
Linux Special permissions

2025-03-28 Update From: SLTechnology News&Howtos > Servers


Shulou(Shulou.com)06/03 Report--

Special permissions for Linux rights management

ACL (access control list)

ACLs are used when the standard owner / group / others model cannot express the permissions a particular user or group needs: they let you grant rights on a file to additional named users and groups.

Using ACLs requires support from the file system.

On Linux, the common file systems that support ACLs include ext2 / ext3 / ext4, JFS, XFS and others.

Check whether ACL support is enabled on the partition

dumpe2fs -h device_name | grep "Default mount options"   # view the device's default mount options (dumpe2fs only supports ext2/3/4 file systems)

For an XFS file system, view the superblock information with the xfs_growfs command.

Temporarily enable ACL support on a partition

mount -o remount,acl /   # remount the root partition with the acl mount option

To enable ACL support permanently, add acl to the partition's mount options in /etc/fstab.

View ACL permissions

getfacl filename

Example:

[root@VM_0_8_centos home]# getfacl av
# file: av                                # file name
# owner: tony                             # owner
# group: stu                              # owning group
user::rwx                                 # permissions of the owner
user:lw:r-x                               # permissions of user lw
group::rwx              #effective:r-x    # permissions of the owning group (effective: real permissions after the mask is applied)
group:tgroup2:rwx       #effective:r-x    # permissions of group tgroup2 (effective: real permissions after the mask is applied)
mask::r-x                                 # mask
other::---                                # permissions of others

ACL maximum effective permission mask

The mask specifies the maximum effective permission. The permission granted to a named user or group in an ACL entry is ANDed with the mask, and only the bits present in both become that user's real (effective) permission; getfacl shows this as the #effective: column.

Configure the mask:

setfacl -m m:permissions filename   # set the mask of the file
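The effective-permission rule above is easy to get wrong, so here is an added example (not code from the original post) that reproduces the #effective: column of getfacl by ANDing each entry with the mask. It works on plain getfacl output fed through stdin, the sample output is constructed to match the av example above, and nothing touches the file system, so it runs even where setfacl/getfacl are not installed.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the "#effective:"
# column of getfacl by ANDing each ACL entry with the mask.

# Constructed getfacl output, modelled on the av example in the text.
SAMPLE_GETFACL='# file: av
# owner: tony
# group: stu
user::rwx
user:lw:r-x
group::rwx
group:tgroup2:rwx
mask::r-x
other::---'

# effective_acl: reads getfacl output on stdin and prints, for every entry
# the mask applies to (named users, the owning group, named groups), the
# entry followed by its effective permission. user:: (the owner), other::
# and the mask line itself are not limited by the mask and are skipped.
effective_acl() {
    awk -F: '
        /^#/ || NF == 0 { next }          # skip comment and blank lines
        $1 == "mask"    { mask = $3 }      # remember the mask (it may come after the entries)
        { entries[++n] = $0 }              # keep entries in their original order
        END {
            for (i = 1; i <= n; i++) {
                split(entries[i], f, ":")
                if (f[1] == "mask" || f[1] == "other") continue
                if (f[1] == "user" && f[2] == "") continue
                eff = ""
                for (j = 1; j <= 3; j++) {
                    e = substr(f[3], j, 1); m = substr(mask, j, 1)
                    # a bit survives only if it is set in both the entry and the mask
                    eff = eff ((e == m && e != "-") ? e : "-")
                }
                printf "%s\t#effective:%s\n", entries[i], eff
            }
        }'
}

# with_mask NEWMASK: show what "setfacl -m m:NEWMASK av" would do to the
# effective column, by rewriting the mask line of the constructed sample.
with_mask() {
    printf '%s\n' "$SAMPLE_GETFACL" | sed "s/^mask::.*/mask::$1/" | effective_acl
}

# Demo: the original mask r-x, then a tighter mask r--.
printf '%s\n' "$SAMPLE_GETFACL" | effective_acl
echo '--- after setfacl -m m:r-- av ---'
with_mask 'r--'
```

With the mask r-x from the example, the rwx entries for group:: and group:tgroup2 both collapse to r-x, which is exactly what the #effective: annotations in the getfacl output show; tightening the mask to r-- cuts every named entry down to r-- without touching the owner or other entries.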

Set ACL permissions

setfacl [option] acl_entry filename

-m: set ACL permissions

-x: deletes the specified ACL permission

-b: remove all ACL permissions

-d: set default ACL permissions

-k: delete the default ACL permission

-R: recursively set ACL permissions

An ACL entry consists of three parts:

identity type : name of that identity : permissions

[u|g|o]:[user name|group name]:[rwx]

Set ACL permissions for a user:

setfacl -m u:username:permissions filename

Set ACL permissions for a group:

setfacl -m g:groupname:permissions filename

Example:

setfacl -m u:lw:rw- test.txt

setfacl -m g:stu:rw- hello.txt

Remove ACL permissions:

setfacl -x u:username filename   # remove the specified user's ACL entry

setfacl -x g:groupname filename   # remove the specified group's ACL entry

setfacl -b filename   # remove all ACL entries from the file

ACL default permissions and recursive permissions

Recursive ACL permissions

Recursion means that when an ACL entry is set on a parent directory, every file and subdirectory already under it receives the same ACL entry. This easily grants more access than intended, so use it with care.

Use the -R option when setting the ACL.

Recursive ACL permissions can only be applied to directories, not to files.

When recursion is used, the ACL entry is granted only to the files and subdirectories that already exist under the directory; files and subdirectories created afterwards will not receive it.

Example

setfacl -m u:lw:rw- -R /hello.txt

Default ACL permissions

If a default ACL is set on a parent directory, every new file or subdirectory created inside it inherits that ACL entry from the parent directory.

setfacl -m d:u:username:permissions directoryname

-

Linux sudo permission

sudo lets root delegate commands that can normally only be executed by the superuser to ordinary users.

The object sudo operates on is a system command.

Granting superuser permissions to ordinary users

The visudo command

Format for granting permissions to a user or a user group in the file opened by visudo:

username  address_of_managed_host=(identity_to_run_as)  authorized_command   # the command must be an absolute path

%groupname  address_of_managed_host=(identity_to_run_as)  authorized_command   # the command must be an absolute path

An ordinary user runs a command granted by root as:

sudo /absolute/path/to/command

Special permissions for Linux files (these are defined by the system and rarely need to be modified)

SetUID

Only executable binary programs can have the SUID permission set

The user executing the command must have x (execute) permission on the program

While the program runs, the executor takes on the identity of the program file's owner (as if possessed by the file owner for the duration of the execution)

The SetUID permission is valid only while the program is running, that is, the identity change lasts only for the execution of the program

Setting SetUID

4 stands for SUID

chmod 4755 filename

chmod u+s filename

Removing SetUID

chmod 0755 filename

chmod u-s filename

Dangers of SetUID

Write permission on key directories should be strictly controlled.

Users' passwords should strictly follow the three password principles.

Make a list of the files that have the SetUID permission by default on the system, and check regularly whether any file outside that list has been given the SetUID permission.
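One way to turn the last recommendation into a routine check, as an added example (not code from the original post): list_suid prints every regular file under a root with the SUID bit set, and unexpected_suid compares that list with a baseline file of known-good paths. The demo tree, file names and baseline are constructed in a temporary directory so the script runs as an unprivileged user; on a real host you would run list_suid / as root.

```shell
#!/bin/sh
# Added example, not from the original post: baseline check for SUID files.
export LC_ALL=C   # sort and comm must agree on collation order

# list_suid ROOT: regular files under ROOT with the SUID bit set, sorted.
list_suid() {
    # -xdev: stay on one file system; -perm -4000: SUID bit set, other bits arbitrary
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# unexpected_suid ROOT BASELINE: SUID files under ROOT that are not listed in
# BASELINE (a sorted file with one absolute path per line).
unexpected_suid() {
    # comm -23 keeps lines present only in the first (current) list
    list_suid "$1" | comm -23 - "$2"
}

# demo_unexpected_suid: build a constructed tree with one expected SUID file,
# one ordinary file and one SUID file that is missing from the baseline, and
# print what the check flags.
demo_unexpected_suid() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin" "$tmp/tmp"
    : > "$tmp/bin/passwd" && chmod 4755 "$tmp/bin/passwd"   # constructed: known-good, in baseline
    : > "$tmp/bin/ls"     && chmod 0755 "$tmp/bin/ls"       # constructed: no SUID, ignored
    : > "$tmp/tmp/stray"  && chmod 4755 "$tmp/tmp/stray"    # constructed: SUID, not in baseline
    printf '%s\n' "$tmp/bin/passwd" | sort > "$tmp/baseline.txt"
    unexpected_suid "$tmp" "$tmp/baseline.txt"
    rm -rf "$tmp"
}

demo_unexpected_suid
```

On a real host, generate the baseline once as root with list_suid / after a clean install, keep it somewhere the check can read but ordinary users cannot write, and run unexpected_suid from cron; anything it prints is either a newly installed package or something to look into. The same pattern with -perm -2000 covers SGID files.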

SetGID

The role of SetGID on files

Only executable binary programs can have the SGID permission set

The user executing the command must have x (execute) permission on the program

While the program runs, the executor's group identity becomes the group that owns the program file

SetGID permissions are also valid only during execution of the program; the group identity change lasts only while the program runs.

The role of SetGID on directories

An ordinary user must have r and x permission on the directory in order to enter it

Inside that directory, the ordinary user's effective group becomes the directory's owning group

If the ordinary user also has w permission on the directory, files created there get the directory's owning group as their default group

Setting SetGID

2 stands for SGID

chmod 2755 filename

chmod g+s filename

Sticky bit permissions

The sticky bit is currently only meaningful for directories

Ordinary users have w and x permission on the directory, that is, they can write in it

Without the sticky bit, an ordinary user with w permission can delete every file in the directory, including files created by other users.

Once the sticky bit is set, only root (and the owner of the directory) can delete every file; an ordinary user with w permission can delete only the files they created themselves,

and cannot delete files created by other users.

Setting the sticky bit

chmod 1755 directoryname

chmod o+t directoryname

Removing the sticky bit

chmod 0777 directoryname

chmod o-t directoryname
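To tie the SUID, SGID and sticky bit sections together, here is an added example (not code from the original post) that decodes a four-digit octal mode such as 4755 into the permission string ls -l would print. It shows where each special bit lands and why ls prints a capital S or T when the special bit is set but the matching x bit is not, a combination that is set but useless and worth flagging when auditing. The modes in the demo are the ones from the text above; 4655 is a constructed example of the capital-S case.

```shell
#!/bin/sh
# Added example, not from the original post: octal mode -> ls -l style string.

mode_to_symbolic() {
    mode=$1
    while [ ${#mode} -lt 4 ]; do mode="0$mode"; done   # "755" -> "0755"
    special=$(printf '%s' "$mode" | cut -c1)           # 4 = SUID, 2 = SGID, 1 = sticky
    out=""
    pos=2
    for who in u g o; do
        d=$(printf '%s' "$mode" | cut -c"$pos")
        r=-; w=-; x=-
        if [ $((d & 4)) -ne 0 ]; then r=r; fi
        if [ $((d & 2)) -ne 0 ]; then w=w; fi
        if [ $((d & 1)) -ne 0 ]; then x=x; fi
        case "$who" in
            u) bit=4; lower=s ;;   # SUID shows in the owner's x position
            g) bit=2; lower=s ;;   # SGID shows in the group's x position
            o) bit=1; lower=t ;;   # sticky bit shows in the others' x position
        esac
        if [ $((special & bit)) -ne 0 ]; then
            if [ "$x" = x ]; then
                x=$lower
            else
                x=$(printf '%s' "$lower" | tr 'st' 'ST')   # capital: special bit without underlying x
            fi
        fi
        out="$out$r$w$x"
        pos=$((pos + 1))
    done
    printf '%s\n' "$out"
}

# Demo for the modes used in the text, plus the constructed capital-S case.
for m in 4755 2755 1777 0755 4655; do
    printf '%s  %s\n' "$m" "$(mode_to_symbolic "$m")"
done
```

Reading the output, 4755 becomes rwsr-xr-x, 2755 becomes rwxr-sr-x and 1777 becomes rwxrwxrwt, which is how these bits appear in ls -l listings; a mode like 4655 prints rwSr-xr-x, the capital S meaning the SUID bit is set on a file the owner cannot even execute.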

Linux immutable bit permissions (chattr permissions)

chattr command format

chattr [+-=] [option] file_or_directory_name

+: add an attribute

-: remove an attribute

=: set exactly this attribute

Options:

i: if the i attribute is set on a file, the file cannot be deleted, renamed, or have data added or modified; if it is set on a directory, the data of the files inside the directory can still be modified, but files cannot be created or deleted in it.

a: if the a attribute is set on a file, data can only be appended to the file, and existing data can be neither deleted nor modified; if it is set on a directory, files can be created and modified in the directory but not deleted.

View file attributes:

lsattr

-a: show all files and directories

-d: if the target is a directory, list only the attributes of the directory itself, not those of the files inside it
