. su -l wang (a full switch, like moving house): -l is --login and starts a login shell with wang's own environment; it can be shortened to su - wang.

3. Accounts whose shell is nologin cannot be switched to, which is why system accounts are usually given nologin (root can still override this with su -s /bin/bash).

4. Temporarily become root to run a single command:

[qqq@centos7 ~]$ su -c "cat /etc/shadow"

su prompts for the target user's password, so this means sharing the root password; sudo is preferable because it authenticates the caller and logs each command.

Modify the password aging policy with chage

chage edits the aging fields of /etc/shadow for an existing account.

[root@centos7 ~]# chage --help
Usage: chage [options] LOGIN

Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximum number of days before password change to MAX_DAYS
  -R, --root CHROOT_DIR         directory to chroot into
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
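The shadow fields shown by getent above (hash, day of last change, minimum and maximum days, warning period, expiry) are exactly what chage edits. The script below is an added example and not part of the original article: it classifies shadow records offline, flagging passwords that were never set (the "!!" useradd leaves behind), locked hashes, weak hash algorithms, passwords that never expire (the PASS_MAX_DAYS 99999 default), forced changes and expired accounts. The sample records are constructed and the hash bodies are placeholders, not real hashes; run it as root against getent shadow to audit a real host.

```shell
#!/usr/bin/env bash
# Classify /etc/shadow records without touching the real file.
# Output per record: "<login> <password-state> <aging-state>".

TODAY_DAYS=$(( $(date +%s) / 86400 ))    # shadow dates are days since 1970-01-01

audit_shadow_line() {
    local name hash lastchg min max warn inact expire rest pw aging
    IFS=: read -r name hash lastchg min max warn inact expire rest <<EOF
$1
EOF
    case $hash in
        '')            pw="EMPTY-PASSWORD" ;;     # logs in with no password where PAM allows nullok
        '!!'|'!'|'*')  pw="no-password-set" ;;    # useradd leaves '!!' (RHEL) or '!'/'*' until passwd runs
        '!'*)          pw="locked" ;;             # passwd -l / usermod -L prefix the hash with '!'
        '$6$'*)        pw="sha512" ;;
        '$5$'*)        pw="sha256" ;;
        '$y$'*|'$7$'*) pw="yescrypt" ;;
        '$1$'*)        pw="WEAK-md5" ;;
        *)             pw="WEAK-or-unknown" ;;    # 13-char DES or something unexpected
    esac
    if [ -n "$expire" ] && [ "$expire" -le "$TODAY_DAYS" ]; then
        aging="account-expired"                   # chage -E date already passed
    elif [ "${lastchg:-1}" -eq 0 ]; then
        aging="must-change-at-login"              # passwd -e sets the last-change day to 0
    elif [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        aging="never-expires"                     # PASS_MAX_DAYS 99999 default
    else
        aging="max-${max}d"
    fi
    printf '%s %s %s\n' "$name" "$pw" "$aging"
}

audit_shadow() {             # getent shadow | audit_shadow
    local rec
    while IFS= read -r rec; do
        [ -n "$rec" ] && audit_shadow_line "$rec"
    done
}

# Constructed sample (hash bodies are placeholders, not real hashes).
SAMPLE_SHADOW='wangmazi:$6$GTDPf/xUtOE$placeholder:18104:0:99999:7:::
alice:!!:18104:0:99999:7:::
bob:!$6$saltsalt$placeholder:18104:0:90:7:::
carol:$1$ab$placeholder:18104:0:90:7:::
dave::18104:0:90:7:::
erin:$6$saltsalt$placeholder:0:0:90:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

Anything reported as EMPTY-PASSWORD, WEAK-* or never-expires on an interactive account is worth a chage or passwd run; "locked" accounts still need a nologin shell or an expiry date if they also have SSH keys.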

chfn changes the GECOS (personal information) field.

chsh changes the login shell; it is equivalent to usermod -s.

newgrp starts a new shell whose primary group is the named group (prompting for the group password if the user is not a member).

Create user gentoo with supplementary groups bin and root, default shell /bin/csh and the comment "Gentoo Distribution":

[root@centos7 ~]# getent passwd gentoo
[root@centos7 ~]# useradd gentoo -G bin,root -s /bin/csh -c "Gentoo Distribution"
[root@centos7 ~]# getent passwd gentoo
gentoo:x:2007:2007:Gentoo Distribution:/home/gentoo:/bin/csh

The first getent prints nothing because the user does not exist yet.

Create the following users, groups and memberships:

A group named webs
User nginx, with webs as a supplementary group
User varnish, with webs as a supplementary group
User mysql, which cannot log in interactively and is not a member of webs. The passwords of nginx, mysql and varnish are all magedu.

[root@centos7 ~]# getent group webs
webs:x:2008:
[root@centos7 ~]# getent passwd nginx varnish mysql
nginx:x:987:981:nginx user:/var/cache/nginx:/sbin/nologin
mysql:x:986:980::/home/mysql:/sbin/nologin

nginx and mysql already exist here as package-created system accounts (UIDs below 1000, nologin shells). The exercise removes and recreates them; on a real server that would orphan the files owned by those packages.

[root@centos7 ~]# userdel -r nginx
[root@centos7 ~]# groupdel webs
[root@centos7 ~]# groupadd webs
[root@centos7 ~]# useradd -G webs nginx
[root@centos7 ~]# useradd -G webs mysql
[root@centos7 ~]# userdel -r mysql
[root@centos7 ~]# useradd -s /sbin/nologin mysql

Adding mysql to webs was wrong for the task (mysql must not be a member and must not have a login shell), so mysql was removed with userdel -r and recreated with /sbin/nologin and no supplementary group.

[root@centos7 ~]# useradd -G webs varnish
[root@centos7 ~]# echo magedu | passwd --stdin nginx
Changing password for user nginx.
passwd: all authentication tokens updated successfully.
[root@centos7 ~]# echo magedu | passwd --stdin mysql
Changing password for user mysql.
passwd: all authentication tokens updated successfully.
[root@centos7 ~]# echo magedu | passwd --stdin varnish
Changing password for user varnish.
passwd: all authentication tokens updated successfully.
[root@centos7 ~]# getent passwd nginx varnish mysql
nginx:x:2008:2009::/home/nginx:/bin/bash
varnish:x:2009:2010::/home/varnish:/bin/bash
mysql:x:2010:2011::/home/mysql:/sbin/nologin
[root@centos7 ~]# groupmems -g webs -l
nginx  varnish
[root@centos7 ~]# getent shadow nginx mysql varnish
nginx:$6$hch9C3JT$oK5.j.CG8rJ1kndv542EbBBEtdB2SYqER9n8m48KUtr0wFuENZviQL2X/IO6CfsAfyYpZH4F856JGRIpCSgit.:18104:0:99999:7:::
mysql:$6$iODHihkf$slMMlr2yfQO9NY6Ob/QIV4t8VaFm7yQRLg4VIRJTB6ZGi3a9RqBE8VMo/fzU3u2bjP9nakiai8W.0Y2CRsFr/:18104:0:99999:7:::
varnish:$6$pdjOkLXJ$D4Xzm3v8oyiQjakHhmU/5Yg.05XKDZCsUWoWZ7e7HtqyW6WacfjJqEZWMZudDECoqdRtWNS8szrDg8tDHm1y60:18104:0:99999:7:::

File permissions

See also (illustrated references): "Detailed description of Linux file attributes" and "Summary and detailed explanation of Linux file permissions".

chmod help

[root@centos7 ~]# chmod --help
Usage: chmod [OPTION]... MODE[,MODE]... FILE...
  or:  chmod [OPTION]... OCTAL-MODE FILE...
  or:  chmod [OPTION]... --reference=RFILE FILE...
Change the mode of each FILE to MODE.
With --reference, change the mode of each FILE to that of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --no-preserve-root  do not treat '/' specially (the default)
      --preserve-root    fail to operate recursively on '/'
      --reference=RFILE  use RFILE's mode instead of MODE values
  -R, --recursive        change files and directories recursively
      --help     display this help and exit
      --version  output version information and exit

Each MODE is of the form '[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+'.

Permissions on a file:

r: the contents can be read.

w: the contents can be modified or appended. (1) Without r you cannot edit the file in vim, which has to read it first, but you can still overwrite or append to it with shell redirection. (2) Whether a file can be deleted or renamed is decided by the permissions of the directory that contains it, not by the file's own bits.

x: the file can be executed. (1) A shell script also needs r, because the interpreter has to read it; a compiled binary needs only x, because the kernel maps it without a userspace read. Running the interpreter explicitly (bash script.sh) needs only r on the script.

Permissions on a directory:

r: the entry names can be listed. (1) Without x you cannot enter the directory, ls -l shows only the names and no permission information, and you cannot reach any subdirectory.

w: must be combined with x; it allows creating, deleting, renaming and moving entries in the directory. (1) Without x you cannot create a file there, whether with vim or with redirection. (2) Without r you cannot list the entries, but with wx you can still delete or rename a file whose name you already know. (3) w on the directory does not let you change the permissions of the files inside it; appending to a file or reading it still depends on that file's own bits. (4) Moving a file out of the directory needs wx on it (and, when the move crosses a filesystem, r on the file). (5) Copying a file out needs only x on the directory plus r on the file; w is not required.

x: the directory can be entered and used as a path component. (1) Without r the contents cannot be listed. (2) Without w nothing can be created, deleted, renamed or moved in it. (3) cp needs x on every directory along the path and r on the source file.

Interview question: the minimum permissions needed for the following operation:

cp /etc/fstab /data/testdir/

1. The user must be able to execute cp itself (x on the binary; a script would also need r).
2. x on /etc, to traverse it (r is not needed because the file name is already known).
3. r on /etc/fstab.
4. x on /data, to traverse it.
5. wx on /data/testdir, to enter it and create the new entry.


umask and default permissions

Print the current value: umask

The usual default is 022; accounts created under the login.defs shown above get 077.

Default mode of a new file: 0666 with the umask bits cleared, i.e. 666 & ~umask. Files never get execute permission by default; a world where new files were executable by default would be dangerous. The rule of thumb "666 minus umask, add one to any odd digit" happens to give the right answer for the common masks, but it is not how the kernel computes the mode and it breaks as soon as a umask digit is 7.

Example: with umask 023, a new file gets 666 & ~023 = 644 (the subtraction shortcut gives 643; the odd last digit becomes 4, so 644).

Default mode of a new directory: 777 & ~umask.

Example: with umask 023, a new directory gets 777 & ~023 = 754.

Set umask persistently for your shells:

echo "umask 022" >> ~/.bashrc

This only affects shells that read that file. Services, cron jobs and other users are governed by their own environment, the login.defs UMASK and pam_umask.
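The following functions are an added example, not part of the original article. default_mode computes the new-file and new-directory modes the way the kernel does (base mode AND NOT umask) for any umask, including the 077 from the login.defs above where the subtraction shortcut gives nothing usable, and umask_at_least checks a umask against a baseline such as 027, which is the kind of check a hardening script runs on the output of umask or the UMASK line of /etc/login.defs.

```shell
#!/usr/bin/env bash
# Default mode of a new file or directory for a given umask, computed the way
# the kernel does it: requested mode AND NOT umask. open(2)/creat request 0666
# for ordinary files (never execute); mkdir(2) requests 0777.

default_mode() {             # default_mode file|dir 022  -> 644 / 755
    local kind=$1 umask=$2 base
    case $kind in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *)    echo "usage: default_mode file|dir UMASK" >&2; return 2 ;;
    esac
    # The 0 prefix forces octal even when the caller passes "22" instead of "022".
    printf '%03o\n' $(( base & ~0$umask ))
}

# Succeeds when HAVE clears every bit that REQUIRED clears, i.e. HAVE is at
# least as restrictive. Use it to check `umask` output or the login.defs UMASK
# against a baseline such as 027 (no world access on anything newly created).
umask_at_least() {           # umask_at_least 077 027 -> true ; umask_at_least 022 027 -> false
    local have=$1 required=$2
    [ $(( 0$have & 0$required )) -eq $(( 0$required )) ]
}

# Walk through the masks discussed above. The "subtract and round odd digits"
# shortcut gives 643 -> 644 for files under 023, and nothing sensible under 077.
for m in 022 023 027 077; do
    printf 'umask %s: file %s  dir %s\n' "$m" "$(default_mode file "$m")" "$(default_mode dir "$m")"
done
```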

Linux special permissions: SUID, SGID, SBIT

SUID

Applies to: executable binaries (the Linux kernel ignores SUID on scripts).

Effect: the process runs with the effective UID of the file's owner, so an ordinary user temporarily acts with the owner's privileges and can reach resources that user otherwise could not (this is how passwd, owned by root, is able to write /etc/shadow).

Example: passwd

[root@centos7 ~]# which passwd | xargs ls -l
-rwsr-xr-x. 1 root root 27832 Jun 10 2014 /usr/bin/passwd

Usage: chmod 4744 file1, or chmod u+s file1 (a bare chmod +s sets both SUID and SGID).

Every root-owned SUID binary is a privilege boundary: a bug in one of them hands out root to any local user, so keep the set small and know what is in it.

SGID

1. On a directory: files created inside inherit the directory's group instead of the creator's primary group, and new subdirectories inherit the SGID bit as well. This is how shared project directories are built.

2. On a binary: the process runs with the effective GID of the file's group.

SBIT (sticky bit)

Applies to: directories.

Effect: in a directory with the sticky bit set, a file can be deleted or renamed only by the file's owner, the directory's owner, or root, even when the directory is world-writable.

Example: the /tmp directory

[root@centos7 ~]# ll -d /tmp
drwxrwxrwt. 15 root root 4096 Jul 28 21:17 /tmp

Usage: chmod 1755 /data, or chmod o+t /data
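The mode strings above encode the special bits in the execute position: lowercase s or t means the special bit and the execute bit are both set, uppercase S or T means the special bit is set without execute, which is almost always a chmod mistake such as chmod 4644. The decoder below is an added example (not from the original article) that turns an ls -l mode string into the four-digit octal mode and names the special bits it finds; the sample strings are the page's own passwd and /tmp plus constructed ones. On a real system you would feed it the modes of find / -xdev -type f -perm /6000 to review the SUID/SGID inventory.

```shell
#!/usr/bin/env bash
# Decode an ls -l mode string such as "-rwsr-xr-x" into a four-digit octal
# mode plus the special bits. Capital S/T (special bit without execute) are
# reported separately because they usually indicate a misapplied chmod.

triplet_value() {            # "rws" -> 7, "rwS" -> 6, "r-x" -> 5, "---" -> 0
    local t=$1 n=0
    case $t in r??) n=$((n | 4)) ;; esac
    case $t in ?w?) n=$((n | 2)) ;; esac
    case $t in ??[xst]) n=$((n | 1)) ;; esac     # lowercase s/t imply x is set
    echo "$n"
}

decode_mode() {              # decode_mode -rwsr-xr-x  -> "4755 suid"
    local m=$1 special=0 flags="" u g o
    [ ${#m} -ge 10 ] || { echo "need a 10-character mode string" >&2; return 2; }
    u=$(printf '%s' "$m" | cut -c2-4)            # owner triplet
    g=$(printf '%s' "$m" | cut -c5-7)            # group triplet
    o=$(printf '%s' "$m" | cut -c8-10)           # other triplet (a trailing SELinux '.' is ignored)
    case $u in
        ??s) special=$((special | 4)); flags="$flags,suid" ;;
        ??S) special=$((special | 4)); flags="$flags,suid-without-exec" ;;
    esac
    case $g in
        ??s) special=$((special | 2)); flags="$flags,sgid" ;;
        ??S) special=$((special | 2)); flags="$flags,sgid-without-exec" ;;
    esac
    case $o in
        ??t) special=$((special | 1)); flags="$flags,sticky" ;;
        ??T) special=$((special | 1)); flags="$flags,sticky-without-exec" ;;
    esac
    if [ -n "$flags" ]; then flags=${flags#,}; else flags=none; fi
    printf '%d%d%d%d %s\n' "$special" "$(triplet_value "$u")" \
        "$(triplet_value "$g")" "$(triplet_value "$o")" "$flags"
}

# The two modes shown in the article plus constructed cases.
for mode in -rwsr-xr-x. drwxrwxrwt. -rwxr-sr-x -rwSr--r-- -rw-r--r--; do
    printf '%-12s -> %s\n' "$mode" "$(decode_mode "$mode")"
done
```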

Linux special attributes

chattr

i attribute: immutable. Once set, the file cannot be modified, deleted, renamed or linked, even by root, until the attribute is removed (which itself requires root, i.e. CAP_LINUX_IMMUTABLE).

a attribute: append-only. The file can only be opened for appending, which suits log files.

lsattr

Shows the attributes of a file.

[root@centos7 ~]# chattr +i /etc/passwd      # set the i attribute
[root@centos7 ~]# lsattr /etc/passwd         # view special attributes
----i----------- /etc/passwd
[root@centos7 ~]# rm /etc/passwd             # cannot be deleted
rm: remove regular file '/etc/passwd'? y
rm: cannot remove '/etc/passwd': Operation not permitted
[root@centos7 ~]# mv /etc/{passwd,p}         # cannot be renamed
mv: cannot move '/etc/passwd' to '/etc/p': Operation not permitted
[root@centos7 ~]# echo hello >> /etc/passwd  # cannot be appended to
-bash: /etc/passwd: Operation not permitted
[root@centos7 ~]# chattr -i /etc/passwd      # remove the i attribute
[root@centos7 ~]# lsattr /etc/passwd         # view attributes
---------------- /etc/passwd

Making /etc/passwd immutable blocks useradd, passwd and package updates as well as attackers, and the attribute is visible to anyone who runs lsattr, so treat it as a tamper-resistance and tamper-evidence measure for files that genuinely should not change, not as something to hide.

ACL permissions

Access Control List: grants permissions to individual users or groups beyond the owner/group/other model.

On older CentOS releases a manually created ext4 filesystem did not have the acl option enabled by default, so it had to be turned on:

tune2fs -o acl /dev/sdb1
mount -o acl /dev/sdb1 /mnt/test

setfacl -m sets an ACL entry
setfacl -x removes an entry
setfacl -b file removes all ACL entries
getfacl file shows the ACL

[root@centos7 ~]# setfacl -m u:qqq:w date.sh    # set an ACL entry
[root@centos7 ~]# getfacl date.sh               # view the ACL
# file: date.sh
# owner: root
# group: root
user::---
user:qqq:-w-
group::---
mask::-w-
other::--x
[root@centos7 ~]# setfacl -x u:qqq date.sh
[root@centos7 ~]# getfacl date.sh
# file: date.sh
# owner: root
# group: root
user::---
group::---
mask::---
other::--x
[root@centos7 ~]# setfacl -b date.sh            # remove all ACL entries

The mask is recomputed by every setfacl -m as the union of the named-user, owning-group and named-group entries, which is why it reads -w- while the qqq entry exists and --- once it is removed. ls -l shows the mask in place of the group bits and marks the file with a trailing "+".

ACL evaluation order: the file owner first; then a matching named-user entry; then the owning group and any matching named groups, whose permissions accumulate; then other. The mask caps the named-user and group steps but never the owner or other entries.
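The evaluation order just stated is the whole algorithm, and the mask is what trips people up because it caps named users and every group entry but not the owner or other. The script below is an added example (not from the original article) that implements that order over a constructed getfacl text and reports the effective permission for a given user and group list; the file date.sh, the users and the group webs are made up, and the real system call behind this is access(2), not this script.

```shell
#!/usr/bin/env bash
# Evaluate a POSIX ACL (getfacl output) the way the kernel does:
#   1. owner                 -> user:: entry, NOT limited by the mask
#   2. named user            -> user:NAME: entry, AND mask
#   3. owning or named group -> union of matching group entries, AND mask
#   4. everyone else         -> other:: entry

# Constructed sample; the file, qqq and webs are invented for the example.
SAMPLE_ACL='# file: date.sh
# owner: root
# group: root
user::rw-
user:qqq:-w-
group::r--
group:webs:--x
mask::rw-
other::---'

perm_to_num() {              # "r-x" -> 5
    local p=$1 n=0
    case $p in r??) n=$((n | 4)) ;; esac
    case $p in ?w?) n=$((n | 2)) ;; esac
    case $p in ??x) n=$((n | 1)) ;; esac
    echo "$n"
}

num_to_perm() {              # 5 -> "r-x"
    local n=$1 s=""
    if [ $((n & 4)) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
    if [ $((n & 2)) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
    if [ $((n & 1)) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    echo "$s"
}

in_list() {                  # in_list webs "nginx webs" -> true
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# acl_effective ACL_TEXT OWNER OWNING_GROUP USER "GROUP1 GROUP2 ..." -> rwx string
acl_effective() {
    local acl=$1 owner=$2 ogroup=$3 who=$4 groups=$5
    local tag qual perm p eff owner_p=0 other_p=0 mask=7 named_user="" group_acc=0 group_hit=0
    while IFS=: read -r tag qual perm; do
        perm=${perm%%[[:space:]]*}               # drop "#effective:..." annotations
        case $tag in
            user)
                if [ -z "$qual" ]; then owner_p=$(perm_to_num "$perm")
                elif [ "$qual" = "$who" ]; then named_user=$(perm_to_num "$perm"); fi ;;
            group)
                [ -z "$qual" ] && qual=$ogroup   # group:: is the owning group
                if in_list "$qual" "$groups"; then
                    p=$(perm_to_num "$perm"); group_acc=$((group_acc | p)); group_hit=1
                fi ;;
            mask)  mask=$(perm_to_num "$perm") ;;
            other) other_p=$(perm_to_num "$perm") ;;
        esac
    done <<EOF
$acl
EOF
    if   [ "$who" = "$owner" ];  then eff=$owner_p
    elif [ -n "$named_user" ];   then eff=$((named_user & mask))
    elif [ "$group_hit" -eq 1 ]; then eff=$((group_acc & mask))
    else                              eff=$other_p
    fi
    num_to_perm "$eff"
}

# Who gets what on the sample file (owner root, owning group root).
for subject in "root root" "qqq qqq" "nginx nginx webs" "bob bob root" "alice alice"; do
    set -- $subject; user=$1; shift
    printf '%-6s groups=%-12s -> %s\n' "$user" "$*" "$(acl_effective "$SAMPLE_ACL" root root "$user" "$*")"
done
```

Note the nginx case: the named group webs grants --x, but the mask rw- strips the x, so nginx ends up with nothing even though getfacl shows an entry for its group. That is exactly what getfacl's "#effective:" annotation warns about.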
